Re: extracting passwords from ethereal dump

From: Tim E (xmin0s@gmail.com)
Date: Tue Jun 21 2005 - 13:38:48 EDT


I found myself wondering the same thing after I dumped a 10 minute
capture on our network, it ended up being around 3 gigs worth of data
and I wanted to find out exactly what was plain text. After much
googling I found a plug-in (which I could never get to work I might
add) for dsniff that does just that, it runs through a pcap file. Link
to the patch is found here: http://www.sephail.net/patches/dsniff/
Here is another method (again, this didn't work for me either):
http://seclists.org/lists/pen-test/2001/Jul/0070.html

I never was able to get this to work (short of replaying the session
on a hub, which DID work).
But I think a program that does this would be a great thing to run
against the 20 gigs of pcap files I have sitting around.
Tim
On 6/21/05, Nicolas Gregoire <ngregoire@exaprobe.com> wrote:
> On Monday 20 June 2005 at 19:14 +0300, Mohamed Abdel Kader wrote:
>
> > I was on an assessment and decided to get some of the traffic moving
> > along the network. I got it using ethereal. Now I want a program
> > (other than ettercap) that can take this dump and extract the
> > passwords.
>
> Hey, I just had a quasi-identical situation last week. I captured 2 Gb
> of traffic while arp-spoofing some hosts (during an internal pentest) and
> I had to extract as much information as possible from my pcap files.
>
> In my opinion, searching for strings like "passwd" or "password" in the pcap
> files (or in the output of "tethereal -V") is just not productive. You will
> not catch Unicode text, nor X11 MIT cookies, nor SMB shared files
> containing clear text passwords.
>
> So, I've replayed the pcap files several times on a private/virtual VMware
> LAN (using tcpreplay at 3x speed), while running different tools to
> extract data: dsniff ("clear text" passwords), Cain & Abel (LM and NTLM
> hashes), smbspy (juicy Word and Excel files ;-), ... This solution is
> really efficient (replaying 2 hours of traffic in less than 20 minutes)
> and allows the pentester to use numerous software tools running on different
> OSes (here Linux and Windows) that do not natively support importing
> pcap files.
>
>
> Regards,
> --
> Nicolas Gregoire ----- Information Systems Security Consultant
> ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
> PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
>
>
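The thread asks for a tool that walks a pcap file directly and pulls out cleartext credentials, and Nicolas's point is that grepping for "password" misses encoded forms. The script below is an added example for the archive, not code from either poster or from dsniff: a standard-library-only pcap reader that decodes Ethernet/IPv4/TCP, pairs FTP and POP3 USER/PASS lines per flow, and base64-decodes HTTP Basic authorization headers (which a string search for "password" would never match). The capture it runs on is constructed inline (hosts 10.0.0.x, users alice/bob/carol are made up); pass a real pcap path on the command line to run it against your own captures.

```python
"""Pull cleartext credentials out of a classic pcap file with only the standard library.

Added example for the thread, not dsniff or either poster's code.  Handles Ethernet/
IPv4/TCP only, matches per-segment (no stream reassembly), and looks for FTP/POP3
USER+PASS pairs and HTTP Basic auth.  The sample capture below is constructed here.
"""
import base64
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1   # what "<I" yields when the writer was big-endian
LINKTYPE_ETHERNET = 1


def iter_pcap_records(data):
    """Yield (ts_sec, frame_bytes) for each record; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {PCAP_MAGIC: "<", PCAP_MAGIC_SWAPPED: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    off = 24                                  # global header is 24 bytes
    while off + 16 <= len(data):              # record header is 16 bytes
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                     # not IPv4 / not TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]


USERPASS = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.I | re.M)
BASIC = re.compile(rb"^(?:Proxy-)?Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)


def extract_credentials(pcap_bytes):
    """Walk the capture; return [(protocol, client, 'server:port', user, password), ...]."""
    found, pending = [], {}                   # pending: flow -> username awaiting its PASS
    for _ts, frame in iter_pcap_records(pcap_bytes):
        seg = tcp_payload(frame)
        if seg is None or not seg[4]:
            continue
        src, sport, dst, dport, payload = seg
        flow, server = (src, sport, dst, dport), "%s:%d" % (dst, dport)
        for m in BASIC.finditer(payload):     # base64 hides "user:pass" from plain grep
            try:
                user, _, pw = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace").partition(":")
            except ValueError:                # binascii.Error is a ValueError subclass
                continue
            found.append(("http-basic", src, server, user, pw))
        for m in USERPASS.finditer(payload):
            if m.group(1).upper() == b"USER":
                pending[flow] = m.group(2).decode("latin-1")
            else:
                proto = {21: "ftp", 110: "pop3"}.get(dport, "tcp/%d" % dport)
                found.append((proto, src, server, pending.pop(flow, "?"), m.group(2).decode("latin-1")))
    return found


# --- constructed sample capture (not real traffic) --------------------------------
def _ip(s):
    return bytes(int(x) for x in s.split("."))


def make_tcp_frame(src, sport, dst, dport, payload):
    """Ethernet/IPv4/TCP frame; checksums left zero because the parser ignores them."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1119378000 + i, 0, len(f), len(f)) + f
    return out


def build_sample_pcap():
    """FTP login, HTTP Basic request, POP3 login, plus an ARP frame the parser must skip."""
    return build_pcap([
        make_tcp_frame("10.0.0.5", 40001, "10.0.0.21", 21, b"USER alice\r\n"),
        make_tcp_frame("10.0.0.21", 21, "10.0.0.5", 40001, b"331 Password required\r\n"),
        make_tcp_frame("10.0.0.5", 40001, "10.0.0.21", 21, b"PASS s3cret!\r\n"),
        make_tcp_frame("10.0.0.7", 40002, "10.0.0.80", 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                       b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
        make_tcp_frame("10.0.0.9", 40003, "10.0.0.110", 110, b"USER carol\r\nPASS l3tmein\r\n"),
        b"\xff" * 6 + b"\x00" * 6 + b"\x08\x06" + b"\x00" * 28,
    ])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for row in extract_credentials(data):
        print("%-10s %s -> %s  user=%s pass=%s" % row)
```

Note what the sample shows about the grep approach: the only segment containing the word "Password" is the server's "331 Password required" banner, which carries no secret, while the three real credentials sit in lines that never contain that word (and the HTTP one is base64). Per-segment matching is enough for these short login exchanges but will miss a USER/PASS pair split across retransmissions or fragmented segments; for a 20 GB archive you would add TCP stream reassembly before the pattern matching.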



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:26 EDT