# dsniff in FreeBSD



## halplus (Mar 1, 2011)

Hi:

I've been trying to use *dsniff* in FreeBSD but I am out of luck. Documentation for the tool is very much in short supply. I was reading here and there and tried things just to test. For instance:

`/usr/local/sbin/urlsnarf` 

prints just this and nothing else:


```
urlsnarf: listening on re0 [tcp port 80 or port 8080 or port 3128]
```

Similar when I run *dsniff*, even with the *-m* switch. Documentation for *tcpkill* is again lacking a lot.

Is there any place I can see a tutorial or something to make it run in FreeBSD? Maybe requirements. I could be missing something. I read about bpf somewhere but again a vague answer in some forum. Ahh, and I am also doing NAT with that computer, so no need to use arpspoof I think, or play with *dnsspoof*... I think too, since I am in the middle.

I also have pf enabled on it. Could it be blocking something? I don't think so as all internal computers have full internet access to the outside. 

And also I have a DNS cache with BIND locally. I tried *dnsspoof* for instance to test, but hosts are being resolved the same way they used to resolve. I mean the real IP address.


----------



## honk (Mar 1, 2011)

Are you sure that re0 is the interface the http traffic passes through? *Dsniff* uses bpf to capture the traffic; if you have a custom kernel, make sure it is included in your kernel configuration (but I would guess that *dsniff* gives you an error message when bpf is not available).


----------



## SirDice (Mar 1, 2011)

This might help: Introduction to Dsniff (PDF).


----------



## halplus (Mar 1, 2011)

Hi Honk:



> Are you sure that re0 is the interface where the http traffic passes by?



Everything is entering through that interface and going out through the other one. I am the gateway of the network and "speak" with a cable to the ADSL router/modem on the other interface.

I "captured" traffic with httpry on that interface and it printed all HTTP requests made by other computers.

To make the view wider, I am redirecting some traffic coming to my real IP to an internal computer too, and I leave everything to go out with pf on that interface re0. The external interface is protected except for some ports. I don't think that has anything to do with it, but just in case.

Hi Sirdice:



> This might help: Introduction to Dsniff (PDF).



Unfortunately it is Linux oriented, as is all the documentation I could get about dsniff. I want to say that I am not trying to be too active in the sniffing. Just grab what is in transit through my server. No need to poison with ARP spoofing or that kind of thing. I am also not looking to alter DNS resolution, only "see". I just tried dnsspoof to test and it didn't work.


----------



## halplus (Mar 1, 2011)

> if you have a custom kernel make sure it is included in your kernel configuration



No, generic 8.1 kernel.


----------



## SirDice (Mar 1, 2011)

halplus said:

> Unfortunately it is Linux oriented, as is all the documentation I could get about dsniff.


That's totally irrelevant because the tool works exactly the same.



> I want to say that I am not trying to be too active in the sniffing. Just grab what is in transit through my server. No need to poison with ARP spoofing or that kind of thing. I am also not looking to alter DNS resolution, only "see".


Then use tcpdump(1), no need to install anything, works out of the box.


----------



## halplus (Mar 1, 2011)

> That's totally irrelevant because the tool works exactly the same.



I installed that with `pkg_add -r dsniff`

I believe it should have downloaded and installed all dependencies. Also, if I follow the procedure listed in there, those libraries won't appear in the package dependency tree.

I really found it problematic to do that, however, since I upgraded from 8.0 to 8.1 and then all software had dependency problems, therefore I had to *pkg_delete -r* some things. And then I got warnings about older versions afterward, so I had to reinstall several times until I got no more warnings. I don't know if there is a way to just upgrade every installed package, but I didn't see that in the upgrade guide.

Now that I see this in the document:



> The version numbers are very important, and using the wrong version may result in the application not working properly.



I am going to check the version of every installed package manually just to be sure. I think that the installer should do that or give me a warning, but I didn't get any more once I removed those with warnings of being old and reinstalled dsniff, so I suppose that is not the cause.

I want to mention that in that article the usage link is broken: http://www.sans.org/reading_room/threats/dsniff.htm



> Then use tcpdump(1), no need to install anything, works out of the box.



Can it grab passwords, logins, etc. and throw away the rest of the irrelevant information of the protocol? Grab files and emails? From what I saw it is sort of like Wireshark but a whole lot simpler. I want to try the attack on SSH and SSL too. I mean, when I said "see things in transit" I meant no need to poison a switch or put an interface in promiscuous mode. Also no need to do phishing-like tricks with DNS requests. But I need to filter away irrelevant data, so I think dsniff is the one. Correct me if I am wrong somewhere.
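To make concrete what urlsnarf and dsniff actually do with the packets once bpf hands them over (the message in the first post, `listening on re0 [tcp port 80 or port 8080 or port 3128]`, is just urlsnarf's capture filter; it only prints something when an HTTP request matching that filter goes by), here is an added example that is not part of this thread or of the dsniff suite. It re-implements the two pieces the question asks about in plain Python: urlsnarf-style request logging in Common Log Format, and dsniff-style credential extraction (HTTP Basic auth and url-encoded login forms). The sample payloads, client addresses and the `USER_FIELDS`/`PASS_FIELDS` lists are constructed for the example; the real tools read pcap/bpf and reassemble TCP streams first, whereas this takes the already-extracted request payloads, so it runs without root or a live interface.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample: the TCP payloads a gateway would see on its internal
# interface for three client requests and one server response. Not captured
# from any real network; addresses and hosts are made up for the example.
SAMPLE_STREAMS = [
    ("192.168.1.23", b"GET /index.html HTTP/1.1\r\n"
                     b"Host: www.example.com\r\n"
                     b"User-Agent: Mozilla/5.0\r\n\r\n"),
    ("192.168.1.23", b"GET /admin/ HTTP/1.1\r\n"
                     b"Host: intranet.example.com\r\n"
                     b"Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n"),
    ("192.168.1.42", b"POST /login HTTP/1.0\r\n"
                     b"Host: shop.example.net\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n"
                     b"Content-Length: 26\r\n\r\n"
                     b"user=bob&pass=hunter2&go=1"),
    ("203.0.113.5",  b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
]

REQUEST_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT"}
# Heuristic field names for login forms (this example's list, not dsniff's).
USER_FIELDS = {"user", "username", "login", "email", "uid"}
PASS_FIELDS = {"pass", "password", "passwd", "pwd"}


def parse_request(payload):
    """Split one HTTP request payload into request line, headers and body.
    Returns None for anything that is not a client request (e.g. a server
    response), mirroring the way urlsnarf only logs the request side."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in REQUEST_METHODS or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def clf_line(src_ip, req, timestamp):
    """Format a request the way urlsnarf does: Common Log Format carrying the
    full URL, referer and user-agent. The timestamp is passed in so output is
    deterministic; urlsnarf uses the packet's capture time."""
    h = req["headers"]
    url = "http://%s%s" % (h.get("host", "-"), req["path"])
    return '%s - - [%s] "%s %s %s" - - "%s" "%s"' % (
        src_ip, timestamp, req["method"], url, req["version"],
        h.get("referer", "-"), h.get("user-agent", "-"))


def extract_credentials(req):
    """Pull credentials out of one request: HTTP Basic auth headers and
    username/password pairs in url-encoded form bodies."""
    found = []
    scheme, _, token = req["headers"].get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            decoded = base64.b64decode(token, validate=True).decode("latin-1")
            user, _, pw = decoded.partition(":")
            found.append(("basic", user, pw))
        except (binascii.Error, ValueError):
            pass  # malformed token: skip it rather than crash the sniffer
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(req["body"].decode("latin-1"))
        users = [v[0] for k, v in fields.items() if k.lower() in USER_FIELDS]
        pws = [v[0] for k, v in fields.items() if k.lower() in PASS_FIELDS]
        if users and pws:
            found.append(("form", users[0], pws[0]))
    return found


def snarf(streams, timestamp="01/Mar/2011:12:00:00 +0100"):
    """Process (client_ip, payload) pairs; return the urlsnarf-style log lines
    and the dsniff-style credential hits, skipping non-request payloads."""
    log, creds = [], []
    for src_ip, payload in streams:
        req = parse_request(payload)
        if req is None:
            continue
        log.append(clf_line(src_ip, req, timestamp))
        for kind, user, pw in extract_credentials(req):
            creds.append((src_ip, req["headers"].get("host", "-"), kind, user, pw))
    return log, creds


if __name__ == "__main__":
    log, creds = snarf(SAMPLE_STREAMS)
    print("\n".join(log))
    for src, host, kind, user, pw in creds:
        print("%s -> %s [%s] %s:%s" % (src, host, kind, user, pw))
```

The point of running it is to see that nothing is printed for payloads that are not requests: if the real tools print only the "listening on" banner, it means no packet matching the filter reached the bpf device on that interface, not that the tools are broken. Verifying that is a job for `tcpdump -ni re0 'tcp port 80'` first; once tcpdump shows the requests, urlsnarf on the same interface will log them in the format above.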


----------



## respite (Mar 2, 2011)

> Everything is entering through that interface and going out through the other one. I am the gateway of the network and "speak" with a cable to the ADSL router/modem on the other interface.



If re0 is the inbound interface, what is the outbound? What happens when you try the utilities on the outbound interface?


----------



## halplus (Mar 2, 2011)

> If re0 is the inbound interface, what is the outbound?



If I remember well (I am not at that computer ATM) it was fxp0.



> What happens when you try the utilities on the outbound interface?



Exactly the same.

I was also wondering how the utility should work. I mean, somewhere I saw something about a database but no idea if it simply prints that message I am getting and dumps stuff to such a database (and wondering in that case where it should save it) or simply prints captured things to stdout. I tried to read the manuals in French (I am not too good at that language, but still) but again the link is gone.

http://www.groar.org/~ducamp/english.html#sec-trad

Interestingly, all of the information on the internet about the tools seems wiped. Even at IBM.

http://www-106.ibm.com/developerworks/security/library/s-sniff2.html?dwzone=security (missing page)

http://www.linuxsecurity.com/feature_stories/feature_story-89.html (blank)

http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml (not found)


----------



## respite (Mar 7, 2011)

I have never had an issue with the dsniff suite on FreeBSD. You may want to review the official FAQ at:
http://monkey.org/~dugsong/dsniff/faq.html

Assuming you installed it from the FreeBSD ports/package system, you already have the included man pages. Unfortunately I have never tried running it directly on a gateway's interface, as for me it's always a switch/router. The first step for me has always been arpspoof.

I also like the ettercap tool; I did a short write-up on its use at the following link:
http://ericholzbach.net/blog/2011/01/https-password-sniffing-on-freebsd/


----------

