The DSniff project is comprised of the following tools that aid network auditing and penetration testing: dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.).
arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
I wrote these tools with honest intentions - to audit my own network, and to demonstrate the insecurity of most network application protocols. Please do not abuse this software.
redirect packets from a target host (or all hosts) on the LAN intended for another local host by forging ARP replies. this is an extremely effective way of sniffing traffic on a switch. kernel IP forwarding (or a userland program which accomplishes the same, e.g. fragrouter :-) must be turned on ahead of time.
forge replies to arbitrary DNS address / pointer queries on the LAN. this is useful in bypassing hostname-based access controls, or in implementing a variety of man-in-the-middle attacks (HTTP, HTTPS, SSH, Kerberos, etc).
password sniffer. handles FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL auth info.
dsniff automatically detects and minimally parses each application protocol, only saving the interesting bits, and uses Berkeley DB as its output file format, only logging unique authentication attempts. full TCP/IP reassembly is provided by libnids(3) (likewise for the following tools as well).
saves selected files sniffed from NFS traffic in the current working directory.
flood the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). a straight C port of the original Perl Net::RawIP macof program.
a fast and easy way to violate the Electronic Communications Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs selected messages sniffed from SMTP and POP traffic in Berkeley mbox format, suitable for offline browsing with your favorite mail reader (mail -f, pine, etc.).
record selected messages from sniffed AOL Instant Messenger, ICQ 2000, IRC, and Yahoo! Messenger chat sessions.
SSH monkey-in-the-middle. proxies and sniffs SSH traffic redirected by dnsspoof(8), capturing SSH password logins, and optionally hijacking interactive sessions. only SSH protocol version 1 is (or ever will be) supported - this program is far too evil already.
kills specified in-progress TCP connections (useful for libnids-based applications which require a full TCP 3-whs for TCB creation).
slow down specified TCP connections via "active" traffic shaping. forges tiny TCP window advertisements, and optionally ICMP source quench replies.
output selected URLs sniffed from HTTP traffic in CLF (Common Log Format, used by almost all web servers), suitable for offline post-processing with your favorite web log analysis tool (analog, wwwstat, etc.).
HTTP / HTTPS monkey-in-the-middle. transparently proxies and sniffs web traffic redirected by dnsspoof(8), capturing most "secure" SSL-encrypted webmail logins and form submissions.
sends URLs sniffed from a client to your local Netscape browser for display, updated in real-time (as the target surfs, your browser surfs along with them, automagically). a fun party trick.
· Berkeley DB
What's New in This Release: [ read full changelog ]
· Add VRRP parsing to dsniff, from Eric Jackson .
· Require pcap filter argument for tcpkill, tcpnice.
· Add Microsoft PPTP MS-CHAP (v1, v2) parsing to dsniff, based on anger.c by Aleph One .
· Fix pcAnywhere 7, 9.x parsing in dsniff.
· Add -t trigger[,...] flag to dsniff, to specify individual triggers on the command line.
· Convert most everything to use new buf interface.
· New programs: dnsspoof, msgsnarf, sshmitm, webmitm.
· Fix inverted regex matching in *snarf programs.
· Consistent arpspoof, macof, tcpnice, tcpkill output.
· Rename arpredirect to arpspoof (maintain consistent *sniff, *snarf, *spoof, *spy nomenclature).
· Consistent pcap filter argument to dsniff, *snarf programs.
· Add trigger for Checkpoint Firewall-1 Session Authentication Agent (261/tcp), as suggested by Joe Segreti .
· Add SMTP parsing to dsniff, as requested by Denis Ducamp .
· Add rexec and RPC ypserv parsing to dsniff, as requested by Oliver Friedrichs .
· Add HTTP proxy auth parsing back to dsniff, it got lost in the shuffle. Reported by Denis Ducamp .
· Add NNTPv2 and other AUTHINFO extensions to dsniff.