Passive tap on http


edpr

Would a setup like this work in theory?

Original setup

[LAN]-[GATEWAY]

Hack setup

[LAN]-[THROWINGSTAR]-[GATEWAY]

with [THROWINGSTAR]-[PINEAPPLE]

Where...

The Pineapple has Apache, listening to *:80

.htaccess ports all requests to dump.php

dump.php script captures all $_REQUEST (this includes _POST of course) and dumps them in a text file

Will this do what it's supposed to do: get a dump of all outgoing http requests to any host (~browser url bar content including form submissions)?


No.

The tap is a passive device which will give you a copy of all the network traffic but you can't interact with it. You can't complete TCP handshakes, so tools that interact with traffic, such as Apache, won't work.

What you need is to bring the two feeds together into a bridged interface then run something to extract HTTP traffic and pull out the information you want. There are tools which will do this but I can't remember any names off the top of my head.


I think you didn't understand the bridge comment. You bridge the two interfaces that come out of the tap to give you a single feed; otherwise you see two interfaces, one going one direction and one the other.

Capturing traffic with tcpdump and a filter will get you the pcap which you can then post-process.


I do understand the bridging concept - but I'd rather stay working with 1 cable and 1 physical interface if possible.

I don't need anything from the destination server, I only need the outgoing http requests from the source client.

I'm interested in the visited urls and the form post from the browser. I'm not interested in the stuff the webserver returns.

Therefore I thought that my initial apache setup would have done the trick. If Apache needs to do some handshaking before accepting a request, of course that path won't work.
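The capture-then-post-process approach suggested in the thread, as an added example that is not part of the original posts: a minimal reader for a classic pcap file that keeps only client-to-server TCP segments on port 80 and reports the request line and Host header of each HTTP request. It assumes Ethernet framing, IPv4, and request headers that fit in one segment (no TCP reassembly); the function names, addresses and sample capture are constructed for illustration.

```python
import struct

def http_requests(pcap):
    """Return (method, host, path) for each HTTP request in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    out, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]  # slice by IP length, drops padding
        if len(tcp) < 20 or struct.unpack("!H", tcp[2:4])[0] != 80:
            continue  # keep only the client-to-server direction
        payload = tcp[(tcp[12] >> 4) * 4:]
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        parts = head[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # handshake, bare ACK or mid-stream segment
        host = next((h.split(":", 1)[1].strip() for h in head[1:]
                     if h.lower().startswith("host:")), "")
        out.append((parts[0], host, parts[1]))
    return out

def sample_pcap():
    """Constructed capture: a SYN, a GET and a POST from 192.0.2.10 to 198.51.100.5:80."""
    def pkt(flags, data=b""):
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, flags, 8192, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    get = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    post = b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 3\r\n\r\nq=1"
    return hdr + pkt(0x02) + pkt(0x18, get) + pkt(0x18, post)

if __name__ == "__main__":
    for method, host, path in http_requests(sample_pcap()):
        print(method, host, path)
```

The SYN in the sample produces no output because it carries no request line; only segments with an HTTP request line are reported.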
