tcpdump script
christopher downs
cdowns at drippingdead.com
Thu May 29 19:06:54 CDT 2003
dude run ettercap without the ncurses interface, it will log all to a file and this is a std feature within the app. If that's not what you want I would suggest using ngrep
ngrep -d eth0 -Wia2 'user|pass' -s 1514 -t dst port 110 >> /home/username/mail.passwords
sample:
cdowns at cipher:~/Wargames/amap-2.1$ sudo ngrep -d eth0 -i 'user|pass' -s 1514 -t dst port 110
interface: eth0 (216.62.95.128/255.255.255.248)
filter: ip and ( dst port 110 )
match: user|pass
####
T 2003/05/29 14:06:29.269094 216.62.95.130:56918 -> 66.30.102.129:110 [AP]
USER
cdowns..
##
T 2003/05/29 14:06:33.561888 216.62.95.130:56918 -> 66.30.102.129:110 [AP]
PASS
xxxxxxxxxxxxxxxxxxxx..
###
This will capture all and grep on user | pass combos and then will dump the time it found it at as well, just a simple one liner, or just write a quick perl script and log to a file every time one is found.
~!>D
brad wrote:
>I have an ISP that does not have a record of their user's passwords and
>we are converting them over to our system in a month. I need to run a
>script that will capture all pop3 passwords over the next month so I can
>have a good record to enter into our system. I started out using
>tcpdump port 110 -w <file> and then use strings on the file. I can see
>all the USER lines and the PASS lines, but I don't know how to rework
>the file to get USER/PASS in a readable and matched form. I also need
>to keep the file from storing all the other lines it captures so that my
>file doesn't grow so large. Any ideas?
>
>Thanks in advance,
>
>Brad
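Brad's question was how to rework the capture so that each USER line ends up matched with its PASS line instead of sitting loose in a growing file. The Python script below is an added example, not part of this thread or of ngrep itself. It reads the ngrep -t output format shown in the post above (a header line per matching packet, the payload with CR/LF rendered as dots, and '#' tick lines between matches), pairs USER and PASS by TCP flow (client ip:port to server ip:port), and reports which accounts authenticated in the clear, from where, and when. It deliberately records the fact that a cleartext password crossed the wire rather than the password itself, which is what an admin auditing who still uses unencrypted POP3 needs. The embedded sample output is constructed from the lines in the post plus one extra client whose PASS never appears; all function names are my own.

```python
import re

# ngrep -t header line, as in the post:
# T 2003/05/29 14:06:29.269094 216.62.95.130:56918 -> 66.30.102.129:110 [AP]
HEADER_RE = re.compile(
    r"^T (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(\S+:\d+) -> (\S+:\d+) \[[A-Z]*\]$"
)

# POP3 command line; ngrep prints the trailing CR LF as "..", which we drop.
CMD_RE = re.compile(r"^(USER|PASS)\s+(.*?)\.{0,2}$", re.IGNORECASE)

# Constructed sample: the two matches from the post plus a second client
# (alice) whose PASS is never seen on port 110.
SAMPLE_NGREP_OUTPUT = """\
interface: eth0 (216.62.95.128/255.255.255.248)
filter: ip and ( dst port 110 )
match: user|pass
####
T 2003/05/29 14:06:29.269094 216.62.95.130:56918 -> 66.30.102.129:110 [AP]
USER
cdowns..
##
T 2003/05/29 14:06:33.561888 216.62.95.130:56918 -> 66.30.102.129:110 [AP]
PASS
xxxxxxxxxxxxxxxxxxxx..
###
T 2003/05/29 14:07:01.000001 216.62.95.131:40001 -> 66.30.102.129:110 [AP]
USER
alice..
##
"""


def parse_ngrep(text):
    """Split ngrep -t output into records: one per matched packet."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "src": m.group(2),
                       "dst": m.group(3), "payload": []}
            records.append(current)
        elif line.startswith("#"):
            current = None  # '#' lines are ngrep's non-matching packet ticks
        elif current is not None and line.strip():
            current["payload"].append(line.strip())
    return records


def pair_logins(records):
    """Match USER and PASS per client->server flow; never keep the password."""
    pending = {}  # (client, server) -> (time USER was seen, username)
    events = []
    for rec in records:
        m = CMD_RE.match(" ".join(rec["payload"]))
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        flow = (rec["src"], rec["dst"])
        if cmd == "USER":
            pending[flow] = (rec["time"], arg)
        elif cmd == "PASS" and flow in pending:
            user_time, username = pending.pop(flow)
            events.append({"user_at": user_time, "pass_at": rec["time"],
                           "client": rec["src"], "server": rec["dst"],
                           "user": username, "cleartext_password_seen": True})
    # Flows where USER was seen but no PASS followed (client may have used
    # STLS, or the capture ended): still worth listing for the audit.
    for (client, server), (user_time, username) in pending.items():
        events.append({"user_at": user_time, "pass_at": None,
                       "client": client, "server": server,
                       "user": username, "cleartext_password_seen": False})
    return events


if __name__ == "__main__":
    for ev in pair_logins(parse_ngrep(SAMPLE_NGREP_OUTPUT)):
        status = "CLEARTEXT PASS" if ev["cleartext_password_seen"] else "user only"
        print(f"{ev['user_at']} {ev['client']} -> {ev['server']} "
              f"user={ev['user']} [{status}]")
```

Run it as `ngrep -d eth0 -t -i 'user|pass' dst port 110 | python3 thisscript.py` with the sample replaced by `sys.stdin.read()`, and you get one line per login attempt instead of a file full of raw packets; the flow key (client ip:port) is what keeps a USER from one client from being paired with a PASS from another when several sessions overlap.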
More information about the Kclug mailing list