  1. #1
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Pirni - World's first native network sniffer

    I'm happy to introduce Pirni, the world's first native network sniffer and ARP poisoner for iPhone (AFAIK).

    Currently it's just in an alpha version, but at least it works. Download it here: root@*:~/ » Pirni v0.1 Alpha - Worlds first native iPhone network sniffer

    Please post your comments and thoughts.


  3. #2
    Green Apple
    Join Date
    Aug 2008
    Posts
    33
    Thanks
    2
    Thanked 2 Times in 1 Post
    Niiiiiice! Is it just due to the alpha status that it can't forward packets or a hardware limitation of some sort? I would imagine that forwarding would be integral to a successful ARP Poisoned sniffing attempt. If you block all the traffic you're just going to get a lot of syn and no ack and potentially not a whole lot of usable information.

    Additionally, due to the DoS'ing effect of not forwarding packets, it'd be more than noticeable to the users.

    I think this is awesome though and I'm going to give this a try on my own network and see how it works. I'm certain it'll piss my girlfriend off as soon as I fire it up...

    I'd also like to mention that this isn't the first sniffer for the iPhone, but it's the first with ARP poisoning; since iPhone 3Gs can't go into promiscuous mode sniffing, this feature becomes necessary to sniff through switches... JUST NEED THAT PACKET FORWARDING!

  4. #3
    Green Apple
    Join Date
    Aug 2008
    Posts
    58
    Thanks
    43
    Thanked 1 Time in 1 Post
    Can't wait to hear your review, vexamus.

  5. #4
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    The lack of packet forwarding is not due to any hardware limitations. It's just because of my lack of time that I can spend on developing it.

    If anyone is able to help out, and perhaps share some comments on the source etc. just send me an email: [email protected]

    The source code will be available soon, and I might set up a repository for this, or I might ask MMi for hosting.

  6. #5
    Green Apple
    Join Date
    Sep 2007
    Posts
    36
    Thanks
    3
    Thanked 3 Times in 3 Posts

    I tried playing around with Pirni, but when I launch it, terminal immediately displays "Killed". I tried signing it with ldid, but I get the same result. Any idea what would be causing this?

  7. #6
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Are you sure that you've set up the right permissions? chmod +x

    Also, I'm not sure, but you might have to install libnet and libpcap from Cydia.

  8. #7
    Livin the iPhone Life Chase817's Avatar
    Join Date
    Mar 2008
    Location
    Orange County, CA
    Posts
    1,463
    Thanks
    127
    Thanked 89 Times in 64 Posts

    What exactly does this do?

  9. #8
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Chase817:

    Read about packet sniffers here: Packet analyzer - Wikipedia, the free encyclopedia (http://en.wikipedia.org/wiki/Packet_sniffer)

  10. #9
    What's Jailbreak?
    Join Date
    Feb 2008
    Posts
    17
    Thanks
    1
    Thanked 0 Times in 0 Posts

    If it is sniffing wifi, why would it cause DoS?

  11. #10
    Green Apple
    Join Date
    Sep 2007
    Posts
    36
    Thanks
    3
    Thanked 3 Times in 3 Posts

    Originally posted by n1mda:
    Are you sure that you've set up the right permissions? chmod +x

    Also, I'm not sure, but you might have to install libnet and libpcap from Cydia.

    I set the permissions, installed libnet and libpcap, but still the same error.

  12. #11
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    xZinnX:

    It is an ARP spoofer as well. This means that all the traffic on the network is routed through the iPhone - and because the packages do not reach their final destination (the router) it causes a DoS.

    SplitFire:

    This is very odd, though I'm pretty sure I had the same problems as you before. Try disabling code signing:

    sysctl -w security.mac.proc_enforce=0
    sysctl -w security.mac.vnode_enforce=0

  13. #12
    What's Jailbreak?
    Join Date
    Feb 2008
    Posts
    17
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Originally posted by n1mda:
    xZinnX:

    It is an ARP spoofer as well. This means that all the traffic on the network is routed through the iPhone - and because the packages do not reach their final destination (the router) it causes a DoS.

    Hmm, guess I'm not too familiar with ARP spoofing or its usefulness. I'm familiar with WEP cracking, but you simply pick up ARP packets and spew them back. Is it for WEP cracking? What does the iPhone say (packets sent out) to make it the ARP 'router'?

    Far more useful would be a simple sniffing program, minus the ARP part, until that is working. Have you released the source yet?

  14. #13
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    xZinnX:

    The packet sniffer is not for WEP/WPA cracking. It's for network analyzing.

    The ARP spoofer is because the iPhone does not allow us to set the network card in promiscuous mode (accepting all packets, not just those addressed to us), so we can not receive all packets on the network.

    I could implement an option that disables the ARP spoofing, resulting in a packet sniffer for broadcast packets or unbridged networking.

    Source has not been released yet. I might do that later today / this week.
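
Added example, not part of the thread or of Pirni's source: a defender-side check for the symptom the posts above describe, where an IP address (typically the router's) starts being announced in ARP with a different MAC. The frames, addresses and function names are constructed for illustration.

```python
import struct

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, frame[22:28], frame[28:32]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def find_rebindings(frames):
    """Flag ARP frames whose sender IP was first seen with a different MAC."""
    first_seen, alerts = {}, []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _oper, sender_mac, sender_ip = parsed
        # Keep the first binding so every later conflicting frame is reported.
        known = first_seen.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append((index, ip(sender_ip), mac(known), mac(sender_mac)))
    return alerts

def make_frame(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame for the sample capture below."""
    eth = tha + sha + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return eth + arp

# Constructed sample: router .1, laptop .50 and a third device (all made up).
ROUTER, LAPTOP, OTHER = (bytes.fromhex(h) for h in
                         ("020000000001", "020000000050", "020000000077"))
IP_ROUTER, IP_LAPTOP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 50])
SAMPLE = [
    make_frame(1, LAPTOP, IP_LAPTOP, b"\xff" * 6, IP_ROUTER),  # who-has 192.168.1.1
    make_frame(2, ROUTER, IP_ROUTER, LAPTOP, IP_LAPTOP),       # genuine reply
    make_frame(2, OTHER, IP_ROUTER, LAPTOP, IP_LAPTOP),        # same IP, new MAC
]

if __name__ == "__main__":
    for alert in find_rebindings(SAMPLE):
        print("frame %d: %s moved from %s to %s" % alert)
```

A changed binding also occurs legitimately (a replaced router, a failover pair), so an alert is a prompt to check the device behind the new MAC rather than proof of spoofing.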

  15. #14
    What's Jailbreak?
    Join Date
    Feb 2008
    Posts
    17
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Ahh so the ARP spoofing method is a way around the non promiscuous mode? Gotcha. Not really interested in the WEP cracking just pulling packets with a handheld device.

    Let me/us know when you release it!

  16. #15
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    I decided to release the source as it is today:
    http://axeldoesstockholm.se/techblog/pirni.tar.gz

    Makefile uses arm-apple-darwin9-gcc with the libnet and libpcap headers copied from the device.

    It should also compile ON the iPhone with required libraries installed.
    It's released under the GPL license.


  18. #16
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    If anyone is interested in helping me out on the development, just hit me on my email: [email protected]

    I always appreciate any help, and any patches/modifications to the code can always be submitted.

    I'm very busy with other stuff, as always - so the development has stalled. I could really need some help.

  19. #17
    What's Jailbreak?
    Join Date
    Jun 2008
    Posts
    12
    Thanks
    0
    Thanked 3 Times in 3 Posts

    Pirni 1.0 is now out on Cydia, available for download. User guide here: PirniUsageGuide - n1mda-dev - How to use pirni, network sniffer for iPhone. - Google Code

  20. #18
    What's Jailbreak?
    Join Date
    Aug 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    I tried it, but I cannot see any of my passwords in the pcap file in wirecard.

    I tested it with www.web.de (my mail account), with ebay, with www.diba.de (my bank) and www.meinvz.de.

    But sometimes I cannot even see the login name.
    Or the password is hidden with special signs.

    With ettercap-ng in Backtrack I'm able to see ebay or web.de passwords.

    Problems with the promisc. mode?

    There are some listings in the pcap file like "TCP Out of order". What does this mean?
    Last edited by appreciated; 08-20-2009 at 10:42 AM.

  21. #19
    What's Jailbreak?
    Join Date
    Nov 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    When ARP poisoning in Linux using file2cable you need to enable IP forwarding.

    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Could it be something similar with the iPhone?
