tcpdump script
Gerald Combs
gerald at ethereal.com
Thu May 29 19:48:16 CDT 2003
On 29 May 2003, brad wrote:
> I have an ISP that does not have a record of their users' passwords and
> we are converting them over to our system in a month. I need to run a
> script that will capture all pop3 passwords over the next month so I can
> have a good record to enter into our system. I started out using
> tcpdump port 110 -w <file> and then use strings on the file. I can see
> all the USER lines and the PASS lines, but I don't know how to rework
> the file to get USER/PASS in a readable and matched form. I also need
> to keep the file from storing all the other lines it captures so that my
> file doesn't grow so large. Any ideas?
Tcpdump isn't quite suited to a task like this. You might try using
dsniff, ngrep, or any of the password-specific tools listed at
http://neworder.box.sk/codebox.links.php?&key=sniff
You could also run John the Ripper on the shadow file directly (assuming
they have a shadow file, of course):
http://www.openwall.com/john/