The macosxhints Forums

pendraggon87 03-16-2009 02:50 PM

Dsniff not working!
 
So I have tried and tried, and then tried again, and just cannot seem to get dsniff working. I tried installing with macports, and when trying to run dsniff, got an error: Libnids not initialized. Compiling directly from source just gives me even more errors. I had heard that there is a patch out there for the program, but I do not know anything about it and cannot find any information on the web. Anyone able to help?

I need to make a security presentation, and part of it involves some white hat hacking, introduction to penetration testing, etc. If anyone also has recommendations on what techniques to show, that would be cool too :) This presentation is to a senior class at the University of Maryland, who are in the Business Information Systems major. I will be covering PHP security, packet sniffing, arp poisoning, mac spoofing, ddos, man in the middle, hashes and encryptions. Any other ideas?

~Pendraggon87

trevor 03-16-2009 03:15 PM

Fink has dsniff, and it works just fine. There's also a comment to a hint on the main Mac OS X Hints site, that links to an OS X precompiled binary including all libraries
http://www.macosxhints.com/article.p...10406124043420

I've got both installed on my Mac, and both versions work just fine. I've never tried the MacPorts version, so can't comment on that.

Trevor

pendraggon87 03-16-2009 03:18 PM

I tried fink but did not see the package listed - I will try again :) The link to the binaries has been removed, and they instead use the older version of dsniff, which I do not think works with libnet1.1

I saw the info on tcpdump. However, I do not know a good way to parse the output to make it human-reader-friendly - many of these students have never done anything of the sort before.

hayne 03-16-2009 04:01 PM

I just installed 'dsniff' via MacPorts on my 10.5.6 machine and it works fine.

trevor 03-16-2009 05:58 PM

Quote:

Originally Posted by pendraggon87 (Post 524327)
I tried fink but did not see the package listed - I will try again :)

I'm probably using the unstable branch of fink.

Code:

% fink list dsniff
Information about 5861 packages read in 12 seconds.
 i  dsniff          2.3-2        Network auditing and penetration test tools

% fink describe dsniff
Information about 5861 packages read in 10 seconds.

dsniff-2.3-2: Network auditing and penetration test tools
 dsniff is a collection of tools for network auditing and penetration
 testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and
 webspy passively monitor a network for interesting data (passwords,
 e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the
 interception of network traffic normally unavailable to an attacker
 (e.g, due to layer-2 switching). sshmitm and webmitm implement
 active monkey-in-the-middle attacks against redirected SSH and HTTPS
 sessions by exploiting weak bindings in ad-hoc PKI.
 .
 Web site: http://monkey.org/~dugsong/dsniff/
 .
 Maintainer: Ben Hines <bhines@alumni.ucsd.edu>

Trevor

pendraggon87 03-16-2009 08:44 PM

It is stuck on trying to fetch something called m4...
I do remember though that when I had installed through MacPorts originally, I tried running
Code:

dsniff Kismet_Log.dump
and got an error:
Code:

dsniff: Libnids not initialized.
What I was trying to do was use dsniff to parse through a Kismet dump and spit out the usernames and passwords it has, as a means to convince these students to start using the secure, encrypted network instead of the unsecure one.

pendraggon87 03-16-2009 09:18 PM

Here is the error I have when trying to build with macports:
Code:

...
--->  Building libpcap
Error: Target org.macports.build returned: shell command " cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_net_libpcap/work/libpcap-1.0.0" && make all shared " returned error 2
Command output: /usr/bin/gcc-4.0 -O2 -fno-common -O2 -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -c ./pcap-bpf.c
In file included from ./pcap-int.h:39,
                from ./pcap-bpf.c:106:
./pcap/pcap.h:339: error: conflicting types for 'bpf_filter'
/usr/local/include/net/bpf.h:369: error: previous declaration of 'bpf_filter' was here
./pcap/pcap.h:340: error: conflicting types for 'bpf_validate'
/usr/local/include/net/bpf.h:368: error: previous declaration of 'bpf_validate' was here
./pcap-bpf.c: In function 'pcap_inject_bpf':
./pcap-bpf.c:950: error: 'BIOCSHDRCMPLT' undeclared (first use in this function)
./pcap-bpf.c:950: error: (Each undeclared identifier is reported only once
./pcap-bpf.c:950: error: for each function it appears in.)
make: *** [pcap-bpf.o] Error 1

Error: The following dependencies failed to build: libnids libpcap
Error: Status 1 encountered during processing.


hayne 03-17-2009 01:15 AM

pendraggon87:
You don't seem to have mentioned what version of OS X you have.
I didn't build 'dsniff' from MacPorts source - I just did 'port install dsniff' and it installed libnids etc first.
Is your MacPorts install up to date? Try 'sudo port -d selfupdate'

pendraggon87 03-17-2009 01:18 AM

Quote:

Originally Posted by hayne (Post 524402)
pendraggon87:
You don't seem to have mentioned what version of OS X you have.
I didn't build 'dsniff' from MacPorts source - I just did 'port install dsniff' and it installed libnids etc first.
Is your MacPorts install up to date? Try 'sudo port -d selfupdate'

I am using Leopard, the most up-to-date version. I just did a fresh install of MacPorts 1.7. I typed in:
Code:

sudo port install dsniff
, and received those errors after it installed a lot of other stuff along the way. Could the error be because of trying to compile from source earlier? I don't think that should make a difference since ports installs into its own directory.

hayne 03-17-2009 01:22 AM

Quote:

Originally Posted by pendraggon87 (Post 524403)
I am using Leopard, the most up-to-date version. I just did a fresh install of MacPorts 1.7. I typed in:
Code:

sudo port install dsniff
, and received those errors after it installed a lot of other stuff along the way.

What errors?
I don't see where you have shown us the errors you got when trying to install dsniff - please show us them verbatim.

pendraggon87 03-17-2009 01:23 AM

Errors
 
As mentioned above, here are the errors I get. Everything goes fine until here:

Quote:

Originally Posted by pendraggon87 (Post 524385)
Here is the error I have when trying to build with macports:
Code:

...
--->  Building libpcap
Error: Target org.macports.build returned: shell command " cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_net_libpcap/work/libpcap-1.0.0" && make all shared " returned error 2
Command output: /usr/bin/gcc-4.0 -O2 -fno-common -O2 -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -c ./pcap-bpf.c
In file included from ./pcap-int.h:39,
                from ./pcap-bpf.c:106:
./pcap/pcap.h:339: error: conflicting types for 'bpf_filter'
/usr/local/include/net/bpf.h:369: error: previous declaration of 'bpf_filter' was here
./pcap/pcap.h:340: error: conflicting types for 'bpf_validate'
/usr/local/include/net/bpf.h:368: error: previous declaration of 'bpf_validate' was here
./pcap-bpf.c: In function 'pcap_inject_bpf':
./pcap-bpf.c:950: error: 'BIOCSHDRCMPLT' undeclared (first use in this function)
./pcap-bpf.c:950: error: (Each undeclared identifier is reported only once
./pcap-bpf.c:950: error: for each function it appears in.)
make: *** [pcap-bpf.o] Error 1

Error: The following dependencies failed to build: libnids libpcap
Error: Status 1 encountered during processing.



hayne 03-17-2009 01:32 AM

Quote:

Originally Posted by pendraggon87 (Post 524406)
As mentioned above, here are the errors I get.

I thought those were the errors you got when you tried to compile from source.

Please show us the full contents of your Terminal window from the point where you typed the command 'sudo port install dsniff' onwards.

pendraggon87 03-17-2009 01:35 AM

That is the full output when I run the command at this point. I can try uninstalling all the ports and then reinstalling dsniff to provide the full text if that works.

hayne 03-17-2009 01:37 AM

Quote:

Originally Posted by pendraggon87 (Post 524409)
That is the full output when I run the command at this point.

I want to see everything including the command that you typed to start this off (the 'port install' command).

Quote:

I can try uninstalling all the ports and then reinstalling dsniff to provide the full text if that works.
That would probably be a good idea.

pendraggon87 03-17-2009 02:20 AM

Here is the code of what I ran. I uninstalled all ports and ran fresh.

Code:

aaronkatz@Shadayim->~: sudo port install dsniff
--->  Fetching expat
--->  Verifying checksum(s) for expat
--->  Extracting expat
--->  Configuring expat
--->  Building expat
--->  Staging expat into destroot
--->  Installing expat @2.0.1_0
--->  Activating expat @2.0.1_0
--->  Cleaning expat
--->  Fetching gperf
--->  Verifying checksum(s) for gperf
--->  Extracting gperf
--->  Configuring gperf
--->  Building gperf
--->  Staging gperf into destroot
--->  Installing gperf @3.0.4_0
--->  Activating gperf @3.0.4_0
--->  Cleaning gperf
--->  Fetching libiconv
--->  Verifying checksum(s) for libiconv
--->  Extracting libiconv
--->  Applying patches to libiconv
--->  Configuring libiconv
--->  Building libiconv
--->  Staging libiconv into destroot
--->  Installing libiconv @1.12_2
--->  Activating libiconv @1.12_2
--->  Cleaning libiconv
--->  Fetching ncursesw
--->  Verifying checksum(s) for ncursesw
--->  Extracting ncursesw
--->  Configuring ncursesw
--->  Building ncursesw
--->  Staging ncursesw into destroot
--->  Installing ncursesw @5.7_0
--->  Activating ncursesw @5.7_0
--->  Cleaning ncursesw
--->  Fetching ncurses
--->  Verifying checksum(s) for ncurses
--->  Extracting ncurses
--->  Configuring ncurses
--->  Building ncurses
--->  Staging ncurses into destroot
--->  Installing ncurses @5.7_0
--->  Activating ncurses @5.7_0
--->  Cleaning ncurses
--->  Fetching gettext
--->  Verifying checksum(s) for gettext
--->  Extracting gettext
--->  Applying patches to gettext
--->  Configuring gettext
--->  Building gettext
--->  Staging gettext into destroot
--->  Installing gettext @0.17_4
--->  Activating gettext @0.17_4
--->  Cleaning gettext
--->  Fetching perl5.8
--->  Verifying checksum(s) for perl5.8
--->  Extracting perl5.8
--->  Configuring perl5.8
--->  Building perl5.8
--->  Staging perl5.8 into destroot
--->  Installing perl5.8 @5.8.9_2
--->  Activating perl5.8 @5.8.9_2
--->  Cleaning perl5.8
--->  Fetching perl5
--->  Verifying checksum(s) for perl5
--->  Extracting perl5
--->  Configuring perl5
--->  Building perl5
--->  Staging perl5 into destroot
--->  Installing perl5 @5.8.9_0
--->  Activating perl5 @5.8.9_0
--->  Cleaning perl5
--->  Fetching p5-locale-gettext
--->  Verifying checksum(s) for p5-locale-gettext
--->  Extracting p5-locale-gettext
--->  Applying patches to p5-locale-gettext
--->  Configuring p5-locale-gettext
--->  Building p5-locale-gettext
--->  Staging p5-locale-gettext into destroot
--->  Installing p5-locale-gettext @1.05_0
--->  Activating p5-locale-gettext @1.05_0
--->  Cleaning p5-locale-gettext
--->  Fetching help2man
--->  Verifying checksum(s) for help2man
--->  Extracting help2man
--->  Applying patches to help2man
--->  Configuring help2man
--->  Building help2man
--->  Staging help2man into destroot
--->  Installing help2man @1.36.4_1
--->  Activating help2man @1.36.4_1
--->  Cleaning help2man
--->  Fetching m4
--->  Verifying checksum(s) for m4
--->  Extracting m4
--->  Applying patches to m4
--->  Configuring m4
--->  Building m4
--->  Staging m4 into destroot
--->  Installing m4 @1.4.12_1
--->  Activating m4 @1.4.12_1
--->  Cleaning m4
--->  Fetching autoconf
--->  Verifying checksum(s) for autoconf
--->  Extracting autoconf
--->  Configuring autoconf
--->  Building autoconf
--->  Staging autoconf into destroot
--->  Installing autoconf @2.63_0
--->  Activating autoconf @2.63_0
--->  Cleaning autoconf
--->  Fetching automake
--->  Verifying checksum(s) for automake
--->  Extracting automake
--->  Configuring automake
--->  Building automake
--->  Staging automake into destroot
--->  Installing automake @1.10.2_0
--->  Activating automake @1.10.2_0
--->  Cleaning automake
--->  Fetching libtool
--->  Verifying checksum(s) for libtool
--->  Extracting libtool
--->  Configuring libtool
--->  Building libtool
--->  Staging libtool into destroot
--->  Installing libtool @2.2.6a_0
--->  Activating libtool @2.2.6a_0
--->  Cleaning libtool
--->  Fetching libnet
--->  Verifying checksum(s) for libnet
--->  Extracting libnet
--->  Applying patches to libnet
--->  Configuring libnet
--->  Building libnet
--->  Staging libnet into destroot
--->  Installing libnet @1.0.2a_4+darwin_9
--->  Activating libnet @1.0.2a_4+darwin_9
--->  Cleaning libnet
--->  Building libpcap
Error: Target org.macports.build returned: shell command " cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_net_libpcap/work/libpcap-1.0.0" && make all shared " returned error 2
Command output: /usr/bin/gcc-4.0 -O2 -fno-common -O2 -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -c ./pcap-bpf.c
In file included from ./pcap-int.h:39,
                from ./pcap-bpf.c:106:
./pcap/pcap.h:339: error: conflicting types for 'bpf_filter'
/usr/local/include/net/bpf.h:369: error: previous declaration of 'bpf_filter' was here
./pcap/pcap.h:340: error: conflicting types for 'bpf_validate'
/usr/local/include/net/bpf.h:368: error: previous declaration of 'bpf_validate' was here
./pcap-bpf.c: In function 'pcap_inject_bpf':
./pcap-bpf.c:950: error: 'BIOCSHDRCMPLT' undeclared (first use in this function)
./pcap-bpf.c:950: error: (Each undeclared identifier is reported only once
./pcap-bpf.c:950: error: for each function it appears in.)
make: *** [pcap-bpf.o] Error 1

Error: The following dependencies failed to build: libnids libpcap
Error: Status 1 encountered during processing.


hayne 03-17-2009 02:39 AM

Quote:

Originally Posted by pendraggon87 (Post 524413)
Code:

aaronkatz@Shadayim->~: sudo port install dsniff
--->  Fetching expat
--->  Verifying checksum(s) for expat
[...]
--->  Fetching libnet
--->  Verifying checksum(s) for libnet
--->  Extracting libnet
--->  Applying patches to libnet
--->  Configuring libnet
--->  Building libnet
--->  Staging libnet into destroot
--->  Installing libnet @1.0.2a_4+darwin_9
--->  Activating libnet @1.0.2a_4+darwin_9
--->  Cleaning libnet
--->  Building libpcap
Error: Target org.macports.build returned: shell command " cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_ports_net_libpcap/work/libpcap-1.0.0" && make all shared " returned error 2
Command output: /usr/bin/gcc-4.0 -O2 -fno-common -O2 -I.  -DHAVE_CONFIG_H  -D_U_="__attribute__((unused))" -c ./pcap-bpf.c
In file included from ./pcap-int.h:39,
                from ./pcap-bpf.c:106:
./pcap/pcap.h:339: error: conflicting types for 'bpf_filter'
/usr/local/include/net/bpf.h:369: error: previous declaration of 'bpf_filter' was here
./pcap/pcap.h:340: error: conflicting types for 'bpf_validate'
/usr/local/include/net/bpf.h:368: error: previous declaration of 'bpf_validate' was here


I don't have any "net" folder under "/usr/local/include" on my machine.
It looks like MacPorts is using the header files that you have there for some reason and this is screwing it up.
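
Added example, not part of the post above or of MacPorts: a shell sketch of the diagnosis made here, first pulling out of a gcc build log any header outside the port prefix that is named in a "previous declaration" error, then listing headers in a local include tree that differ from the system copy of the same name. The function names are hypothetical, the sample log lines are copied from this thread, and `/opt/local`, `/usr/local/include` and `/usr/include` are assumed from the paths in the log.

```shell
#!/bin/sh
# Added example (not from the thread): two checks for a header outside the
# MacPorts prefix being picked up during a port build.

# foreign_headers_in_log PREFIX < build.log
# Prints each header named in a gcc "previous declaration" error that lives
# outside PREFIX, i.e. a header the port did not install itself.
foreign_headers_in_log() {
    prefix=$1
    sed -n 's|^\(/[^:]*\.h\):[0-9]*: error: previous declaration of .*|\1|p' |
    sort -u |
    while IFS= read -r path; do
        case $path in
            "$prefix"/*) ;;                 # inside the prefix: expected
            *) printf '%s\n' "$path" ;;     # outside: candidate culprit
        esac
    done
}

# shadowing_headers LOCAL_INC SYSTEM_INC
# Prints headers (paths relative to LOCAL_INC) that exist in both trees with
# different content, so a build could see two competing declarations.
shadowing_headers() {
    local_inc=$1
    system_inc=$2
    [ -d "$local_inc" ] || return 0
    ( cd "$local_inc" && find . -type f -name '*.h' ) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        if [ -f "$system_inc/$rel" ] && ! cmp -s "$local_inc/$rel" "$system_inc/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Sample input: four error lines copied from the build log in this thread.
sample_log() {
    cat <<'EOF'
./pcap/pcap.h:339: error: conflicting types for 'bpf_filter'
/usr/local/include/net/bpf.h:369: error: previous declaration of 'bpf_filter' was here
./pcap/pcap.h:340: error: conflicting types for 'bpf_validate'
/usr/local/include/net/bpf.h:368: error: previous declaration of 'bpf_validate' was here
EOF
}

# Run the log check on the sample; /opt/local is the prefix seen in the log.
sample_log | foreign_headers_in_log /opt/local
# On the affected machine (paths assumed from the log) the second check is:
#   shadowing_headers /usr/local/include /usr/include
```

Identifying which installer left the stray header is a separate step; the script only locates it.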

pendraggon87 03-17-2009 02:42 AM

Could it be from a Wireshark installation? The contents of the /usr/local/net folder are: bpf.h
That is the only file there.

pendraggon87 03-17-2009 02:47 AM

I just ran sudo mv /usr/local/include/net /usr/local/include/net1 and after that dsniff installed without a hitch. Now to wait till I can find a network to test it on. There is no one on this network right now but me :)

pendraggon87 03-17-2009 02:49 AM

Not sure if it is working though. Running:
Code:

sudo dsniff -i en1
gets me nadda.

pendraggon87 03-17-2009 02:54 AM

Ok, so I can run some of the utilities, like urlsnarf. However, sudo dsniff -i en1 shows up nothing, and trying sudo dsniff KismetLog.dump gets me a
Code:

aaronkatz@Shadayim->~: sudo dsniff Kismet-Mar-17-2009-1.dump
dsniff: nids_init: Libnids not initialized

As I recall, this is the way to parse the kismet dump file to scan for usernames and passwords to print in a nice list. I could use Wireshark I know for something like that, but I have not yet managed to become comfortable enough with the clunky interface.

pendraggon87 03-17-2009 03:15 AM

Additionally, msgsnarf seems to segfault constantly. Was there something wrong with moving that /usr/local/include/net/ folder?

hayne 03-17-2009 10:35 AM

Quote:

Originally Posted by pendraggon87 (Post 524420)
Not sure if it is working though. Running:
Code:

sudo dsniff -i en1
gets me nadda.

Are you doing anything that sends passwords in the clear? - e.g. retrieving email from a POP server account that doesn't use SSH.

pendraggon87 03-17-2009 04:19 PM

I tried creating a form that sent username and password in the clear to itself, got nothing. And trying
Code:

sudo dsniff -r KismetLog.dump
tells me it is in an invalid format. How would I get Kismet to output in the correct pcap format for dsniff?

pendraggon87 03-24-2009 04:16 AM

Quote:

Originally Posted by hayne (Post 524456)
Are you doing anything that sends passwords in the clear? - e.g. retrieving email from a POP server account that doesn't use SSH.

I am doing a bunch of stuff that sends passwords in the clear and get nada. When running nessus on a site, dsniff will output the requests nessus is making, but when I go to an insecure site and send everything in cleartext, I get nothing.

For reading pcap files, I see there needs to be a patch, from: http://www.netstumbler.org/f50/dsnif...network-15596/

but I do not know how to actually implement the patch, as I get errors when trying.

I think I may just give up on dsniff - it's a great concept but just isn't working.

