LinuxQuestions.org


bobr 07-15-2003 04:20 PM

webspy
 
When I start webspy (dsniff) I get this return - 'listening on eth0'
but I get no return on Netscape from the target machine. I've done this correctly at one time but I forgot how to. Anybody else know?

unSpawn 07-17-2003 09:40 AM

How did you start it, what is your commandline? If you "strace -v /path/to/webspy <args>" does it show parsing any traffic?

If this is your own private network *only you* muck on (not invading other people's privacy): are you in the position to actually see traffic from that host (network topo)? Tried using a MiM tool?

mickyg 12-13-2005 03:35 AM

I have the same problem. I haven't managed to get it working but I read somewhere that you can't use the dsniff tools on a switched LAN without ARP poisoning the victim's PC. I've tried using arpspoof and ettercap to do this and although I am able to arp poison with ettercap I still couldn't get webspy to work. I'll have to see if I can get any of the other tools to work.

Sorry I couldn't be of more help

mickyg 01-06-2006 05:55 PM

Ok, I managed to get this to work. Hooray! It's not perfect but it's good enough.

If you're on a network where you and the victim are connected via a hub then you shouldn't need to do a mitm (man in the middle) attack, however, if you are connected via a switch then you will. I recommend using ettercap for that.

Once you've got the mitm set up (if needed) you'll need to start up your browser, I've only used webspy from knoppix-std so I've only tried this using mozilla/firefox, but I would assume any browser should be fine.

After your browser's started you then need to run webspy, passing the IP address of the victim's PC and optionally the interface on your PC to listen to,
i.e. $ webspy -i eth0 192.168.2.100

Then all you need is for the victim to start surfing!

Two notes on this though:

1) webspy doesn't seem to be able to cope with tabbed browsing very well, i.e. if the victim is using a tabbed browser then things can get a bit messy and it doesn't always pick up every URL for some reason. I've been redirected to the KDE home site when the victim PC requested somewhere completely different.

2) this should only be tried out on a network that either you own (i.e. your home network) or where you have express permission from the powers that be, seriously. Just as ettercap can be used to ARP poison (perform mitm attacks), it can also be used to detect them...

mickyg 01-07-2006 08:54 AM

Sorry, I forgot to mention that you'll need to enable IP forwarding in the kernel. This is done by issuing this command as root:

echo 1 > /proc/sys/net/ipv4/ip_forward

I don't know whether this is needed on a hubbed network but it's definitely needed on a switched network and should be done before you attempt the mitm setup in ettercap.
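
Added example, not part of the thread: mickyg's second note says ARP poisoning can also be detected, and the sketch below shows one way a host can check for it by comparing two snapshots of its own ARP cache in the /proc/net/arp layout. The function names, the snapshot variables and all addresses are constructed for illustration; on a live host the text would be read from /proc/net/arp.

```python
from collections import defaultdict

# Constructed sample snapshots in /proc/net/arp layout (not captured data).
HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
BASELINE = HEADER + (
    "192.168.2.1      0x1         0x2         02:00:00:00:00:01     *        eth0\n"
    "192.168.2.100    0x1         0x2         02:00:00:00:00:64     *        eth0\n"
    "192.168.2.50     0x1         0x0         00:00:00:00:00:00     *        eth0\n"
)
OBSERVED = HEADER + (
    "192.168.2.1      0x1         0x2         02:00:00:00:00:C8     *        eth0\n"
    "192.168.2.100    0x1         0x2         02:00:00:00:00:64     *        eth0\n"
    "192.168.2.200    0x1         0x2         02:00:00:00:00:c8     *        eth0\n"
)

def parse_arp(text):
    """Return {(device, ip): mac} for resolved entries only."""
    table = {}
    for line in text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue                          # blank or malformed line
        ip, _hw, flags, mac, _mask, dev = fields
        if not int(flags, 16) & 0x2:          # ATF_COM unset: entry never resolved
            continue
        table[(dev, ip)] = mac.lower()        # normalise case before comparing
    return table

def find_anomalies(baseline, observed):
    """Compare two snapshots; return a list of finding tuples."""
    old, new = parse_arp(baseline), parse_arp(observed)
    findings = []
    # An IP that now resolves to a different MAC than it did in the baseline.
    for key, mac in sorted(new.items()):
        if key in old and old[key] != mac:
            findings.append(("mac-changed", key[1], old[key], mac))
    # One MAC answering for several IPs; proxy ARP or multi-homed hosts can
    # also cause this, so treat it as a lead to check, not proof.
    owners = defaultdict(list)
    for (dev, ip), mac in new.items():
        owners[(dev, mac)].append(ip)
    for (dev, mac), ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(BASELINE, OBSERVED):
        print(finding)
```

In the constructed data the gateway address 192.168.2.1 changes MAC and then shares it with 192.168.2.200, which is the pattern a poisoned cache shows from the affected host's side.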

