This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MACflood & Telnet password

0

Hello,

I have a problem capturing a telnet password using a macflood attack. As you can see on the screen, there is no password, just "......".

When I use another attack (arpspoof, ...), I can see the password without problems. Does anybody know where the problem could be?

Thanks.

screen

asked 28 Apr '14, 01:41


petersonn

edited 28 Apr '14, 04:14


One Answer:

1

You either captured only one direction of the communication or you filtered the traffic to show only one direction (dst: 192.168.1.9). So, what you see in the screenshot is only the traffic from the telnet server to the telnet client. Why you only see half of the traffic could be related to your capture method/setup. As you did not tell us anything about that (except 'macflood') it's impossible to give you any advice.

The reason why you see dots (....) for the password is some ECHO option enabled on the telnet server. With that option it will echo certain pieces of the communication back to the client. In the case of the password, your telnet server apparently does not echo the real password. Instead it uses other characters.

http://tools.ietf.org/html/rfc857

The difference to your other capture file is (most certainly) the fact that you've captured both directions in the other capture file and thus you can see the cleartext password sent from the client to the server. You'll have the echoed password as well in the capture file (if it's the same telnet server), but you might not have noticed, as you probably did not know about that feature and thus you ignored the extra characters.

Regards
Kurt

answered 28 Apr '14, 17:06


Kurt Knochner ♦

Yes, you're right, I captured only traffic from the telnet server to the telnet client. My topology is: http://s4.postimg.org/x5x0bvirh/telnet_scheme.png I run macof from the attacker's PC for a few seconds to fill the CAM table. After that I start capturing data on the attacker's PC and then I connect the Telnet client PC and make a telnet connection. But in Wireshark I can only see telnet traffic captured in one direction. Where can I find the other direction (from client to server)? If necessary, I can upload my .pcap file for you.

Thank you for answering!

Peter

(29 Apr '14, 02:39) petersonn
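
The one-direction symptom and the ECHO behaviour described in the answer above, as an added example (not part of the original thread): it separates telnet option negotiation from data in the server-to-client bytes and reports whether the capture holds both directions. The function names, addresses, ports and sample bytes are constructed for illustration.

```python
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254  # RFC 854
ECHO = 1                                                               # RFC 857
VERBS = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

def split_telnet(stream: bytes):
    """Split one direction of a telnet stream into (data, [(verb, option), ...])."""
    data, opts, i, n = bytearray(), [], 0, len(stream)
    while i < n:
        if stream[i] != IAC:                 # ordinary data byte
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                       # command cut off by end of capture
            break
        cmd = stream[i + 1]
        if cmd == IAC:                       # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in VERBS:                   # three-byte option negotiation
            if i + 2 >= n:
                break
            opts.append((VERBS[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:                      # skip subnegotiation up to IAC SE
            i += 2
            while i + 1 < n and not (stream[i] == IAC and stream[i + 1] == SE):
                i += 2 if stream[i] == IAC else 1
            i += 2
        else:                                # other two-byte command (NOP, GA, ...)
            i += 2
    return bytes(data), opts

def directions_seen(packets, server_port=23):
    """packets: (src_ip, src_port, dst_ip, dst_port) tuples from one capture."""
    seen = set()
    for _src, sport, _dst, dport in packets:
        if server_port in (sport, dport):
            seen.add("server->client" if sport == server_port else "client->server")
    return seen

def diagnose(packets, server_stream):
    text, opts = split_telnet(server_stream)
    dirs = directions_seen(packets)
    return {"one_way": len(dirs) == 1, "directions": dirs,
            "server_echoes": ("WILL", ECHO) in opts, "server_text": text}

# Constructed sample: addresses, ports and payload are made up for illustration.
PACKETS = [("192.0.2.10", 23, "192.0.2.20", 50000)] * 3
SERVER_STREAM = b"\xff\xfb\x01\xff\xfb\x03login: user\r\nPassword: ......\r\n"
```

Calling `diagnose(PACKETS, SERVER_STREAM)` on the sample reports a one-way capture in which the server announced WILL ECHO, so every character on screen, including the masking dots, came from the server rather than from the client's keystrokes.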