Monday, April 07, 2008

One line password sniffer

My wife asked me if I could help her update her website last night, only there was one problem -- she couldn't for the life of her remember the password she assigned to the FTP access... Luckily the password was locked inside of Dreamweaver, so we could get at the files that way, but we needed it for more sophisticated access to get her new WordPress blog online. Also, Dreamweaver was hiding the password with the classic "********" display (see the previous post on how to obscure passwords in text boxes), so you could use it within Dreamweaver, but not export it beyond. We needed to get that password! Well, FTP happens to be the least secure protocol that remains popular on the net. It is so bad, I would call it a "password broadcast" protocol. Basically any password you type into an FTP client is sent over the network in the clear, in the easiest form there is to read.

Here is a one line command that will sniff FTP passwords as they come across the local network:
sudo tcpdump -A -s 0 -i eth0 -l -e port ftp | grep -e "Welcome\|USER\|PASS"

To use this on OS X, just replace the eth0 interface above with en1.

Here is the output as an unknowing user on a different machine on the LAN logs into ftp.kernel.org with their ultra-secret anonymous/secret user/pass pair...
v......>220 Welcome to ftp.kernel.org.
...ev...USER anonymous
...xv./.PASS secret
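
As an added example (not from the original post), here is a Python script that turns that same kind of tcpdump -A output into redacted alerts for a defender: it tracks each FTP session, records which user sent a password in the clear without storing the password, and flags the case where the client requested AUTH TLS, was refused, and fell back to cleartext. The sample lines and the example.test host are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of what `tcpdump -A` prints for two FTP control sessions
# (header bytes rendered as '.'); not a real capture. In the hypothetical second
# session the client asks for AUTH TLS, is refused, and falls back to cleartext.
SAMPLE = """\
v......>220 Welcome to ftp.kernel.org.
...ev...USER anonymous
...xv./.PASS secret
.....>220 Welcome to example.test FTP service.
.....AUTH TLS
.....502 Command not implemented.
.....USER alice
.....PASS hunter2
"""

# The lookbehind skips the binary header debris tcpdump -A prints before the payload.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])(220|USER|PASS|AUTH|234)\b\s*(.*)$")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+")

@dataclass(frozen=True)
class Finding:
    server: str
    user: str
    after_refused_tls: bool  # AUTH TLS was requested, yet PASS still went in the clear

def find_cleartext_logins(capture: str) -> list[Finding]:
    """Record every password sent over cleartext FTP; the password itself is never stored."""
    findings: list[Finding] = []
    server, user, tls_requested = "?", None, False
    for raw in capture.splitlines():
        m = TOKEN_RE.search(raw)
        if not m:
            continue
        token, arg = m.group(1), m.group(2).strip()
        if token == "220":              # banner: a new session starts here
            host = HOST_RE.search(arg)
            server = host.group(0) if host else arg
            user, tls_requested = None, False
        elif token == "AUTH" and arg.upper().startswith("TLS"):
            tls_requested = True
        elif token == "234":            # upgrade accepted: later traffic is encrypted
            tls_requested = False
        elif token == "USER":
            user = arg
        elif token == "PASS" and user is not None:
            findings.append(Finding(server, user, tls_requested))
            user = None
    return findings
```

Feed it the raw `tcpdump -A` stream rather than the grep-filtered one, so the AUTH TLS exchange is visible to it.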

So there are many lessons here:

  1) Don't use "good" passwords with FTP -- expect any FTP password to be compromised...
  2) Use SSL whenever possible (it makes casual sniffing like this much harder)
  3) Remember your passwords! Well, this is a much bigger problem -- keychain software needs to get better and more popular.

So I ran the one line sniffer above on my machine, asked Dreamweaver to log in to the site from her machine, and voilà! The password was revealed! After all that, what was this impossible-to-crack password? It turned out to be the classic "hand-off" password you use when you don't want to share your secrets with someone who is helping you -- it was the first name of the developer who last helped my wife upload her website. ;)

1 comment:

SBTVD said...

Hello. This post is likeable, and your blog is very interesting, congratulations :-). I will add it to my blogroll =). If possible, take a look at my blog; it is about SBTVD, I hope you enjoy it. The address is http://sbtvd.blogspot.com. A hug.