Sniffing packets of a software is one of the reverse engineering method to find out what data is being sent and received. Packet sniffing is mostly done by more advanced users and most of the time, hackers themselves. Many years ago when I was in the 8th-wonder team, our leader of the clan ad4 used packet sniffer and discovered that anyone can change a person’s ICQ details without logging in to that user account. He created a simple tool which is able to change the details of any ICQ account, unfortunately one of the clan member masta abused the tool and ICQ found out about that exploit and fixed it within 24 hours.
Other than that, it is also useful to check if a program is harvesting any sensitive data from your computer. If you do not have a firewall, you wouldn’t know if the program that you installed is connecting to the Internet or not. The most popular packet sniffer that is free today is Wireshare (last time was called Ethereal), but I’d like to introduce a different one called oSpy which has the capability of even decrypting encrypted SSL packets.
oSpy is a packet sniffing tool which aids in reverse-engineering software running on the Windows platform. The sniffing is done on the API level which allows a much more fine-grained view of what’s going on. Seeing return-addresses for each recv/send call (for example), can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication it’s easy to intercept these calls as well. oSpy already intercepts one such API, and is the API used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.
Another neat feature is when wanting to see how an application behaves when in a firewalled environment. Normally you would have to simulate such an environment by configuring firewalls etc., which not only is time-consuming, but might also cripple the rest of the applications you’ve got running. oSpy solves this problem by a feature called softwalling which allows you to set rules based on the type of function-call, the return-address, local/remote address/port, etc., and lets you choose which error to signal back to the application when the rule matches. This way you can make the application think that for example a connect() timed out, connection was refused, there was no route to host, etc.
Here is a simple test on how oSpy decrypts the SSL packet and display it in clear text.
1. I opened Maybank2u login webpage which has SSL.
2. I attached iexplorer.exe process to oSpy and start capturing the packets. Press F5 in oSpy, chose iexplorer.exe and click Start to start capturing packets on Internet Explorer.
3. I typed the username and password on the Maybank2u login page and click the login button.
4. oSpy shows the username and password that I typed in clear text!
I’ve tried capturing the packets using Wireshark but it only shows the encrypted data and nothing about the username and login even though all the protocols are enabled. The above is only one example of what you can do with oSpy and there are many other reasons to use this tool. What I like about oSpy is its portable, you don’t need to install WinPcap like most packet sniffer requires, small and it’s free!
There’s an annoying bug with oSpy which is if you do not terminate the program properly, you won’t be able to use it to capture packets on any process. It will ask you run a few gacutil commands in command prompt to cleanup the left-over .NET assemblies in your system-wide Global Assembly Cache. For gacutil to work, you will need to download and install .NET Framework SDK or Visual Studio. This might be fixed in the future versions…
[ Download oSpy ]
Related posts:
damn !!!
cool stuff.
cool you’re too Raymond, who’s find this awsome tools.
Hey Raymond,
This is a good tool, let me try it.
Thanks for the valuable articles which you publish so frequently….
Hats off to you.
Thanks,
Sandeep
cool one thanks
but it doesn’t work with raymond.cc forum
haha
why???
Is it actually portable? It´s hard to believe that there´s a portable packet sniffer, but since there´s no installer…
btw nice find, thanks!
awsome!!!!!
but didnt worked with gmail in ff??
another tool to sniff between app and the ssl : komodia.com/index.php?page=sniffer.htm
Thanks Raymond once again
were you using IE as an example, or do you usually use that, as it carry’s quite a few viruses with that =P, and it’s pretty slow
Hi Raymond, The news letter s not appearing correctly in my yahoo inbox. It is showing the source directly. It is something like,
try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==”?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe=”;var AdBrite_Referrer=”;} document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(‘ src=”ads.adbrite.com/mb/text_group.php?sid=1547046&br=1&ifr=’+AdBrite_Iframe+’&ref=’+AdBrite_Referrer+’” type=”text/javascript”>’);document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62)); Sniffing packets of a software is one of the reverse engineering method to find out what data is being sent and received. Packet sniffing is mostly done by more advanced users and most of the time, hackers themselves. Many years ago when I was in the 8th-wonder team, our [...]
Did you change anything in the way the news letters are sent ?
So very useful to me Raymond, thank you for this.
Wow! This is a great tool! Thanks sir Raymond…
Great tutorial…
Never heard this tool before.
Thanks… :)
nice tool…hope its useful
what about cain & abel ,can this ospy get data from the network like cain can ?
I’ve had a load of code in previous newsletter e-mails as well! Same as poster, Saby
I believe this program does not decrypt any SSL encrypted packets. What it must do is to intercept a call from the application to encrypt a packet.
To really verify if this decrypts a packet (which I doubt) you’d need to sniff someone else’s traffic from other computer using a hub. That way your input is just an encripted packet traveling on the network with no other information.
Anyway good to know a basic alternative to *Wireshark*
You should try : fiddler2.com/fiddler2/
Nope it’s not illegal.
I’ve put Adbrite code into an external javascript file, hopefully that would fix the RSS feed problem.
this tool is illegal right ? :S ?
Thanks…
i was always looking for this kind of tool….
and yes the posts are really annoying….!!!
however no trouble whatsoever in opening this page…
Oh crap, the feed is still being screwed up by Adbrite.
is this legal? haha
ThanX Raymond…..
raymond something is wrong with your email newsletter…..
it comes up like this
try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==”?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe=”;var AdBrite_Referrer=”;} document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(‘ src=”ads.adbrite.com/mb/text_group.php?sid=1547046&br=1&ifr=’+AdBrite_Iframe+’&ref=’+AdBrite_Referrer+’” type=”text/javascript”>’);document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62)); Sniffing packets of a software is one of the reverse engineering method to find out what data is being sent and received. Packet sniffing is mostly done by more advanced users and most of the time, hackers themselves. Many years ago when I was in the 8th-wonder team, our [...]
This is a good tool but ….doesn’t support to attach to a process from remote machine :(
The difference between oSpy and Tamper Data/HttpFox is it works with any applications, not only on Firefox. Another big difference is oSpy is a packet sniffer and those 2 Firefox plugins can only view and modify HTTP/HTTPS headers and post parameters.
I wonder how different is this from Tamper Data or HttpFox coz they reveal the same credentials too. I’m sure you will be able to quickly tell.
Thank you Raymond,
Really nice tool ;-)
cool tool