This post (and probably the following ones) is a result of my latest work – teaching Information Security at “Shenkar”.
The driftnet utility has a well-earned reputation as an intrusive tool: it pulls images straight out of other people's traffic and puts them on screen, which makes it great for showing my students what can be grabbed off the network with almost no effort. And you know – a picture is worth a thousand words… So using driftnet is great, especially when it's coupled with a backgrounded tcpdump using a simple filter. But let's talk about driftnet first:
The default driftnet package is compiled without HTML (text) output support, although the sources contain everything needed except a switch to enable it. So, to enable HTML output, either change this line in driftnet.c
enum mediatype extract_type = m_image;
enum mediatype extract_type = m_image | m_text;
(m_text is what makes driftnet print the HTTP requests it sees), or, better, add a '-t' option so the text output can be toggled at runtime; the commands below assume that switch exists. Also, to reduce useless HTML output you might want to add this ugly hack to http.c (under dispatch_http_req):
if (memstr(p, len - (p - data), "\r\nAccept: */*", 13)) return;
I know this is a bad hack: it silently drops every request whose Accept header starts with */* (the 13 is the length of the string being searched for), but in practice that cuts down most of the useless info embedded in HTML pages.
One last fix to driftnet is removing the last 'xfree(tmpdir);', whose purpose I didn't investigate (it is probably there because of one of the patches I applied from here).
(Another patch I always add is to maximize the GTK window, but it's optional of course; it's just a matter of adding 'gtk_window_maximize(window);' to display.c.)
OK, so once you have a patched driftnet which also sniffs HTTP requests, let's fire it up:
driftnet -t -i wlan0
You should know by now that '-i' selects the interface to capture on. Usually this is redundant, since driftnet picks a default interface itself when -i is omitted.
That was simple enough. But this gives way too much info on a busy LAN. Let's filter out all the traffic from our own computer (assuming our IP is 10.0.0.1):
driftnet -v -t "not src or dst host 10.0.0.1"
The quoted string is a pcap filter expression: driftnet hands whatever follows its options to libpcap, so this one tells it to ignore packets sent to or from 10.0.0.1. "src or dst host" is just the long form of "host", so "not host 10.0.0.1" does exactly the same thing.
If we want to sniff only a specific target (assuming our target is 10.0.0.1) we use:
driftnet -v -t "host 10.0.0.1 and port 80"
I hope you get the idea. You can customize the filter to your liking.
Now let's run tcpdump with a simple password filter. -A prints each packet's payload as ASCII, -s 0 captures whole packets instead of the default snaplen (so long form posts aren't truncated), -l line-buffers stdout so grep shows matches as they arrive, and -n avoids reverse DNS lookups:
tcpdump -Avne -s 0 -l | grep -i pass
Which can also be achieved with ettercap's text interface, using its regex option so that only packets matching the expression are displayed:
ettercap -T -e "pass|username"
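"grep -i pass" shows the idea but misses a lot: Basic-auth credentials are base64, form logins use field names like "username", and FTP/POP3 send USER/PASS with no "pass" in the password line. The script below is an added example, not code from the original post or from tcpdump's authors. It reads the ASCII stream that "tcpdump -n -A -l" prints and reports each credential together with the flow it was seen in. The capture it is run over is a constructed excerpt in tcpdump's text format with made-up hosts and passwords; the only tools assumed are POSIX sh, grep, sed, tr and base64 from coreutils.

```sh
#!/bin/sh
# Added example, not part of the original post: a credential filter for the
# ASCII stream printed by `tcpdump -n -A -l`, a bit smarter than `grep -i pass`.
# It reports HTTP Basic credentials (decoded from base64), login-looking fields
# in url-encoded POST bodies, and clear-text FTP/POP3 USER/PASS commands, and
# prefixes each finding with the flow it was seen in.

# extract_creds: read tcpdump -A text on stdin, print one finding per line as
#   <KIND> <src.port> > <dst.port> <detail>
extract_creds() {
    flow="?"
    # drop the CR that HTTP/FTP/POP3 lines carry so the patterns anchor cleanly
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in
            *' > '*': Flags ['*)
                # tcpdump packet header: remember which flow the payload belongs to
                flow=$(printf '%s\n' "$line" \
                    | grep -oE '[0-9]+(\.[0-9]+){4} > [0-9]+(\.[0-9]+){4}' | head -n 1)
                ;;
            'Authorization: Basic '*)
                b64=${line#Authorization: Basic }
                # invalid base64 makes base64 -d fail; fall back to the raw token
                dec=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || dec=$b64
                printf 'HTTP-BASIC %s %s\n' "$flow" "$dec"
                ;;
            'USER '*|'PASS '*)
                printf 'FTP/POP3 %s %s\n' "$flow" "$line"
                ;;
            *=*)
                # url-encoded form body: keep only fields that look like a login
                printf '%s\n' "$line" | tr '&' '\n' \
                    | grep -iE '^(user|username|login|email|pass|passwd|password)=' \
                    | while IFS= read -r field; do
                        printf 'FORM %s %s\n' "$flow" "$field"
                      done
                ;;
        esac
    done
}

# sample_capture: a constructed excerpt of what `tcpdump -n -A -l` prints for a
# form login, a Basic-auth request and an FTP login (fake hosts and passwords).
sample_capture() {
cat <<'EOF'
12:00:01.000000 IP 10.0.0.5.51234 > 10.0.0.1.80: Flags [P.], seq 1:231, ack 1, win 502, length 230: HTTP: POST /login HTTP/1.1
E.....@.@..
POST /login HTTP/1.1
Host: intranet.example
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

username=alice&password=s3cret&go=1
12:00:02.000000 IP 10.0.0.7.43210 > 10.0.0.1.80: Flags [P.], seq 1:120, ack 1, win 502, length 119: HTTP: GET /admin/ HTTP/1.1
E..w..@.@...
GET /admin/ HTTP/1.1
Host: intranet.example
Authorization: Basic Ym9iOmh1bnRlcjI=

12:00:03.000000 IP 10.0.0.9.40000 > 10.0.0.2.21: Flags [P.], seq 1:12, ack 1, win 502, length 11: FTP: USER carol
E..3..@.@...
USER carol
12:00:03.500000 IP 10.0.0.9.40000 > 10.0.0.2.21: Flags [P.], seq 12:27, ack 5, win 502, length 15: FTP: PASS letmein
E..7..@.@...
PASS letmein
EOF
}

# demo: run the filter over the constructed capture
demo() {
    sample_capture | extract_creds
}

case "${1:-}" in
    --demo)  demo ;;          # sh creds.sh --demo
    --stdin) extract_creds ;; # tcpdump -n -A -l -s 0 -i wlan0 | sh creds.sh --stdin
esac
```

Run it live with "tcpdump -n -A -l -s 0 -i wlan0 'port 80 or port 21 or port 110' | sh creds.sh --stdin"; the demo mode prints the five findings from the constructed capture (two form fields, one decoded Basic-auth pair, and the FTP USER and PASS lines), each tagged with the source and destination of the flow that carried it.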
And that's it. This is usually enough to show what an unencrypted network (open Wi-Fi, plain HTTP, FTP, POP3) leaks. Most of the time my students won't like what they see.