Tcpdump examples to capture passwords

Tcpdump examples to capture passwords

I used to use tcpdump on my system to diagnose issues with ftp. To check if users are typing
in their usernames and password correctly. You can use it as well for work or just for fun as long as it is Legal.

Install tcpdump

Ubuntu
sudo apt-get install tcpdump 

Fedora/Centos/Red hat
sudo yum install tcpdump

Let’s look at some Tcpdump examples

- To display the Standard tcpdump output:

tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

- Network interfaces available for the capture:

 tcpdump -D

1.eth1
2.any (Pseudo-device that captures on all interfaces)
3.lo

- Capture the traffic of a particular interface:

 tcpdump -i eth0

- To capture the UDP traffic:

tcpdump udp

- To capture the TCP port 80 traffic:

 tcpdump port http

- To capture the traffic from a filter stored in a file:

 tcpdump -F file_name

To create a file where the filter is configured (here it is TCP 80 port)

vim file_name
port 80

- To send the capture output in a file instead of directly on the screen:

tcpdump -w capture.log

- To read a capture file:

tcpdump -r capture.log

- To display the packets having “tcpdumpexamples.com” as their source or destination address:

tcpdump host tcpdumpexamples.com

- To display the FTP packets coming from 192.168.1.100 to 192.168.1.2:

tcpdump src 192.168.1.100 and dst 192.168.1.2 and port ftp

- To display the packets content i.e capture the passwords:

tcpdump -A port ftp 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ath0, link-type EN10MB (Ethernet), capture size 96 bytes
20:53:24.872785 IP local.40205 > 192.168.1.2.ftp: S 4155598838:4155598838(0) win 5840
….g………………..
…………
20:53:24.879473 IP local.40205 > 192.168.1.2.ftp: . ack 1228937421 win 183
….g.I@………….
……..
20:53:24.881654 IP local.40205 > 192.168.1.2.ftp: . ack 43 win 183
….g.I@…….8…..
……EN
20:53:26.402046 IP local.40205 > 192.168.1.2.ftp: P 0:10(10) ack 43 win 183
….g.I@……`$…..
…=..ENUSER amateur

20:53:26.403802 IP local.40205 > 192.168.1.2.ftp: . ack 76 win 183
….h.I@………….
…>..E^
20:53:29.169036 IP local.40205 > 192.168.1.2.ftp: P 10:25(15) ack 76 win 183
….h.I@……#c…..
……E^PASS test123

20:53:29.171553 IP local.40205 > 192.168.1.2.ftp: . ack 96 win 183
….h.I@.,………..
……Ez
20:53:29.171649 IP local.40205 > 192.168.1.2.ftp: P 25:31(6) ack 96 win 183
….h.I@.,………..
……EzSYST

20:53:29.211607 IP local.40205 > 192.168.1.2.ftp: . ack 115 win 183
….h.I@.?…..j…..
……Ez
20:53:31.367619 IP local.40205 > 192.168.1.2.ftp: P 31:37(6) ack 115 win 183
….h.I@.?………..
……EzQUIT

20:53:31.369316 IP local.40205 > 192.168.1.2.ftp: . ack 155 win 183
….h.I@.g………..
……E.
20:53:31.369759 IP local.40205 > 192.168.1.2.ftp: F 37:37(0) ack 156 win 183
….h.I@.h…..e…..
……E.

The packets can only be captured during a clear text session.

In this capture we can see the FTP username (amateur) and password (hosting).
You can use this incase you forget your ftp password and have stored it in your ftp client.

Also read how to setup your firewall with Config server

Please note that this should not be used for anything illegal and this blog will not be responsible for any actions that lead to illegal use

Follow me

Leo G

Is a linux enthusiast and hobbyist, he has over 8 years experience in IT management, support and operations. He works with opensource software and wants to see more enterprises move towards the same
Follow me

Similar Posts
Top 25 most used passwords
I used to use tcpdump on my system to diagnose issues with ftp. To check if users are typing in...
Google Dorks to find free .pdf, .mp3, .avi and other files
I used to use tcpdump on my system to diagnose issues with ftp. To check if users are typing in...

6 Comments

Leave a Reply


Name (required)

Email (required)

Website

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>