Re: extracting passwords from ethereal dump

[sfml () gomor org]

On Tue, Jun 21, 2005 at 04:32:27PM +0200, Nicolas Gregoire wrote:
> Le lundi 20 juin 2005 à 19:14 +0300, Mohamed Abdel Kader a écrit :
>
> > I was on a assessment and decided to get some of the traffic moving
> > along the network. i got it using ethereal. now i want a program
> > (other than ettercap) that can take this dump and extract the
> > passwords.
>
> Hey, I just had a quasi identical situation last week. I captured 2 Gb
> of trafic while arp-spoofing some hosts (during an internal pentest) and
> I had to extract as much information as possible from my pcap files.

  Maybe the following script could be of use also. Not sure 
  if it will work on a 2Gb file, but this could be a good 
  test ;)

--8<--
#!/usr/bin/perl
use strict;
use warnings;

use Net::Pkt;

my $dump = Net::Packet::Dump->new(
   file            => $ARGV[0],
   filter          => $ARGV[1] ? $ARGV[0] : '',
   overwrite       => 1,
   unlinkOnDestroy => 0,
   noStore         => 1,
   callStart       => 1,
);

while (my $f = $dump->next) {
  if ($f->l7) {
      my $binData = $f->l7->data;
      print unpack('H*', $binData), "\n";
      # Do whatever you want with this $binData here
   }
}
--8<--

-- 
  ^  ___  ___    FreeBSD Network - http://www.GomoR.org/ <-+
  | / __ |__/          Systems & Security Engineer         |
  | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
  +-->  Net::Packet <=> http://search.cpan.org/~gomor/  <--+