
Solved

password sniffing

Posted on 2010-09-15
Medium Priority
775 Views
Last Modified: 2012-05-10
As a general yes/no, is it practical to say:

No passwords should be transmitted across the network in plain text anymore; there's always an encrypted alternative?

I am trying to determine where passwords are still being sent by client software/apps across a LAN in clear text and am struggling to determine where to start, as there are over 300 servers. I am thinking about picking a sample of 10 servers and running something like ettercap on the servers themselves to see what passwords it gets coming in and what protocol was used to send the password over the LAN.

However, at the end of this exercise we need to do something with these results, i.e. review an encrypted alternative to any findings, or accept that in some cases plain text is still used in most places to an extent, as there is no alternative.
Question by:pma111
17 Comments
 
LVL 6

Expert Comment

by:collins23
ID: 33681487
yes.
 
LVL 8

Accepted Solution

by:
thetmanvn earned 1000 total points
ID: 33681592
So what do you need, a suggestion for your work, or what?

Assume it goes this way:

1./ Survey what the top apps are that clients use
2./ Start with the most used apps like HTTP, FTP, SMTP, POP3, XMPP, ... using pre-defined apps. Wireshark is number 1, ettercap is also excellent, but for this kind of thing, to reduce the time you spend writing filters, use SniffPass from Nirsoft: http://www.nirsoft.net/utils/password_sniffer.html to get what you want to see
3./ Then start with other applications; this time use Wireshark for very flexible and deep packet/protocol inspection to find other clear-text-transmitting apps
4./ Almost every standard protocol has its way to protect clear text using SSL, TLS (http://en.wikipedia.org/wiki/Transport_Layer_Security) or an encrypt/hash script in the app (a forum login hash script is an example). With other applications, you can use stunnel (www.stunnel.org) as an alternative
 
LVL 3

Author Comment

by:pma111
ID: 33681646
Thanks, yes, it was just some input on how to approach such a task more than anything, or any experience people who had done similar could detail, and do's and don'ts. I thought Ettercap had a credentials type filter but I may be wrong.
 
LVL 3

Author Comment

by:pma111
ID: 33681677
I assume you "sniff" on the application server / database server itself?
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33681705
Yes it has; ettercap is the most powerful, because you can script in it, and also, especially, you can inject/modify packets in real time. Wireshark is much more of a packet sniffer and analyzer with a very, very easy GUI and filter expression building. And SniffPass or the Cain & Abel password sniffer is a dedicated application to retrieve the famous protocols (HTTP, SMTP...). For example, with Wireshark you can filter "http contains POST" and look into the line-text data to find the password, or "ftp contains USER or ftp contains PASS" to find out the user/pass of an FTP transaction; SniffPass simply does it for you.
 
LVL 6

Expert Comment

by:collins23
ID: 33681714
That's right.

Like thetmanvn said, you will have to filter for the most common protocols,

because you will capture lots of traffic.

Be sure also to check your database logins are not in clear text.
 
LVL 3

Author Comment

by:pma111
ID: 33681828
Any tips on selecting which servers to sniff on, i.e. quick wins where there's a good chance of clear text communications? Just to get a feel for this more than anything. Was going to suggest:

3 x SQL Servers (where sensitive data resides)
2 x Exchange Servers
1 x Domain Controller

Any other ideas to throw into the mix where we should sniff, on a "typical network"?
 
LVL 3

Author Comment

by:pma111
ID: 33681836
Print Servers?
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33681962
1./ SQL Server 2k5 and 2k8 always make connections within an encrypted session. There are no exceptions. You will never see a password, of any kind, come across the network in plain text to or from SQL Server 2k5 and higher. So if you're using SQL 2k5 or 2k8, you can relax about SQL passwords.

But if you have web apps running on SQL Server, it's an HTTP matter, so use Wireshark with the "http contains POST" filter to find them

2./ Exchange: by default, Exchange 2k3 and above does not configure services with SSL, so you will be clear text with the webmail, POP3, IMAP and SMTP services (not only username/password but the whole mail body). Exchange 2k7 comes with SSL in mind, but remember to look at it

3./ DC: you can capture port 389 to see whether there are any cleartext LDAP connections or not

4./ Print servers: which kind do you have?
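The Wireshark filters thetmanvn describes ("http contains POST", "ftp contains USER or ftp contains PASS", port 389 for LDAP binds) and the SniffPass protocol list from earlier in the thread can be turned into one small audit script. The following is an added example, not code from the thread or from any of the tools it names: it classifies captured TCP segments by cleartext-authentication protocol and reports the protocol, the indicator and the account name, but deliberately never the secret, so the report can be handed to the owners of each server. The sample segments are constructed, the port-to-protocol table is the example's own assumption, and the LDAP parser handles only short-form BER lengths, which is enough for small bind requests.

```python
"""Audit captured TCP segments for cleartext authentication.

Added example for this thread, not the code of any tool named in it.
Input is a list of (dst_port, payload) tuples standing in for segments
captured on a server. Findings name the protocol, the indicator and the
account, but never the secret, so the report can be shared safely.
"""
import base64
import re
from typing import Optional

# Assumed mapping: ports of protocols that carry credentials in the clear
# unless wrapped in SSL/TLS (the thread names FTP, SMTP, POP3, IMAP, HTTP,
# LDAP on 389 and Telnet).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                   110: "POP3", 143: "IMAP", 389: "LDAP"}


def _tlv(buf: bytes, pos: int):
    """Read one BER TLV with a short-form length (enough for small LDAP binds)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled in this example")
    end = pos + 2 + length
    return tag, buf[pos + 2:end], end


def _ldap_simple_bind(payload: bytes) -> Optional[str]:
    """Return the bind DN if payload is an LDAP BindRequest using simple auth."""
    try:
        tag, msg, _ = _tlv(payload, 0)          # LDAPMessage SEQUENCE
        if tag != 0x30:
            return None
        _, _, p = _tlv(msg, 0)                  # messageID INTEGER
        tag, bind, _ = _tlv(msg, p)             # BindRequest [APPLICATION 0]
        if tag != 0x60:
            return None
        _, _, p = _tlv(bind, 0)                 # version INTEGER
        _, name, p = _tlv(bind, p)              # name LDAPDN
        tag, _, _ = _tlv(bind, p)               # authentication: [0] = simple
        return name.decode("utf-8", "replace") if tag == 0x80 else None
    except (IndexError, ValueError):
        return None


def classify(dst_port: int, payload: bytes) -> Optional[dict]:
    """Return a finding for a cleartext login attempt, or None."""
    proto = CLEARTEXT_PORTS.get(dst_port)
    if proto is None:
        return None
    text = payload.decode("latin-1")
    first = text.split("\r\n", 1)[0]
    if proto in ("FTP", "POP3"):
        m = re.match(r"(USER|PASS)\s*(\S*)", first, re.I)
        if m:
            cmd = m.group(1).upper()
            return {"proto": proto, "indicator": cmd,
                    "user": m.group(2) if cmd == "USER" else None}
    elif proto == "IMAP":
        m = re.match(r"\S+\s+LOGIN\s+(\S+)", first, re.I)
        if m:
            return {"proto": proto, "indicator": "LOGIN", "user": m.group(1).strip('"')}
    elif proto == "SMTP":
        m = re.match(r"AUTH\s+(PLAIN|LOGIN)(?:\s+(\S+))?", first, re.I)
        if m:
            mech, user = m.group(1).upper(), None
            if mech == "PLAIN" and m.group(2):      # base64("\0user\0pass")
                try:
                    parts = base64.b64decode(m.group(2)).split(b"\0")
                    user = parts[1].decode("latin-1") if len(parts) == 3 else None
                except ValueError:
                    pass
            return {"proto": proto, "indicator": "AUTH " + mech, "user": user}
    elif proto == "HTTP":
        m = re.search(r"^Authorization:\s*Basic\s+(\S+)", text, re.I | re.M)
        if m:
            try:
                user = base64.b64decode(m.group(1)).split(b":", 1)[0].decode("latin-1")
            except ValueError:
                user = None
            return {"proto": proto, "indicator": "Basic auth", "user": user}
        if first.upper().startswith("POST ") and "\r\n\r\n" in text:
            body = text.split("\r\n\r\n", 1)[1]
            if re.search(r"(^|&)(pass|passwd|password|pwd)=", body, re.I):
                um = re.search(r"(^|&)(user|username|login)=([^&]*)", body, re.I)
                return {"proto": proto, "indicator": "POST form password",
                        "user": um.group(3) if um else None}
    elif proto == "LDAP":
        dn = _ldap_simple_bind(payload)
        if dn is not None:
            return {"proto": proto, "indicator": "simple bind", "user": dn}
    elif proto == "Telnet":
        return {"proto": proto, "indicator": "telnet session", "user": None}
    return None


def audit(segments):
    """Run classify() over captured segments and return the findings."""
    return [f for f in (classify(port, data) for port, data in segments) if f]


# Constructed segments, standing in for a capture taken on a busy server.
SAMPLE_SEGMENTS = [
    (21, b"USER alice\r\n"),
    (21, b"PASS s3cret\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=bob&password=hunter2"),
    (80, b"GET /report HTTP/1.1\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    (25, b"AUTH PLAIN AGNhcm9sAHB3\r\n"),          # base64 of "\0carol\0pw"
    (110, b"USER dave\r\n"),
    (143, b'a001 LOGIN eve "pw"\r\n'),
    (389, b"\x30\x13\x02\x01\x01\x60\x0e\x02\x01\x03\x04\x06cn=svc\x80\x01x"),
    (443, b"\x16\x03\x01\x00\x05hello"),           # TLS record: not inspected
    (1433, b"\x12\x01\x00\x2f\x00\x00\x01\x00"),   # TDS pre-login: not inspected
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SEGMENTS):
        print(f"{f['proto']:6} {f['indicator']:20} account={f['user']}")
```

The TLS and TDS segments fall through untouched because the table only covers the cleartext ports, which keeps the report focused on what actually needs an encrypted alternative; on a real capture the tuples would come from a pcap reader rather than the embedded list.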
 
LVL 3

Author Comment

by:pma111
ID: 33682128
Printers (upwards of 400) installed on a Windows 2003 server with the print spooler running etc....

OK, so Exchange seems a good idea to test
SQL Server (2005/08) not such a good idea
DC a good idea
Print servers maybe

Any other areas, types of infrastructure, you would suggest a capture on?
 
LVL 3

Author Comment

by:pma111
ID: 33682223
Namely, if I use SniffPass from Nirsoft, which will capture POP3, IMAP4, SMTP, FTP, and HTTP credentials, which types of servers / infrastructure would you expect to capture credentials for those protocols on, so as not to waste time? I.e. expecting POP3 on a SQL Server database server would be a waste of time etc. etc.
 
LVL 3

Author Comment

by:pma111
ID: 33682236
Are there many other clear text protocols outside POP3, IMAP4, SMTP, FTP, and HTTP, and any tools to automatically parse the other protocols that Nirsoft won't be able to capture? Telnet etc.
 
LVL 6

Assisted Solution

by:collins23
collins23 earned 1000 total points
ID: 33682256
Well, I think the answer really depends on the environment.

For example, I could have Telnet, FTP and POP3 at my site, while you only have FTP at your site.

A good way to start would be to do a port scan of the servers to identify which ports are open (which services are running).

It's from this that you will be able to identify the services you need to concentrate on.

I think the list you have been given here would be a good start for you though.
 
LVL 3

Author Comment

by:pma111
ID: 33682278
Good point regarding the port scans, I'll go for that approach first...
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33682348
If it's your server, it's maybe not necessary to do a port scan; you can use Nirsoft's cport to find out which app servers are listening on which port. (Filter only LISTEN)
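collins23's port-scan suggestion and thetmanvn's point that on your own servers a list of LISTENING sockets gives the same inventory can be combined into a short triage script. The following is an added example, not from the thread or from any Nirsoft tool: it parses the output of `netstat -an` (a constructed Windows-style sample is embedded) and sorts each listening port into cleartext-login services that need an encrypted alternative, services that are already TLS-wrapped, and ports left for packet inspection. The port-to-service table and the suggested alternatives are the example's own assumptions, drawn from the protocols the thread names.

```python
"""Triage a server's listening ports for cleartext-authentication services.

Added example for this thread, not the code of any tool named in it.
It parses `netstat -an` output (a constructed Windows-style sample is
embedded) and sorts each LISTENING port into three bins so the capture
effort can go where cleartext logins are likely.
"""
import re

# Assumed port-to-service table. "Cleartext" services carry logins in the
# clear unless SSL/TLS is layered on; "encrypted" ones are the TLS-wrapped
# variants; anything else is left for packet inspection.
CLEARTEXT = {
    21: ("FTP", "FTPS or SFTP"),
    23: ("Telnet", "SSH"),
    25: ("SMTP", "SMTP with STARTTLS, or SMTPS on 465"),
    80: ("HTTP", "HTTPS on 443"),
    110: ("POP3", "POP3S on 995"),
    143: ("IMAP", "IMAPS on 993"),
    389: ("LDAP", "LDAPS on 636 or StartTLS"),
}
ENCRYPTED = {22: "SSH", 443: "HTTPS", 465: "SMTPS", 636: "LDAPS",
             993: "IMAPS", 995: "POP3S"}

# One netstat row: proto, local addr:port, foreign addr, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\w+))?\s*$", re.I)


def listening_sockets(netstat_text: str):
    """Return sorted (proto, port) pairs for TCP LISTENING and all bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, port = m.group(1).upper(), int(m.group(2))
        state = (m.group(3) or "").upper()
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, port))
    return sorted(found)


def triage(sockets):
    """Bin each socket: cleartext login service, encrypted service, or inspect."""
    report = {"cleartext": [], "encrypted": [], "inspect": []}
    for proto, port in sockets:
        if proto == "TCP" and port in CLEARTEXT:
            name, alt = CLEARTEXT[port]
            report["cleartext"].append({"port": port, "service": name, "alternative": alt})
        elif proto == "TCP" and port in ENCRYPTED:
            report["encrypted"].append({"port": port, "service": ENCRYPTED[port]})
        else:
            report["inspect"].append({"proto": proto, "port": port})
    return report


# Constructed sample in the layout `netstat -an` prints on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.55:51234     ESTABLISHED
  TCP    192.168.1.10:80        192.168.1.77:49201     TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    for bin_name, rows in triage(listening_sockets(SAMPLE_NETSTAT)).items():
        print(bin_name)
        for row in rows:
            print("   ", row)
```

Only LISTENING rows count, so the ESTABLISHED and TIME_WAIT entries on 3389 and 80 do not add noise; the "inspect" bin (here RPC, NetBIOS, SQL Server's 1433 and SNMP) is the list to take to Wireshark rather than a verdict either way.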
 
LVL 3

Author Comment

by:pma111
ID: 33689441
Where are the opportunities for a successful capture though on a switched LAN? Please can you provide feedback on my thoughts:

Scenario - a user enters an HTML password for a small intranet application

Subnet - a user with a workstation in the same subnet as the valid user could sniff the password using ARP poisoning
Switch - a user could compromise the switch and sniff on there
Server subnet - a user with a workstation in the same subnet as the intranet server could sniff the password using ARP poisoning
Server - a user who has compromised the intranet server itself could capture all incoming passwords
 
LVL 8

Expert Comment

by:thetmanvn
ID: 33689477
All cases are right; using tools like ettercap or Wireshark + the dsniff suite, not only clear text passwords can be captured but also SSL traffic (normal users never care about the SSL certificate question; they just simply press Yes when spoofed certificates are presented).

So besides technical measures, user security awareness is the important thing to care about.
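The two subnet scenarios pma111 lists both depend on a host changing which MAC address the gateway or the intranet server resolves to, and that is visible to a passive monitor on a span port from the ARP replies alone. The following is an added example, not from the thread: it runs a simple detector over constructed ARP reply observations and raises an alert when an IP's MAC changes, when a known static binding (the assumed gateway) is contradicted, and when one MAC claims several IPs. The addresses, the gateway binding and the timeline are all constructed.

```python
"""Flag ARP anomalies that precede a poisoning-based capture.

Added example for this thread, not the code of any tool named in it.
Input is a list of (time, sender_ip, sender_mac) observations such as a
passive monitor on a span port would record from ARP replies.
"""
from collections import defaultdict

# Assumed static binding for the gateway; in practice this comes from the
# network team's inventory, not from the traffic itself.
KNOWN_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}

# Constructed observations: a second MAC starts answering for the gateway
# at t=5.0, also claims a workstation's IP, and the real gateway flaps back.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),
    (2.0, "192.168.1.1", "00:11:22:33:44:01"),
    (5.0, "192.168.1.1", "DE:AD:BE:EF:00:99"),
    (5.5, "192.168.1.20", "de:ad:be:ef:00:99"),
    (6.0, "192.168.1.1", "00:11:22:33:44:01"),
]


def detect_arp_anomalies(replies, known=None):
    """Return alerts for binding violations, IP/MAC changes and multi-IP MACs."""
    known = KNOWN_BINDINGS if known is None else known
    alerts = []
    last_mac = {}                      # ip -> most recently seen MAC
    ips_per_mac = defaultdict(set)     # mac -> every IP it has claimed
    for t, ip, mac in replies:
        mac = mac.lower()              # normalise case before comparing
        if ip in known and known[ip] != mac:
            alerts.append({"time": t, "type": "known_binding_violation",
                           "ip": ip, "mac": mac})
        if ip in last_mac and last_mac[ip] != mac:
            alerts.append({"time": t, "type": "ip_mac_change", "ip": ip,
                           "old": last_mac[ip], "new": mac})
        last_mac[ip] = mac
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append({"type": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

The gateway flapping between two MACs is the signature of the subnet scenarios above, which is why the detector keeps the change-of-MAC check separate from the static-binding check: the first fires even for IPs the inventory does not cover, the second gives a hard alert for the addresses that matter most.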