
C/C++ PHoss

dEEpEst

PHoss is a sniffer designed to find HTTP, FTP, LDAP, Telnet, IMAP4 and POP3 logins on the wire. It also sniffs the VNC challenge/response handshake.
Hard to find and has great effect!


Introduction


For all who do not know what the hell a sniffer is:
A sniffer is software that opens a network interface for all packets, not only for the packets that are sent to this interface. This means that the sniffer software hears everything. A sniffer can analyse the packets sent and received over this segment.
ATTENTION:
Segment means a flat cable. All stations connected to the same bus are on the same segment. You share the bus with other stations if you use 10Base2, or 10BaseT connected to a hub. A switch prevents the use of a sniffer because it keeps the traffic from passing your interface. Use [this link is hidden for visitors; log in or register to see it] to sniff in switched environments.

PHoss is a sniffer. Normal sniffer software is designed to find problems in data communication on the network. PHoss is designed to know some protocols which use (or may use) clear-text passwords. Many protocols are designed to use secure authentication. As a fallback they define a lowest level of authentication using clear text. Many companies use this lowest fallback as the standard setting to make the product work in many environments.
This is our point to start from.


How to use


The usage is simple. Really.
Log on to your Linux box as root and start PHoss:

./Phoss



If you would like to see what's going on, use the -v (verbose) option. Using more than one v increases the verbosity level; -vvv is the maximum.
The other options are:

  • -i: specify the interface to listen on.
  • -f: set up filter rules as in tcpdump(1). If you don't know them, read the man page of tcpdump(1).
  • -P: disable the identification of protocols using the target port. This disables all protocols which cannot be identified by patterns (like Telnet and LDAP).
    Use this option seldom - only if you have significant problems.
  • -p: disable the identification using patterns. This disables all protocols on the way to a non-default port.
    Use this option seldom - only if you have significant problems.
  • -L: make stdout line buffered so you can redirect output into a file and view it with tail.






Technical details


PHoss supports the following protocols in the current version:

  • HTTP
    HTTP Basic authentication is supported. One effect is that you get a password message for every HTTP packet, because they all contain the username and password. Sorry for that, but it is a minor problem.
  • FTP
    FTP authentication works fine. Because FTP sends username and password in different packets, PHoss attaches itself to this conversation and waits for the right password packet before it reports to you.
  • POP3
    POP3 works like FTP. That's all.
  • IMAP4
    The different authentication possibilities in IMAP4 require different procedures. In fact it works like POP3 or FTP, but it has to keep track of more than two packets.
    Attention: IMAP4 clients log on to the server only once per session. If you would like to see IMAP4 passwords, start PHoss in the early morning, because the time to get IMAP4 passwords is the start of the office hours.
  • LDAP
    LDAP, like HTTP, carries its authentication in one packet. This makes it simple. The structure of LDAP itself is a little bit confusing and hard to scan in real time. Maybe you will fail with some passwords ...
  • Telnet
    Because Telnet does not carry any authentication itself, it works completely differently. The telnet handler saves all characters sent from the client to the server, including linefeeds. After 4 or 5 linefeeds it stops listening to this conversation and drops you a block of data:
    Code:
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Source:         192.168.7.8:1172
    Destination:    192.168.7.200:23
    Protocol:       Telnet
    Data: 
    +++telnet+++
    dummy
    test123
    ls -al
    cat .b_
    clear
    
    ---telnet---
    The block between +++telnet+++ and ---telnet--- is the captured data. So, you know your target box, and this means:
    On the first prompt (login:) he entered "dummy"...
    On the second prompt (password) he entered "test123".
    After this, he did an "ls -al", followed by "cat .b_" and a "clear".
    In this case, the "cat .b_" was "cat .b[TAB]ash_[TAB]history" .. you know?
    Why more than 2 lines? Why 5? See for yourself:
    Code:
    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>
    Source:         192.168.7.8:1174
    Destination:    192.168.7.200:23
    Protocol:       Telnet
    Data:
    +++telnet+++
    dummy
    test123
    su -
    SuP3Rse(
    vi /etc/passwd
    
    ---telnet---
    Isn't it cool ?
  • VNC
    VNC does not transfer the password in clear text, but its challenges and the corresponding responses can be cracked with 
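An added example (not PHoss code, not from the forum post) showing the two points the protocol list makes: a login is identified first by target port and otherwise by a payload pattern (the two paths the -P and -p options switch off), and FTP/POP3 need per-conversation state because USER and PASS arrive in separate packets, whereas HTTP Basic carries both in one header. Written from an audit angle, it only records the username and the length of the secret; the packets are constructed samples.

```python
import base64
import re
from collections import namedtuple

# Constructed client-to-server packets (src, dst, payload); not a real capture.
# The HTTP header encodes "dummy:test123"; the FTP and POP3 logins arrive as two
# packets each, the case PHoss has to track per conversation.
PACKETS = [
    ("192.168.7.8:1172", "192.168.7.200:80",
     "GET /intranet/ HTTP/1.0\r\nAuthorization: Basic ZHVtbXk6dGVzdDEyMw==\r\n\r\n"),
    ("192.168.7.8:1173", "192.168.7.200:21", "USER dummy\r\n"),
    ("192.168.7.8:1173", "192.168.7.200:21", "PASS test123\r\n"),
    ("192.168.7.8:1175", "192.168.7.200:2110", "USER dummy\r\n"),  # POP3 on a non-default port
    ("192.168.7.8:1175", "192.168.7.200:2110", "PASS test123\r\n"),
]
PORT_PROTO = {21: "FTP", 80: "HTTP", 110: "POP3"}
# Only the secret's length is recorded; the secret itself is never stored.
Finding = namedtuple("Finding", "proto src dst user secret_len")

def identify(dst, payload, by_port=True, by_pattern=True):
    """Target port first (what PHoss -P disables), then payload pattern (what -p disables)."""
    port = int(dst.rsplit(":", 1)[1])
    if by_port and port in PORT_PROTO:
        return PORT_PROTO[port]
    if by_pattern:
        if re.search(r"^Authorization:\s*Basic\s", payload, re.M | re.I):
            return "HTTP"
        if re.match(r"(USER|PASS) ", payload, re.I):
            return "USER/PASS"  # FTP or POP3 on a non-default port: same login shape
    return None

def audit(packets, by_port=True, by_pattern=True):
    pending, findings = {}, []  # pending: (src, dst) -> username waiting for its PASS
    for src, dst, payload in packets:
        proto = identify(dst, payload, by_port, by_pattern)
        if proto == "HTTP":
            m = re.search(r"^Authorization:\s*Basic\s+(\S+)", payload, re.M | re.I)
            if m:
                user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
                findings.append(Finding(proto, src, dst, user, len(pw)))
        elif proto in ("FTP", "POP3", "USER/PASS"):
            for line in payload.splitlines():
                cmd, _, arg = line.partition(" ")
                if cmd.upper() == "USER":
                    pending[(src, dst)] = arg
                elif cmd.upper() == "PASS" and (src, dst) in pending:
                    findings.append(Finding(proto, src, dst, pending.pop((src, dst)), len(arg)))
    return findings
```

Running audit(PACKETS, by_pattern=False) drops the non-default-port POP3 login, which is exactly the effect the post warns about for -p.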



Download:


Password:

level23hacktools.com