Solved

password sniffing

Posted on 2010-09-15
Last Modified: 2012-05-10
As a general yes/no is it practical to say:

No passwords should be transmitted across the network in plain text anymore; there's always an encrypted alternative?

I am trying to determine where passwords are still being sent by client software/apps across a LAN in clear text and am struggling to determine where to start, as there are over 300 servers. I am thinking about picking a sample of 10 servers and running something like ettercap on the servers themselves to see what passwords it gets coming in and what protocol was used to send the password over the LAN.

However, at the end of this exercise we need to do something with these results, i.e. review an encrypted alternative to any findings, or accept that in some cases plain text is still used in most places to an extent as there is no alternative.

Question by:pma111
 
LVL 6

Expert Comment

by:collins23
yes.
 
LVL 8

Accepted Solution

by:thetmanvn (earned 250 total points)
So what do you need, a suggestion for your work, or what?

Assume it goes this way:

1./ Survey which apps clients use the most.
2./ Start with the most used apps like HTTP, FTP, SMTP, POP3, XMPP, ... using pre-defined apps. Wireshark is number 1, and ettercap is also excellent, but with this kind of task, to reduce the time spent writing filters, use SniffPass from nirsoft: http://www.nirsoft.net/utils/password_sniffer.html to get what you want to see.
3./ Then start with the other applications; this time use Wireshark, for very flexible and deep packet/protocol inspection, to find other clear-text-transmitting apps.
4./ Almost every standard protocol has its way to protect clear text using SSL/TLS (http://en.wikipedia.org/wiki/Transport_Layer_Security) or an encrypt/hash script in the app (a forum login hash script is an example). For other applications, you can use stunnel (www.stunnel.org) as an alternative.
 
LVL 3

Author Comment

by:pma111
Thanks, yes, it was just some input on how to approach such a task more than anything, or any experience people who had done similar could detail, and do's and don'ts. I thought Ettercap had a credentials type filter, but I may be wrong.
 
LVL 3

Author Comment

by:pma111
I assume you "sniff" on the application server / database server itself?
 
LVL 8

Expert Comment

by:thetmanvn
Yes, it does. ettercap is the most powerful, because you can script in it, and especially because you can inject/modify packets in real time. Wireshark is much more of a packet sniffer and analyzer, with a very, very easy GUI and filter expression building. And SniffPass or Cain & Abel Password Sniffer are dedicated applications to retrieve credentials for well-known protocols (HTTP, SMTP...). For example, with Wireshark you can filter "http contains POST" and look into the line-text data to find the password, or "ftp contains USER or ftp contains PASS" to find the user/pass of an FTP transaction; SniffPass simply does it for you.
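As an added example (not code from this thread or from any of the tools named in it), the following Python script applies the same checks as the "http contains POST" and "ftp contains USER / PASS" filters above to reassembled client-to-server streams and turns each hit into an audit finding paired with the encrypted alternative from step 4 of the accepted solution. The stream records, addresses and credentials are constructed sample data; the script records only the account name and never extracts the password itself, since an audit report needs the fact and the account owner, not the secret.

```python
import base64
import re
from urllib.parse import parse_qs

# Cleartext-auth protocols to flag, keyed by server port, and the encrypted
# replacement to recommend (TLS variants, or stunnel if the app cannot do TLS).
PORT_PROTOCOL = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3"}
ALTERNATIVE = {"FTP": "FTPS (AUTH TLS) or SFTP", "SMTP": "SMTP with STARTTLS",
               "HTTP": "HTTPS", "POP3": "POP3 over TLS (port 995 or STLS)"}
def cleartext_user(protocol, payload):
    """Account name if the client->server data carries a cleartext password, else None.
    The password itself is never extracted: the audit needs the fact and the owner."""
    if protocol in ("FTP", "POP3"):         # USER x / PASS y command pair
        m = re.search(r"^USER (\S+)", payload, re.M)
        return m.group(1) if m and re.search(r"^PASS \S", payload, re.M) else None
    if protocol == "SMTP":                   # AUTH PLAIN base64("\0user\0pass"): encoded, not encrypted
        m = re.search(r"^AUTH PLAIN (\S+)", payload, re.M)
        try:
            parts = base64.b64decode(m.group(1), validate=True).split(b"\0") if m else []
        except ValueError:                   # malformed token, not a decodable credential
            parts = []
        return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None
    if protocol == "HTTP" and payload.startswith("POST ") and "\r\n\r\n" in payload:
        form = parse_qs(payload.split("\r\n\r\n", 1)[1])      # form body after the headers
        if any(k.lower() in ("password", "passwd", "pass", "pwd") for k in form):
            users = [form[k][0] for k in ("username", "user", "login") if k in form]
            return users[0] if users else "<user field not recognised>"
    return None

def audit_streams(streams):
    """streams: (client, server, server_port, client->server text) per TCP stream."""
    findings = []
    for client, server, port, payload in streams:
        proto = PORT_PROTOCOL.get(port)
        user = cleartext_user(proto, payload) if proto else None
        if user is not None:
            findings.append({"protocol": proto, "client": client, "server": server,
                             "user": user, "fix": ALTERNATIVE[proto]})
    return findings

# Constructed sample data: reassembled client->server text of five TCP streams.
SAMPLE_STREAMS = [
    ("10.1.2.30", "10.1.9.5", 21, "USER backupop\r\nPASS s3cret\r\nCWD /dumps\r\n"),
    ("10.1.2.31", "10.1.9.7", 110, "USER jsmith\r\nPASS winter2010\r\nSTAT\r\n"),
    ("10.1.2.32", "10.1.9.8", 80, "POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nusername=amy&password=hunter2"),
    ("10.1.2.33", "10.1.9.8", 80, "GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.1.2.34", "10.1.9.7", 25, "EHLO pc34\r\nAUTH PLAIN " + base64.b64encode(b"\0alice\0pw").decode() + "\r\n"),
]
for f in audit_streams(SAMPLE_STREAMS):
    print(f"{f['protocol']:5} {f['client']} -> {f['server']} user={f['user']}; move to {f['fix']}")
```

On a real capture the stream text would come from Wireshark's "Follow TCP Stream" export or a pcap reader; the GET stream and the TLS ports are skipped because nothing in them is a cleartext credential exchange.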
 
LVL 6

Expert Comment

by:collins23
That's right.

Like thetmanvn said, you will have to filter for the most common protocols, because you will capture lots of traffic.

Be sure also to check that your database logins are not in clear text.
 
LVL 3

Author Comment

by:pma111
Any tips on selecting which servers to sniff on, i.e. quick wins where there's a good chance of clear text communications? Just to get a feel for this more than anything. Was going to suggest:

3 x SQL Servers (where sensitive data resides)
2 x Exchange Servers
1 x Domain Controller

Any other ideas to throw into the mix where we should sniff, on a "typical network"?
 
LVL 3

Author Comment

by:pma111
Print Servers?
 
LVL 8

Expert Comment

by:thetmanvn
1./ SQL Server 2k5 and 2k8 always make connections within an encrypted session.  There are no exceptions.  You will never see a password, of any kind, come across the network in plain text to or from SQL Server 2k5 and higher. So if you're using SQL 2k5 or 2k8, you can relax about SQL passwords.

But if you have web apps running on SQL Server, it's an HTTP matter, so use Wireshark with the "http contains POST" filter to find them.

2./ Exchange: by default Exchange 2k3 and above does not configure its services with SSL, so you will have clear text with the webmail, POP3, IMAP and SMTP services (not only username/password but the whole mail body). Exchange 2k7 comes with SSL in mind, but remember to look at it.

3./ DC: you can capture port 389 to see whether there are any cleartext LDAP connections or not.

4./ Print servers: which kind do you have?
 
LVL 3

Author Comment

by:pma111
Printers (upwards of 400) installed on a Windows 2003 server with the print spooler running etc....

OK, so Exchange seems a good idea to test
SQL Server (2005/08) not such a good idea
DC a good idea
Print Servers maybe

Any other areas, types of infrastructure, you would suggest a capture on?
 
LVL 3

Author Comment

by:pma111
Namely, if I use SniffPass from Nirsoft, which will capture POP3, IMAP4, SMTP, FTP, and HTTP credentials, which types of servers / infrastructure would you expect to capture credentials for those protocols on, so as not to waste time, i.e. expecting POP3 on a SQL Server database server would be a waste of time etc etc...
 
LVL 3

Author Comment

by:pma111
Are there many other clear text protocols outside POP3, IMAP4, SMTP, FTP, and HTTP, and any tools to automatically parse the other protocols that Nirsoft won't be able to capture? Telnet etc.
 
LVL 6

Assisted Solution

by:collins23 (earned 250 total points)
Well, I think the answer really depends on the environment.

For example, I could have telnet, ftp and pop3 at my site, while you only have ftp at your site.

A good way to start would be to do a port scan of the servers to identify which ports are open (which services are running).

It's from this that you will be able to identify the services you need to concentrate on.

I think the list you have been given here would be a good start for you, though.
 
LVL 3

Author Comment

by:pma111
Good point regarding the portscans, I'll go for that approach first...
 
LVL 8

Expert Comment

by:thetmanvn
If it's your own server, it's maybe not necessary to do a port scan; you can use Nirsoft's cport to find out which server apps are listening on which port (filter only LISTEN).
 
LVL 3

Author Comment

by:pma111
Where are the opportunities for a successful capture, though, on a switched LAN? Please can you provide feedback on my thoughts:

Scenario - a user enters an HTML password for a small intranet application

Subnet - a user with a workstation in the same subnet as the valid user could sniff the password using ARP poisoning
Switch - a user could compromise the switch and sniff on there
Server Subnet - a user with a workstation in the same subnet as the Intranet server could sniff the password using ARP poisoning
Server - a user who has compromised the Intranet server itself could capture all incoming passwords
 
LVL 8

Expert Comment

by:thetmanvn
All cases are right. Using tools like ettercap or Wireshark + the dsniff suite, not only clear text passwords can be captured but also SSL traffic (normal users never care about SSL certificate questions; they just press Yes when spoofed certificates are presented).

So besides technical measures, user security awareness is the important thing to care about.