#1 (permalink)
Registered Member
Join Date: Apr 2005
Posts: 7
dsniff on an authenticated wireless network.
Second post - still with the questions...

So I've partially given up on continuing on the w2k platform for now. Most of the tools I like are linux based, and the convenience of connecting to my AP on windows is pretty much toast now that the madwifi drivers and wpa_supplicant are playing nice with others.

Anyhow, traditionally I have used this laptop + a cheap 10/100 card + cheap 10/100 hub to sit between the edge of the internal network and the gateway. Dsniff (or rather, the webspy component) runs, and the results are piped into a perl script that keeps a running tally of the most frequently accessed domains and emails the results to myself and the other admin every night. Pretty handy.

I was hoping to do the same exclusively for our new-ish wireless AP, as most of the connecting clients are visitors/students at our building, and it's a separate group worth tracking. Problem is, I'm still a bit flaky on the right way to get dsniff up and running on a WiFi connection. Please correct me where I've made a mistake?

What I use: Mandrake 10.1 official, D-Link DWL-G650 card. Access Point is a D-Link XtremeG, WPA is enabled. As this is my AP, connecting is not an issue.

What I've been trying:
1. Get the drivers running (madwifi+wpa_supplicant+wireless-tools in my case)
2. Get the card online
3. Connect to the AP completely (in my case, via WPA)
4. Confirm that you're connected - ping the AP, load a webpage, whatever.
5. Put the card into monitor mode (iwconfig <device> mode Monitor)
6. Run iwconfig <device> again to make sure it worked - which it does.
7. Run the sniffer of your choice and start capturing.

Of course with the card in monitor mode your connectivity is gone until you reset it to Managed, but I've written that into my scripts at this point (resets it for long enough to fire off the email, then returns to monitor mode).

I've obviously missed something obvious.

dmesg reports the card entering promiscuous mode when I start up the sniffer just like when using a wired connection, and I'm not finding any errors or complaints for the most part. At startup dsniff will give the error:

    WARNING: unsupported device type 0x322, assuming raw
    Kernel filter, protocol ALL, raw packet socket
    dsniff: listening on ath0 []

if started w/ the card in monitor mode, but it doesn't look like a showstopper. Any thoughts?

#3 (permalink)
Registered Member
Join Date: Apr 2005
Posts: 7
Quote:
Moderators - please move this thread to the linux software forum or whatever if it's too far off-topic/the issue is more complicated than a simple "you forgot to do this:" answer.

Back on topic - what AM I missing?

#4 (permalink)
Registered Member
Join Date: Apr 2005
Posts: 2
Hi,
I also tried to get dsniff to work on a wireless connection - with no success. I've come to the conclusion that the 802.11 headers confuse dsniff. I think this is the case because if I sniff the wireless network with kismet, then apply 802ether to the log file, then apply dsniff on the result, it works!

My solution is to use ettercap, which works perfectly and has more features (although I did not find a plugin equivalent to mailsnarf). I hope this helps ...
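
The conversion step described in post #4 (turning captured 802.11 frames into Ethernet frames before an Ethernet-only parser reads them), as an added example that is not part of the thread and is not the 802ether tool's code. It assumes a bare 802.11 frame with no Prism/radiotap capture header, FCS or HT Control field; the function name, constants and sample frame are hypothetical, and frames with the Protected bit set (WEP/WPA ciphertext) are skipped because their payload cannot be parsed without decryption.

```python
LLC_SNAP = bytes.fromhex("aaaa03000000")  # RFC 1042 encapsulation prefix

def dot11_to_ethernet(frame):
    """Return an Ethernet II frame for one bare 802.11 data frame, else None.

    Assumption: the caller has already stripped any Prism/radiotap header
    and trailing FCS, and the frame carries no HT Control field.
    """
    if len(frame) < 24:                  # shorter than a 3-address header
        return None
    fc0, flags = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or subtype & 0x4:      # not data, or a null (no-payload) subtype
        return None
    if flags & 0x40:                     # Protected bit: payload is ciphertext
        return None
    to_ds, from_ds = flags & 0x01, flags & 0x02
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr = 24
    if to_ds and from_ds:                # WDS frame: Address 4 follows Seq Ctl
        a4 = frame[24:30]
        hdr += 6
    if subtype & 0x8:                    # QoS data: 2-byte QoS Control field
        hdr += 2
    body = frame[hdr:]
    if len(body) < 8 or body[:6] != LLC_SNAP:
        return None                      # truncated or not SNAP-encapsulated
    # Address roles depend on the ToDS/FromDS bits.
    dst = a3 if to_ds else a1
    src = a4 if (to_ds and from_ds) else (a3 if from_ds else a2)
    return dst + src + body[6:8] + body[8:]   # dst, src, EtherType, payload

# Constructed sample: AP-to-client (FromDS) data frame with made-up MACs.
CLIENT = bytes.fromhex("020000000001")
BSSID = bytes.fromhex("0200000000aa")
ROUTER = bytes.fromhex("0200000000fe")
PAYLOAD = b"constructed IPv4 bytes"
SAMPLE = (bytes([0x08, 0x02]) + b"\x00\x00" + CLIENT + BSSID + ROUTER
          + b"\x00\x00" + LLC_SNAP + b"\x08\x00" + PAYLOAD)

if __name__ == "__main__":
    print(dot11_to_ethernet(SAMPLE).hex())
```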

#5 (permalink)
Registered Member
Join Date: Jan 2005
Posts: 36
What version of dsniff are you using after the 802ether step? Last I checked dsniff would not read pcap files without source lib modification.
Also you could try ettercap-ng; it works with wireless out of the box, although I have not been successful with the password parsing dissectors via wireless.

#6 (permalink)
Registered Member
Join Date: Apr 2005
Posts: 2
I use dsniff 2.4b1 patched with a patch found at http://www.sephail.net/patches/dsniff/ which adds the possibility to read a pcap file.
For me, ettercap-ng works very well, and shows the passwords for a lot of protocols and remains a better alternative.

#8 (permalink)
Registered Member
Join Date: Apr 2005
Posts: 7
AAh.. I'd lost my copy of that patch, thanks. I'll try it out tonight and post if it works.
Ettercap looks like it has potential, but it does a nice crash-n-burn if I try to start it up with my wireless card in Monitor mode, which makes it useless for live packet capture. Anyone else had this problem? Ettercap does support the Atheros/madwifi drivers, right?