Tutorial: Password Extraction
This tutorial discusses the plugin pwX. It extracts passwords from cleartext protocols such as FTP, POP3, SMTP, HTTP, Telnet, IRC, LDAP, etc.
Preparation
Before we start we need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.
First I recommend setting T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compiling the standard plugins. This is just a precaution in case old plugins or files are lying around there. If you want to keep them, copy them somewhere else first.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$
$ t2build tranalyzer2 basicFlow pwX txtSink
...
BUILD SUCCESSFUL
$
If you have not yet created separate data and results directories, do it now in another command window. It will make your workflow easier:
$ mkdir ~/data ~/results
$
Download the sample pcap if you have not done so already: ftp_fail.pcap. Now you're all set.
pwX
We needed something fast, because we had a job at a large operator that required going through terabytes of traffic and looking, online, for unencrypted internal content on ports that denote an encrypted protocol. It was an astonishing success and was later expanded to other interesting protocols.
The configuration of pwX is listed below. To increase performance you may switch off certain protocols. Here we leave the defaults.
$ pwX
$ vi src/pwX.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define PWX_USERNAME 1 // Output the username
#define PWX_PASSWORD 1 // Output the password
#define PWX_FTP 1 // Extract FTP authentication
#define PWX_POP3 1 // Extract POP3 authentication
#define PWX_IMAP 1 // Extract IMAP authentication
#define PWX_SMTP 1 // Extract SMTP authentication
#define PWX_HTTP_BASIC 1 // Extract HTTP Basic Authorization
#define PWX_HTTP_PROXY 1 // Extract HTTP Proxy Authorization
#define PWX_HTTP_GET 1 // Extract HTTP GET authentication
#define PWX_HTTP_POST 1 // Extract HTTP POST authentication
#define PWX_IRC 1 // Extract IRC authentication
#define PWX_TELNET 1 // Extract Telnet authentication
#define PWX_LDAP 1 // Extract LDAP bind request authentication
#define PWX_PAP 1 // Extract PAP authentication
#define PWX_STATUS 1 // Extract authentication status (success, error, ...)
#define PWX_DEBUG 0 // Activate debug output
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
Now execute t2 on the pcap.
$ t2 -r ~/data/ftp_fail.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 35860
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
Active plugins:
01: basicFlow, 0.8.14
02: pwX, 0.8.14
03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/ftp_fail.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1392281689.373617 sec (Thu 13 Feb 2014 08:54:49 GMT)
Dump stop : 1392281768.754155 sec (Thu 13 Feb 2014 08:56:08 GMT)
Total dump duration: 79.380538 sec (1m 19s)
Finished processing. Elapsed time: 0.001249 sec
Finished unloading flow memory. Time: 0.001501 sec
Percentage completed: 100.00%
Number of processed packets: 158
Number of processed bytes: 10665 (10.66 K)
Number of raw bytes: 10665 (10.66 K)
Number of pad bytes: 228
Number of pcap bytes: 13217 (13.22 K)
Number of IPv4 packets: 158 [100.00%]
Number of A packets: 74 [46.84%]
Number of B packets: 84 [53.16%]
Number of A bytes: 4713 (4.71 K) [44.19%]
Number of B bytes: 5952 (5.95 K) [55.81%]
Average A packet load: 63.69
Average B packet load: 70.86
--------------------------------------------------------------------------------
pwX: Number of passwords with successful/failed/unknown login: 0/11/0
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of TCP packets: 158 [100.00%]
Number of TCP bytes: 10665 (10.66 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 22
Number of processed A flows: 11 [50.00%]
Number of processed B flows: 11 [50.00%]
Number of request flows: 11 [50.00%]
Number of reply flows: 11 [50.00%]
Total A/B flow asymmetry: 0.00
Total req/rply flow asymmetry: 0.00
Number of processed packets/flows: 7.18
Number of processed A packets/flows: 6.73
Number of processed B packets/flows: 7.64
Number of processed total packets/s: 1.99
Number of processed A+B packets/s: 1.99
Number of processed A packets/s: 0.93
Number of processed B packets/s: 1.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 0.28
Average full raw bandwidth: 1075 b/s (1.07 Kb/s)
Average full bandwidth : 1052 b/s (1.05 Kb/s)
Max number of flows in memory: 22 [0.01%]
Memory usage: 0.01 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
The end report tells you the status of the logins and the number of passwords extracted. In the flow file you will see all the user names together with the failed login attempts.
$ cd ~/results
$ tcol ftp_fail_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto pwxType pwxUser pwxPass pwxStatus
A 1 0x0400000000004000 1392281689.373617 1392281693.223067 3.849450 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25422 192.168.88.99 07 "Private network" 21 6 1 "anonymous" "mozilla@example.com" 2
B 1 0x0400000000004001 1392281689.373816 1392281693.179667 3.805851 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25422 6 0 "" "" 0
A 2 0x0400000000004000 1392281691.525313 1392281695.161688 3.636375 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25423 192.168.88.99 07 "Private network" 21 6 1 "anonymous" "mozilla@example.com" 2
B 2 0x0400000000004001 1392281691.525491 1392281695.129205 3.603714 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25423 6 0 "" "" 0
A 4 0x0400000000004000 1392281695.129583 1392281703.337800 8.208217 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25425 192.168.88.99 07 "Private network" 21 6 1 "tola" "jola" 2
B 4 0x0400000000004001 1392281695.129749 1392281703.297126 8.167377 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25425 6 0 "" "" 0
A 3 0x0400000000004000 1392281693.179848 1392281710.519526 17.339678 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25424 192.168.88.99 07 "Private network" 21 6 1 "admin" "admin" 2
B 3 0x0400000000004001 1392281693.180059 1392281710.484952 17.304893 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25424 6 0 "" "" 0
A 5 0x0400000000004000 1392281719.421912 1392281722.795182 3.373270 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 59519 192.168.88.99 07 "Private network" 21 6 1 "anonymous" "chrome@example.com" 2
B 5 0x0400000000004001 1392281719.422118 1392281722.795499 3.373381 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 59519 6 0 "" "" 0
A 6 0x0400000000004000 1392281727.562162 1392281727.757768 0.195606 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25426 192.168.88.99 07 "Private network" 21 6 1 "anonymous" "mozilla@example.com" 2
B 6 0x0400000000004001 1392281727.562351 1392281727.725601 0.163250 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25426 6 0 "" "" 0
A 7 0x0400000000004000 1392281727.725101 1392281740.293332 12.568231 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25427 192.168.88.99 07 "Private network" 21 6 1 "1" "1" 2
B 7 0x0400000000004001 1392281727.725293 1392281740.261874 12.536581 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25427 6 0 "" "" 0
A 8 0x0400000000004000 1392281741.511674 1392281742.847590 1.335916 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 59520 192.168.88.99 07 "Private network" 21 6 1 "dydy" "kyky" 2
B 8 0x0400000000004001 1392281741.511916 1392281742.847898 1.335982 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 59520 6 0 "" "" 0
A 9 0x0400000000004000 1392281756.143022 1392281756.340042 0.197020 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25429 192.168.88.99 07 "Private network" 21 6 1 "anonymous" "mozilla@example.com" 2
B 9 0x0400000000004001 1392281756.143203 1392281756.306635 0.163432 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25429 6 0 "" "" 0
A 11 0x0400000000004000 1392281767.031965 1392281767.648826 0.616861 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 59521 192.168.88.99 07 "Private network" 21 6 1 "kyky" "dydy" 2
B 11 0x0400000000004001 1392281767.032159 1392281767.647004 0.614845 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 59521 6 0 "" "" 0
A 10 0x0400000000004000 1392281756.306026 1392281768.754155 12.448129 1 3 eth:ipv4:tcp 00:0c:42:70:ae:9b b8:27:eb:3b:28:3d 0x0800 178.183.0.2 pl "statically assigned space" 25430 192.168.88.99 07 "Private network" 21 6 1 "marek" "marek" 2
B 10 0x0400000000004001 1392281756.306225 1392281768.723276 12.417051 1 3 eth:ipv4:tcp b8:27:eb:3b:28:3d 00:0c:42:70:ae:9b 0x0800 192.168.88.99 07 "Private network" 21 178.183.0.2 pl "statically assigned space" 25430 6 0 "" "" 0
If you look into the packet file you will see the whole process. Let's extract only the L7 content:
$ tawk '{print $l7Content}' ftp_fail_packets.txt
220 ProFTPD 1.3.4a Server (Debian) [192.168.88.99]\r\n
USER anonymous\r\n
331 Password required for anonymous\r\n
PASS mozilla@example.com\r\n
220 ProFTPD 1.3.4a Server (Debian) [192.168.88.99]\r\n
USER anonymous\r\n
331 Password required for anonymous\r\n
PASS mozilla@example.com\r\n
530 Login incorrect.\r\n
220 ProFTPD 1.3.4a Server (Debian) [192.168.88.99]\r\n
530 Login incorrect.\r\n
220 ProFTPD 1.3.4a Server (Debian) [192.168.88.99]\r\n
220 ProFTPD 1.3.4a Server (Debian) [192.168.88.99]\r\n
USER tola\r\n
331 Password required for tola\r\n
PASS jola\r\n
530 Login incorrect.\r\n
...
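As an added example that is not part of Tranalyzer or pwX, the Python below rebuilds the FTP login attempts from per-packet L7 content like the listing above and tallies them the way the end report does (successful/failed/unknown). It assumes the packet file's flowInd ties the client (A) and server (B) lines of one connection together; the sample packets are constructed, and flows 12 and 13 are invented to cover a 230 success and an attempt whose reply never arrived.

```python
# Added example, not code from Tranalyzer or pwX: rebuild FTP login attempts from
# per-packet L7 content and classify them by the server reply code, the way the
# pwxUser/pwxPass/pwxStatus columns and the end-report tally present them.
# Constructed sample (flowInd, direction, l7Content) modelled on ftp_fail_packets.txt;
# flows 12 and 13 are invented to show a success and an unanswered attempt.
PACKETS = [
    (1, "B", "220 ProFTPD 1.3.4a Server (Debian) [192.168.88.99]\r\n"),
    (1, "A", "USER anonymous\r\n"),
    (1, "B", "331 Password required for anonymous\r\n"),
    (1, "A", "PASS mozilla@example.com\r\n"),  # browser anonymous-FTP default
    (1, "B", "530 Login incorrect.\r\n"),
    (4, "A", "USER tola\r\n"),
    (4, "B", "331 Password required for tola\r\n"),
    (4, "A", "PASS jola\r\n"),
    (4, "B", "530 Login incorrect.\r\n"),
    (12, "A", "USER ops\r\n"),
    (12, "B", "331 Password required for ops\r\n"),
    (12, "A", "PASS s3cret\r\n"),
    (12, "B", "230 User ops logged in\r\n"),
    (13, "A", "USER late\r\n"),
    (13, "A", "PASS never-answered\r\n"),
]

def extract_ftp_logins(packets):
    """Map flowInd -> {user, pass, status}: 'success' on a 230 reply to PASS,
    'failed' on 530, otherwise 'unknown' (e.g. the capture ended early)."""
    flows = {}
    for ind, direction, payload in packets:
        f = flows.setdefault(ind, {"user": "", "pass": "", "status": "unknown"})
        line = payload.rstrip("\r\n")
        if direction == "A":                        # client command
            verb, _, arg = line.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                f[verb.lower()] = arg
        elif f["pass"] and line[:3].isdigit():      # server reply after PASS
            code = int(line[:3])                    # 220/331 precede PASS, skipped
            if code == 230:
                f["status"] = "success"
            elif code == 530:
                f["status"] = "failed"
    return {i: f for i, f in flows.items() if f["user"] or f["pass"]}

def login_summary(flows):
    """Tally like the end report: (successful, failed, unknown)."""
    st = [f["status"] for f in flows.values()]
    return st.count("success"), st.count("failed"), st.count("unknown")

if __name__ == "__main__":
    logins = extract_ftp_logins(PACKETS)
    print("successful/failed/unknown: %d/%d/%d" % login_summary(logins))
```

A long run of 530 replies from a single client, like the 11 failed logins in this pcap, is the pattern a defender would alert on; the unknown bucket keeps attempts whose reply was never seen from being miscounted as failures.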
Have fun fishing for passwords.