
dsniff


dsniff is a suite of tools written by Dug Song. They attack the confidentiality of network traffic by sniffing, man-in-the-middle interception and related techniques. The suite is available at http://www.monkey.org/~dugsong/dsniff/.

Tools in the suite:

Sniffing tools:

  • dsniff - password capture for FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL
  • filesnarf - dumps whole files sent via NFS
  • mailsnarf - dumps emails in readable form from SMTP and POP
  • msgsnarf - dumps instant messages
  • urlsnarf - logs the URLs requested in sniffed HTTP traffic
  • webspy - displays, in the attacker's own browser and in real time, the pages a watched user is browsing

Attack tools:

  • arpspoof - poisons a target's ARP cache with forged ARP replies
  • dnsspoof - forges replies to DNS queries seen on the LAN
  • macof - floods a switch's MAC address table with random addresses so that it fails open and repeats frames to every port
  • sshmitm - performs an SSH (protocol version 1) man in the middle
  • webmitm - performs an HTTP/HTTPS (SSL) man in the middle

Strengths of dsniff

dsniff presents practical tools for exploring the security weaknesses of packet switched networks. The sniffing family of tools captures various classes of information on an IP network; they use a number of techniques and libraries to classify, reassemble and present the data to the user efficiently and accurately. While much of this functionality has been available since the advent of packet switched networks, dsniff is a widely accessible tool that removes the tedious work of interpreting raw captures. The active tools turn well known theoretical attacks into practical ones. The spoofing tools solve the logistical problem of sniffing and man in the middle attacks, namely getting the traffic to pass the attacker's machine, and so allow the usually passive sniffing attack to work on switched Ethernet, where an attacker's port would otherwise see only its own traffic. macof exploits a little known property of switches: when their address table is exhausted they fail open into a shared, hub-like state. The man in the middle tools let an attacker mount, in real time, the widely known man in the middle attacks on protocols that use otherwise strong cryptography.

Viable dsniff scenarios

The dsniff tools require some proximity to the target's communication path. Normally this means a prior compromise of a host on the source or destination network, although any foothold on the same data-link segment somewhere along the path will do. The dsniff and snarf tools need to see the packets in question; the easiest way is a network card in promiscuous mode on a shared medium. The active tools open up variations that do not require a shared medium, but even these still need data-link layer proximity to the target communication. At the very least the attacker must have a machine close enough to capture the packets; the analysis itself need not run on that machine, since captures can be shipped elsewhere.

Variations using arpspoof

arpspoof lets an attacker poison the ARP cache of machines along the path of the target communication. When a host sends an IP packet it first chooses the next hop at the network layer (the destination itself if it is on the local subnet, otherwise the router) and then needs that next hop's data-link address. It consults its ARP cache; on a miss it broadcasts an ARP who-has request, and when the reply arrives it caches the IP-to-MAC mapping for a fixed time. arpspoof does not wait for this exchange: it sends forged ARP replies at regular intervals claiming that the spoofed IP address (typically the gateway) is at the attacker's MAC address, and most hosts overwrite their cache with whatever reply arrives, solicited or not. The attacker must therefore be on the same data-link segment as the target, that is, in its broadcast domain; with Ethernet this need not be a shared collision domain, so a switched LAN is enough. Once the attacker's MAC address sits in the target's cache, the target sends every packet for that next hop to the attacker, who can record or alter it and forward it on to the legitimate machine, whose real MAC address the attacker keeps in his own cache. Because all of the target's traffic now passes through the attacker, both the passive sniffing tools and the active man in the middle tools apply. Unless the attacker actually forwards the redirected packets, the target simply loses connectivity, which is conspicuous.
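The frame arpspoof sends, and the check that catches it, as an added example (not dsniff code; stdlib Python, all addresses constructed). The first half builds and parses the Ethernet/ARP reply exactly as described above, with the gateway's IP paired with the attacker's MAC; the second half is an arpwatch-style detector that records the MAC each IP last claimed and raises an alert when a later reply changes it:

```python
"""ARP reply forgery and an arpwatch-style change detector.
Added example, not part of dsniff; stdlib only. All addresses are constructed."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet + ARP 'sender_ip is-at sender_mac', unicast to the target.
    arpspoof sends this shape with sender_ip = the spoofed host (e.g. the gateway)
    and sender_mac = the attacker's own address."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)      # Ethernet, IPv4, reply
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip),
    or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), str(IPv4Address(frame[28:32])),
            mac_str(frame[32:38]), str(IPv4Address(frame[38:42])))

class ArpWatch:
    """Remember the MAC each IP last claimed; alert when a reply changes it."""
    def __init__(self):
        self.table = {}
        self.alerts = []           # (ip, old_mac, new_mac)

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None or p[0] != ARP_REPLY:
            return
        _, sender_mac, sender_ip, _, _ = p
        old = self.table.get(sender_ip)
        if old is not None and old != sender_mac:
            self.alerts.append((sender_ip, old, sender_mac))
        self.table[sender_ip] = sender_mac

# constructed addresses for the demonstration
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:aa:bb:cc:dd:ee"
ATTACKER_MAC = "de:ad:be:ef:00:01"

def demo():
    watch = ArpWatch()
    # the gateway's genuine reply to the victim's who-has
    watch.observe(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    # the frame arpspoof sends: gateway IP, attacker MAC
    watch.observe(build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    return watch.alerts

if __name__ == "__main__":
    for ip, old, new in demo():
        print(f"ALERT: {ip} moved from {old} to {new}")
```

On a real LAN the equivalent of the second frame is produced by `arpspoof -i eth0 -t 192.168.1.10 192.168.1.1`, repeated every couple of seconds; on Linux the attacker first enables forwarding (`sysctl -w net.ipv4.ip_forward=1`) so the redirected packets reach the gateway instead of being dropped, and runs a second instance with the two addresses swapped to capture the return direction as well.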

Variations using dnsspoof

dnsspoof trades the low level reliability of arpspoof for reach. It races the real DNS server: when it sees a query for a name it is configured to spoof (or for any name, if no hosts file is given), it sends a forged reply carrying the query's transaction ID and question, and the client accepts whichever answer arrives first. Because dnsspoof sniffs the query with libpcap it has to be placed where it can see the client's requests, which in practice means the client's LAN or a hop on the path to its resolver; attempting the race blind from elsewhere would mean guessing the 16-bit transaction ID and source port of a query it never saw. A forged reply that wins the race at a caching resolver also poisons that resolver's cache, so every client behind it is affected for the TTL the attacker chose. DNS spoofing is more readily detected than ARP spoofing: an observant user may notice the wrong address, and the resolver's logs show it. Given the bogus address, the client sends its traffic to the attacker's machine, which can process the packets and optionally relay them to the real destination, at which point the rest of the suite, including the man in the middle tools, applies.
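The race in wire terms, as an added example (not dnsspoof's code; stdlib Python, the query is constructed). `forge_answer` does what dnsspoof does with a sniffed query, copy its transaction ID and question and attach an A record for the attacker's address, and `resolver_accepts` is the minimal set of checks a stub resolver applies before believing a reply. The last case in the test shows why proximity matters: a reply forged for a query the attacker did not see, and so with a wrong ID, is discarded.

```python
"""DNS reply forgery: parse a query, build a matching A-record answer, and apply
the checks a resolver makes before accepting it. Added example, stdlib only."""
import struct
from ipaddress import IPv4Address

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at offset off; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                                    # compression pointer
            ptr = ((n & 0x3F) << 8) | msg[off]
            off += 1
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off

def build_query(txid: int, name: str) -> bytes:
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return hdr + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def parse_query(msg: bytes):
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass

def forge_answer(query: bytes, fake_ip: str, ttl: int = 300) -> bytes:
    """What dnsspoof does: echo the transaction ID and question, add an A record."""
    txid, name, qtype, qclass = parse_query(query)
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, one answer
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    rr = struct.pack("!H", 0xC00C)                           # pointer to the name at offset 12
    rr += struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + IPv4Address(fake_ip).packed
    return hdr + question + rr

def resolver_accepts(query: bytes, response: bytes) -> bool:
    """Stub resolver checks: same ID, QR bit set, the question echoed back unchanged."""
    qid, qname, qtype, qclass = parse_query(query)
    rid, flags, qd, an, *_ = struct.unpack("!HHHHHH", response[:12])
    if rid != qid or not flags & 0x8000 or qd != 1:
        return False
    rname, off = decode_name(response, 12)
    rtype, rclass = struct.unpack("!HH", response[off:off + 4])
    return (rname, rtype, rclass) == (qname, qtype, qclass)

def answered_ip(response: bytes) -> str:
    """Address in the first answer record (assumes one question, A record first)."""
    _, off = decode_name(response, 12)
    off += 4                                                 # qtype, qclass
    _, off = decode_name(response, off)                      # owner name (compressed)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return str(IPv4Address(response[off + 10:off + 10 + rdlen]))

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    r = forge_answer(q, "10.0.0.5")
    print("accepted:", resolver_accepts(q, r), "->", answered_ip(r))
```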

Variations using macof

macof floods a switch with frames carrying random source (and destination) MAC addresses, filling the switch's MAC address (CAM) table so that legitimate entries are evicted or can no longer be learned. Many switches then fail open: a frame for a destination that is no longer in the table is flooded out every port, much as a hub would repeat it, and an attacker on any port can sniff it. At that point all of the usual sniffing attacks, the dsniff tools included, work as they would on a shared medium. Port security, which caps the number of MAC addresses a switch will learn on each port, is the standard countermeasure.
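A toy model of the failure, added here as an example (not dsniff code; stdlib Python). The switch is a simplification: its learning table has a fixed capacity and evicts its oldest entry when full, which is one of the ways real switches behave; others simply stop learning and let legitimate entries age out, with the same end result. `demo()` shows a gateway-to-victim frame reaching only the victim's port before a macof-style flood and every port after it, and that a per-port learning limit (port security) keeps the table intact:

```python
"""Toy model of a learning switch under a macof-style MAC table flood.
Added example, not dsniff code; the switch behaviour is a simplification."""
import os

def random_mac() -> str:
    """Random unicast, locally administered MAC, the kind macof fills the table with."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] & 0xFE) | 0x02         # clear the multicast bit, set the local bit
    return ":".join(f"{x:02x}" for x in b)

class ToySwitch:
    def __init__(self, capacity: int, port_security_limit=None):
        self.capacity = capacity
        self.limit = port_security_limit   # max MACs learned per port, None = unlimited
        self.table = {}                    # MAC -> port; insertion order doubles as age
        self.per_port = {}
        self.dropped = 0

    def learn(self, src: str, port: int):
        if src in self.table:
            return
        if self.limit is not None and self.per_port.get(port, 0) >= self.limit:
            self.dropped += 1              # port security: refuse new addresses on this port
            return
        if len(self.table) >= self.capacity:
            oldest = next(iter(self.table))
            self.per_port[self.table.pop(oldest)] -= 1
        self.table[src] = port
        self.per_port[port] = self.per_port.get(port, 0) + 1

    def forward(self, src: str, dst: str, in_port: int, n_ports: int = 4) -> set:
        """Learn the source, then return the set of ports the frame leaves on."""
        self.learn(src, in_port)
        out = self.table.get(dst)
        if out is None:                    # unknown destination: flood, like a hub
            return {p for p in range(n_ports) if p != in_port}
        return {out}

# constructed addresses for the demonstration
GATEWAY_MAC, VICTIM_MAC = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"

def demo(port_security_limit=None, flood_frames: int = 1000):
    """Return (ports a gateway->victim frame reaches before the flood,
    the same after the flood, number of flood frames the switch refused to learn)."""
    sw = ToySwitch(capacity=64, port_security_limit=port_security_limit)
    sw.forward(VICTIM_MAC, GATEWAY_MAC, in_port=1)   # victim on port 1
    sw.forward(GATEWAY_MAC, VICTIM_MAC, in_port=0)   # gateway on port 0
    before = sw.forward(GATEWAY_MAC, VICTIM_MAC, in_port=0)
    for _ in range(flood_frames):                   # macof on port 2: random src and dst
        sw.forward(random_mac(), random_mac(), in_port=2)
    after = sw.forward(GATEWAY_MAC, VICTIM_MAC, in_port=0)
    return before, after, sw.dropped

if __name__ == "__main__":
    print("no port security  :", demo())
    print("port security = 2 :", demo(port_security_limit=2))
```

The attacker on port 2 sees the gateway-to-victim frame only in the first run; in the second the switch learns two addresses on port 2 and refuses the rest, so the victim's entry survives.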

Man in the middle attacks

sshmitm and webmitm both exploit the weak link between a server's keying material and its identity in the SSH and SSL protocols: nothing in the key exchange itself tells the client that the public key it receives belongs to the server it meant to reach, unless that binding was established beforehand. The man in the middle plays server to the client and client to the server. Both tools depend on the traffic being redirected first, normally with dnsspoof, so that the client's connection lands on the attacker's host.

sshmitm

Every SSH session starts over a cleartext channel and has to bootstrap encryption from it, so asymmetric cryptography is used to protect this setup phase. In SSH protocol version 1, which is the only version sshmitm attacks, the server sends the client two RSA public keys after the initial version exchange: a long-lived host key that identifies the server, and a smaller server key that is regenerated periodically (hourly in the protocol specification). The client generates a random session key and encrypts it with both keys before sending it back. sshmitm exploits the fact that this public key model is not bootstrapped with any out-of-band exchange of trust: it substitutes its own keys for the server's during session setup, so the client's session key is encrypted to the attacker. The client cannot detect the substitution unless the host key is verified manually, for instance by comparing its fingerprint with one obtained through a separate channel. If the client has recorded the host's key from an earlier connection, most clients notice the change and warn; the OpenSSH client prints a conspicuous banner stating that the remote host identification has changed and that this could indicate a man in the middle attack. With the default StrictHostKeyChecking=ask, current OpenSSH refuses to continue in that case; the yes/no prompt appears only for a host whose key has never been seen before, which is exactly the first-use situation in which sshmitm is hardest to notice. If the user does proceed, sshmitm negotiates its own session with the legitimate server and bridges the two, copying (and logging) the data as it passes; with its -I option it can also hijack the interactive session once the user has authenticated.
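The host key check that defeats the substitution, as an added example (not dsniff or OpenSSH code; stdlib Python). The blobs use the ssh-rsa wire format that OpenSSH pins in known_hosts today rather than the SSH 1 "bits e n" line, but the principle is the one described above: the client compares the key the server offers against the one it recorded earlier, and only the first connection has to be trusted blind. The moduli are constructed stand-ins derived from a hash, not real RSA keys:

```python
"""Host key pinning as a client does it with known_hosts: the check that exposes
the key substitution sshmitm performs. Added example, stdlib only; the key blobs
use the ssh-rsa wire format, the moduli are constructed stand-ins, not real keys."""
import base64
import hashlib
import struct

def ssh_string(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    """SSH mpint: big-endian, minimal, with a leading zero byte when the high bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return ssh_string(b)

def rsa_pubkey_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def parse_blob(blob: bytes):
    """Decode an ssh-rsa blob into (e, n); raises on any other key type."""
    def take(off):
        (ln,) = struct.unpack("!I", blob[off:off + 4])
        return blob[off + 4:off + 4 + ln], off + 4 + ln
    ktype, off = take(0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e, off = take(off)
    n, _ = take(off)
    return int.from_bytes(e, "big"), int.from_bytes(n, "big")

def fingerprint_md5(blob: bytes) -> str:
    """Old-style colon-separated MD5 fingerprint of the key blob."""
    return ":".join(f"{x:02x}" for x in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH style: SHA256 of the blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def known_hosts_line(host: str, blob: bytes) -> str:
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

def check_host_key(known_hosts: str, host: str, offered: bytes) -> str:
    """'ok' if the pinned key matches, 'changed' if it differs (the sshmitm case),
    'new' if nothing is pinned yet and the client can only trust on first use."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        hosts, ktype, key = parts[0].split(","), parts[1], parts[2]
        if host in hosts and ktype == "ssh-rsa":
            return "ok" if base64.b64decode(key) == offered else "changed"
    return "new"

# constructed keys: e = 65537, moduli derived from a hash purely as distinct stand-ins
SERVER_N = int.from_bytes(hashlib.sha256(b"real server").digest(), "big") | 1
MITM_N = int.from_bytes(hashlib.sha256(b"sshmitm").digest(), "big") | 1
SERVER_BLOB = rsa_pubkey_blob(65537, SERVER_N)
MITM_BLOB = rsa_pubkey_blob(65537, MITM_N)
KNOWN_HOSTS = known_hosts_line("bastion.example.com", SERVER_BLOB)

if __name__ == "__main__":
    print("pinned :", fingerprint_sha256(SERVER_BLOB))
    print("offered:", fingerprint_sha256(MITM_BLOB))
    print("verdict:", check_host_key(KNOWN_HOSTS, "bastion.example.com", MITM_BLOB))
```

The useful operational habit follows directly from the three verdicts: distribute host key fingerprints (or the known_hosts entries themselves) out of band so that a client never has to answer the first-use prompt, and treat "changed" as an incident rather than a nuisance.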

Webmitm

webmitm performs the analogous man in the middle attack on SSL. It presents its own certificate and RSA key pair (a self-signed certificate by default) to the client, opens its own connection to the real server, and relays and logs what passes, including form submissions and logins to "secure" web sites. Here the server's key is distributed through an X.509 public key infrastructure with a hierarchical trust model: the substituted certificate is not signed by a Certificate Authority the browser trusts, so the browser warns. The attack succeeds either when the user clicks through that warning or when the attacker has planted a CA certificate of his own in the browser's trust store, in which case he can sign a certificate for the victim's hostname and no warning appears at all.


©2001-2003 by Itillious, Inc. All Rights Reserved.