Friday, April 4, 2008

Sniffing POP3 passwords using gpackcount

Using gpackcount you can sniff passwords that cross your network in clear text.

A practical example is shown below (the USER and PASS POP3 commands are left out of the transcript, because this is a public article). This can be useful to debug problems, or to check whether someone is trying to break into your POP3 accounts. POP3 is a good example because, without SSL support, authentication takes place in plain text. If you plan to run a POP3 service on your network server, think twice: instead of local sniffing, someone sitting between your POP3 client and your network server might be running a similar tool.

This example assumes you know that the POP3 protocol (without SSL) runs over TCP on port 110; below you can see the raw output produced by the gpackcount utility. Non-printable bytes are printed as their hex value in square brackets, so [0D][0A] is the CR LF that ends every POP3 line, and a literal bracket in the data shows up as [5B] or [5D].

Transcript:
[root@fuji root]# gpackcount packets -g 0,110,110,0 -v
{TCP/IP} (size=0, str=0) luisa.prized:2503 => 0.0.0.0:110

{TCP/IP} (size=0, str=0) 0.0.0.0:110 => luisa.prized:2503

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=82, str=94) 0.0.0.0:110 => luisa.prized:2503 +OK Teapop [5B]0.3.7[5D] - Teaspoon stirs around again <1207351688.25c7c716@llywellyn>[0D][0A]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 rset[0D][0A]

{TCP/IP} (size=54, str=60) 0.0.0.0:110 => luisa.prized:2503 -ERR rset? I'm not quite sure what you mean, Master.[0D][0A]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 quit[0D][0A]

{TCP/IP} (size=55, str=61) 0.0.0.0:110 => luisa.prized:2503 +OK I hope you will be back for your mail later, Sir.[0D][0A]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
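To turn a capture like the one above into something a defender can act on, here is a small added parser for the gpackcount -v line format shown in the transcript (example code written for this page, not part of gpackcount itself). It decodes the [XX] escapes back to bytes, reassembles the POP3 dialogue by direction, and reports how many clear-text USER/PASS commands crossed the wire and how many passwords the server rejected, which is the signal you would alert on for a guessing attack. The sample lines are constructed: two are taken from the transcript, the USER/PASS/-ERR exchange is made up, and the password value is never stored in the report.

```python
import re

# gpackcount -v line: "{TCP/IP} (size=N, str=M) src:port => dst:port payload"
LINE_RE = re.compile(r"^\{TCP/IP\} \(size=\d+, str=\d+\) (\S+):(\d+) => (\S+):(\d+)(?: (.*))?$")
ESC_RE = re.compile(r"\[([0-9A-Fa-f]{2})\]")  # non-printable bytes are printed as [XX]

def decode_payload(text):
    """Turn the printable/[XX] mix gpackcount prints back into raw bytes."""
    out, pos = bytearray(), 0
    for m in ESC_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def parse_line(line):
    """Return (src, sport, dst, dport, payload_bytes), or None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, payload = m.groups()
    return src, int(sport), dst, int(dport), decode_payload(payload or "")

def audit_pop3(lines, port=110):
    """Summarise what a passive observer learns: clear-text credentials and failed logins."""
    report = {"commands": [], "cleartext_user": 0, "cleartext_pass": 0, "auth_failures": 0}
    last_cmd = None
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, payload = pkt
        text = payload.decode("latin-1").strip("\x00\r\n ")
        if not text:
            continue                      # empty/padding segments, nothing to inspect
        if dport == port:                 # client -> server: a POP3 command
            last_cmd = text.split(" ", 1)[0].upper()
            report["commands"].append(last_cmd)
            report["cleartext_user"] += last_cmd == "USER"
            report["cleartext_pass"] += last_cmd == "PASS"   # the value itself is not kept
        elif sport == port and last_cmd == "PASS" and text.startswith("-ERR"):
            report["auth_failures"] += 1  # rejected password: feed this into brute-force alerting
    return report

# Constructed sample: two transcript lines plus a made-up (and rejected) login attempt.
SAMPLE = [
    "{TCP/IP} (size=82, str=94) 0.0.0.0:110 => luisa.prized:2503 +OK Teapop [5B]0.3.7[5D][0D][0A]",
    "{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]",
    "{TCP/IP} (size=11, str=15) luisa.prized:2503 => 0.0.0.0:110 USER alice[0D][0A]",
    "{TCP/IP} (size=19, str=23) luisa.prized:2503 => 0.0.0.0:110 PASS not-a-real-pw[0D][0A]",
    "{TCP/IP} (size=27, str=31) 0.0.0.0:110 => luisa.prized:2503 -ERR authentication failed[0D][0A]",
    "{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 quit[0D][0A]",
]

if __name__ == "__main__":
    print(audit_pop3(SAMPLE))
```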