What is Sniff-n-Spit?

During penetration testing, thick clients sometimes communicate with a server whose IP address is hardcoded into them. The HTTP communication between such a client and server is harder to intercept and test. Sniff-n-Spit is a very useful utility in such scenarios. It sniffs for HTTP packets from the client to the server and forwards them to your favorite proxy (Burp, WebScarab, Paros, etc.).

User Input:

The tool expects the following user input:

  1. Number of the listening interface. This number can be found using the -l switch.
  2. Source IP, Source Port (optional), Destination IP, and Destination Port of the TCP session that is to be sniffed.
  3. Target IP and Target Port of the Interceptor Proxy. Typical values are 127.0.0.1 and 8080.
  4. The tool can be forced to listen in promiscuous mode with the '-p' switch. This is OFF by default.

Inner Workings:

Sniff-n-Spit captures the packets, parses the HTTP, and prepends "http://" + <hostname> + ":" + <destination port> to the request URI. This makes the traffic suitable to be picked up by the proxy.

All the packets forwarded by Sniff-n-Spit contain a custom header 'X-CaughtBy: Sniff-n-Spit'. This header is added to prevent the forwarded packets from getting sniffed again. Without this header the same packet would be captured repeatedly by the tool.


Limitations:
  1. Packets are individually handled. If a single request is spread across multiple packets then it is lost.
  2. All request data is treated as UTF-8 encoded text. If the client is using a different encoding scheme for the POST body then this data gets corrupted.
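
The rewrite described under Inner Workings, together with the two limitations above, as an added Python sketch (not the tool's own code). It assumes the hostname is taken from the Host header and that a short body is detected through Content-Length; the function name rewrite_for_proxy and the sample request are constructed for illustration. It works on raw bytes, so a non-UTF-8 POST body passes through unchanged.

```python
MARKER_NAME, MARKER_VALUE = b"X-CaughtBy", b"Sniff-n-Spit"

def rewrite_for_proxy(payload, dest_port):
    """Return the request rewritten for an intercepting proxy, or None to skip it."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block incomplete: request spans several packets
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None  # not an HTTP request line
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    if headers.get(MARKER_NAME.lower()) == MARKER_VALUE:
        return None  # already forwarded once: do not capture it again
    host = headers.get(b"host")
    if host is None:
        return None  # assumption: the hostname comes from the Host header
    declared = headers.get(b"content-length", b"0")
    if not declared.isdigit() or len(body) < int(declared):
        return None  # body continues in a later packet (limitation 1)
    if not uri.lower().startswith((b"http://", b"https://")):
        hostname = host.split(b":")[0]  # drop any port given in Host
        uri = b"http://" + hostname + b":" + str(dest_port).encode() + uri
    out = [b" ".join((method, uri, version))] + lines[1:]
    out.append(MARKER_NAME + b": " + MARKER_VALUE)
    # The body stays as bytes, so it is never decoded as UTF-8 (limitation 2).
    return b"\r\n".join(out) + b"\r\n\r\n" + body

# Constructed sample: one captured TCP payload with a non-UTF-8 body.
SAMPLE = (b"POST /api/login HTTP/1.1\r\n"
          b"Host: app.example.test\r\n"
          b"Content-Length: 4\r\n\r\n"
          b"\xff\xfeok")

if __name__ == "__main__":
    print(rewrite_for_proxy(SAMPLE, 8000))
```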

Requirements:

WinPcap should be installed on the system; the tool requires this library for sniffing packets.

External Components:

SharpPcap v2.1.1.0, http://sourceforge.net/projects/sharppcap/

Contact:

I would love to hear your feedback. My email ID is available here