
password sniffing

pma111 asked
Last Modified: 2012-05-10
As a general yes/no is it practical to say:

No passwords should be transmitted across the network in plain text anymore; there's always an encrypted alternative?

I am trying to determine where passwords are still being sent by client software/apps across a LAN in clear text and am struggling to determine where to start, as there are over 300 servers. I am thinking about picking a sample of 10 servers and running something like ettercap on the servers themselves to see what passwords it gets coming in and what protocol was used to send the password over the LAN.

However, at the end of this exercise we need to do something with these results, i.e. review an encrypted alternative to any findings, or accept that in some cases plain text is still used in most places to an extent, as there is no alternative.


Thanks, yes, it was just some input on how to approach such a task more than anything, or any experience people who have done something similar could detail, and do's and don'ts. I thought Ettercap had a credentials-type filter but I may be wrong.


I assume you "sniff" on the application server / database server itself?
Yes, it does. Ettercap is the most powerful, because you can script in it, and especially you can inject/modify packets in real time. Wireshark is much more of a packet sniffer and analyzer, with a very easy GUI and filter expression building. And SniffPass or the Cain & Abel password sniffer are dedicated applications to retrieve credentials for well-known protocols (HTTP, SMTP...). For example, with Wireshark you can filter "http contains POST" and look into the line-text data to find the password, or "ftp contains USER or ftp contains PASS" to find the user/pass of an FTP transaction; SniffPass simply does it for you.
That's right.

Like thetmanvn said, you will have to filter for the most common protocols,

because you will capture lots of traffic.

Be sure also to check that your database logins are not in clear text.


Any tips on selecting which servers to sniff on, i.e. quick wins where there's a good chance of clear text communications? Just to get a feel for this more than anything. I was going to suggest:

3 x SQL Servers (where sensitive data resides)
2 x Exchange Servers
1 x Domain Controller

Any other ideas to throw into the mix where we should sniff, on a "typical network".


Print Servers?
1./ SQL Server 2k5 and 2k8 always make connections within an encrypted session. There are no exceptions. You will never see a password, of any kind, come across the network in plain text to or from SQL Server 2k5 and higher. So if you're using SQL 2k5 or 2k8, you can stop worrying about SQL passwords.

But if you have web apps running on SQL Server, it's an HTTP matter, so use Wireshark with the "http contains POST" filter to find them.

2./ Exchange: by default Exchange 2k3 and above does not configure its services with SSL, so you will be in clear text with the webmail, POP3, IMAP and SMTP services (not only username/password but the whole mail body). Exchange 2k7 comes with SSL in mind, but remember to look at it.

3./ DC: you can capture port 389 to see whether there are any cleartext LDAP connections.

4./ Print servers: which kind do you have?
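The filters mentioned in the two answers above ("http contains POST", "ftp contains USER / PASS", watching port 389 on the DC) are the rules a tool like SniffPass applies internally. The following is an added example, not code from this thread nor from SniffPass, Wireshark or ettercap: a small clear-text credential extractor that takes (server port, reassembled TCP payload) pairs and applies per-protocol rules for FTP/POP3, SMTP AUTH PLAIN, HTTP Basic and HTTP POST forms, and an LDAP simple bind on 389 decoded from its BER structure. Every payload is constructed inline for the demonstration (the hostnames, accounts and passwords are made up); a real run would feed it payloads from a capture. The form field names in USER_FIELDS/PASSWORD_FIELDS are an assumption and should be tuned to the applications under test.

```python
import base64
import re
from urllib.parse import parse_qs

# Form field names treated as user/password: an assumption for the example.
USER_FIELDS = ("username", "user", "login", "email")
PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")
USER_PASS_RE = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.M)


def _ber(tag, body):
    """Short-form BER TLV (length < 128), enough for a bind request."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def build_ldap_simple_bind(msg_id, dn, password):
    """Constructed LDAPv3 BindRequest with simple auth (RFC 4511 layout)."""
    bind = _ber(0x02, bytes([3])) + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, bind))


def _tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_ldap_simple_bind(payload):
    """Return DN and clear password of a simple bind, else None (SASL binds use tag 0xA3)."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:
        return None
    _, _, pos = _tlv(msg, 0)               # messageID INTEGER
    tag, bind, _ = _tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        return None
    _, _, pos = _tlv(bind, 0)              # version INTEGER
    _, name, pos = _tlv(bind, pos)         # name LDAPDN
    tag, auth, _ = _tlv(bind, pos)
    if tag != 0x80:                        # [0] simple OCTET STRING = clear-text password
        return None
    return {"protocol": "LDAP-simple-bind", "user": name.decode(), "password": auth.decode()}


def extract_http(payload):
    """Credentials from one HTTP request: Basic auth header and/or POST form fields."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request = lines[0].decode(errors="replace")
    hits = []
    for header in lines[1:]:
        name, _, value = header.decode(errors="replace").partition(":")
        if name.lower() == "authorization" and value.strip().lower().startswith("basic "):
            user, _, pw = base64.b64decode(value.strip()[6:]).decode().partition(":")
            hits.append({"protocol": "HTTP-Basic", "user": user, "password": pw, "where": request})
    if request.startswith("POST "):
        form = parse_qs(body.decode(errors="replace"))
        user = next((form[k][0] for k in USER_FIELDS if k in form), None)
        pw = next((form[k][0] for k in PASSWORD_FIELDS if k in form), None)
        if pw:
            hits.append({"protocol": "HTTP-POST", "user": user, "password": pw, "where": request})
    return hits


def extract_credentials(port, payload):
    """Dispatch on the server port, as a sniffer does, and return a list of hits."""
    if port == 389:
        hit = parse_ldap_simple_bind(payload)
        return [hit] if hit else []
    if port in (80, 8080):
        return extract_http(payload)
    if port in (21, 110):                  # FTP and POP3 share the USER/PASS command pair
        fields = {m.group(1): m.group(2) for m in USER_PASS_RE.finditer(payload)}
        if b"PASS" in fields:
            return [{"protocol": "FTP" if port == 21 else "POP3",
                     "user": fields.get(b"USER", b"").decode(), "password": fields[b"PASS"].decode()}]
    if port in (25, 587):
        m = re.search(rb"AUTH PLAIN (\S+)", payload)
        if m:                              # RFC 4616: [authzid] NUL authcid NUL passwd
            parts = base64.b64decode(m.group(1)).split(b"\0")
            return [{"protocol": "SMTP", "user": parts[-2].decode(), "password": parts[-1].decode()}]
    return []                              # binary or unknown protocols: nothing clear-text found


def sweep(sessions):
    return [hit for port, payload in sessions for hit in extract_credentials(port, payload)]


# Constructed sample sessions (not real captures).
SAMPLE_SESSIONS = [
    (21, b"USER backup\r\nPASS nightly!\r\n"),
    (110, b"USER jsmith\r\nPASS Winter2012\r\n"),
    (25, b"EHLO pc1\r\nAUTH PLAIN " + base64.b64encode(b"\0jsmith\0Winter2012") + b"\r\n"),
    (80, b"POST /intranet/login HTTP/1.1\r\nHost: intranet\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
         b"username=jsmith&password=Winter2012"),
    (80, b"GET /reports/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
         + base64.b64encode(b"jsmith:Winter2012") + b"\r\n\r\n"),
    (389, build_ldap_simple_bind(1, "cn=svc-backup,dc=corp,dc=local", "nightly!")),
    (1433, b"\x12\x01\x00\x08\x00\x00\x01\x00"),   # TDS PRELOGIN header: binary, no rule matches
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_SESSIONS):
        print(hit)
```

The LDAP rule is the one worth keeping in mind for the DC: an LDAP simple bind carries the full DN and password as plain OCTET STRINGs, so "capture port 389" is really "look for BindRequests whose authentication choice is tag 0x80"; SASL (Kerberos/NTLM) binds on the same port use tag 0xA3 and do not expose the password.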


Printers (upwards of 400) installed on a Windows 2003 server with the print spooler running etc.

OK, so Exchange seems a good idea to test,
SQL Server (2005/08) not such a good idea,
DC a good idea,
print servers maybe.

Any other areas, types of infrastructure, you would suggest a capture on?


Namely, if I use SniffPass from Nirsoft, which will capture POP3, IMAP4, SMTP, FTP, and HTTP credentials, on which types of servers / infrastructure would you expect to capture credentials for those protocols, so as not to waste time? I.e. expecting POP3 on a SQL Server database server would be a waste of time, etc.


Are there many other clear text protocols outside POP3, IMAP4, SMTP, FTP, and HTTP, and any tools to automatically parse the other protocols that Nirsoft won't be able to capture? Telnet etc.


Good point regarding the port scans, I'll go for that approach first...
If it's your server, it's maybe not necessary to do a port scan; you can use Nirsoft's cport to find out which server apps are listening on which port (filter only LISTEN).


Where are the opportunities for a successful capture, though, on a switched LAN? Please can you provide feedback on my thoughts:

Scenario: a user enters an HTML password for a small intranet application.

Subnet: a user with a workstation in the same subnet as the valid user could sniff the password using ARP poisoning.
Switch: a user could compromise the switch and sniff there.
Server subnet: a user with a workstation in the same subnet as the intranet server could sniff the password using ARP poisoning.
Server: a user who has compromised the intranet server itself could capture all incoming passwords.
All cases are right. Using tools like ettercap or Wireshark + the dsniff suite, not only clear text passwords can be captured but also SSL traffic (normal users never care about the SSL certificate question; they simply press Yes when spoofed certificates are presented).

So besides technical measures, user security awareness is the important thing to care about.
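The two ARP poisoning scenarios above (attacker in the user's subnet, attacker in the server's subnet) leave the same footprint on the wire: an IP address that starts answering from a different MAC, and one MAC that claims the gateway and a second host at once. The following added example, not code from this thread or from ettercap, parses raw Ethernet/ARP reply frames and raises those two alerts. All frames are constructed inline with made-up addresses; the gateway 10.0.0.1, server 10.0.0.50, user 10.0.0.77 and the MACs are assumptions for the demonstration.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet II + ARP reply frame (sample input only, not a capture)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)      # Ethernet/IPv4, 6/4 byte addresses
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper,
            "sender_mac": frame[22:28].hex(":"), "sender_ip": ".".join(map(str, frame[28:32])),
            "target_mac": frame[32:38].hex(":"), "target_ip": ".".join(map(str, frame[38:42]))}


class ArpWatch:
    """Learns IP-to-MAC bindings from ARP replies and flags the poisoning pattern."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.ip_to_mac.setdefault(ip, mac)
        if known != mac:                               # binding changed: classic poisoning sign
            kind = "GATEWAY" if ip == self.gateway_ip else "host"
            self.alerts.append(f"{kind} {ip} moved from {known} to {mac}")
            self.ip_to_mac[ip] = mac
        claimed = self.mac_to_ips[mac]
        if ip not in claimed:
            claimed.add(ip)
            # One MAC answering for the gateway and for another host is what a
            # man-in-the-middle between the two has to do to see both directions.
            if self.gateway_ip in claimed and len(claimed) > 1:
                others = sorted(claimed - {self.gateway_ip})
                self.alerts.append(f"{mac} claims gateway {self.gateway_ip} and {others}")


GATEWAY, SERVER, USER = "10.0.0.1", "10.0.0.50", "10.0.0.77"
MAC_GW, MAC_SRV, MAC_USER = "00:11:22:33:44:01", "00:11:22:33:44:50", "00:11:22:33:44:77"
MAC_ATTACKER = "de:ad:be:ef:00:01"


def run_sample():
    """Replay a constructed sequence: two legitimate replies, then the attacker poisoning both ends."""
    watch = ArpWatch(GATEWAY)
    for frame in (
        build_arp_reply(MAC_GW, GATEWAY, MAC_USER, USER),          # real gateway answers the user
        build_arp_reply(MAC_SRV, SERVER, MAC_USER, USER),          # real server answers the user
        build_arp_reply(MAC_ATTACKER, GATEWAY, MAC_USER, USER),    # attacker to user: "I am the gateway"
        build_arp_reply(MAC_ATTACKER, USER, MAC_GW, GATEWAY),      # attacker to gateway: "I am the user"
    ):
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The same two checks are what arpwatch-style tools and switch features such as dynamic ARP inspection rely on; the example only shows the logic, and on a real network the first-seen binding should be seeded from a trusted source (DHCP snooping table or a static list) rather than from whichever reply arrives first.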
