LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-02-2005, 03:16 PM   #1
mmhat
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Rep: Reputation: 0
Getting Log in Info from Dsniff


Hi everyone:
I finally succeeded in installing Dsniff on my Mandrake 10.1 PC. However, I tried to capture the login information of my email and some SMB in a small local network I made between a few PCs, and when I use Dsniff it tells me it triggered a blah .. blah protocol, e.g.:

dsniff: trigger_tcp_raw: decoding port 8080 as http

How could I view the exact representation of the captured packet?
Note: if I didn't use debug mode, the above line wouldn't even appear...

[root@localhost ~]# dsniff -c -d -i eth0
dsniff: trigger_set_tcp: port 21 -> ftp
dsniff: trigger_set_tcp: port 23 -> telnet
dsniff: trigger_set_tcp: port 25 -> smtp
dsniff: trigger_set_ip: proto 47 -> pptp
dsniff: trigger_set_tcp: port 80 -> http
dsniff: trigger_set_ip: proto 89 -> ospf
dsniff: trigger_set_tcp: port 98 -> http
dsniff: trigger_set_tcp: port 106 -> poppass
dsniff: trigger_set_tcp: port 109 -> pop
dsniff: trigger_set_tcp: port 110 -> pop
dsniff: trigger_set_tcp: port 111 -> portmap
dsniff: trigger_set_tcp: port -111 -> portmap
dsniff: trigger_set_udp: port 111 -> portmap
dsniff: trigger_set_udp: port -111 -> portmap
dsniff: trigger_set_ip: proto 112 -> vrrp
dsniff: trigger_set_tcp: port 119 -> nntp
dsniff: trigger_set_tcp: port 139 -> smb
dsniff: trigger_set_tcp: port 143 -> imap
dsniff: trigger_set_udp: port 161 -> snmp
dsniff: trigger_set_tcp: port 220 -> imap
dsniff: trigger_set_tcp: port 261 -> telnet
dsniff: trigger_set_tcp: port 389 -> ldap
dsniff: trigger_set_tcp: port 417 -> mmxp
dsniff: trigger_set_udp: port 417 -> mmxp
dsniff: trigger_set_tcp: port 512 -> rlogin
dsniff: trigger_set_tcp: port 513 -> rlogin
dsniff: trigger_set_tcp: port 514 -> rlogin
dsniff: trigger_set_udp: port 520 -> rip
dsniff: trigger_set_tcp: port 587 -> smtp
dsniff: trigger_set_tcp: port 1080 -> socks
dsniff: trigger_set_tcp: port 1433 -> tds
dsniff: trigger_set_udp: port 1433 -> tds
dsniff: trigger_set_tcp: port 1494 -> citrix
dsniff: trigger_set_tcp: port 1521 -> oracle
dsniff: trigger_set_tcp: port 1526 -> oracle
dsniff: trigger_set_udp: port 2001 -> sniffer
dsniff: trigger_set_tcp: port 2401 -> cvs
dsniff: trigger_set_tcp: port 2417 -> mmxp
dsniff: trigger_set_udp: port 2417 -> mmxp
dsniff: trigger_set_tcp: port 2638 -> tds
dsniff: trigger_set_tcp: port 3128 -> http
dsniff: trigger_set_udp: port 4000 -> icq
dsniff: trigger_set_tcp: port 4444 -> napster
dsniff: trigger_set_tcp: port 5190 -> aim
dsniff: trigger_set_tcp: port 5432 -> postgresql
dsniff: trigger_set_tcp: port 5555 -> napster
dsniff: trigger_set_tcp: port 5631 -> pcanywhere
dsniff: trigger_set_tcp: port 6000 -> x11
dsniff: trigger_set_tcp: port 6001 -> x11
dsniff: trigger_set_tcp: port 6002 -> x11
dsniff: trigger_set_tcp: port 6003 -> x11
dsniff: trigger_set_tcp: port 6004 -> x11
dsniff: trigger_set_tcp: port 6005 -> x11
dsniff: trigger_set_tcp: port 6666 -> napster
dsniff: trigger_set_tcp: port 6667 -> irc
dsniff: trigger_set_tcp: port 6668 -> irc
dsniff: trigger_set_tcp: port 6669 -> irc
dsniff: trigger_set_tcp: port 7599 -> tds
dsniff: trigger_set_tcp: port 7777 -> napster
dsniff: trigger_set_tcp: port 8080 -> http
dsniff: trigger_set_tcp: port 8888 -> napster
dsniff: trigger_set_tcp: port 9898 -> aim
dsniff: trigger_set_tcp: port 65301 -> pcanywhere
dsniff: trigger_set_rpc: program 100005 -> mountd
dsniff: trigger_set_rpc: program 100004 -> ypserv
dsniff: trigger_set_rpc: program 100009 -> yppasswd
dsniff: listening on eth0
dsniff: trigger_tcp_raw: decoding port 8080 as http
dsniff: trigger_tcp_raw: decoding port 8080 as http
dsniff: trigger_tcp_raw: decoding port 8080 as http
dsniff: trigger_tcp_raw: decoding port 139 as smb
 
Old 10-02-2005, 03:43 PM   #2
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
If you want the exact capture data, you'll want to use a more robust sniffer like tcpdump, ettercap, or ethereal. dsniff is an application with a specific purpose: to capture and extract login credentials from known protocols.
 
Old 10-02-2005, 11:20 PM   #3
mmhat
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Rep: Reputation: 0
OK... but the thing is, what are the exact benefits of using Dsniff... I could use Ethereal, which specifies exactly each field in an SMB packet. This is one point.

You said: "dsniff is an application with a specific purpose to capture and extract login credentials from known protocols."

Q: Where exactly does dsniff extract login credentials to? In what format are they? How can they be retrieved?
 
Old 10-03-2005, 07:53 AM   #4
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Quote:
Originally posted by mmhat
Q: Where exactly does dsniff extract login credentials to? In what format are they? How can they be retrieved?
They are either written to STDOUT, or can be written to a file using the -w flag.
You may want to read the man page, and other informational pages found by googling dsniff.
 
Old 10-03-2005, 03:05 PM   #5
mmhat
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Yes man, you are to the point, GNUbie. I tried the -w [file] option in dsniff, BUT!!! I could not understand or interpret the meaning of what is inside it (it's codes and unintelligible symbols)... Therefore, let me rephrase my question: is there a tool or method that is capable of translating the content of this dsniff output file into meaningful text?

One last thing: you mentioned the output might be written to STDOUT. What is that? Can you please clarify this point?

I appreciate your cooperation with me.
Thanks
 
Old 10-03-2005, 07:18 PM   #6
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Quote:
Originally posted by mmhat
Yes man, you are to the point, GNUbie. I tried the -w [file] option in dsniff, BUT!!! I could not understand or interpret the meaning of what is inside it (it's codes and unintelligible symbols)... Therefore, let me rephrase my question: is there a tool or method that is capable of translating the content of this dsniff output file into meaningful text?

One last thing: you mentioned the output might be written to STDOUT. What is that? Can you please clarify this point?

I appreciate your cooperation with me.
Thanks
You can read the file that dsniff has saved to using the -r option. For example, if you ran dsniff with the following:
bash# dsniff -m -n -i eth0 -w /tmp/dsniff.logfile

You could then read the saved data using:
bash# dsniff -r /tmp/dsniff.logfile

As for your question of STDOUT... STDOUT is merely the place where a process normally puts its output. If you were to run dsniff from a terminal, and not use the -w flag, any login credentials detected by dsniff would be output to the screen in the terminal that dsniff was run from.
 
Old 10-03-2005, 08:10 PM   #7
mmhat
LQ Newbie
 
Registered: Sep 2005
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by GNUbie
You can read the file that dsniff has saved to using the -r option. For example, if you ran dsniff with the following:
bash# dsniff -m -n -i eth0 -w /tmp/dsniff.logfile

You could then read the saved data using:
bash# dsniff -r /tmp/dsniff.logfile
OK ... I believe this is where my problem begins...
I tried the write and read options for dsniff, BUT!!! it did not give me anything.

[root@localhost ~]# dsniff -r /tmp/ff.logfile
[root@localhost ~]#

and when I tried to open the file normally I get

[root@localhost ~]# kate /tmp/ff.logffile
kdecore (KAction): WARNING: KActionCollection::KActionCollection( QObject *parent, const char *name, KInstance *instance )

Using the editor Kate in Mandriva 10.1.
So where is the problem???
 
Old 10-04-2005, 02:48 AM   #8
int0x80
Member
 
Registered: Sep 2002
Posts: 310

Rep: Reputation: Disabled
Quote:
Originally posted by mmhat
OK ... I believe this is where my problem begins...
I tried the write and read options for dsniff, BUT!!! it did not give me anything.

[root@localhost ~]# dsniff -r /tmp/ff.logfile
[root@localhost ~]#

and when I tried to open the file normally I get

[root@localhost ~]# kate /tmp/ff.logffile
kdecore (KAction): WARNING: KActionCollection::KActionCollection( QObject *parent, const char *name, KInstance *instance )

Using the editor Kate in Mandriva 10.1.
So where is the problem???
You haven't captured any login credentials. Initiate some plaintext authenticated sessions (e.g. telnet, ftp, pop3, etc.) with dsniff running. Then you should have some findings. Also, storing your logfile in /tmp means that your logfile will be deleted when the computer reboots, as /tmp is thusly cleaned at that point.
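As an added illustration, not code from this thread or from dsniff itself, here is a small Python model of the port-trigger dispatch shown in the debug output at the top of the thread, written as an audit tool: a destination port selects a decoder, and cleartext FTP/POP3 logins are reported with the password redacted so an admin can see which services still accept unencrypted authentication. The addresses, usernames and passwords are constructed, and a flow with no trigger or with no completed login yields nothing, which is the same reason the dsniff -r run above came back empty.

```python
# Added example (not from this thread or the dsniff project): a toy model of
# dsniff's per-port trigger dispatch, used here to audit for cleartext logins.
# The port table is a subset of the trigger_set_tcp lines dsniff printed above.
TCP_TRIGGERS = {21: "ftp", 23: "telnet", 80: "http", 109: "pop",
                110: "pop", 139: "smb", 143: "imap", 8080: "http"}

def decode_user_pass(payload: bytes):
    """FTP and POP3 both send 'USER x' then 'PASS y' in the clear.
    Returns (user, password) once both have been seen, else None."""
    user = password = None
    for line in payload.decode("latin-1").splitlines():
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            user = arg.strip()
        elif verb.upper() == "PASS":
            password = arg.strip()
    return (user, password) if user and password else None

# Only two decoders here; smb/http/telnet triggers fire but yield nothing,
# which is one reason a capture file can come back empty.
DECODERS = {"ftp": decode_user_pass, "pop": decode_user_pass}

def audit(flows):
    """flows: list of (src_ip, dst_ip, dst_port, client_payload).
    Returns one finding per cleartext login observed, password redacted."""
    findings = []
    for src, dst, dport, payload in flows:
        proto = TCP_TRIGGERS.get(dport)
        if proto is None:          # no trigger: the flow is never decoded
            continue
        decoder = DECODERS.get(proto)
        if decoder is None:        # trigger fired, nothing to extract here
            continue
        creds = decoder(payload)
        if creds:
            user, password = creds
            findings.append(f"{proto} {src}->{dst}:{dport} user={user} "
                            f"password=<redacted, {len(password)} chars>")
    return findings

# Constructed sample flows (hypothetical addresses and credentials).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 21, b"USER alice\r\nPASS s3cret\r\n"),
    ("10.0.0.5", "10.0.0.2", 110, b"USER bob\r\nPASS hunter2\r\n"),
    ("10.0.0.6", "10.0.0.1", 21, b"USER carol\r\n"),             # login never completed
    ("10.0.0.5", "10.0.0.3", 22, b"SSH-2.0-OpenSSH_3.9p1\r\n"),  # encrypted: no trigger
    ("10.0.0.5", "10.0.0.4", 139, b"\x00\x00\x00\x2f\xffSMBr"),  # smb: no decoder here
]
```

Running audit(SAMPLE_FLOWS) yields exactly two findings, one for the FTP login and one for the POP3 login; the other three flows produce nothing, just as dsniff produces nothing until a plaintext session it can decode actually happens.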
 