Re: extracting passwords from ethereal dump

Hello,

just a quick hint:

you can always tcpreplay -i lo capture.log  and dsniff -i lo

Using the loopback is faster and less risky than through VMWare or
replaying the traffic on a real hub.

Take care,


        Luca

On Tue, 2005-06-21 at 16:32 +0200, Nicolas Gregoire wrote:
> Le lundi 20 juin 2005 à 19:14 +0300, Mohamed Abdel Kader a écrit :
>
> > I was on a assessment and decided to get some of the traffic moving
> > along the network. i got it using ethereal. now i want a program
> > (other than ettercap) that can take this dump and extract the
> > passwords.
>
> Hey, I just had a quasi identical situation last week. I captured 2 Gb
> of trafic while arp-spoofing some hosts (during an internal pentest) and
> I had to extract as much information as possible from my pcap files.
>
> In my opinion, searching strings like "passwd" or "password" in the pcap
> files (or the output of "tethereal -V") is just non productive. You will
> not catch Unicoded text, neither X11 MIT-Cookies or SMB shared files
> containing clear text passwords.
>
> So, I've replay several times the pcap files on a private/virtual VMWare
> LAN (using tcpreplay at speed x 3), while running differents tools to
> extract data : dnsiff ("clear text" passwords), Cain & Abel (LM and NTLM
> hashes), smbspy (juicy Word and Excel files ;-), ... This solution is
> really efficient (replaying 2 hours of trafic in less than 20 minutes)
> and allows the pentester to use numerous softwares running on different
> OS (here Linux and Windows) and not supporting natively the import of
> pcap files.
>
>
> Regards,