9.19. Detecting Insecure Network Protocols
Problem
You want to determine if insecure protocols are being used on the network.
Solution
Use dsniff .
To monitor the network for insecure protocols:
# dsniff -m [-iinterface
] [-ssnap-length
] [filter-expression
]
To save results in a database, instead of printing them:
# dsniff -w gotcha.db [other options...
]
To read and print the results from the database:
$ dsniff -r gotcha.db
To capture mail messages from SMTP or POP traffic:
# mailsnarf [-iinterface
] [-v] [regular-expression
[filter-expression
]]
To capture file contents from NFS traffic:
# filesnarf [-iinterface
] [-v] [regular-expression
[filter-expression
]]
To capture URLs from HTTP traffic:
# urlsnarf [-iinterface
] [-v] [regular-expression
[filter-expression
]]
ngrep is also useful for detecting insecure network protocols. [Recipe 9.18]
Discussion
dsniff is not supplied with Red Hat or SuSE, but installation is straightforward. A few extra steps are required for two prerequisite libraries, libnet and libnids, not distributed by Red Hat. SuSE provides these libraries, so you can skip ahead to the installation of dsniff itself on such systems.
If you need the libraries, first download libnet , a toolkit for network packet manipulation, from http://www.packetfactory.net/projects/libnet, and unpack it:
$ tar xvzpf libnet-1.0.*.tar.gz
Then compile it:[10]
$ cd Libnet-1.0.* $ ./configure --prefix=/usr/local $ make
and install it as root:
# make install
We explicitly configure to install in /usr/local ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.