PHoss
Phenoelit's own security sniffer
Documentation
Disclaimer
This program comes as it is. Use it at your own risk. This is free software with ABSOLUTELY NO WARRANTY. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of FITNESS FOR A PARTICULAR PURPOSE. It is free software but not under the terms of the GNU General Public License. Modification is not permitted. Use it as it is or let it be. Redistribution is not permitted. You can give it to others for free. The exception is commercial use: you need to ask me! Don't use it for commercial purposes without permission explicitly given to you. You can get such permission only from the owner of the copyright.
Introduction
For all who do not know what the hell a sniffer is:
A sniffer is software that opens a network interface for all packets, not only for the packets addressed to this interface. This means that the sniffer hears everything. A sniffer can analyse the packets sent and received over this segment.
ATTENTION:
Segment means a flat cable. All stations connected to the same bus are on the
same segment. You share the bus with other stations if you use 10Base2 or
10BaseT connected to a hub. A switch prevents the use of a sniffer
because traffic for other stations does not pass your interface.
PHoss is a sniffer. A normal sniffer is designed to find problems
in data communication on the network. PHoss is designed to know some protocols
which use (or may use) clear-text passwords. Many protocols are designed to
use secure authentication, but as a fallback they define a lowest level of
authentication using clear text. Many companies use this lowest fallback
as the default setting so that the product works in many environments.
This is our point to start from.
How to use
The usage is simple. Really.
Log on to your Linux box as root and start PHoss:
./Phoss
If you like to see what's going on, use the -v (verbose) option. Each additional v increases the verbosity level; -vvv is the maximum.
The other options are:
- -i: specify the interface to listen on.
- -f: set up filter rules like in tcpdump(1). If you don't know them, read the man pages of tcpdump(1).
- -P: Disable the identification of protocols using the target port. This disables all protocols which can not be identified by patterns (like Telnet and LDAP).
  Use this option seldom - only if you have significant problems.
- -p: Disable the identification using patterns. This disables all protocols on the way to a non-default port.
  Use this option seldom - only if you have significant problems.
Technical details
PHoss supports the following protocols in the current version:
- HTTP
HTTP Basic authentication is supported. One effect is that you get a
password message for every HTTP packet, because each of them contains the username
and password. Sorry for that, but it is a minor problem.
- FTP
FTP authentication works fine. Because FTP sends username and password in different packets, PHoss attaches itself to this conversation and waits for the matching password packet before it reports to you.
- POP3
POP3 works like FTP. That's all.
- IMAP4
The different authentication possibilities in IMAP4 require different procedures. In fact it works like POP3 or FTP, but it has to keep track of more than two packets.
Attention: IMAP4 clients log on to the server only once per session. If you like to see IMAP4 passwords, start PHoss in the early morning, because the time to get IMAP4 passwords is the start of the office hours.
- LDAP
LDAP, like HTTP, carries the authentication in one packet. This makes it simple. The structure of LDAP itself is a little bit confusing and hard to scan in real time, so you may miss some passwords ...
- Telnet
Because Telnet does not carry any authentication itself, it works completely differently. The Telnet handler saves all characters sent from the client to the server, including linefeeds. After 4 or 5 linefeeds it stops listening to this conversation and drops you a block of data:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Source: 192.168.7.8:1172
Destination: 192.168.7.200:23
Protocol: Telnet
Data:
+++telnet+++
dummy
test123
ls -al
cat .b_
clear
---telnet---
The block between +++telnet+++ and ---telnet--- is the captured data. So, you know your target box and this means:
On the first prompt (login:) he entered "dummy"...
On the second prompt (password) he entered "test123".
After this, he did an "ls -al", followed by "cat .b_" and a "clear".
In this case, the "cat .b_" was "cat .b[TAB]ash_[TAB]history" .. you know?
Why more than 2 lines? Why 5? See for yourself:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Source: 192.168.7.8:1174
Destination: 192.168.7.200:23
Protocol: Telnet
Data:
+++telnet+++
dummy
test123
su -
SuP3Rse(
vi /etc/passwd
---telnet---
Isn't it cool?
- VNC
VNC does not transfer the password in clear text, but its challenges and the corresponding responses can be cracked with VNCrack.
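The protocol list above describes two ways a sniffer recognises a conversation (by target port, which -P switches off, and by payload pattern, which -p switches off) and two ways it collects a login (HTTP Basic in a single packet, FTP/POP3 spread over a USER and a PASS packet). The following is an added example, not PHoss code and not from Phenoelit, that shows the same mechanics from the auditing side: it walks over client-to-server TCP segments, identifies the protocol by port first and by pattern second, tracks the USER/PASS pair per flow, flags Telnet sessions, and reports which servers still accept clear-text logins and which accounts are exposed. Passwords are discarded rather than stored, and the repeated HTTP Basic header is reported only once per flow and user. The packet tuples, the IP addresses and the names `identify`, `CleartextAuthAuditor` and `audit` are all constructed for this example.

```python
"""Clear-text authentication audit over captured TCP payloads (constructed example)."""
import base64
import re

# Identification by destination port (the lookup that -P disables in PHoss).
PORT_TO_PROTO = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3",
                 143: "IMAP4", 389: "LDAP"}

# Identification by payload pattern for services on non-default ports (the
# lookup that -p disables). Telnet and LDAP have no usable pattern here.
PATTERNS = [
    ("HTTP", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("FTP", re.compile(rb"^(?:USER|PASS) [^\r\n]*\r\n")),
]


def identify(dport, payload, use_port=True, use_pattern=True):
    """Return the protocol name for a client->server segment, or None."""
    if use_port and dport in PORT_TO_PROTO:
        return PORT_TO_PROTO[dport]
    if use_pattern:
        for name, rx in PATTERNS:
            if rx.match(payload):
                return name
    return None


BASIC_RX = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)
USERPASS_RX = re.compile(rb"^(USER|PASS) ([^\r\n]*)", re.M)


class CleartextAuthAuditor:
    """Flags clear-text logins per flow; the password itself is never kept."""

    def __init__(self):
        self.pending_user = {}   # flow -> username from USER, waiting for PASS
        self.reported = set()    # (proto, client, server, user) already reported
        self.findings = []

    def _report(self, proto, flow, user):
        key = (proto, flow[0], flow[1], user)
        if key in self.reported:   # HTTP repeats the header on every request
            return
        self.reported.add(key)
        self.findings.append({"proto": proto, "client": flow[0],
                              "server": flow[1], "user": user})

    def feed(self, src, sport, dst, dport, payload):
        """Process one client->server segment; returns the identified protocol."""
        flow = (f"{src}:{sport}", f"{dst}:{dport}")
        proto = identify(dport, payload)
        if proto == "HTTP":
            for m in BASIC_RX.finditer(payload):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:
                    continue
                # Keep only the account name; the part after ':' is dropped.
                self._report("HTTP-Basic", flow, decoded.split(b":", 1)[0].decode("latin-1"))
        elif proto in ("FTP", "POP3"):
            # USER and PASS arrive in separate segments: remember USER, finish on PASS.
            for m in USERPASS_RX.finditer(payload):
                cmd, arg = m.group(1), m.group(2).decode("latin-1")
                if cmd == b"USER":
                    self.pending_user[flow] = arg
                elif cmd == b"PASS" and flow in self.pending_user:
                    self._report(proto, flow, self.pending_user.pop(flow))
        elif proto == "Telnet":
            # Telnet has no login structure on the wire; the session itself is the finding.
            self._report("Telnet", flow, None)
        return proto


def audit(packets):
    """Run the auditor over (src, sport, dst, dport, payload) tuples and return findings."""
    auditor = CleartextAuthAuditor()
    for src, sport, dst, dport, payload in packets:
        auditor.feed(src, sport, dst, dport, payload)
    return auditor.findings


# Constructed sample traffic; addresses and values are made up for this example.
_BASIC = base64.b64encode(b"dummy:test123")
SAMPLE_PACKETS = [
    ("192.168.7.8", 1172, "192.168.7.200", 80,
     b"GET /intranet/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic " + _BASIC + b"\r\n\r\n"),
    ("192.168.7.8", 1172, "192.168.7.200", 80,   # same flow, same header: deduplicated
     b"GET /intranet/index.html HTTP/1.1\r\nAuthorization: Basic " + _BASIC + b"\r\n\r\n"),
    ("192.168.7.8", 1173, "192.168.7.200", 21, b"USER dummy\r\n"),
    ("192.168.7.8", 1173, "192.168.7.200", 21, b"PASS test123\r\n"),
    ("192.168.7.8", 1175, "192.168.7.200", 2121, b"USER anonymous\r\n"),   # pattern only
    ("192.168.7.8", 1175, "192.168.7.200", 2121, b"PASS guest@\r\n"),
    ("192.168.7.8", 1174, "192.168.7.200", 23, b"\xff\xfb\x18"),          # Telnet negotiation
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKETS):
        print(finding)
```

Each finding names the protocol, the client and server endpoints and, where the protocol carries one, the account name, which is enough to locate the server that still offers the clear-text fallback and the user whose password needs rotating once the fallback is switched off.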