Re: [PEN-TEST] snoop ona live telnet session?

[Andre Delafontaine <andre.delafontaine () ECHOSTAR COM>]

Following is a stupid gawk script that converts the hex output of
tcpdump into ASCII.

All parameters are passed as filters to tcpdump:
netdump host _client_ and _server_ and port 23

There are much better ways to do this: some versions of tcpdump have a
"dump in ASCII format" flag.

Also, snort (http://www.snort.org/) and dsniff
(http://www.monkey.org/~dugsong/dsniff/) can write the content of
sessions and/or account/passwords.

My script is inefficient and clumsy, but it can be pasted in a terminal
on a cracked host containing tcpdump, even if there is no simple way to
transfer a file or there is no compiler available on that platform.

Andre

--- cut here ---
#! /bin/sh

tcpdump -lnqxs 2000 "$@" | \
  gawk '
    BEGIN {
      hexstr= "0123456789abcdef"
      line= ""
    }

    ! /^        / {
      line= substr( line, length( line ) - line_len )
      if ( line != "." )
        print line
      print "\n" $0
      close ( "/dev/stdout" )
      line= ""
      line_len= $6
    }

    /^  / {
      for ( i= 1 ; i <= NF ; i++ ) {
        for ( j= 0 ; j < 2 ; j++ ) {
          ch= substr( $i, j * 2 + 1, 2 )
          ch_val= ( index( hexstr, substr( ch, 1, 1 ) ) - 1 ) * 16 \
                + ( index( hexstr, substr( ch, 2, 1 ) ) - 1 )

          if ( ch_val < 31 || ch_val >= 127 )
          {
            line= line "."
          } else {
            line= line sprintf( "%c", ch_val )
          }
        }
      }
    }
  '
--- cut here ---
Cats are smarter than dogs.  You can't make eight cats pull a sled
through
the snow.

             andre.delafontaine at echostar.com

  F20 DSS: BD75 66D9 5B2C 66CE 9158  BB27 B199 59CE D117 4E9F
   F16 RSA: F8 04 FE 50 02 B5 03 02  F6 87 C7 8D F9 2E B8 58