Looking for clear text authentication with tcpdump

Login services not using encryption, is unfortunately still often seen in the wild. I started out in the IT business around 2000, and even back then, clear text authentication was bad, but still we see it today.

Examples of services using clear text authentication is: HTTP, FTP and telnet. Don’t ever authenticate using any of these protocols, unless you know exactly what you are doing.

Sometimes you may want to verify, if the password is actually sent in clear text, and one of the tools to use is tcpdump. Tcpdump is the default network analyse tool on most Linux distributions, and it’s very easy to get started with. Maybe you just want to know if your network changes is routing traffic to your server, you can use tcpdump to verify.

When sniffing for clear text passwords, we need to give the parameters -s 0 and -A and then we can give the destination port the service is listening on with dst port. So the full command would look like this:

tcpdump -s 0 -A dst port xxx

You can also specify the interface to listen on, by using the -i option. If your interface is enp0s31f6, then it would look like.

tcpdump -i enp0s31f6 -s 0 -A dst port xxx

Another option is the “and” and the “not” keyword. Imagine you are logged in with SSH, and looking for ssh traffic, but you don’t want to see your own traffic. The you can use and not host ${your own IP address}, like this

tcpdump -i enp0s31f6 dst port 22 and not host xx.xx.xx.xx

In the last example i have removed the -s 0 and the -A option, since i don’t need it just to see if traffic is getting to my server.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.