Monday 21 September 2009

Analyzing / Monitoring network captures with dsniff

If you readily have access to the network, be it open or encrypted with WEP or WPA, the capture files can show a lot of information on what the target network was up to.
The toolsuite dsniff, consists of dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy.

I'll be looking at ;
urlsnarf shows the websites (urls) which were visited
driftnet can show pics of websites visited... (ooffff...)
dsniff can show passwords used in webforms
mailsnarf shows downloaded emails

Basically what we are doing is;
> capturing network traffic using airodump
> decrypting the network traffic using airdecap
> replaying the network traffic using tcpreplay
and using the above tools to check out the network session.

First stop is to identify our network that we want to monitor.

airmon-ng start wlan0
airodump-ng mon0

Locate the network, specify channel, bssid and output file.
airodump-ng mon0 -c 4 --bssid 00:11:22:33:44:55 -w wpa

As we are capturing from a WPA network, and want to decrypt lateron, a handshake needs to be in the capture file.
(The packets will only be decrypted as from the moment the handshake is obtained)
So after starting the airodump capture, start a new console and deauth a user forcing that user to reconnect ensuring the handshake will be in the capture file ;
(Here i did the deauth attack twice just to be sure the capture would be included)

aireplay-ng mon0 -0 -5 -a 00:11:22:33:44:55 -c 55:44:33:22:11:00

In airodump we will see the handshake captured in the top right of the screen.

Now we (the target PC) happily browse away and after a while stop the airodump capture.

To decrypt the WPA capture file, we will use airdecap-ng.
Tto correctly decrypt we need the network ESSID, the capture file with handshake and the WPA passphrase.

airdecap-ng -e ESSID -p 'wpa_password' wpa-01.cap

If successfull, you will see x amount of packages decrypted and there will be a new file; wpa-01-dec.cap
This is the decrypted cap file. 

Now to see what results we were able to obtain !

Open a new console and startup urlsnarf, specifying the local interface;

urlsnarf -i lo

To replay the network session, we use tcpreplay on the local interface using the decrypted file ;

tcpreplay -i lo wpa-01-dec.cap

In the console running urlsnarf you will see details coming by of the websites visited.

To speed up the replay, you can use the -t option to go as fast as is possible.

tcpreplay -i lo -t wpa-01-dec.cap

When the replay is completed it simply stops and you can close the close the other consoles after checking what you wanted to check.

You can run the tools together ;
Open up seperate consoles for each tool, again specifying the local interface.

dsniff -i lo
mailsnarf -i lo
driftnet -i lo
(driftnet opens up a seperate driftnet window showing the pictures)

Then when those are up, open a console and run tcpreplay -i lo wpa-01-dec.cap.

After visiting several sites, entering passwords to sites, checking my email on Outlook Express, checking several semi-decent sites ... *cough* ... my results were ;

works well in showing the urls visited, nothing to remark on there.
Below the results of checking out one of UK's "finest" newspapers...

Did not show the amount of pics I was expecting to see.. but does show quite a few, it depends on the sort of sites visited, will need to do some more checking on this one.
Below he result of browsing through said newspaper in the driftnet window.. What class.. !
If NSFW.. emigrate.. ;)

Only worked on 1 out 5 passworded sites I tried, not too impressed, but quite relieved to be honest !
The results from a browser game I am into;

sometimes showed emails I downloaded from Outlook Express, sometimes didn't.
When I had several mails it showed them, when I only 1 to download, it didnt, part of a result of the time it did work ;

All in all not a flawless result, but definately interesting and entertaining !.

As yet I have been unable to get webspy working using tcpreplay, a shame as webspy is reportedly able to
show realtime internet use in a browser window, which I had hoped would be able to be done using tcpreplay as well.
Have to look deeper into this later on.

I will be looking further into how to get maximum results from these tools and updating this post accordingly.


  1. hello .

    when i run urlsnarf i lo

    i dont see any thing ... just listeing ..

  2. You need to make sure that the .cap file does actually contain visited websites, so the victim PC mustof course browse away for a bit..

    Also, airdecap will ONLY decrypt the file as from AFTER the handshake.. so make sure you have the handshake first..

    Otherwise not sure what to say, the post is clear enough IMHO.

    1. question ive been trying to crack a cap file ive obtained useing aircrack and a !@#$ load of wordlist. would this what you have jus explained here help in any way ? pl email me at thanks !!!!!!!!!!!!!!!!!!! :D

    2. Try it on your own network instead... and leave other people's networks alone.

  3. wht if i try it in open network? will it work?

  4. Sure, works great on open networks, which is why you should never use one !

  5. Hello,

    When I type ./tcpreplay -i lo /root/Desktop/wpa-01-dec.cap, I get the following message:

    Warning: Packet #5 has gone back in time!
    Warning: Packet #6 has gone back in time!
    Warning: Packet #58 has gone back in time!
    Warning: Packet #84 has gone back in time!
    Warning: Packet #515 has gone back in time!

    and urlsnarf does not show any result. Please help

    1. tcpreplay;
      I have never seen that before so afraid I cant give you much advice on it,

      Also not sure why you are using the ./ in front of tcpreplay

      urlsnarf will only show results if addresses are there in capture, possibly they are not ?


Google Analytics Alternative