Here are some useful techniques for getting info out of the LAN you're sniffing.
If you want to log packets you see in a file using the tools already covered, the process is actually somewhat standardized. If you are running p0f to fingerprint operating systems on the network, you can log results with the -o option.
If you would rather dump all packets to a file similar to the way you would with tcpdump (see Chapter 18), you can give p0f the -w (write packets) option:
[lou@duodenum] p0f -w session.pcap
The same holds true for dsniff; you can write packets to a file using the -w option:
[lou@duodenum] dsniff -w sniffedsession.pcap
ettercap also allows dumping packet data to a file. Again, the -w option is used to facilitate writing captured traffic:
[lou@duodenum] ettercap -T -i eth0 -w captured.pcap -M arp:poison //
ettercap, p0f, and dsniff all support BPF-style filters in the same format as tcpdump.
For example, this commands dsniff to listen for cleartext passwords in Telnet traffic going to 192.168.2.3:
[lou@duodenum] dsniff host 192.168.2.3 and port 23
This commands p0f to fingerprint FTP traffic coming from 192.168.2.2 or going to 10.0.0.2:
[lou@duodenum] p0f 'dst port 21 and (src host 192.168.2.2 or dst host 10.0.0.2)'
Setting BPF filters in ettercap requires the -f (filter) option, which takes the whole expression as a single argument, so quote it. This example commands ettercap to run in promiscuous mode on the default interface, listening for HTTP traffic with a packet size greater than 256 bytes:
[lou@duodenum] ettercap -T -f "port 80 and greater 256"
To filter ettercap's packet data output (referred to in the manpage as visualization) according to a regular expression, use the -e option:
[lou@duodenum] ettercap -T -e "foo|bar"
If you know what data you are looking for, the regular expressions can end up looking pretty complex:
[lou@duodenum] ettercap -T -e "[yY]ou shall be ([aq][bu][ci](et)?\.)|foobar"
You can combine BPF filters with packet logging to filter sessions with particular characteristics:
[lou@duodenum] p0f -w logging.pcap dst port 21 and src host 192.168.2.2
If you are investigating a network and find that there are 60 or so Windows XP machines and one Solaris box, you may want to know why that one SUN box is there, right? It would also be interesting if you could identify which machines are running what operating system. To do that, let's use a technique called OS fingerprinting.
Various programs can provide good OS identification. For example, the widely used and famous Nmap program (available from http://www.insecure.org) uses a technique of active fingerprinting. Nmap sends packets to a host with particular TCP/IP options and headers set, and then sees how the machine responds.
Use the -O option to tell nmap that you want to fingerprint a host (for more on Nmap, see Chapter 2):
[lou@duodenum] nmap -O 10.150.9.86
Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2006-07-26 18:23 PDT
Interesting ports on 10.150.9.86:
Not shown: 1677 closed ports
PORT STATE SERVICE
22/tcp open ssh
6000/tcp open X11
MAC Address: 00:16:CB:96:89:73 (Apple Computer)
Device type: general purpose
Running: Apple Mac OS X 10.3.X
OS details: Apple Mac OS X 10.3.5 or 10.3.7
Nmap finished: 1 IP address (1 host up) scanned in 35.251 seconds
Another method utilizes a technique called passive fingerprinting. Passive fingerprinting works by quietly examining packets for telltale patterns, not by sending data directly to a target host.
One of the granddaddies of passive fingerprinting is p0f, the Passive Operating System Fingerprinter. The O in operating system is replaced with a 0 (zero) character.
At its heart, p0f is trivial to use:
[lou@duodenum] p0f
p0f - passive os fingerprinting utility, version 2.0.5
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN) on 'eth1', 231 sigs (13 generic), rule: 'all'.
192.168.2.1:55487 - FreeBSD 4.7-5.2 (or MacOS X 10.2-10.3) (1) (up: 4511 hrs)
-> 192.168.2.3:22 (distance 0, link: ethernet/modem)
p0f listens to an interface (optionally specified by the -i option) for incoming SYN packets and then attempts to match the packet to a database of known characteristics. It is quite good at detecting the general flavor of the operating system.
One thing you might like to do is save network traffic with tcpdump and analyze the packets at your leisure using specialized tools. To have p0f read from a libpcap capture file, specify the -s option:
[lou@duodenum] p0f -s 200603031121-capture.pcap
A nice and relatively quiet way to get an idea of what is on the LAN is to arpspoof the gateway, use tcpdump to save a few hours of traffic, and then run p0f to identify the hosts.
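To make the matching step concrete, here is an added example (not p0f's own code) that pulls the SYN fields p0f keys on out of a raw IPv4/TCP packet, builds a signature in p0f v2's wwww:ttt:D:ss:OOO style, and looks it up in a small constructed signature table; the table entries, the sample packet and the helper names are all illustrative.

```python
import struct

# Constructed, simplified table in p0f v2 style:
# window:initial_ttl:df:syn_size:option_order -> label.
# These are illustrative entries, not p0f's real signature database.
SIGS = {
    "65535:64:1:60:M*,N,W0,N,N,T": "FreeBSD-like (constructed sig)",
    "5840:64:1:60:M*,S,T,N,W7": "Linux 2.6-like (constructed sig)",
    "65535:128:1:48:M*,N,N,S": "Windows XP-like (constructed sig)",
}

def tcp_option_order(opts):
    """Encode TCP options in p0f letter form, preserving their order."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  out.append("E"); break              # end of options
        if kind == 1:  out.append("N"); i += 1; continue   # NOP
        ln = opts[i + 1]
        if ln < 2: break                                   # malformed option
        if kind == 2:   out.append("M*")                   # MSS, value wildcarded
        elif kind == 3: out.append("W%d" % opts[i + 2])    # window scale factor
        elif kind == 4: out.append("S")                    # SACK permitted
        elif kind == 8: out.append("T" if any(opts[i + 2:i + 6]) else "T0")
        else:           out.append("?%d" % kind)
        i += ln
    return ",".join(out)

def guess_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def syn_signature(pkt):
    """Return (signature, label, hop_distance) for a raw IPv4/TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = 1 if struct.unpack("!H", pkt[6:8])[0] & 0x4000 else 0
    tcp = pkt[ihl:total_len]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:                             # SYN set, ACK clear
        raise ValueError("not a SYN packet")
    win = struct.unpack("!H", tcp[14:16])[0]
    ittl = guess_initial_ttl(pkt[8])
    sig = "%d:%d:%d:%d:%s" % (win, ittl, df, total_len, tcp_option_order(tcp[20:doff]))
    return sig, SIGS.get(sig, "UNKNOWN"), ittl - pkt[8]

def build_syn(ttl=63, win=65535):
    """Constructed sample SYN (not a real capture): MSS,NOP,WS0,NOP,NOP,TS options."""
    opts = b"\x02\x04\x05\xb4\x01\x03\x03\x00\x01\x01\x08\x0a\x00\x01\x00\x00\x00\x00\x00\x00"
    tcp = struct.pack("!HHIIBBHHH", 55487, 22, 1, 0, ((20 + len(opts)) // 4) << 4, 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 168, 2, 1]), bytes([192, 168, 2, 3]))
    return ip + tcp
```

The hop distance (initial TTL minus observed TTL) is the same "distance" p0f prints next to each match.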
ettercap can also fingerprint hosts. With the -P option, you can enable an ettercap plug-in by name:
[lou@duodenum] ettercap -Tq -P finger /10.0.0.1/80
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Fingerprinting 10.0.0.2:80...
FINGERPRINT : FFFF:05B4:40:00:0:1:1:1:A:3C
OPERATING SYSTEM : Mac OS X (Panther) ver. 10.3.3 (7F44)
This fingerprinting is slightly out of date. I ran this against a Macintosh running Mac OS X 10.4.7 (Tiger), and as you can see, ettercap misidentified it as 10.3.3 (Panther).
ettercap 0.7.3 ships with 27 useful plug-ins and one plug-in called dummy for developers to get their feet wet. The arp_cop plug-in is quite useful for detecting unscrupulous users running ettercap on your LAN.
Figure 4-4 shows what the plug-in list looks like in the GTK+ interface.
If you are a security researcher or an administrator, you want to get an idea of how often plain-text passwords are used on your network. If it is easy for you to sniff a password, it is easy for the bad guy to sniff the same information.
ettercap makes it trivial to sit on a LAN segment and simply sniff traffic for plain-text passwords. Run the command:
[lou@duodenum] ettercap -Tq -i eth0 -M arp:remote -l /tmp/passwords
and ettercap sniffs on interface eth0 and logs all sniffed passwords. The -l option tells ettercap to log session information to an .eci file (in this case, the info is saved to /tmp/passwords.eci). If you want to log all the packet data as well, use the -L flag, and the packet data is saved to an .ecp file of the same name. For the preceding example, this is /tmp/passwords.ecp. These logfiles can be read back through etterlog. If you want ettercap to write packets to a libpcap file à la tcpdump, use the -w option.
If ettercap makes it trivial to capture cleartext passwords, the dsniff program makes it stupidly simple:
[lou@duodenum] dsniff
dsniff: listening on eth1
-----------------
07/24/06 16:21:51 tcp 192.168.2.1.55506 -> 192.168.2.3.21 (ftp)
USER louzah
PASS foolish
dsniff supports well over 30 protocols, including all of the well-known plain-text protocols (POP, IMAP, Telnet, FTP, HTTP) as well as several databases (Oracle SQL*Net, Microsoft SQL) and most of the common chat protocols (AOL Instant Messenger, ICQ).
Running dsniff on your network can suddenly create a lot of work for you or your network administrator as you discover how many applications send sensitive data in the clear. ;-)
After arpspoof-ing the gateway, there's nothing quite like sneaking a look at what people are browsing. The dsniff suite includes a utility called webspy that surfs along with another host on the LAN by extracting the URLs they visit and opening them in your browser:
[lou@duodenum] webspy 192.168.2.3
If you are running a Gecko-based browser such as Firefox or Mozilla, webspy opens URLs right along with whatever and wherever that host visits. Unfortunately, webspy cannot tell you whether the person is actually browsing to a particular site, or whether they are running wget inside a scripted loop, generating a large number of URLs to, say, a JPEG of the Goatse Guy. (Not that you should ever do this if you suspect your browsing habits are being tracked.)