Sniffer technical materials

Source: Internet
Author: User
Tags: ftp connection

Sniffer means a packet sniffer. It is a dangerous passive attack tool: during an attack it lets you watch the state of the network, and any data flow or information transmitted over the network can be intercepted through network monitoring. Hackers often like to use it to intercept user passwords!
Sniffers come in two kinds: hardware and software. Today we will talk about software sniffers. A sniffer can only capture packets on its own physical network segment, that is, it cannot see past a router, switch or other device that does not forward the segment's broadcast traffic between it and the host being listened to. Therefore, a dial-up Internet user cannot use a sniffer to eavesdrop on other people's communications!
Sniffing is a second-stage attack: only once an attacker has already got into a target system can a sniffer be used to obtain more information. Besides passwords and user names, a sniffer can obtain other important information, such as financial data transferred online; it can capture almost any packet forwarded over the Ethernet segment. Sniffing is a fairly involved technique, and generally only someone who already understands the network can make use of it (I usually learn it through exercises!). A new network user, even after successfully compiling and running a sniffer on a host, will obtain no useful information, because the traffic on a network is usually quite large, and it is very difficult to find what you need if you receive every packet without selecting which ones to keep; in addition, if you listen for a long time, the hard disk of the machine running the sniffer may fill up!
Now let's look at a C program that performs basic listening. (Text between /* and */ is a comment.)

/* Header files for the system calls and network functions used below */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* IP header and TCP header layouts. The bit-field order assumes a
 * little-endian host such as x86 (header length before version). */
struct ip {
    unsigned int   ip_length:4;       /* header length in 32-bit words (IHL) */
    unsigned int   ip_version:4;      /* IP version, 4 for IPv4 */
    unsigned char  ip_tos;            /* type of service */
    unsigned short ip_total_length;   /* total datagram length */
    unsigned short ip_id;             /* identification, used for fragment reassembly */
    unsigned short ip_flags;          /* flags (3 bits) and fragment offset (13 bits) */
    unsigned char  ip_ttl;            /* time to live of the datagram */
    unsigned char  ip_protocol;       /* upper-layer protocol: 6 = TCP, 17 = UDP */
    unsigned short ip_cksum;          /* header checksum */
    unsigned int   ip_source;         /* source IP address */
    unsigned int   ip_dest;           /* destination IP address */
};

struct tcp {
    unsigned short tcp_source_port;   /* TCP source port */
    unsigned short tcp_dest_port;     /* TCP destination port */
    unsigned int   tcp_seqno;         /* sequence number */
    unsigned int   tcp_ackno;         /* acknowledgement number: next byte the sender expects */
    unsigned int   tcp_res1:4,        /* reserved bits, then the TCP flags */
                   tcp_hlen:4,        /* header length in 32-bit words */
                   tcp_fin:1,
                   tcp_syn:1,
                   tcp_rst:1,
                   tcp_psh:1,
                   tcp_ack:1,
                   tcp_urg:1,
                   tcp_res2:2;
    unsigned short tcp_winsize;       /* receive window: bytes the receiver will accept */
    unsigned short tcp_cksum;         /* TCP checksum */
    unsigned short tcp_urgent;        /* urgent pointer */
};

/* Main function */
int main(void)
{
    int sock, bytes_received;
    socklen_t fromlen;
    char buffer[65535];
    struct sockaddr_in from;          /* address the packet was received from */
    struct ip  *ip;                   /* will point at the IP header inside buffer */
    struct tcp *tcp;                  /* will point at the TCP header inside buffer */

    /* Create a raw socket. The first parameter is the address family: AF_INET
     * for the Internet family. The second is the socket type: SOCK_RAW bypasses
     * the transport layer so we receive the packet starting at the IP header
     * (this requires root, or CAP_NET_RAW on Linux). The third is the protocol:
     * IPPROTO_TCP asks the kernel to hand us only TCP packets. */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    while (1) {
        fromlen = sizeof from;
        /* Receive one packet from the raw socket. recvfrom() wants a generic
         * struct sockaddr, hence the cast of our sockaddr_in. */
        bytes_received = recvfrom(sock, buffer, sizeof buffer, 0,
                                  (struct sockaddr *)&from, &fromlen);
        if (bytes_received < (int)(sizeof(struct ip) + sizeof(struct tcp)))
            continue;                 /* too short to hold both headers */

        printf("\nBytes received: %4d\n", bytes_received);
        printf("Source address: %s\n", inet_ntoa(from.sin_addr));

        /* Overlay the predefined structure on the received bytes for easy reading */
        ip = (struct ip *)buffer;
        printf("IP header length: %d\n", ip->ip_length);
        printf("Protocol: %d\n", ip->ip_protocol);   /* 6 is TCP, 17 is UDP */

        /* IHL counts 32-bit words, so the TCP header starts IHL * 4 bytes
         * into the packet; check that it still fits in what we received. */
        if (4 * ip->ip_length + sizeof(struct tcp) > (size_t)bytes_received)
            continue;
        tcp = (struct tcp *)(buffer + 4 * ip->ip_length);
        printf("Source port: %d\n", ntohs(tcp->tcp_source_port));
        printf("Dest port: %d\n", ntohs(tcp->tcp_dest_port));
    }
    close(sock);
    return 0;
}
The C program above is the simplest possible listing, meant to illustrate how a sniffer receives packets. Before running it, the network card must also be put into promiscuous mode, as root:
ifconfig eth0 promisc
(on a current Linux system, ip link set dev eth0 promisc on does the same). Here eth0 is assumed to be your Ethernet interface. Then run the compiled program (the C listing above) and you will see the captured packets! Important note: this program is far too simple; it only shows the source address, protocol, source port, destination port and similar basic information, which is of little use by itself, but you can extend it.
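The program above overlays struct pointers on the buffer with almost no length checking, and the text earlier notes that the real work of sniffing is selecting the packets you want out of a large stream. The following example was added for this edit; it is not code from the original article and does not reuse the program above. It parses an IPv4/TCP packet from a raw buffer with every offset (IHL and the TCP data offset, both in 32-bit words) checked against the buffer length, then picks out FTP USER/PASS lines from segments addressed to port 21, which is exactly the kind of cleartext credential a sniffer on port 21 or 23 is run to collect. The packet bytes, addresses and the password are constructed for the example; the checksums are left at zero because this parser does not verify them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What we keep from one TCP segment found in a raw IPv4 buffer */
struct tcp_view {
    uint32_t src_ip, dst_ip;        /* host byte order */
    uint16_t src_port, dst_port;    /* host byte order */
    const uint8_t *payload;         /* points into the caller's buffer */
    size_t payload_len;
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 and fills *v if buf[0..len) holds a complete IPv4/TCP packet,
 * 0 otherwise. IHL and the TCP data offset are in 32-bit words, and every
 * offset derived from them is checked against len before use, so a truncated
 * capture or a crafted header cannot make us read past the buffer. */
int parse_ipv4_tcp(const uint8_t *buf, size_t len, struct tcp_view *v)
{
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;          /* IP header length in bytes */
    size_t total = rd16(buf + 2);                       /* total length field */
    if (ihl < 20 || total < ihl + 20 || total > len) return 0;
    if (buf[9] != 6) return 0;                          /* protocol field: 6 = TCP */

    const uint8_t *t = buf + ihl;                       /* TCP header starts IHL*4 bytes in */
    size_t doff = (size_t)(t[12] >> 4) * 4;             /* TCP header length, also in words */
    if (doff < 20 || ihl + doff > total) return 0;

    v->src_ip = rd32(buf + 12);
    v->dst_ip = rd32(buf + 16);
    v->src_port = rd16(t);
    v->dst_port = rd16(t + 2);
    v->payload = t + doff;
    v->payload_len = total - ihl - doff;
    return 1;
}

/* If the segment goes to port 21 and its payload begins with an FTP USER or
 * PASS command, copies the argument (up to the end of the line) into out as a
 * NUL-terminated string and returns 1; otherwise returns 0. */
int extract_ftp_credential(const struct tcp_view *v, char *out, size_t outsz)
{
    static const char *cmds[] = { "USER ", "PASS " };
    const size_t clen = 5;
    if (v->dst_port != 21 || outsz == 0) return 0;
    for (size_t i = 0; i < 2; i++) {
        if (v->payload_len <= clen || memcmp(v->payload, cmds[i], clen) != 0) continue;
        size_t j = 0;
        while (clen + j < v->payload_len && j + 1 < outsz) {
            uint8_t c = v->payload[clen + j];
            if (c == '\r' || c == '\n') break;
            out[j++] = (char)c;
        }
        out[j] = '\0';
        return 1;
    }
    return 0;
}

/* Constructed sample packet (not a real capture): 20-byte IPv4 header +
 * 20-byte TCP header + "PASS hunter2\r\n", from 192.168.0.5:1035 to
 * 192.168.0.1:21. Both checksums are zero; the parser does not verify them. */
const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x36, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x00, 0x05, 0xc0, 0xa8, 0x00, 0x01,
    0x04, 0x0b, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    0x50, 0x18, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
    'P', 'A', 'S', 'S', ' ', 'h', 'u', 'n', 't', 'e', 'r', '2', '\r', '\n'
};

int main(void)
{
    struct tcp_view v;
    char cred[64];
    if (parse_ipv4_tcp(sample_pkt, sizeof sample_pkt, &v) &&
        extract_ftp_credential(&v, cred, sizeof cred)) {
        printf("%u.%u.%u.%u:%u -> port %u  FTP credential: %s\n",
               (unsigned)(v.src_ip >> 24) & 0xff, (unsigned)(v.src_ip >> 16) & 0xff,
               (unsigned)(v.src_ip >> 8) & 0xff, (unsigned)v.src_ip & 0xff,
               (unsigned)v.src_port, (unsigned)v.dst_port, cred);
    }
    return 0;
}
```

In a real sniffer the buffer handed to parse_ipv4_tcp is what recvfrom() returned from the raw socket, and len is the byte count it reported; passing a shorter len than the packet's own total-length field makes the parser refuse the packet rather than read beyond the capture.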
Now let's take a look at the sniffit sniffer program.
Sniffit is network listening software that runs on Linux, Solaris, SGI, NT and other platforms. It is used to monitor computers running TCP/IP and to check the security of the protocol.
Install
Follow me step by step. Don't run away! If you run away, don't blame me!
1. Run tar zvfx sniffit.*.tgz to unpack the downloaded sniffit.*.tgz into the target folder. If the version is 0.3.7, you will see a sniffit.0.3.7 directory there.
2. Enter the sniffit.0.3.7 directory.
3. Run ./configure && make. If no unexpected error message appears on the terminal during the process, the compilation succeeded and you get a sniffit binary, which you can run directly!
4. Finally, run make clean to clear the temporary files.
How to use sniffit
sniffit command options
Option      Function
-v          display version information
-t <IP>     listen to data sent to the specified IP address (the target)
-s <IP>     listen to IP packets flowing out from the specified IP address (the source); the @ wildcard may be used, e.g. -s 192.168.@
-i          interactive mode: a window is displayed in which you can see the machines currently active on the network
-I          extended interactive mode; other options are ignored, and it is more powerful than -i
-c <file>   run the program with a config script
-F <device> force the program to use the given network device
-n          also show non-IP packets, such as ARP and RARP
-N          run only the plugins; other options are ignored
Usage examples
Assume two hosts on one subnet: one runs sniffit (call it sniffit.com), and the other, xxx.com, has IP address 192.168.0.1.
1. Check that sniffit runs:
sniffit:~# sniffit -d -p 7 -t 192.168.0.1
Open another window and connect to the echo service on the other host:
sniffit:~$ telnet xxx.com 7
You will see sniffit capturing the echo-service packets on port 7 of the other host.
2. Intercept user passwords on xxx.com:
sniffit:~# sniffit -p 23 -t 192.168.0.1
This listens on port 23 (telnet).
3. If the root user of xxx.com notices a strange FTP connection and wants to record what it does:
sniffit:~# sniffit -p 21 -l 0 -t 192.168.0.1
4. Read all mail in and out of xxx.com:
sniffit:~# sniffit -p 25 -l 0 -b -t 192.168.0.1 &
or
sniffit:~# sniffit -p 25 -l 0 -b -s 192.168.0.1 &
5. Listen to packets entering and leaving 192.168.0.1 and monitor its activity in full:
sniffit:~# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 192.168.0.1
6. Record passwords in the following way, then read the log files with more 192*:
sniffit:~# sniffit -p 23 -A. -t 192.168.0.1
It's hard to write! Now let's switch to a Windows sniffer! Windows is common, isn't it? HOHO
NetXRay
NetXRay has three main functions:
1. receive and analyze data packets
2. data packet transmission
3. network management monitoring function
The third function of NetXRay is network management monitoring. There are seven buttons in the network management function. Let me introduce them now!
DashBoard button: displays the traffic on the subnet in brief
HostTable button: observe the network traffic of each host on the subnet
Matrix button: observe the traffic between hosts on the subnet
History button: displays network data as charts
Protocol Distribution button: analyzes the distribution of the various communication protocols on the network
Alarm Log button: set network condition warnings
Address Book button: set host information
Due to time constraints, I will only introduce the usage of the DashBoard button here. (Yes, I admit I am lazy. Please forgive me; I am still a student and do not have much time at the computer... I will give you better teaching materials after the holiday!)
For details about the other buttons, go to http: // 216.239.33.102!
The DashBoard button shows the traffic on the subnet in brief. After you click it, a graphical display appears that looks like the gauges on a car's dashboard. (There was no time to capture a screenshot; please forgive me.)
The Packets row gives the total number of packets so far, the Broadcasts row the number of broadcast packets, the Multicasts row the number of multicast packets, the Bytes row the total number of bytes transmitted on your subnet, and the Errors row the number of errors seen on the network.
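As an added example (written for this edit, not NetXRay's code), here is how those DashBoard counters can be derived from captured Ethernet frames: a broadcast frame has the all-ones destination MAC, a multicast frame has the I/G bit (bit 0 of the first destination byte) set, and everything else is unicast. The page does not say which conditions NetXRay counts as errors, so treating a runt frame (shorter than the 60-byte Ethernet minimum without FCS) as an error is an assumption made here. The frames and MAC addresses are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One counter per DashBoard row */
struct dashboard {
    unsigned long packets;     /* total frames seen */
    unsigned long broadcasts;  /* destination ff:ff:ff:ff:ff:ff */
    unsigned long multicasts;  /* destination with the I/G bit set, excluding broadcast */
    unsigned long bytes;       /* total bytes seen */
    unsigned long errors;      /* assumption for this example: runt frames below the minimum */
};

#define ETH_ADDR_LEN   6
#define ETH_MIN_FRAME  60   /* minimum Ethernet frame size without the 4-byte FCS */

/* Classifies one captured frame and updates the counters */
void dashboard_count(struct dashboard *d, const uint8_t *frame, size_t len)
{
    static const uint8_t bcast[ETH_ADDR_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

    d->packets++;
    d->bytes += len;
    if (len < ETH_MIN_FRAME) {
        d->errors++;            /* runt: too short to be a valid frame */
        return;
    }
    if (memcmp(frame, bcast, ETH_ADDR_LEN) == 0)
        d->broadcasts++;
    else if (frame[0] & 0x01)   /* I/G bit set: group (multicast) address */
        d->multicasts++;
}

/* Builds a minimum-size frame with the given destination MAC (constructed test data) */
static void make_frame(uint8_t *out, const uint8_t dst[ETH_ADDR_LEN])
{
    static const uint8_t src[ETH_ADDR_LEN] = {0x00, 0x0c, 0x29, 0x12, 0x34, 0x56};
    memset(out, 0, ETH_MIN_FRAME);
    memcpy(out, dst, ETH_ADDR_LEN);
    memcpy(out + ETH_ADDR_LEN, src, ETH_ADDR_LEN);
    out[12] = 0x08; out[13] = 0x00;   /* EtherType IPv4 */
}

/* Feeds a constructed mix of frames through the counters and returns the totals */
struct dashboard dashboard_demo(void)
{
    static const uint8_t bcast[ETH_ADDR_LEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    static const uint8_t mcast[ETH_ADDR_LEN] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb}; /* IPv4 multicast */
    static const uint8_t ucast[ETH_ADDR_LEN] = {0x00, 0x50, 0x56, 0xab, 0xcd, 0xef};
    uint8_t frame[ETH_MIN_FRAME];
    struct dashboard d = {0, 0, 0, 0, 0};

    make_frame(frame, bcast); dashboard_count(&d, frame, sizeof frame);
    make_frame(frame, mcast); dashboard_count(&d, frame, sizeof frame);
    make_frame(frame, ucast); dashboard_count(&d, frame, sizeof frame);
    make_frame(frame, ucast); dashboard_count(&d, frame, 40);   /* runt frame */
    return d;
}

int main(void)
{
    struct dashboard d = dashboard_demo();
    printf("Packets %lu  Broadcasts %lu  Multicasts %lu  Bytes %lu  Errors %lu\n",
           d.packets, d.broadcasts, d.multicasts, d.bytes, d.errors);
    return 0;
}
```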
I have written this much of an introduction to sniffers; by now you should have some knowledge of them!
My writing is not very polished, so please point out any mistakes or shortcomings! My QQ: 193480
E-mail: HeiKeAngel@54Hack.Com
HeiKeAngel forever
