Driftnet command tutorial and examples

Sniffing consists of intercepting packets through a network to get their content. When we share a network, intercepting the traffic going through it is pretty easy with a sniffer, that’s why protocol encryption such as https is so important, when traffic is unencrypted even credentials go in plain text and can be intercepted by attackers.

This tutorial focuses on intercepting media, specifically images using the Driftnet sniffer, as you will see it will be only possible to capture images going through unencrypted protocols like http rather than https, and even unprotected images within sites protected with SSL (insecure elements).

The first part shows how to work with Driftnet and Ettercap and the second part combines Driftnet with ArpSpoof.

Using  Driftnet to capture images with Ettercap:

Ettercap is a suite of tools useful to carry out MiM (Man in the Middle) attacks with support for active and passive dissection of protocols, it supports plugins to add features and works by setting the interface in promiscuous mode and arp poisoning.

To begin, on Debian and based Linux distributions run the following command to install

# apt install ettercap-graphical -y

Now install Wireshark by running:

# apt install wireshark -y

During the installation process Wireshark will ask if non root users are able to capture packets, take your decision and press ENTER to continue.

Finally to install Driftnet using apt run:

# apt install driftnet -y

Once all software is installed, to prevent interrupting the target connection you need to enable IP forwarding by running the following command:

# cat /proc/sys/net/ipv4/ip_forward
# ettercap -Tqi enp2s0 -M arp:remote ////
# echo “1”> /proc/sys/net/ipv4/ip_forward

Check the ip forwarding was properly enabled by executing:

Ettercap will start scanning all hosts

While Ettercap scans the network run driftnet using the -i flag to specify the interface as in the following example:

# driftnet -i enp2s0

Driftnet will open a black window in which images will appear:

If images aren’t displayed even when you access from other devices images through unencrypted protocols test if IP forwarding is properly enabled again and then launch driftnet:

Driftnet will start showing images:

By default, intercepted images are saved inside the /tmp directory with the prefix “drifnet”. By adding the flag -d you can specify a destination directory, in the following example I save the results inside the directory called linuxhinttmp:

# driftnet -d linuxhinttmp -i enp2s0

You can check inside the directory and you will find the results:

Using Driftnet to capture images with ArpSpoofing:

ArpSpoof is a tool included in the Dsniff tools. The Dsniff suite includes tools for network analysis, packets capture and specific attacks against specified services, the entire suite includes:arpspoof,dnsspoof, tcpkill, filesnarf, mailsnarf, tcpnice, urlsnarf, webspy, sshmitm, msgsnarf, macof, etc.

While in the previous example captured images belonged to random targets in the current example I will attack the device with IP 192.168.0.9. In this case the process combines an ARP attack forging the real gateway address making the victim to believe we are the gateway; this is another classical example of a “Man In the Middle Attack”.

To begin, on Debian or based Linux distributions install the Dsniff packet through apt by running:

# apt install dsniff -y

Enable IP forwarding by executing:

# echo1> /proc/sys/net/ipv4/ip_forward

Run ArpSpoof defining the interface using the flag -i, define the gateway and target followed by the -t flag:

# sudo arpspoof -i wlp3s0 -t 192.168.0.1 192.168.0.9

Now launch Driftnet by running:

# driftnet -i wlp3s0

How to get protected against sniffing attacks

Intercepting traffic is pretty easy with any sniffing program, any user without knowledge and with detailed instructions like the found in this tutorial can carry out an attack intercepting private information.

While capturing traffic is easy, it is to encrypt it too so when captured it remains unreadable for the attacker. The proper way to prevent such attacks is keeping safe protocols like HTTP, SSH, SFTP and refuse to work through unsecure protocols unless you are within a VPN or sae protocol with endpoint authentication to prevent addresses forgery.

Configurations must be done properly as with software like Driftnet you are still able to steal media from SSL protected sites if the specific element goes through an insecure protocol.

Complex organizations or individuals in need of security assurance can rely on Intrusion Detection Systems with capability to analyze packets detecting anomalies.

Conclusion:

All software listed in this tutorial is included by default in Kali Linux, the main hacking Linux distribution and in Debian and derived repositories. Carrying out a sniffing attack targeting media like the attacks shown above is really easy and takes minutes. The main obstacle is, its only useful through unencrypted protocols which aren’t widely used anymore. Both Ettercap and the Dsniff suite which contains Arpspoof contain a lot of additional features and uses which were not explained in this tutorial and deserve your attention, the range of applications range  from sniffing images to complex attacks involving authentication and credentials like Ettercap when sniffing credentials for services such as  TELNET, FTP, POP, IMAP, rlogin, SSH1, SMB, MySQL, HTTP, NNTP, X11, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, MSN, YMSG or Monkey in the MIddle of dSniff (https://linux.die.net/man/8/sshmitm).

I hope you found this tutorial on Driftnet command tutorial and examples useful.

Comments are closed, but trackbacks and pingbacks are open.