Download the script here.

Read about aimsnarf in the previous post about it.

Changes in this version:

• Trillian is now supported, as well as AOL’s AIM client. Most other clients should be supported too, I figured out the variable length/number of TLV fields in the packet, so aimsnarf is much smarter about decoding them
• Code cleaned up to be more readable
• Fixed some misc messages that were showing up, you still might see a few

Todos:

• Figure out what the heck iChat is doing, it doesn’t seem to be sending the same kind of data as all the other AIM clients
• Still do OTR stuff
• Maybe add support for different protocols?
• More testing!

If you find any bugs, send me a note or leave a comment. If you really want to help, you can send me some pcap data to analyze   If you have any feature requests, lemme know!

Firstly, download the script here.

aimsnarf.rb is a small (~200 lines) Ruby script that I’ve written to sniff and dump AOL IM messages to STDOUT. I wrote this an as alternative to aimsniff, because I really dislike having to install aimsniff and all of it’s dependancies when all I want is a simple text transcript. I really felt like the dsniff toolkit should have had something like this (they already have urlsnarf, filesnarf, etc) to be used for penetration testing.

The only thing aimsnarf requires is Ruby and the ruby-pcap library (which is waaay easier to install than the 10+ CPAN modules that aimsniff requires). After installing the pcap library, simply run aimsnarf.rb on the console, here’s the usage:

Use '-h' to display usage
Usage: aimsnarf.rb [ -dnv ] [ -i interface | -r file ] [ -c count ] [ -s snaplen ] [ filter ]
Options:
-n do not convert address to name
-d debug mode
-v verbose mode

Due to the way that ruby-pcap works, I don’t have control over the usage displayed, currently the only real options you should mess with are ‘-i interface‘ and ‘-r file‘, changing anything else might produce “unknown” consequences ;). If you want to see hex dumps of the AIM data, edit the script and change the line “ap.data_debug(0)” to be “ap.data_debug(1)“, this will display the hex data as it is received.

Ignore the “pcap.bundle: warning: do not use Fixnums as Symbols” warnings you get when you run the program, the warning lies with the ruby-pcap library, so it’s out of my hands to fix. When run correctly, you should see something like this:

****** --> <you>: <HTML>what're you up to?</HTML>
<you> --> ******: <HTML>doing some stuff</HTML>
****** --> <you>: <HTML>awesome</HTML>
<you> --> ******: <HTML>talkity talk talk</HTML>
etc, etc

“******” will be the screen name of the person that’s talking. Yes, AIM sends the HTML tags, I don’t put those on.

Tangent:
Let’s talk a little bit about how much I hate the AIM protocol
Take a look at the protocol listing as given from ethereal, you can see that each AIM packet actually holds a pretty good amount of information, turns out, AOL decided to make a ton of their fields variable length, which means a headache for me in decoding it, because the length has to be read, translated, then used to set the offset for reading the data, this is the reason the code for the script is incredibly messy, I plan on cleaning it up at a later time. In a future post, I’ll also go into more detail about how this particular script decodes the protocol (very much hackish at the moment).

Known Issues:

• Messages received by people who are away don’t get intercepted due to the packet being different than a regular incoming message packet
• Different clients might not work (depending on the features supported). Right now I’ve tested with GAIM/Pidgin and Adium, it looks like Trillian isn’t working correctly yet, although I’ve collected some data for analysis so I can get it working.
• This is probably the first *useful* script I’ve written in Ruby. I am not a ruby master so the code is really messy and probably badly written, have a problem with it? Send a patch!
• OTR encrypted chat interception doesn’t work (duh)

TODO (no particular order):

• Clean up code to make it easier to extend to different protocol/clients
• Fix the Trillian problem
• Test with AOL’s AIM client
• Fix the incoming/away message
• Correctly detect OTR chat and do (something?) about it

Remember people, don’t send credit card numbers, social security numbers, passwords, PIN numbers, etc over IM, ESPECIALLY when you’re somewhere like a coffeeshop using public wifi.

Thanks to the HeX LiveCD team for putting out a great release, already having the tools installed for use in a system is super helpful

Questions? Problems? Patches? Hatemail? Email me or leave a comment below!