Solved

password sniffing

Posted on 2010-09-15
780 Views
Last Modified: 2012-05-10
As a general yes/no, is it practical to say:

No passwords should be transmitted across the network in plain text anymore; there's always an encrypted alternative?

I am trying to determine where passwords are still being sent by client software/apps across a LAN in clear text and am struggling to determine where to start, as there are over 300 servers. I am thinking about picking a sample of 10 servers and running something like ettercap on the servers themselves to see what passwords it gets coming in and what protocol was used to send the password over the LAN.

However, at the end of this exercise we need to do something with these results, i.e. review an encrypted alternative to any findings, or accept that in some cases plain text is still used in most places to an extent, as there is no alternative.
Question by:pma111
17 Comments
 
LVL 6

Expert Comment

by:collins23
ID: 33681487
yes.
0
 
LVL 8

Accepted Solution

by:
thetmanvn earned 1000 total points
ID: 33681592
So what do you need, a suggestion for your work or what?

Assume that way:

1./ Survey what the top apps are that clients use
2./ Start with the most used apps like HTTP, FTP, SMTP, POP3, XMPP, ... using pre-defined apps. Wireshark is number 1, ettercap is also excellent, but for this kind of work, to reduce the time you spend writing filters, use SniffPass from nirsoft: http://www.nirsoft.net/utils/password_sniffer.html to get what you want to see
3./ Then start with other applications; this time use Wireshark, for very flexible and deep packet/protocol inspection, to find other clear-text-transmitted apps
4./ Almost every standard protocol has its own way to protect clear text using SSL/TLS (http://en.wikipedia.org/wiki/Transport_Layer_Security) or an encrypt/hash script in the app (a forum login hash script is an example). With other applications, you can use stunnel (www.stunnel.org) as an alternative
0
 
LVL 3

Author Comment

by:pma111
ID: 33681646
Thanks, yes, it was just some input on how to approach such a task more than anything, or any experience people who had done similar could detail, and do's and don'ts. I thought Ettercap had a credentials type filter but I may be wrong.
0
 
LVL 3

Author Comment

by:pma111
ID: 33681677
I assume you "sniff" on the application server / database server itself?
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33681705
Yes, it has; ettercap is the most powerful, because you can script in it, and especially you can inject/modify packets in real time. Wireshark is much more of a packet sniffer and analyzer, with a very, very easy GUI and filter expression building. And SniffPass or the Cain & Abel password sniffer are dedicated applications to retrieve credentials for famous protocols (HTTP, SMTP...). For example, with Wireshark you can filter "http contains POST" and look into the line-text data to find the password, or "ftp contains USER or ftp contains PASS" to find out the user/pass of an FTP transaction; SniffPass simply does it for you.
0
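The Wireshark filters thetmanvn describes ("http contains POST", "ftp contains USER or ftp contains PASS") can be turned into an audit script that reports which cleartext logins crossed the wire without storing the passwords themselves. This is an added example, not code from the thread or from any of the tools named in it; the packets are constructed inline and the port-to-protocol map is an assumption for the demo.

```python
import base64
import re
from urllib.parse import parse_qs

# Assumed server port -> protocol; mirrors the thread's list (HTTP POST, FTP, POP3, SMTP, IMAP).
CLEARTEXT_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")

def find_cleartext_credentials(port, payload):
    """Return (protocol, username, masked_password) if this payload carried a cleartext login."""
    proto = CLEARTEXT_PORTS.get(port)
    text = payload.decode("latin-1")
    if proto == "HTTP" and text.startswith("POST "):
        # Form body follows the blank line: the "http contains POST" check, done by hand.
        body = text.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in text else ""
        form = parse_qs(body)
        user = next((form[k][0] for k in ("username", "user", "login", "email") if k in form), "?")
        for key in PASSWORD_FIELDS:
            if key in form:
                return (proto, user, "*" * len(form[key][0]))  # report length only, never the secret
    elif proto in ("FTP", "POP3"):
        # Both use the USER/PASS command pair: "ftp contains USER or ftp contains PASS".
        user = re.search(r"^USER (\S+)", text, re.M)
        pwd = re.search(r"^PASS (\S+)", text, re.M)
        if user and pwd:
            return (proto, user.group(1), "*" * len(pwd.group(1)))
    elif proto == "IMAP":
        m = re.search(r"^\S+ LOGIN (\S+) (\S+)", text, re.M)  # tagged LOGIN command
        if m:
            return (proto, m.group(1), "*" * len(m.group(2)))
    elif proto == "SMTP":
        # AUTH PLAIN carries base64("\0user\0password"): encoded, not encrypted.
        m = re.search(r"^AUTH PLAIN (\S+)", text, re.M)
        if m:
            _, user, pwd = base64.b64decode(m.group(1)).decode().split("\0")
            return (proto, user, "*" * len(pwd))
    return None

# Constructed sample payloads (not a real capture): (server_port, first bytes of the client stream).
SAMPLE_CAPTURE = [
    (21, b"USER alice\r\nPASS s3cret\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: intranet\r\n\r\nusername=bob&password=hunter2"),
    (25, b"EHLO ws01\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0pa55") + b"\r\n"),
    (143, b"a001 LOGIN dave letmein\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS ClientHello: nothing readable
]

def audit(capture):
    """Run the detector over every packet and keep only the findings."""
    return [f for f in (find_cleartext_credentials(p, d) for p, d in capture) if f]
```

Each finding names the protocol and account so the owning team can be pointed at the encrypted alternative, while the masked field shows only that a password was exposed.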
 
LVL 6

Expert Comment

by:collins23
ID: 33681714
That's right.

Like thetmanvn said, you will have to filter for the most common protocols,

because you will capture lots of traffic.


Be sure also to check that your database logins are not in clear text.
0
 
LVL 3

Author Comment

by:pma111
ID: 33681828
Any tips on selecting which servers to sniff on, i.e. quick wins where there's a good chance of clear text communications? Just to get a feel for this more than anything. Was going to suggest:

3 x SQL Servers (where sensitive data resides)
2 x Exchange Servers
1 x Domain Controller

Any other ideas to throw into the mix where we should sniff, on a "typical network"?
0
 
LVL 3

Author Comment

by:pma111
ID: 33681836
Print Servers?
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33681962
1./ SQL Server 2k5 and 2k8 always make connections within an encrypted session. There are no exceptions. You will never see a password, of any kind, come across the network in plain text to or from SQL Server 2k5 and higher. So if you're using SQL 2k5 or 2k8, you can relax about SQL passwords.

But if you have web apps running on SQL Server, it's an HTTP matter, so use Wireshark with the "http contains POST" filter to find them

2./ Exchange: by default Exchange 2k3 and above does not configure services with SSL, so you will have clear text with the webmail, POP3, IMAP and SMTP services (not only username/password but the whole mail body). Exchange 2k7 comes with SSL in mind, but remember to look at it

3./ DC: you can capture port 389 to see whether there are any cleartext LDAP connections or not

4./ Print servers: which kind do you have?
0
 
LVL 3

Author Comment

by:pma111
ID: 33682128
Printers (upwards of 400) installed on a Windows 2003 server with the print spooler running etc....

OK so Exchange seems a good idea to test
SQL Server (2005/08) not such a good idea
DC a good idea
Print Servers maybe

Any other areas, types of infrastructure, you would suggest a capture on?
0
 
LVL 3

Author Comment

by:pma111
ID: 33682223
Namely, if I use SniffPass from Nirsoft, which will capture POP3, IMAP4, SMTP, FTP, and HTTP credentials, which types of servers / infrastructure would you expect to capture credentials for those protocols on, so as not to waste time, i.e. expecting POP3 on a SQL Server database server would be a waste of time etc etc...
0
 
LVL 3

Author Comment

by:pma111
ID: 33682236
Are there many other clear text protocols outside POP3, IMAP4, SMTP, FTP, and HTTP, and any tools to automatically parse the other protocols that Nirsoft won't be able to capture? Telnet etc.
0
 
LVL 6

Assisted Solution

by:collins23
collins23 earned 1000 total points
ID: 33682256
Well, I think the answer really depends on the environment.

For example, I could have telnet, ftp and pop3 at my site, while you only have ftp at your site.

A good way to start would be to do a port scan of the servers to identify which ports are open (which services are running).

It's from this that you will be able to identify the services you need to concentrate on.

I think the list you have been given here would be a good start for you though.
0
 
LVL 3

Author Comment

by:pma111
ID: 33682278
Good point regarding the portscans, I'll go for that approach first...
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33682348
If it's your server, it's maybe not necessary to do a port scan; you can use Nirsoft's cport to find out which server apps are listening on which ports. (Filter only LISTEN)
0
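The listener inventory that collins23 (port scan) and thetmanvn (cports, LISTEN only) suggest can be scripted straight from `netstat -ano` output on each server: pick out the listening TCP ports, flag the ones belonging to cleartext protocols from the thread, and note whether the encrypted counterpart is already up on the same host. This is an added example, not code from the thread or from either tool; the netstat text is constructed, and the service/counterpart-port map is an assumption for the demo.

```python
import re

# Assumed cleartext service -> (name, port of its encrypted counterpart); the thread's list plus Telnet.
CLEARTEXT_SERVICES = {
    21: ("FTP", 990), 23: ("Telnet", 22), 25: ("SMTP", 465), 80: ("HTTP", 443),
    110: ("POP3", 995), 143: ("IMAP", 993), 389: ("LDAP", 636),
}

# Constructed "netstat -ano" output from a hypothetical Windows server, not a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       420
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       420
  TCP    10.0.0.5:445           10.0.0.20:51234        ESTABLISHED     4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:161            *:*                                    1100
"""

# Only TCP sockets in LISTENING state; captures the local port and the owning PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.M)

def listening_tcp_ports(netstat_text):
    """Map each listening TCP port to its PID (the 'filter only LISTEN' step)."""
    return {int(port): int(pid) for port, pid in LISTEN_RE.findall(netstat_text)}

def triage(listeners):
    """Cleartext services worth a capture, with whether their encrypted counterpart is also listening."""
    findings = []
    for port in sorted(listeners):
        if port in CLEARTEXT_SERVICES:
            name, secure_port = CLEARTEXT_SERVICES[port]
            findings.append((port, name, listeners[port], secure_port in listeners))
    return findings
```

A counterpart that is already listening (HTTP beside HTTPS, LDAP beside LDAPS here) usually means the fix is redirecting clients and closing the cleartext port; one that is absent means the encrypted service still has to be enabled first.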
 
LVL 3

Author Comment

by:pma111
ID: 33689441
Where are the opportunities for a successful capture though on a switched LAN? Please can you provide feedback on my thoughts:

Scenario - a user enters an HTML password for a small intranet application

Subnet - a user with a workstation in the same subnet as the valid user could sniff the password using ARP poisoning
Switch - a user could compromise the switch and sniff on there
Server Subnet - a user with a workstation in the same subnet as the Intranet server could sniff the password using ARP poisoning
Server - a user who has compromised the Intranet server itself could capture all incoming passwords
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33689477
All cases are right; using tools like ettercap or Wireshark + the dsniff suite, not only clear text passwords can be captured but also SSL traffic (normal users never care about SSL certificate questions, they just simply press Yes when spoofed certificates are provided).

So besides technical measures, user security awareness is the important thing to care about.
0