angst - an active sniffer
by Patroklos Argyroudis <argp at domain cs.tcd.ie>

[ Introduction ]

Angst is an active sniffer, based on libpcap and libnet.  Angst provides
methods for aggressive sniffing on switched local area network environments.
It dumps the payload of all the TCP packets received on the specified ports.
Moreover, it implements methods for active sniffing.  Angst currently provides
two active sniffing methods.  The first monitors ARP requests, and after
enabling IP forwarding on the local host, sends ARP replies mapping all IPs
to the local MAC address.  The second method floods the local network with
random MAC addresses (like macof v1.1 by Ian Vitek), causing switches to send
packets to all ports.  Made just for testing purposes and fun.  If you compile
it on any platform other than the ones listed below, please contact me at the
above email address.  As always, published under a BSD style license, see the
included LICENSE file.
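The ARP method above works by answering every ARP request with the local MAC, so on the wire it looks like one MAC claiming many IPs and known IP-to-MAC bindings suddenly changing.  The following is an added defender's-side example (not part of angst) that checks a list of observed ARP replies for exactly those two symptoms; the sample replies, the field layout (seconds, sender IP, sender MAC) and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitor on the segment might
# record them: (seconds since start, sender IP, sender MAC).  Not real traffic.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),  # gateway answers normally
    (0.5, "192.168.1.10", "00:11:22:33:44:0a"),  # a workstation
    (1.0, "192.168.1.1",  "00:11:22:33:44:EE"),  # gateway IP now claimed by another MAC
    (1.2, "192.168.1.10", "00:11:22:33:44:ee"),  # same MAC claims the workstation too
    (1.4, "192.168.1.20", "00:11:22:33:44:ee"),
    (1.6, "192.168.1.30", "00:11:22:33:44:ee"),
]


def analyse_arp_replies(replies, max_ips_per_mac=2):
    """Walk ARP replies in order and return two findings:

    many  - dict of MAC -> sorted IPs for MACs that claimed more than
            max_ips_per_mac distinct IPs (one host answering for everyone)
    flips - list of (time, ip, old_mac, new_mac) where an IP's binding
            changed (a cache that trusted the new reply is now poisoned)
    """
    ips_by_mac = defaultdict(set)
    mac_by_ip = {}
    flips = []
    for ts, ip, mac in replies:
        mac = mac.lower()                  # normalise case before comparing
        ips_by_mac[mac].add(ip)
        prev = mac_by_ip.get(ip)
        if prev is not None and prev != mac:
            flips.append((ts, ip, prev, mac))
        mac_by_ip[ip] = mac
    many = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) > max_ips_per_mac}
    return many, flips


if __name__ == "__main__":
    many, flips = analyse_arp_replies(SAMPLE_REPLIES)
    for mac, ips in many.items():
        print(f"MAC {mac} claimed {len(ips)} IPs: {', '.join(ips)}")
    for ts, ip, old, new in flips:
        print(f"t={ts:.1f}s {ip} changed from {old} to {new}")
```

The threshold is deliberately low for the sample; on a real segment, hosts with several legitimate addresses (routers, virtual IPs) need to be allowed for before a MAC is flagged.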

[ Supported platforms ]

Angst has been thoroughly tested on the following platforms:

OpenBSD 2.8 (i386)
OpenBSD 2.7 (i386)
OpenBSD 2.6 (i386)

Also, angst is known to compile and run on:

FreeBSD 4.2-STABLE (i386)
NetBSD 1.4.2 (i386)
Slackware Linux 7.1, with 2.2.13 kernel (i386)

[ Compilation and installation ]

You must first build and install libpcap and libnet.  BSD systems have
libpcap installed by default.  If you test it on any platform other than
the ones mentioned, send me the diffs.  It should be portable since it is
based on libpcap and libnet.

If you run {Free,Net,Open}BSD simply type:	make
If you run Linux type:				make -f Makefile.linux

In order to compile with debug support, edit the Makefile that corresponds
to your platform and remove the comment from -DDEBUG.

In order to install angst type:	make install
This will install the angst binary to /usr/local/sbin and the angst manual
page to /usr/local/man/man8.

To uninstall angst type:	make uninstall

[ Usage ]

By invoking angst with the -h switch you get the following help message:

                        [ angst - an active sniffer ]
               [ Patroklos Argyroudis <argp at domain bsd.gr> ]

usage: angst [active sniffing method] [active sniffing options] [options]

active sniffing methods:
        [ -a    man-in-the-middle ARP method ]
        [ -f    flood random MAC addresses method ]

active sniffing options:
	[ -d	don't try to enable IP forwarding on the local host ]
        [ -s    specify the seconds between each flooding for flood method,
                or the seconds between the injection of the fake ARP replies ]
        [ -c    specify the number of packets to flood, for flood method ]

options:
        [ -h    this help message ]
        [ -p    don't put the interface into promiscuous mode ]
        [ -r    resolve IP addresses ]
        [ -v    display the version number and exit ]
        [ -i    specify which interface to use ]
        [ -l    specify the log filename ]
	[ -e	specify the port numbers to build the filter expression ]

Note that there are default values for all the command line arguments.  In
order to keep things cleaner, you cannot specify a filter expression as a
command line option.  In order to monitor ports other than the default ones
(21, 23, 110, 143) you have to specify them with the -e switch.  The -e switch
accepts comma-separated port numbers, and from them it builds a correct filter
expression.  An example usage of the -e switch is:

# ./angst -a -e 23,25,113
warning: the filter expression is arp or (tcp and (dst port 23 or dst port 25
or dst port 113))

As you can see, angst always informs you about the filter expression when the
-e switch is used.  Moreover, in order for the man-in-the-middle ARP method
to work, IP forwarding must be enabled on the local host.  The -d switch is
useful when you want to enable IP forwarding yourself, and not let angst do
it for you.

[ Download ]

You can find angst at:	http://ntrg.cs.tcd.ie/~argp/software/
and/or at:		http://angst.sourceforge.net/

[ Music ]

Hocico, Velvet Acid Christ, and Suicide Commando mostly.

[ Acknowledgments ]

Ioanna Stamouli, for support, discussions, and ideas.
Georgios Kargiotakis, for interesting discussions.
Jackal for his libpcap based code, some years ago.
Scut for his cool mail about the man-in-the-middle method.

--
Patroklos Argyroudis
http://ntrg.cs.tcd.ie/~argp/

$Id: README,v 1.35 2001/02/07 18:41:25 argp Exp $