Sniffing & Spoofing

Tags: sniffing, spoofing, arp, dns, password, nfs, ssh, http, tcp

dsniff

dsniff is a suite of tools for sniffing network traffic to detect cleartext insecurities. It includes utilities to sniff passwords, forge DNS replies, intercept ARP, and perform man-in-the-middle attacks on SSH and HTTP/HTTPS.

Description

The dsniff package provides tools designed to listen to and manipulate network traffic, exposing cleartext insecurities in protocols such as FTP, Telnet, HTTP, POP, and others. They are useful for security testing on local networks, identifying weak authentication mechanisms, and demonstrating the risks of unencrypted communication. Within the suite, dsniff itself sniffs passwords, filesnarf extracts files from NFS traffic, and urlsnarf logs HTTP URLs.

Use cases include penetration testing switched LANs, auditing for plaintext credentials, and educational demonstrations of network vulnerabilities. arpspoof enables ARP poisoning to intercept traffic, while sshmitm and webmitm facilitate monkey-in-the-middle attacks. The suite requires careful use, as noted by the warning not to abuse this software.

All tools operate on captured packets via libpcap, supporting live interfaces or pcap files, with version 2.5a2 providing options for filtering, verbose output, and protocol-specific behaviors.

How It Works

dsniff tools use libpcap for packet capture on live interfaces or from pcap files and reassemble TCP streams for half-duplex analysis. They recognize cleartext protocols either by well-known port, using /etc/services or a custom services file, or by inspecting packet contents directly and ignoring the port mapping. Techniques include ARP spoofing to redirect traffic, forged DNS replies driven by a hosts file, MAC flooding to overload switch forwarding tables, and MITM proxying of SSH and HTTP/HTTPS to capture credentials and content in real time.
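The ARP poisoning described above leaves a recognisable trace on the wire: an IP address that was answered by one MAC is suddenly answered by another. The following detector, added here as an example and not part of dsniff or the kali.org page, parses raw Ethernet/ARP frames and flags such rebindings; the MAC and IP values and the `arp_reply_fixture` helper are constructed test data, never sent on a network.

```python
import socket
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) if the frame is an ARP reply, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    if op != ARP_REPLY:
        return None
    return mac_str(sha), socket.inet_ntoa(spa)

def detect_rebinding(frames, trusted=None):
    """Flag replies that bind an IP to a MAC other than the first one seen
    (or than a pre-seeded trusted table). Returns (frame_no, ip, old_mac, new_mac)."""
    bindings = dict(trusted or {})       # ip -> mac
    alerts = []
    for n, frame in enumerate(frames):
        hit = parse_arp_reply(frame)
        if hit is None:
            continue
        mac, ip = hit
        if ip not in bindings:
            bindings[ip] = mac
        elif bindings[ip] != mac:
            alerts.append((n, ip, bindings[ip], mac))
    return alerts

def arp_reply_fixture(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed sample frame for exercising the detector offline (never transmitted)."""
    eth = ETH.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, socket.inet_aton(sender_ip),
                   target_mac, socket.inet_aton(target_ip))
    return eth + arp

# Constructed scenario: the gateway 192.0.2.1 answers from GW_MAC, then a second
# host (EVIL_MAC) claims the same IP, which is the pattern ARP poisoning produces.
GW_MAC, EVIL_MAC, VICTIM_MAC = b"\x00\x11\x22\x33\x44\x01", b"\xde\xad\xbe\xef\x00\x01", b"\x00\x11\x22\x33\x44\x09"
SAMPLE_FRAMES = [
    arp_reply_fixture(GW_MAC, "192.0.2.1", VICTIM_MAC, "192.0.2.9"),
    arp_reply_fixture(VICTIM_MAC, "192.0.2.9", GW_MAC, "192.0.2.1"),
    arp_reply_fixture(EVIL_MAC, "192.0.2.1", VICTIM_MAC, "192.0.2.9"),
]

if __name__ == "__main__":
    for n, ip, old, new in detect_rebinding(SAMPLE_FRAMES):
        print(f"frame {n}: {ip} moved from {old} to {new}")
```

Seeding `trusted` with the gateway's real MAC (for example from a switch's port table) catches a poisoned first reply that the learn-on-first-sight mode would accept.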

Installation

```bash
sudo apt install dsniff
```

Flags

| Flag | Description |
|---|---|
| -i interface | Capture on the specified network interface |
| -p pcapfile | Read packets from a pcap file |
| -c | Half-duplex TCP stream reassembly (dsniff) |
| -v | Verbose output; show duplicates or banners |
| -d | Enable debugging mode |
| -f services | Use a custom services file (dsniff) |
| -s snaplen | Set the snapshot length (dsniff) |

Examples

Intercept packets on a switched LAN using ARP spoofing:

```bash
arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
```

Forge replies to arbitrary DNS address/pointer queries on the LAN:

```bash
dnsspoof [-i interface] [-f hostsfile] [expression]
```

Sniff passwords on the eth0 interface with half-duplex TCP stream reassembly, writing output to log.txt (the flag is lowercase -c):

```bash
dsniff -i eth0 -c >log.txt
```

Save selected files sniffed from NFS traffic:

```bash
filesnarf [-i interface | -p pcapfile] [[-v] pattern [expression]]
```

Sniff mail on the LAN and store it in mbox format:

```bash
mailsnarf [-i interface | -p pcapfile] [[-v] pattern [expression]]
```

Output URLs sniffed from HTTP traffic in Common Log Format (CLF):

```bash
urlsnarf [-n] [-i interface | -p pcapfile] [[-v] pattern [expression]]
```

Perform an SSH monkey-in-the-middle to proxy and sniff traffic:

```bash
sshmitm [-d] [-I] [-p port] host [port]
```
Updated 2025-Dec-09. Source: kali.org