From charlesreid1

Overview

What is dsniff?

dsniff is a tool for sniffing plaintext traffic and extracting "goodies" from it. There is an entire suite of sniffing/snarfing tools designed to work with dsniff to extract various types of information (passwords, images, emails, URLs, etc.).

dsniff can only sniff plaintext traffic, not encrypted traffic. That means that as SSL-protected communications have become much more common in modern browsers, websites, and networks in the past 15 years, the usefulness of dsniff on its own has diminished.

But because SSL will never be implemented everywhere, and because SSL itself has weaknesses, there are other tools to attack and remove the SSL layer, which makes communications vulnerable to dsniff.
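The point that dsniff only works on plaintext is also what a defender audits for: where on the network are credentials still being sent in the clear? Below is an added Python example (it is not from the dsniff project or from this page's author) that walks through constructed captured TCP segments, skips anything that looks like a TLS record, and reports cleartext HTTP Basic and FTP logins, naming the account but never the password. The addresses, hostnames and credentials are made up for the example; the regular expressions and the TLS-record heuristic are this example's own assumptions, not dsniff's logic.

```python
import base64
import re

# Constructed sample of captured TCP segments as (src_ip, dst_ip, dst_port, payload).
# Every address, hostname and credential here is made up for the example.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "10.0.0.20", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
     b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("10.0.0.5", "10.0.0.21", 21, b"USER bob\r\n"),
    ("10.0.0.5", "10.0.0.21", 21, b"PASS s3cret\r\n"),
    # First bytes of a TLS record (type 0x16, version 3.x): opaque to a plaintext sniffer.
    ("10.0.0.5", "10.0.0.22", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("10.0.0.5", "10.0.0.23", 80, b"GET / HTTP/1.1\r\nHost: public.example\r\n\r\n"),
]

# Header lines end in \r\n, so the patterns anchor on the line start only.
BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.M | re.I)
FTP_USER_RE = re.compile(rb"^USER[ \t]+(\S+)", re.M)
FTP_PASS_RE = re.compile(rb"^PASS[ \t]+\S+", re.M)


def is_tls_record(payload):
    """Heuristic (an assumption of this example): a TLS record starts with a content
    type byte 0x14-0x17 followed by a version of 0x03 0x00..0x04."""
    return (len(payload) >= 3
            and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03, 0x04))


def audit_cleartext_credentials(segments):
    """Walk captured segments in order and report every cleartext credential exposure.
    A finding names the service, endpoints and account; the password is never recorded."""
    ftp_users = {}   # (src, dst) -> last USER seen on that FTP control connection
    findings = []
    for src, dst, port, payload in segments:
        if is_tls_record(payload):
            continue  # encrypted: nothing for a plaintext sniffer to extract
        m = BASIC_RE.search(payload)
        if m:
            try:
                user = base64.b64decode(m.group(1), validate=True).split(b":", 1)[0]
                user = user.decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError
                user = "<undecodable>"
            findings.append({"service": "http-basic", "src": src,
                             "dst": f"{dst}:{port}", "user": user})
            continue
        m = FTP_USER_RE.search(payload)
        if m:
            ftp_users[(src, dst)] = m.group(1).decode("utf-8", "replace")
            continue
        if FTP_PASS_RE.search(payload):
            findings.append({"service": "ftp", "src": src,
                             "dst": f"{dst}:{port}", "user": ftp_users.get((src, dst))})
    return findings


if __name__ == "__main__":
    for finding in audit_cleartext_credentials(SAMPLE_SEGMENTS):
        print(finding)
```

On the sample data this reports the HTTP Basic login to 10.0.0.20:80 as user alice and the FTP login to 10.0.0.21:21 as user bob, and says nothing about the TLS segment; the output is a list of services that still need moving behind TLS, which is the mitigation the surrounding text implies.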

How to use dsniff?

dsniff can be used in offline mode (pulling information from pcap files) or online mode.

To use dsniff to sniff live traffic, the machine running dsniff must be able to see the victim machine's traffic unencrypted. (To eavesdrop with dsniff alone, the attacker does not have to control the traffic, just see it. To use dsniff alongside tools that actually modify the traffic, the machine running dsniff must also control the traffic passing to and from the victim.)

An attacker can view or control traffic to a victim by using a man-in-the-middle (MITM) attack. There are many types of MITM attacks, but one example is an ARP spoofing attack, where the attacker sits between the network gateway and the victim, tricks the gateway into thinking it is the victim, and tricks the victim into thinking it is the gateway.

Again, encrypted traffic is not visible to dsniff, so if the communications layer is protected with SSL, an SSL-stripping attack is needed in addition to the MITM attack, to strip the SSL layer. Then dsniff can see the traffic.
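ARP spoofing of the kind described above leaves a signature a defender can watch for: the gateway's IP suddenly answers from a different MAC, and one MAC ends up claiming both the gateway's and the client's IPs. The following is an added Python example (not part of this page or of the dsniff suite) that replays constructed ARP reply observations through a simple IP-to-MAC table and raises those two alerts. The addresses, MACs and timestamps are invented; the `trusted` parameter is a hypothetical way to pin known pairs such as the gateway ahead of time.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies as a defender's sensor might log them:
# (seconds since capture start, sender_ip, sender_mac). All values are made up.
GATEWAY_IP = "192.168.1.1"
SAMPLE_ARP_REPLIES = [
    (0.0,  "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (0.5,  "192.168.1.10", "bb:bb:bb:bb:bb:10"),
    (30.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (60.0, "192.168.1.1",  "cc:cc:cc:cc:cc:99"),  # gateway IP now claimed by a new MAC
    (60.1, "192.168.1.10", "cc:cc:cc:cc:cc:99"),  # same MAC also claims the client's IP
    (61.0, "192.168.1.1",  "cc:cc:cc:cc:cc:99"),
]


def detect_arp_spoof(replies, gateway_ip, trusted=None):
    """Replay ARP replies through an IP->MAC table and return (time, severity, message) alerts.

    Two signals are raised:
      1. an IP changes MAC (high severity when it is the gateway, medium otherwise);
      2. one MAC claims more than one IP, which is what a host impersonating both the
         gateway and the victim looks like on the wire.
    `trusted` (hypothetical) pre-populates the table with known IP->MAC pairs.
    """
    table = dict(trusted or {})
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)

    alerts = []
    for t, ip, mac in replies:
        old = table.get(ip)
        if old is not None and old != mac:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((t, severity, f"{ip} moved from {old} to {mac}"))
            ips_by_mac[old].discard(ip)
        table[ip] = mac
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        # Alert only when the set of IPs behind this MAC actually grows past one,
        # so repeated replies from the same spoofing host do not spam the log.
        if len(ips_by_mac[mac]) > 1 and len(ips_by_mac[mac]) > before:
            alerts.append((t, "high",
                           f"{mac} claims multiple IPs: {sorted(ips_by_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(alert)
```

The sensor has the same visibility requirement the text gives the attacker: it must sit where it sees the segment's ARP traffic. Static ARP entries for the gateway on endpoints, or Dynamic ARP Inspection on managed switches, prevent the spoof rather than merely detect it.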


Tools

Dsniff Suite of Tools

dsniff can be used with other analysis tools to extract particular types of content from the traffic stream:

  • filesnarf – saves selected files sniffed from NFS traffic.
  • msgsnarf – records selected messages from various instant messengers.
  • mailsnarf – sniffs mail on the LAN and stores it in mbox format.
  • urlsnarf – outputs selected URLs sniffed from HTTP traffic.
  • webspy – sends URLs sniffed from a client to your local browser.

Additionally, dsniff comes with other tools that can be used to carry out a MITM attack so that dsniff can see the traffic:

  • arpspoof – sends out unrequested (and possibly forged) ARP replies.
  • dnsspoof – forges replies to arbitrary DNS address / pointer queries on the local area network.
  • macof – floods the local network with random MAC addresses.
  • sshmitm – SSH monkey-in-the-middle; proxies and sniffs SSH traffic.
  • sshow – SSH traffic analyser.
  • tcpkill – kills specified in-progress TCP connections.
  • tcpnice – slows down specified TCP connections via "active" traffic shaping.
  • urlsnarf – outputs selected URLs sniffed from HTTP traffic (also listed above).
  • webmitm – HTTP / HTTPS monkey-in-the-middle; transparently proxies.

In the case of SSL-encrypted traffic, attempt to strip the SSL layer using:

Installing

# apt-get install dsniff

That will install all of the utilities above.

References

https://www.monkey.org/~dugsong/dsniff/


Dsniff/PlasticForkGuide_HackBB

https://www.soldierx.com/tutorials/Sniffing-Various-Passwords-MITM-DSNIFF-and-SSL-Strip

Flags