Denial of Service is a very commonly used attack methodology.
Distributed Denial Of Service using a multiplicity of Zombie machines is an often seen attack methodology.
There are various tools available for attackers to perpetrate DOS attacks.
Protection against DOS is difficult due to the very nature of the attacks.
Different scanning tools are available to aid detection and plugging of vulnerabilities leading to DOS
Shareware
Snort
Shadow
Courtney
Commercial
ISS RealSecure
Axent NetProwler
Cisco Secure ID (Net Ranger)
Network Flight Recorder
Network Security Wizard's Dragon
An Intrusion Detection System (abbreviated as IDS) is a defense system, which detects hostile activities in a network. The key is then to detect and possibly prevent activities that may compromise system security, or a hacking attempt in progress including reconnaissance/data collection phases that involve for example, port scans.
One key feature of intrusion detection systems is their ability to provide a view of unusual activity and issue alerts notifying administrators and/or block a suspected connection. In addition, IDS tools are capable of distinguishing between insider attacks originating from inside the organization (coming from own employees or customers) and external ones (attacks and the thread posed by hackers).
Once an intrusion has been detected, IDS issues alerts notifying administrators of this fact. The next step is undertaken either by the administrators or the IDS itself, by taking advantage of additional countermeasures (specific block functions to terminate sessions, backup systems, routing connections to a system trap, legal infrastructure etc.) - following the organization's security policy.
There are two kinds of DDOS-generated traffic, control traffic (between DDOS client and servers) and flood traffic (between DDOS servers and DDOS victim).
Anomaly 0: This is not real "DDOS" traffic, but it can be a viable method of determining the origin of DDOS attacks. As observed by RFP, an attacker will have to resolve his victim's hostname before a DDOS attack. BIND name servers are capable of recording these requests. You can either send them a WINCH signal with 'kill' or you can specify query logging in the BIND configuration. A single PTR type query before an attack indicates the request was made from the attacker's host, a great load of PTR type query for a DDOS victim before an attack indicates that the flood servers have been fed a host name and each server was resolving the hostname for itself.
Anomaly 1: Amount of bandwidth exceeds a maximum threshold that is expected normal traffic for a site could cause. Alternatively, the threshold can be measures for addresses in the traffic. These are clear signs of flood traffic and ACL rules can be implemented on the backbone routers that detect these signs and filter traffic.
Anomaly 2: Oversized ICMP and UDP packets. Stateful UDP sessions are normally using small UDP packets, having a payload of not more than 10 bytes. Normal ICMP messages don't exceed 64 to 128 bytes. Packets that are reasonably bigger are suspicious of containing control traffic, mostly the encrypted target(s) and other options for the DDOS server. Once (non-decoy) control traffic is spotted, one of the DDOS servers' location is revealed, as the destination IP address is not spoofed in control traffic.
Anomaly 3: TCP packets (and UDP packets) that are not part of a connection. The stealthiest DDOS tools use random protocols, including connection-oriented protocols, to send data over non-connection-oriented channels. Using stateful firewalls or link-state routing can discover these packets. Additionally, packets that indicate connection requests with destination ports above 1024, with which no known service is registered and running, are highly suspicious.
Anomaly 4: Packet payload contains ONLY alphanumeric character (e.g. no spaces, punctuation, control characters). This can be a sign that the packet payload is BASE64-encoded, and therefore contains only base64 characters. TFN2K is sending such packets in its control traffic. A TFN2K (and TFN2K derivatives) specific pattern is a string of repeating A's (AAAA...) in the payload, since the buffer size is padded by the encryption routine. If the BASE64 encoding is not used, and the payload contains binary encrypted traffic, the A's will be trailing binary \0's.
Anomaly 5: Packet payload contains ONLY binary, high-bit characters. While this can be a binary file transfer (traffic transmitted over ports 20, 21, 80, etc. must be excluded if this rule is applied), especially if contained in packets that are not part of valid stateful traffic, it is suspicious of being non-base64 encoded, but encrypted control traffic that is being transmitted in the packet payload.
Some of the popular IDS are:
Shareware
Snort
Shadow
Courtney
Commercial
ISS RealSecure
Axent NetProwler
Cisco Secure ID (Net Ranger)
Network Flight Recorder
Network Security Wizard's Dragon
I previously blogged about Backtrack 3,the ultimate hacking tool disc with over 300 tools…Now..the good news follows up as the latest version of Backtrack was unveiled by the guys at Remote Exploit.
For those that don’t know what BackTrack is,It is the top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes. 
It’s evolved from the merge of the two wide spread distributions – Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack has gained massive popularity and was voted in 2006 as the #1 Security Live Distribution by insecure.org. Security professionals as well as new-comers are using BackTrack as their favorite toolset all over the globe.
The new version has busted the 700mb file size though so it’d DVD or USB, it’s recommended to use a USB drive to run it or install it on your HDD as running from a CD isn’t exactly speedy.
Download BackTrack 4 Prerelaease
POSTED BY XERO . ALL RIGHTS RESERVED.Source-Darknet
big shock.
ID + Bethesda = Pure Awsummness!!!!
Yesterday I installed Vmware and tested Ubuntu Linux on it,however being a keyboard ninja,I felt clunked whenever I hit
the Windows key (another windows habit of bringing Start Menu) to bring the Ubuntu Panel at the top of screen as nothing happened at that time. Ubuntu Panel is a dropdown menu which is used to launch applications, which is quite similar to the way Windows has the start menu. However If you are a windows user new to Ubuntu, you might want to have the windows key launch the applications menu. Thankfully this is an easy thing to do in Ubuntu.
Go to the System \ Preferences \ Keyboard Shortcuts menu item:
Scroll down till you see the “Show the panel menu” item,click in the Shortcut column, and when it changes to “New accelerator…”, hit the Windows Key. Close all windows and you’re done!
Now whenever you will hit the windows key (intentionally/unintentionally/for God’s sake :P) , the application menu will pop up and you can navigate into it using the arrow keys.
Cheers and Keep Learning
Every budding Internet hacker or a user wants to hack a website,but is unsure on how to do that.In my last post,I 
discussed about Google Hacks which can be used to search for vulnerable sites and content from Google,however if you want to scan a website for its loopholes,you will need a good website ripper or a mapping tool. BlackWidow fills the missing link here.BlackWidow is a website scanner,a site ripper and mapping tool which is primarily used to scan a site and create a complete profile of the site’s structure, files, external links and even link errors.Upon scanning BlackWidow will download all file types such as pictures and images, audio and MP3 and literally any type of files from any websites.And If you are good (:P) then you can write your own "Plugins" for impossible to scan sites.
Primary features of black widow are -
That said,I was easily able to download the directory structure of my college’s website and scan it using Acunetix Vulnerability scanner for some loopholes and exploits.And it was easy as hell !! Overall,its a must have tool for security experts and noobs alike.
You can download it from the link below,its a trial version.
[PS:You know how to get full versions..aint it? and if not,email me,I will give you the link..afterall,Knowledge is unbounded and free]
Cheers and Keep Learning
POSTED BY XERO.ALL RIGHTS RESERVED.
and map services. You can use it to view a timeline of your search results, view a map, search for music, search for books, and perform many other specific kinds of searches. You can also use this program to use Google as a proxy.As the website itself says,Google Hacks is A compact utility for several google hacks. Although its not good as the Gooscan-a far superior tool to scan for vulnerabilities in web,its well worth a try.
Konami has launched the original Metal Gear Solid on PSN for $9.99.What Hideo Kojima created became a groundbreaking 
classic digital masterpiece by skillfully combining cinematic, fully voiced cut scenes with groundbreaking realitime 3D gameplay to deliver an all-new kind of genre that became known as tactical-espionage action. Plus, it was simply bad-ass.
The first remake,Twin Snakes was ruined. It was still a good game, but no where near as good as the original. The voice acting was all re-done and none of the actors put in as much effort, a lot of the classic lines have no impact in that version, and many of the scenes have Snake performing Spider-man style flips and jumps which appear very out of place and just silly.
Seriously, if you’ve never played this game, you gotta download this bad boy and check it out. One of the greatest games of all time. Period.Its simply deserves your time,I have played it for more than 10 times and I am still going strong for it,its that good,and no I am not a delirious fanboy of this game :P its just that good.
Play or D!* :P
[PS:Sorry for a late update,i was out of station :) ]
POSTED BY XERO.ALL RIGHTS RESERVED.SOURCE- GT AND EPICBATTLE.
A sniffer is a piece of software that captures the traffic flowing into and out of a computer attached to a network.
A sniffer attack is commonly used to grab logins and passwords that are traveling around on the network.
Sniffing can be active or passive.
Popular attack methods include man in the middle attack and session hijacking
On switched networks, MAC flooding and ARP spoofing is carried out.
DNS Spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address.
When an attacker wants to poison a DNS cache, he will use a faulty DNS - which can be his own domain running a hacked DNS server. The DNS server is termed as hacked because the IP address records are manipulated to suit the attacker's needs.
| Concept | DNS Spoofing is said to have occurred when a DNS entry points to another IP instead of the legitimate IP address. Let us see how this is done. |
Typically, a DNS Server contains the records only for the machines of the domain it has authority over. If it has to answer queries about machines outside its domain, it has to send a request to the other DNS Server which handles these machines. As frequent communication is not practical, the DNS server keeps a cache and stores in it all the replies returned by other DNS servers.
When an attacker wants to poison a DNS cache, he will use a faulty DNS - which can be his own domain running a hacked DNS server. The DNS server is termed as hacked because the IP address records are manipulated to suit the attacker's needs.
| Attack Methods | The attack methodology goes like this. The attacker sends a request to the target DNS Server asking it to resolve www.attacker.com (attacker's domain). As the target DNS does not have the pointing record in its cache, it seeks the answer from the responsible name server (which is the attacker's DNS server). While replying to the target DNS server, the hacked DNS server transfers all the records, including the manipulated records, to the target server. This process is called zone transfer. The DNS server is poisoned as long as the cache is not cleared or updated. This way, the attacker can make some records point to spoofed addresses or even remain silent and let all the traffic pass through his server. |
| Countermeasures | Countermeasures include implementing much of the anti-spoofing rules on the border routers of network. This can be as simple as not allowing anything out with a source IP address not belonging to the network or anything in with a source IP address belonging to the network. |
The next level of protection can reside on the access routers. This could also be used in order to prevent IP spoofing at its most common source. While these filters can be sometimes tricky when it comes to combining dynamic IP and 'multi-POP' static IP routing, if implemented well, these filters can completely prevent IP spoofing that originates from an access network.
This tool is a simple DNS ID Spoofer for Windows 9x/2K.
In order to use it you must be able to sniff traffic of the computer being attacked.
Usage: wds -h
Example: wds -n www.microsoft.com -i 216.239.39.101 -9 00-00-39-5c-45-3b
| This is a simple tool for spoofing the DNS ID for Windows 9x/2K. In order to use the user must be able to sniff traffic of the computer being attacked. However, it does not work in a switched network, as a switched network requires ARP Cache Poisoning tools like winarp_sk or winarp_mim. |
A personal firewall must be configured to block UDP 53 destination port to check outgoing DNS traffic in order to ensure that the DNS Server does not answer before WinDNSSpoof does. The working of WinDNSSpoof then takes care of spoofing only those packets that are required to - while the rest are allow to go through. This is made possible by specifying the MAC address of the DNS server or the default gateway in case the DNS server is in another network.
Usage: wds -h
Example: wds -n www.targetsite.com -i 216.239.39.101 -g 00-00-39-5c-45-3b
| SMAC is a Windows MAC Address Modifying Utility that allows users to change MAC address for most Network Interface Cards (NIC) on the Windows 2000, XP, and 2003 Server systems. This is irrespective of whether the manufactures of the cards permit the change. It must be noted that SMAC does not burn a new address on the hardware and the new MAC addresses the user change will sustain from reboots.. |
SMAC has 2 modes of operation: [WBEM ON] and [WBEM OFF]. If the "Windows Management Instrumentation (WMI)" service is running, it will be running on [WBEM ON] mode. Otherwise, it is on [WBEM OFF] mode. The [WBEM ON] mode shows more information. The tool also allows the user to log and track SMAC activities.
SMAC takes advantage of the NdisReadNetworkAddress function in the Microsoft Device Driver Development Kit (DDK.) NdisReadNetworkAddress(...) is called by the network adapter driver to obtain a user specified MAC address in the registry. After the driver confirms that there is a valid MAC address specified in the registry key, the driver then programs the MAC address to its hardware registers to override the burnt-in MAC address.
SMAC was designed originally as a security vulnerability testing tool for MAC address authorization and authentication systems, Intrusion Detection Systems and MAC address based software licenses testing tool. When changing MAC address, the user must ensure that they assign MAC addresses according to IANA Number Assignments database.
MAC changer is a Linux utility for setting a specific MAC address for a network interface.
It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor.
The user can also set a MAC of the same kind (e.g.: wireless card).
It offers a choice of vendor MAC list (more than 6200 items) to choose from
| MAC changer is a Linux utility for setting a specific MAC address for a network interface. It enables the user to set the MAC address randomly. It allows specifying the MAC of another vendor or setting another MAC of the same vendor. The user can also set a MAC of the same kind (e.g.: wireless card). It offers a choice of vendor MAC list (more than 6200 items) to choose from. The latest version is 1.3 and it offers more than 35 wireless cards as well. |
Usage Examples:
# macchanger eth1
Current MAC: 00:40:96:43:ef:9c [wireless] (Cisco/Aironet 4800/340)
Faked MAC: 00:40:96:43:ef:9d [wireless] (Cisco/Aironet 4800/340)
# macchanger -A eth1
Current MAC: 00:40:96:43:39:a6 [wireless] (Cisco/Aironet 4800/340)
Faked MAC: 00:10:5a:1e:06:93 (3Com, Fast Etherlink XL in a Gateway 2000)
| Iris is an advanced data and network traffic analyzer, a "sniffer", that collects, stores, organizes and reports all data traffic on the network. Iris has advanced integrated technology that allows it to reconstruct network traffic, all with a push of a button. |
Iris can reconstruct raw data in packets and turn it into complete HTTP, SMTP and POP3 sessions in their original format. The user can view both outgoing and incoming email messages, web browsing sessions, instant messenger exchanges, non-encrypted web-based email and FTP transfers. Using this, the user can set up automated screens to monitor the Web-browsing patterns of the network. With Iris, the user is able to read the actual text of an email - as well as any attachments - exactly as it was sent. Iris will reconstruct the actual html pages that network users have visited and even simulate cookies for entry into password-protected websites.
Iris provides a larger variety of statistical measurements such as pie charts and bar graphs, and provides information on protocol distribution, top hosts, packet-size distribution and bandwidth usage. Iris' Packet Editor gives the ability to create custom or spoof packets and to send them across the Internet, to specific ports or addresses, or repeatedly across the network. Iris has a fast packet injector that handles up to 9000 packets per second.
Iris can be easily configured to only capture specific data through any combination of packet filters. Packet filters can be based on the hardware or protocol layer, any number of key words, MAC or IP address, source and destination port, custom data and size of the packets
| NetIntercept from Sandstorm enterprises belongs to the category of Network Forensics Analysis Tools (NFAT) that is gaining popularity these days. Using a network forensics tool a user can spy on people's email, learn passwords, determine Web pages viewed, and even spy on the contents of a person's shopping cart. The tremendous power these forensic tools have over today's networks makes them subject to abuse. The difference is in range or depth of network monitoring. These tools can be used for full content network monitoring - not just filters. |
NetIntercept 1.2 captures LAN traffic using a standard Ethernet interface card placed in promiscuous mode and a modified UNIX kernel. The capture subsystem runs continuously, whether or not the GUI is active. NetIntercept performs stream reconstruction on demand. When the user selects a range of captured network traffic to analyze, NetIntercept assembles those packets into network connection data streams. The reconstructed streams are then presented to the NetIntercept analysis subsystem for identification and analysis. Once TCP streams are reconstructed and parsed, some of the objects that they contain need to be stored for long periods of time. Examples of such objects are web pages, files transferred by FTP, and e-mail attachments.
Besides controlling data capture and analysis, the GUI offers sophisticated search criteria. A user can find one or many network connections according to the time of day, source or destination hardware or Internet address, source or destination TCP or UDP port name or number, username associated with the connection, electronic mail sender, recipient(s) or subject header, file name or World Wide Web URI associated with the transfer, specific protocols or content types recognized in the connection's contents. Once a connection has been identified, the user can drill down to view the search criteria extracted from it
| Tools | One tool for doing this is called "macof. Dsniffs "macof" generates random MAC addresses exhausting the switch's memory. It is capable of generating 155,000 MAC entries on a switch per minute. Some switches than revert to acting like a hub. |
| Tools | Mailsnarf makes it possible to save the messages in standard mail format, so that the attacker can use just about any e-mail client to read what is captured as easily as he can read mail from his inbox. Mailsnarf reassembles and displays e-mail traffic in a legible manner, thus enabling the attacker to read other users' e-mail in real time. |
| Tools | urlsnarf is a tool for monitoring Web traffic. urlsnarf grabs all the HTTP requests from the captured network traffic and outputs the results in the Common Log Format (CLF), as used by Web servers such as Apache or IIS. |
| Tools | The webspy package (webspy.exe) is a hacking tool. By the usage webspy 111.111.111.111 the program intercepts all HTTP traffic to and from the IP addresses 111.111.111.111 and passes it off to a local browser. This will open Netscape or IE and the traffic sent to the attacker's browser will match that of the target. He can then follow targets around as they surf the net. However, Webspy won't follow targets over ssl connection or reveal information entered into form fields (like passwords). |
| Attack Methods | How does an attacker exploit this vulnerability using a tool such as dsniff? The attacker will use webmitm and sshmitm tools from the dsniff package for attacking HTTPS or SSH. |
Attackers position themselves between two systems and actively participate in the connection to gather data. The attacker may also run the dnsspoof program configured to send false DNS information so that a DNS query for a given website will resolve to the attacker's IP address. Then the attacker will activate webmitm program such that it will transparently proxy all HTTP and HTTPS traffic it receives.
The DNS spoof program detects DNS request for www.website.com and redirects the client to attacker's machine. The ARP table convinces the victim's machine that it is indeed talking to the intended web server. The victim's browser starts to establish a secure connection.
All messages for establishing SSL connection are sent to webmitm running on the attacker's machine. webmitm acts as a SSL proxy, establishing two SSL connections - one from victim to the attacker's machine and the other from attacker's machine to the actual web server. When establishing the SSL session between the victim machine and the attacker machine, webmitm will send the attacker's own certificate.
The victim's browser will notice that the certificate is not signed by a trusted Certificate Authority and show a message to the user asking the user whether to accept this un-trusted certificate or not. The normal tendency is to accept it, thinking it is some error message.
---Regards,
A possible way to sniff information would be to control an ARP table of a computer. ARP spoofing involves changing the MAC to IP address entries, causing traffic to be redirected from the legitimate system to an unauthorized system of the attacker's choice.
This is achieved by sending out a forged ARP packet to the target system, telling it that its default gateway has changed to the attacker's system. This way, whenever the target system sends traffic on the network, it will send it to the attacker's system first, which then forwards the packet on to its original destination as if nothing ever happened.
| Attack Methods | Let us take a closer look at the attack methodology. There are switches that are not foiled by MAC flooding. These switches stop storing new MAC addresses once their memory reaches a given limit. In this scenario, an attacker can use DSniff's tool called arpspoof. arpspoof allows an attacker to manipulate ARP traffic on a LAN by redefining the ARP table. |
Usually, such attempts are preceded by the scanning and enumeration phases where the attacker draws up a map of the network and discovers the network topology. Looking at the network topology the attacker can decipher the IP address of the default router for the LAN. He then sets up the attack by configuring the IP layer of the attacker's machine to forward any packet it receives from the LAN to the IP address of the default router (IP forwarding). The next step in the attack is sending the fake ARP replies to the victim's machine.
This ARP changes the victims ARP table by remapping the default router's IP (layer 3) to attacker own MAC address (layer2). The victim machine sends the data, forwarding it to what it thinks is the default router (but unknowingly using the attackers MAC address).
The attacker sniffs the information using any kind of sniffing tool. The attacker's machine will promptly forward the victim's traffic to default router on the LAN. Upon reaching the default router the traffic is transmitted to the outside world. The attacker is now sniffing in a switched environment.
SSL connection uses a session key to encrypt all data sent by server and client.
SSH is based on the public key encryption idea.
With SSH a session key is transmitted in an encrypted fashion using a public key stored on the server.
As such, these protocols - SSL and SSH are sound from a security standpoint. The problem however lies in the basis of these protocols - namely trust certificates and public keys.
One of the precautionary measures advocated to check information leakage by sniffing, is to use a secure protocol. While the S's in HTTPS, SSL and SSH stands for secure, the underlying basis of this is a trust relationship between public keys.
When an HTTPS connection is established, the server sends a certificate which the browser verifies. This certificate is like a digital driver's license identifying the Web server - that, it is indeed who it claims to be. This is endorsed by a certification authority by placing its digital signature on the certificate.
The browser on its part verifies the signature on the certificate to ensure that it is authentic and to verify server's identity. If the certificate was signed by a trusted Certificate Authority, an SSL connection will be established. Now, an SSL connection uses a session key to encrypt all data sent by server and client.
On the other hand, SSH does not support digital certificates though it is based on the public key cryptography. With SSH, a session key is transmitted in an encrypted fashion using a public key stored on the server. As such, these protocols SSL and SSH are sound from a security standpoint. The problem however lies in the basis of these protocols, namely trust certificates and public keys.
For SSL, if a web server sends the browser a certificate and if the browser does not recognize the certificate, it will prompt the user for his consent/approval to accept the certificate. For SSH the user will be warned that server's public key has changed. Nevertheless, he will still be permitted to establish connection to the server, thereby exposing him to attacks. Let us see how dsniff can be used by crackers to exploit this aspect.
A packet sniffer is seldom the only tool used for an attack. This is because a sniffer can work only in a common collision domain. A common collision domain is a network segment that is not switched or bridged (i.e. connected through a hub). Any traffic that is not switched or bridged on a network segment can be seen by all machines on that segment. As sniffers gather packets at Data Link Layer it can potentially grab all the packets on the LAN of the machine running the Sniffer program.
This is because on a network with a hub implements a broadcast medium shared by all systems on the LAN. Any data sent across the LAN is actually sent to each and every machine connected to the LAN. If an attacker runs a Sniffer on one system on LAN, he can gather data sent to and from any other system on the LAN. Majority of the Sniffer tools are ideally suited to sniff data in a hub environment. These tools are called passive sniffers as they passively wait for the data to be sent and capture them. They are efficient in silently gathering the data from the LAN.
| Note | In passive sniff ing, the intruder gets access to the network by any of the following methods.
|
One countermeasure against passive sniffing is to replace the network hub with a switch. Unlike a hub based network, switched ethernet does not broadcast all information to all systems on the LAN. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target.
In other words, the main difference between a switch and hub is that while a hub has no mapping, and thus broadcasts line data to every port on the device, a switch looks at the MAC address associated with each frame passing through it and sends the data to the required connection on the switch.
The switch thereby limits the data that a passive sniffer can gather. If there is a passive sniffer activated on a switched LAN, the sniffer will only be able to see data going to and from one machine - i.e. the system on which it is installed.
However, it must be noted that the development of switched networks was driven by the need for more bandwidth, and not for the need of more secure networks. Since the evolution was not driven by security needs, there are ways to circumvent this network posture and sniff the traffic.
So how does an attacker sniff on a switched LAN? The sniffers for a switched LAN actively inject traffic into the LAN to enable sniffing of the traffic. Hence the term 'active sniffing'. Some of the methods used in the attack include ARP Spoofing, MAC Flooding and MAC Duplicating etc.
EtherFlood floods a switched network with Ethernet frames with random hardware addresses.
The effect on some switches is that they start sending all traffic out on all ports so that the attacker is able to sniff all traffic on the network.
In a switched network, the ARP table ensures that IP addresses are mapped to MAC addresses . However, this does not stop sniffing, as we see in ARP Spoofing. One way to sniff in a switched network is to convert the functionality of a switch to that of a hub.
In other words, to make a switch change its default directed output to broadcast method . One way of accomplishing this is to foil the switch by flooding the network with too many frames. When this happens, some switches become unable to perform the IP to MAC mappings and then "fail out" to broadcasting.
| Tools | EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending all traffic out on all ports so that sniffing of the switched network traffic is possible. |
dsniff is a collection of tools for network auditing and penetration testing.
dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching).
sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
| dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). |
Written by Dug Song, this collection of tools (bundled with the main dsniff utility) has certain unique functionality. However, they can be categorized as having similar baseline functionality. In general, the tools dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy can be used to sniff on a compromised host behind a firewall and look for interesting content.
These tools can be put to good use by network administrators or be used to obtain sensitive information such as login information that is sent in the clear or is weakly encrypted. These tools can also auto detect various messaging protocols (about 30 are included) when dsniff is launched with the "-m" option.
urlsnarf is capable of intercepting all http requests from the network it is deployed on, and formatting them into the Common Log Format (CLF) used by MS IIS and Apache. This makes it possible to conduct a log analysis by using suitable programs to interpret the results obtained from urlsnarf. urlsnarf is hard-coded to listen on ports 80 (where clear text http resides) as well as port 3128 (MS-proxy) and 8080 (generic proxy).
arpspoof, dnsspoof, and macof work on the interception of switched network traffic that is usually unavailable to a sniffer program due to the segment switching that occurs at the ISO layer 2 level. sshmitm and webmitm implement active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
