During Penetration testing it can be seen that thick-clients sometimes communicate with a server whose IP address is hardcoded in to it.The HTTP communication between such client and server is harder to intercept and test. Sniff-n-Snip is a very useful utility in such scenarios.It sniffs for HTTP packets from the client to server and forwards them to your favorite proxy (Burp, WebScarab , Paros etc).
The tool expects the following user input:
- Number of the listening interface. This number can be found using the ‘-l’ switch.
- Source IP, Source Port (optional), Destination IP, and Destination Port of the tcp session that is to be sniffed
- Target IP and Target Port of the Interceptor Proxy. Typically values will be 127.0.0.1, 8080.
- The tool can be forced to listen on promiscuous mode with the '-p' switch. This is OFF by default.
Sniff-n-Spit captures the packets, parses the HTTP and adds "http://" + <hostname> + ":" + <destination port> to the request URI.This makes the traffic suitable to be picked up by the proxy.
All the packets forwarded by Sniff-n-Spit contain a custom header 'X-CaughtBy: Sniff-n-Spit'. This header is added to prevent the forwarded packets from getting sniffed again. Without this header the same packet would be captured repeatedly by the tool.
- Packets are individually handled. If a single request is spread across multiple packets then it is lost.
- All request data is treated as UTF-8 encoded text. If the client is using a different encoding scheme for the POST body then this data gets corrupted.
WinPcap should be installed on the system, the tool requires this library for sniffing packets.
SharpPcap v220.127.116.11, http://sourceforge.net/projects/sharppcap/
I would love to hear your feedback. My email ID is available here