Welcome back, my tenderfoot hackers!
We have looked at a number of ways that we can sniff traffic on the network with such tools as Wireshark, tcpdump, dsniff, and others, but each of these tools is only capable of pulling packets off the wire.
Those packets can be examined for various attributes such as the source and destination IP addresses, the source and destination ports, the ASCII characters in the packet, and if we're lucky, maybe a password or two. Usually our sniffing is visualized like the Wireshark output below.
What none of these tools do is detect and display graphic files that are passing over the wire. Such a tool would need to be able to...
- Identify the packets that carry a portion of a graphic file's binary data,
- Then reassemble that binary data from the packets in the right order,
- And then display the result.
That is quite a task for any tool to do.
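The three steps above, reduced to a toy, as an added example that is not part of the original post or of driftnet's own code. The segments, the HTTP header and the minimal JPEG-like body are all constructed here; reassembly is by TCP sequence number and the carving relies only on the JPEG start-of-image and end-of-image markers.

```python
"""Reassemble constructed TCP payloads and carve the JPEG they carry (added example)."""
from typing import List, Tuple

JPEG_SOI = b"\xff\xd8\xff"   # start of image, followed by the first segment marker (e.g. APP0)
JPEG_EOI = b"\xff\xd9"       # end of image

# Constructed cleartext HTTP response: 45 header bytes, then a 22-byte JPEG-like body
# (SOI, a 16-byte APP0 "JFIF" segment, EOI). It is not a decodable picture.
HTTP_HEADER = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
STREAM = HTTP_HEADER + FAKE_JPEG


def make_segments(stream: bytes, cut_points: List[int], base_seq: int = 1000) -> List[Tuple[int, bytes]]:
    """Split a byte stream at the given offsets into (tcp_seq, payload) pairs."""
    bounds = [0, *cut_points, len(stream)]
    return [(base_seq + a, stream[a:b]) for a, b in zip(bounds, bounds[1:])]


# Constructed capture: segments arrive out of order, one is retransmitted, and the
# cut at offset 46 splits the SOI marker (0xFF at 45, 0xD8 at 46) across two segments,
# so no single packet contains a recognisable image on its own.
_ordered = make_segments(STREAM, [20, 46, 55])
SEGMENTS = [_ordered[2], _ordered[0], _ordered[3], _ordered[1], _ordered[0]]


def reassemble(segments: List[Tuple[int, bytes]]) -> bytes:
    """Step 2: order payloads by sequence number, dropping duplicate (retransmitted) segments."""
    by_seq = {}
    for seq, payload in segments:
        by_seq.setdefault(seq, payload)
    return b"".join(by_seq[seq] for seq in sorted(by_seq))


def carve_jpegs(stream: bytes) -> List[bytes]:
    """Step 1 applied to the joined stream: every range from a SOI marker to the next EOI."""
    images, pos = [], 0
    while True:
        start = stream.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = stream.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break  # truncated: the capture ended before the image's EOI arrived
        images.append(stream[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return images


def carve_from_capture(segments: List[Tuple[int, bytes]]) -> List[bytes]:
    """Steps 1 and 2 together; step 3 (display) would hand each result to an image viewer."""
    return carve_jpegs(reassemble(segments))
```

The carve works only because the response is cleartext HTTP; over TLS the same segments would yield no markers, which is the mitigation the rest of the post implies.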
Fortunately for us, such a tool has been developed, albeit still in beta form. The tool is called driftnet and it was developed by Chris Lightfoot and is packaged with both Kali and BackTrack. Although far from perfect, it gives us the capability to sniff the wire for graphics, audio, or MPEG4 images and display them to an X window.
In our example situation, we'll be trying to determine what kind of images our neighbor is looking at. If you suspect your neighbor of watching pornographic films online, you can get a general idea of what their tastes may be by viewing trends in your area, but we'll be trying to pinpoint exactly what they're looking at instead.
Let's fire up Kali and open driftnet. Go to Applications, Kali Linux, Sniffing/Spoofing, Web Sniffers, and then driftnet.
When you do, you will be greeted by this driftnet help screen.
Using driftnet is very simple without any options. Simply type the following at the prompt.
- kali > driftnet
When you do so, driftnet will open a small X window screen in the upper left-hand corner as seen in the screenshot below. Expand that screen as large as possible, if you want to see the images going across the wire.
If you do not designate a directory to store the images in (-d switch), driftnet will create a directory within your /tmp directory to store the images it captures.
Next, we need to get inside our neighbor's network. We can do this by connecting to his access point (AP) in any of several ways. Check out my tutorials on cracking WEP passwords, WPA2 passwords and using Reaver or coWPAtty to crack WPS.
Maybe even easier would be to set up an Evil Twin and let your neighbor connect to it. Remember, your neighbor's computer will automatically connect to the strongest AP. You can turn the power up on your AP so that your Evil Twin is stronger than his local AP and he will automatically connect to yours. Then, you can easily sniff all his traffic!
Of course, if it's your own AP and you're curious as to what your child, spouse, or girlfriend is viewing online, you won't need to do any cracking. You simply start sniffing the traffic and capturing the graphic images with driftnet.
I hope it goes without saying that this technique applies equally well to your corporate, school, or other institution's network. The key issue with these wired networks is overcoming the fact that the switch isolates traffic, but this can be overcome in a number of different ways such as MAC flooding or using dsniff.
Now, let's go back to the driftnet X window screen to see what our neighbor has been viewing.
Hmm...looks like he hasn't been viewing porn at all, but rather the latest Sports Illustrated Swimsuit issue!
The viewer in driftnet is great for viewing what is crossing the wire in real time, but driftnet also captures the images and places them on your computer in the /tmp directory. Navigate to /tmp with the following.
- kali > cd /tmp
Then, list all the directories there.
- kali > ls -l
At the very top of my screen and the directory listing, you can see a new directory named drifnet-y46mNv. Note that driftnet is spelled incorrectly. After all, it is only a beta.
Next, navigate to that directory.
- kali > cd drifnet-y46mNv
And then list the contents.
- kali > ls -l
Here we can see all the images that driftnet captured as we were sniffing our neighbor's traffic. Driftnet can also be used to capture MPEG4 files and audio files, but I'll leave that for another day.
Driftnet is one of those open source tools that does the job, but still needs a bit of refinement. In our case, it enabled us to snoop on our neighbor's Internet viewing. We'll explore more of driftnet's capabilities in future tutorials, so keep coming back, my tenderfoot hackers!