Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: urlsnarf woes

From: Bog Witch <iambogwitch () gmail com>
Date: Thu, 8 Sep 2011 13:59:22 +0100
A quick update.

Although the urlsnarf is still not working, the use of httpry on a
VLAN tagged ethernet interface captures the information I was oping to
see. Capturing from the raw interface does not work efficiently and
only captures the source and destination addresses.

Thanks for the help, if anyone has any ideas as to who urlsnarf is not
functioning, I would be happy to hear them!

Cheers,

Bog

On Thu, Sep 8, 2011 at 9:59 AM, Bog Witch <iambogwitch () gmail com> wrote:

Hi Marcello,

Thanks for that. That has removed the VLAN tag (as verified by
Wireshark) but I am still not collecting URLs with urlsnarf.
Now I'm heavily confused. Iwas convinced that the VLAN tag was causing
the problems and your solution has successfully removed the VLAN tag.
If I run urlsnarf on eth0 (Internal network) and run up a browser, I
can capture URLs with urlsnarf. When it's running on the external
interface, it fails to collect URLs. The traffic is obviously there,
as wireshark will happily pick it up. I also have full capture running
to file and urlsnarf will not extract the URLs from the capture files
either!

So, I guess it's something obvious I'm missing. I'll give httpry a go,
as suggested by Paul Halliday but I would like to get urlsnarf working
as an intellectual exercise if nothing else!

Thanks again,

Bog

On Wed, Sep 7, 2011 at 5:22 PM, Marcello 'R.D.O.' Magnifico
<rdo-lists () yashima dyndns-server com> wrote:

 am I missing something more obvious?


Perhaps the problem can be just avoided.

Assuming that you're using some flavor of Linux, you could try and
set up a logical interface (i.e. eth0.10 for VLAN #10), a tagged
one, on top of a physical one; then, have another sniffer process
reading from it. That way, the kernel's network layer is expected to
strip away the tag from the top of the ethernet frame: the other sniffer
program shall see the incoming traffic as untagged, then decode it
properly. I guess you aren't required to set up an IP on the
logical interface in order to have a foot in the right VLAN; the setup
instructions, in order to do so, could be more/less fast/easy
depending on the Linux distribution you're on. For sure, Red Hat Linux
and its siblings/derivatives do that with just another configuration
file for the new logical interface.

The bad about such a solution, apart from forking a potentially high
number of processes, have a potentially high number of logical
interfaces to tap on and have no assurance that you can shut down
something at a given time without loosing new data, is that you need to
know in advance which 802.11Q VLAN numbers are in use. This is not such
an issue if you are the network manager and/or the VLAN allocation is
properly planned. Obviously, if you are asked to secure an undocumented
network, you can't count on anything but the data running through it.

If another sniffer could tell you just the VLAN tag numbers, a
bash/perl/whatever script of yours might parse its output in real time,
in order to fire up as many other interfaces+sniffers you need.


       best regards
       Marcello Magnifico


On Wed, 7 Sep 2011 11:47:54 +0100
Bog Witch <iambogwitch () gmail com> wrote:


Hi All,

I have used urlsnarf to good effect in previous organisations. I am
currently running a full capture of the external interface where I
currently work, dsniff is providing good results, along with mailsnarf
however urlsnarf is not providing me with any output. The only thing I
can distiguish between this trafffic and traffic tht provides a
urlsnarf output is that the failing traffic is VLAN tagged.

Is it possible to manipulate urlsnarf to ignore the VLAN tag in order
for me to capture URLs, is there a newer, VLAN aware tool I could be
using or am I missing something more obvious?

Thanks,

Bog

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------






------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: