Stiofang Posted October 3, 2011

Hey guys - I'm doing a demonstration on vulnerabilities in Instant Messaging but I'm having a problem finding a reliable MSN Sniffer on Linux. I've tried 'imsniff' which comes with backtrack and using a MITM arp spoofing attack on a virtual machine I am unable to sniff any conversations. If I enable verbose logging on imsniff using the -vvv switch it just tells me 'unknown data from an unknown conversation - skipping'. I can use Wireshark/Tshark to sniff conversations successfully but I need something cleaner. I've looked at msnshadow but it's impossible to install. You need 14 billion different libraries to even remotely get it working. Any ideas? :)
Mr-Protocol Posted October 3, 2011 (edited)

Why not take your wireshark pcap and make a program to parse it? Or you could make a program to tcpdump and have it parse on the fly and display in terminal.

There is a .deb for msnshadow for x86

Or, this solution: msgsnarf

    root@bt:~# msgsnarf -h
    Version: 2.4
    Usage: msgsnarf [-i interface | -p pcapfile] [[-v] pattern [expression]]

Edited October 3, 2011 by Mr-Protocol
Stiofang Posted October 3, 2011 (Author)

rm -rf eh? Wowzer, that sounds totally 1337 - Let me try it immediately! :)

I've tried msgsnarf but experience similar results. Had thought about scripting something to parse the Wireshark output but why reinvent the wheel if there's stuff already out there that'll do the job..

I'm using an x64 instance of BT5R1 running as a virtual machine on a Hyper-V Core box - Wireshark needs to be removed and recompiled from source in x64 BT5R1 - The default is for it to be b0rk. Not sure if that's relevant but thought I'd throw it out there anyway.
Mr-Protocol Posted October 3, 2011

wireshark works fine on my x64 VirtualBox

Also messenger traffic may be encrypted now?
Stiofang Posted October 3, 2011 (Author)

> wireshark works fine on my x64 VirtualBox
> Also messenger traffic may be encrypted now?

That's odd! I had to recompile to get it to work. Yes I was thinking that conversations might be encrypted but I can see chats in clear text in Wireshark.. they're just difficult to look at because of the hex formatting :)
Mr-Protocol Posted October 4, 2011

Well the formatting is because the chat packets are not just strings of chat. It includes stuff like:

- Sender ID
- Rec. ID
- Some checksum
- The Message

And all of that info (possibly more, those are just examples) separated by a delimiter. I used to play with yahoo packets a long time ago to make bot logins, brute force, mass IM, and such other programs.

It could be that either it's encrypted, or the "sniffer" cannot identify the new scheme the IM client uses to transmit communication and says "Unknown".
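As an added example (not code from the thread, nor from imsniff, msgsnarf or msnshadow), here is a small parser for the framing Mr-Protocol describes: a command line carrying the sender, display name and payload length, followed by a MIME payload whose body is the chat text. It assumes the MSNP switchboard MSG layout, which the thread does not spell out, and runs over a constructed byte stream, so it shows why a raw stream is more than chat strings and how to handle a payload that has not fully arrived instead of dropping it as unknown data.

```python
import re
from urllib.parse import unquote

# "MSG <sender> <url-encoded display name> <payload length>\r\n" (assumed MSNP layout)
MSG_LINE = re.compile(rb"MSG (\S+) (\S+) (\d+)\r\n")


def build_msg(sender: str, display: str, headers: str, body: str = "") -> bytes:
    """Build one MSG command; used only to construct the sample stream below."""
    payload = f"MIME-Version: 1.0\r\n{headers}\r\n\r\n{body}".encode()
    return f"MSG {sender} {display} {len(payload)}\r\n".encode() + payload


# Constructed sample of the server-to-client half of a session: a session ack,
# a typing notification, one chat line, and a second chat line whose payload is
# cut off, as happens when a capture ends or a segment has not arrived yet.
SAMPLE_STREAM = (
    b"ANS 1 OK\r\n"
    + build_msg("alice@example.com", "Alice%20B",
                "Content-Type: text/x-msmsgscontrol\r\nTypingUser: alice@example.com")
    + build_msg("alice@example.com", "Alice%20B",
                "Content-Type: text/plain; charset=UTF-8", "see you at 5?")
    + build_msg("alice@example.com", "Alice%20B",
                "Content-Type: text/plain; charset=UTF-8", "bring the slides")[:-6]
)


def parse_messages(stream: bytes):
    """Return (messages, leftover) for one direction of a TCP stream.

    messages: list of (sender, display, body) for text/plain payloads only;
    leftover: a trailing MSG whose payload is incomplete, to be retried later.
    """
    messages, pos = [], 0
    while pos < len(stream):
        m = MSG_LINE.match(stream, pos)
        if m is None:  # another command (ANS, ACK, ...): single line, skip it
            nl = stream.find(b"\r\n", pos)
            if nl == -1:
                break
            pos = nl + 2
            continue
        sender, display, length = m.group(1).decode(), unquote(m.group(2).decode()), int(m.group(3))
        start = m.end()
        if start + length > len(stream):
            break  # payload truncated: hand it back as leftover
        headers, _, body = stream[start:start + length].partition(b"\r\n\r\n")
        if b"content-type: text/plain" in headers.lower():
            messages.append((sender, display, body.decode("utf-8", "replace")))
        pos = start + length
    return messages, stream[pos:]
```

Feeding the leftover back in front of the next reassembled segment lets the same function run over live traffic as well as a saved pcap.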