Penetration Testing mailing list archives
Re: extracting passwords from ethereal dump
From: Tim E <xmin0s () gmail com>
Date: Tue, 21 Jun 2005 12:38:48 -0500
I found myself wondering the same thing after I dumped a 10 minute capture on our network, it ended up being around 3 gigs worth of data and I wanted to find out exactly what was plain text. After much googling I found a plug in (which I could never get to work I might add) for Dsniff that does just that, it runs through a Pcap file. Link to the patch is found here: http://www.sephail.net/patches/dsniff/ Here is another method (again this didn't work for me either) http://seclists.org/lists/pen-test/2001/Jul/0070.html I never was able to get this to work (short of replaying the session on a hub, which DID work) But I think a program that does this would be a great thing to run agaist my 20gigs of Pcap files I have sitting around. Tim On 6/21/05, Nicolas Gregoire <ngregoire () exaprobe com> wrote:
Le lundi 20 juin 2005 à 19:14 +0300, Mohamed Abdel Kader a écrit :I was on a assessment and decided to get some of the traffic moving along the network. i got it using ethereal. now i want a program (other than ettercap) that can take this dump and extract the passwords.Hey, I just had a quasi identical situation last week. I captured 2 Gb of trafic while arp-spoofing some hosts (during an internal pentest) and I had to extract as much information as possible from my pcap files. In my opinion, searching strings like "passwd" or "password" in the pcap files (or the output of "tethereal -V") is just non productive. You will not catch Unicoded text, neither X11 MIT-Cookies or SMB shared files containing clear text passwords. So, I've replay several times the pcap files on a private/virtual VMWare LAN (using tcpreplay at speed x 3), while running differents tools to extract data : dnsiff ("clear text" passwords), Cain & Abel (LM and NTLM hashes), smbspy (juicy Word and Excel files ;-), ... This solution is really efficient (replaying 2 hours of trafic in less than 20 minutes) and allows the pentester to use numerous softwares running on different OS (here Linux and Windows) and not supporting natively the import of pcap files. Regards, -- Nicolas Gregoire ----- Consultant en Sécurité des Systèmes d'Information ngregoire () exaprobe com ------[ ExaProbe ]------ http://www.exaprobe.com/ PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
Current thread:
- extracting passwords from ethereal dump Mohamed Abdel Kader (Jun 20)
- Re: extracting passwords from ethereal dump Nicolas Gregoire (Jun 21)
- Re: extracting passwords from ethereal dump Tim E (Jun 21)
- Re: extracting passwords from ethereal dump Noname (Jun 22)
- Re: extracting passwords from ethereal dump sfml (Jun 27)
- <Possible follow-ups>
- Re: extracting passwords from ethereal dump David Eduardo Acosta Rodríguez (Jun 20)
- RE: extracting passwords from ethereal dump Todd Towles (Jun 20)
- RE: extracting passwords from ethereal dump Steve A (Jun 20)
- Re: extracting passwords from ethereal dump andre protas (Jun 20)
- RE: extracting passwords from ethereal dump Kyle Starkey (Jun 21)
- Re: extracting passwords from ethereal dump Nicolas Gregoire (Jun 21)