Penetration Testing mailing list archives

Re: sniffing X traffic.


From: Mike Craik <bovine () btinternet com>
Date: Mon, 13 Aug 2001 02:07:09 +0100

Power Steve wrote:

Anyone know if you can meaningfully sniff Exceed (I guess it's the same as
X) traffic?  I'm being a bit lame, my personal test lab is down atm, and I
can't find anything on the net re sniffing and interpreting X traffic.

You can have quite a bit of 'fun' with X11.

i.e.

If someone is running an unprotected X server - not using MIT Magic Cookies
or xhost authentication properly, for example (they have issued 'xhost +'
...) - then you can easily grab a screenshot of their X display
(remotely).

Grab:

/usr/X/bin/xwd x11user.victum.com:0 -root -out /tmp/i_can_see_you.dmp

(:0 indicates the first X display - this listens on port 6000, :1 would
be port 6001 etc.)

View:

/usr/X/bin/xwud -in /tmp/i_can_see_you.dmp

Out of the box, the Exceed X11 server places no restrictions on remote
connections... :-(


xspy - http://www.acm.vt.edu/~jmaxwell/programs/xspy/xspy.html - can be
used to capture keystrokes from an X server. You don't need much of an
imagination to realize what sort of thing it can be used for :-).

Pretty much any packet sniffer can grab X11 packets. AFAIK dsniff will
sniff MIT Magic cookies.

Cheers,
Mike.
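Added here as a defender's self-check, not code from the thread or from any of the tools mentioned: it maps an X display string to the TCP port the message describes (6000 + display number), flags the 'xhost +' state from xhost's own output, and finds X11 listeners bound to a non-loopback address in an `ss -ltn`-style listing. The xhost and ss samples are constructed; the loopback and 6000-6063 assumptions are the conventional X11 ones.

```python
import re

# Constructed sample outputs (not captured from a real host) so this runs offline.
XHOST_OPEN = "access control disabled, clients can connect from any host\n"
XHOST_CLOSED = (
    "access control enabled, only authorized clients can connect\n"
    "SI:localuser:alice\n"
)
SS_LISTING = (
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
    "LISTEN 0      128    127.0.0.1:6010      0.0.0.0:*\n"   # ssh -X forwarding, local only
    "LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*\n"   # display :0 reachable from the network
    "LISTEN 0      128    0.0.0.0:22          0.0.0.0:*\n"
)

def display_to_port(display):
    """':0' -> 6000, 'host:1.0' -> 6001: display N listens on TCP 6000+N."""
    m = re.search(r":(\d+)(?:\.\d+)?$", display)
    if not m:
        raise ValueError("not an X display string: %r" % display)
    return 6000 + int(m.group(1))

def xhost_is_open(xhost_output):
    """True when the server accepts clients from any host (the 'xhost +' state)."""
    lines = xhost_output.strip().splitlines()
    return bool(lines) and lines[0].startswith("access control disabled")

def exposed_x_listeners(ss_output):
    """(addr, port) pairs for X11 listeners (6000-6063) not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        m = re.match(r"LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s", line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        loopback = addr.startswith("127.") or addr == "[::1]"
        if 6000 <= port <= 6063 and not loopback:
            found.append((addr, port))
    return found

if __name__ == "__main__":
    print("display :0 ->", display_to_port(":0"))
    print("xhost + state:", xhost_is_open(XHOST_OPEN))
    print("exposed X listeners:", exposed_x_listeners(SS_LISTING))
```

Run `xhost` and `ss -ltn` on the host under review and feed their real output to the same two functions; anything the listener check reports should be reachable only over an SSH-forwarded display or closed with `xhost -` and `-nolisten tcp`.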

