This document discusses network sniffing and capturing login credentials in plain text protocols. It describes setting up a telnet server and client to experiment with sniffing username and password information using tcpdump and ngrep tools on the local network. The document recommends trying the same technique on other protocols like FTP, POP, SMTP and exploring more secure replacement protocols due to vulnerabilities in sending plain text credentials over the network.

1. Network Sniffing
Budi Rahardjo
@rahard
2016

2. Network Layers
https://technet.microsoft.com/en-us/library/cc958821.aspx
2016 BR - Network Sniffing v.1.0 2

3. APPLICATION LAYER
SNIFFING
Telnet, FTP, …
2016 BR - Network Sniffing v.1.0 3

4. Experiment Setup
Server
• Set telnet server (telnetd)
• Setup userid+pass
Client
• Execute: telnet server
• Enter: userid+password
• Execute some commands
& exit
2016 BR - Network Sniffing v.1.0 4

5. Capture with “tcpdump”
• Execute tcpdump (wireshark) on server /
client / attacker (on the same network) to
save in a file
tcpdump –n –s0 –w tcpdump.pcap port 23
(after session, ctrl-C)
• View & analyze “tcpdump.pcap”
– Follow tcpstream
– Show the captured “userid” + “password”
2016 BR - Network Sniffing v.1.0 5

6. Use “ngrep”
# ngrep 'USER|PASS'
interface: eth0 (167.205.22.128/255.255.255.224)
match: USER|PASS
##############
T 167.205.22.148:62045 -> 167.205.22.142:21 [AP]
USER kuliah..
####
T 167.205.22.148:62045 -> 167.205.22.142:21 [AP]
PASS takadayangtahu..
##############################^Cexit
48 received, 0 dropped
2016 BR - Network Sniffing v.1.0 6

7. Other Protocols
• Use the same technique for
– FTP
– POP
– SMTP
– DNS
– …
2016 BR - Network Sniffing v.1.0 7

8. Remarks
• Show how vulnerable some application
protocols
• List replacements of those protocols with
secure replacements
2016 BR - Network Sniffing v.1.0 8