Introducing ‘aimsnarf.rb’ => A simple AIM sniffing tool written in Ruby

November 12, 2007

[UPDATE 11/13/07] : version 0.11 released

Firstly, download the script here.

aimsnarf.rb is a small (~200 lines) Ruby script that I’ve written to sniff and dump AOL IM messages to STDOUT. I wrote this an as alternative to aimsniff, because I really dislike having to install aimsniff and all of it’s dependancies when all I want is a simple text transcript. I really felt like the dsniff toolkit should have had something like this (they already have urlsnarf, filesnarf, etc) to be used for penetration testing.

The only thing aimsnarf requires is Ruby and the ruby-pcap library (which is waaay easier to install than the 10+ CPAN modules that aimsniff requires). After installing the pcap library, simply run aimsnarf.rb on the console, here’s the usage:

Use '-h' to display usage
Usage: aimsnarf.rb [ -dnv ] [ -i interface | -r file ] [ -c count ] [ -s snaplen ] [ filter ]
-n do not convert address to name
-d debug mode
-v verbose mode

Due to the way that ruby-pcap works, I don’t have control over the usage displayed, currently the only real options you should mess with are ‘-i interface‘ and ‘-r file‘, changing anything else might produce “unknown” consequences ;). If you want to see hex dumps of the AIM data, edit the script and change the line “ap.data_debug(0)” to be “ap.data_debug(1)“, this will display the hex data as it is received.

Ignore the “pcap.bundle: warning: do not use Fixnums as Symbols” warnings you get when you run the program, the warning lies with the ruby-pcap library, so it’s out of my hands to fix. When run correctly, you should see something like this:

****** --> <you>: <HTML>what're you up to?</HTML>
<you> --> ******: <HTML>doing some stuff</HTML>
****** --> <you>: <HTML>awesome</HTML>
<you> --> ******: <HTML>talkity talk talk</HTML>
etc, etc

“******” will be the screen name of the person that’s talking. Yes, AIM sends the HTML tags, I don’t put those on.

Let’s talk a little bit about how much I hate the AIM protocol :D :D
Take a look at the protocol listing as given from ethereal, you can see that each AIM packet actually holds a pretty good amount of information, turns out, AOL decided to make a ton of their fields variable length, which means a headache for me in decoding it, because the length has to be read, translated, then used to set the offset for reading the data, this is the reason the code for the script is incredibly messy, I plan on cleaning it up at a later time. In a future post, I’ll also go into more detail about how this particular script decodes the protocol (very much hackish at the moment).

Known Issues:

  • Messages received by people who are away don’t get intercepted due to the packet being different than a regular incoming message packet
  • Different clients might not work (depending on the features supported). Right now I’ve tested with GAIM/Pidgin and Adium, it looks like Trillian isn’t working correctly yet, although I’ve collected some data for analysis so I can get it working.
  • This is probably the first *useful* script I’ve written in Ruby. I am not a ruby master so the code is really messy and probably badly written, have a problem with it? Send a patch!
  • OTR encrypted chat interception doesn’t work (duh)

TODO (no particular order):

  • Clean up code to make it easier to extend to different protocol/clients
  • Fix the Trillian problem
  • Test with AOL’s AIM client
  • Fix the incoming/away message
  • Correctly detect OTR chat and do (something?) about it

Remember people, don’t send credit card numbers, social security numbers, passwords, PIN numbers, etc over IM, ESPECIALLY when you’re somewhere like a coffeeshop using public wifi.

Thanks to the HeX LiveCD team for putting out a great release, already having the tools installed for use in a system is super helpful :)

Questions? Problems? Patches? Hatemail? Email me or leave a comment below!

tags: , , , , , , , ,
posted in bsd, dsniff, linux, monitoring, pcap, ruby, script, security, sniffing, tcpdump, unix by Lee

9 Comments to "Introducing ‘aimsnarf.rb’ => A simple AIM sniffing tool written in Ruby"

  1. eqgy » Blog Archiv » Introducing ‘aimsnarf.rb’ => A simple AIM sniffing tool written in … wrote:

    […] can read the full story here Der Beitrag wurde am Monday, den 12. November 2007 um 13:06 Uhr veröffentlicht und wurde […]

  2. aimsnarf version 0.11 released « :wq wrote:

    […] Links ← Introducing ‘aimsnarf.rb’ => A simple AIM sniffing tool written in Ruby […]

  3. lamz0r wrote:

    uh, dsniff does – msgsnarf.

  4. Lee Hinman wrote:

    The problem with dsniff is that it can be a pain to install on OSX, I wanted to go with a simple, self-contained script that I could extend to support additional features in the future.

  5. hgecom » Introducing ‘aimsnarf.rb’ => A simple AIM sniffing tool written in … wrote:

    […] here for full […]

  6. Joining the Hex Network Security Monitoring LiveCD project « :wq wrote:

    […] working on extending the NBF (Network-Based Forensics) offline script to include support for my aimsnarf script. I’m excited about being able to help, hopefully I’ll be able to be useful to […]

  7. NSM Console - A framework for running things « :wq wrote:

    […] explanation’s sake, let’s call our module “aimsnarf”, after the aim-sniffing program I wrote a while back. So inside the module directory, there is another directory called “aimsnarf.module”. […]

  8. SecurityEnthusiast, enthusiastic about important things in life » Blog Archive » Aimsnarf - the other white meat…. wrote:

    […] can read more about aimsnarf’s usage in this post, if you’re […]

  9. :wq - blog » Blog Archive » Yahsnarf - Sniff Yahoo IM conversations wrote:

    […] way back, when I released Aimsnarf? Well, it turns out that people were interested in one for Yahoo IM, so I’m happy to present […]

Powered by Wordpress and MySQL. Theme by Shlomi Noach,