Driftnet – A picture is worth a thousand words

This post (and probably the following ones) is a result of my latest work – teaching Information Security at “Shenkar”.

The driftnet utility is known for its very malicious behaviour, and as such it's a great tool to demonstrate to my students what type of information can be easily grabbed off the network. And you know – a picture is worth a thousand words… So using driftnet is great, especially when it's coupled with a backgrounded tcpdump using a simple filter. But let's talk about driftnet first:

The default driftnet package is compiled without HTML output support, although the sources contain all that is needed (except for a switch to enable it…). So, to enable HTML output, either change the line in driftnet.c
from

enum mediatype extract_type = m_image;

to

enum mediatype extract_type = m_image | m_text;

or, the better option, add a ‘-t’ switch so you can toggle it. Also, to reduce useless HTML output you might want to add this ugly hack to http.c (under dispatch_http_req):

if (memstr(p, len - (p - data), "\r\nAccept: */*", 13)) return;

I know this is a bad hack, but it cuts down most of the useless info embedded in HTML pages.
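To show what that one-liner actually decides (and what it misses), here is an added example, not driftnet's own code: a re-implementation of the memstr() helper it relies on, the same header test as a function, and a few constructed requests. Note that the match is byte-exact, so a header with different case or spacing is not skipped.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

// Assumed re-implementation of driftnet's memstr() helper (not the project's
// code): a NUL-safe substring search, since packet payloads are not C strings.
static const unsigned char *memstr(const unsigned char *haystack, size_t hlen,
                                   const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(haystack + i, needle, nlen) == 0)
            return haystack + i;
    return NULL;
}

// The decision made by the one-line hack in dispatch_http_req(): 1 means
// "skip this request" (it carries a generic Accept header), 0 means keep it.
// 'data' is the start of the captured request, 'len' its length, 'p' the
// position the scan starts from.
int skip_request(const unsigned char *data, size_t len, const unsigned char *p)
{
    static const unsigned char needle[] = "\r\nAccept: */*";
    // sizeof needle - 1 is the 13 hard-coded in the hack above.
    return memstr(p, len - (size_t)(p - data), needle, sizeof needle - 1) != NULL;
}

// Convenience wrapper for NUL-terminated sample requests, scanning from the start.
int skip_request_str(const char *req)
{
    const unsigned char *d = (const unsigned char *)req;
    return skip_request(d, strlen(req), d);
}

// Constructed sample requests (not captured traffic).
static const char REQ_GENERIC[] =
    "GET /favicon.ico HTTP/1.1\r\nHost: example.com\r\nAccept: */*\r\n\r\n";
static const char REQ_IMAGE[] =
    "GET /photo.jpg HTTP/1.1\r\nHost: example.com\r\nAccept: image/png,image/*;q=0.8\r\n\r\n";
static const char REQ_LOWER[] =   // same header in lower case: the hack does not match it
    "GET /favicon.ico HTTP/1.1\r\nHost: example.com\r\naccept: */*\r\n\r\n";

int main(void)
{
    printf("generic: %d  image: %d  lowercase: %d\n",
           skip_request_str(REQ_GENERIC), skip_request_str(REQ_IMAGE),
           skip_request_str(REQ_LOWER));
    return 0;
}
```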
One last fix to driftnet is removing the last ‘xfree(tmpdir);’; I didn't investigate why it is there in the first place (probably due to one of the patches I applied from here).
(Another patch I always add is to maximize the GTK window, but it's optional of course – it's just a matter of adding ‘gtk_window_maximize(window);’ to display.c.)

OK, so once you have a patched driftnet which also sniffs HTTP requests, let's fire it up:
driftnet -t -i wlan0

You should know by now that ‘-i’ selects which network interface to use. Usually this is redundant.
That was simple enough. But this gives way too much info on a busy LAN. Let's filter out all the traffic from our own computer (assuming our IP is 10.0.0.1):
driftnet -v -t "not src or dst host 10.0.0.1"

The quoted string is a pcap filter which driftnet applies when sniffing the network, telling driftnet to exclude packets from or to 10.0.0.1.
If we want to sniff only a specific target (assuming our target is 10.0.0.1), we use:
driftnet -v -t "host 10.0.0.1 and port 80"

I hope you get the idea. You can customize the filter to your liking.
Now let's run tcpdump with a simple password filter (‘-l’ line-buffers tcpdump's output so grep sees each packet as it arrives, and ‘-s 0’ captures whole packets):
tcpdump -lAvne -s 0 | grep -i pass

which can also be achieved with
ettercap -T -e "pass|username"

And that's it. This is usually enough for unsecured networks. Most of the time my students won't like what they see.
