Russ in the newsgroup picked up a new SBS client and they didn’t write down the POP connector password.  He asked “Anyone know of password programs that unhide password in 2003?  All I can find are the ones for XP?”

As Russ found out, it wasn't even that hard.  Fire up Ethereal (the sniffer now called Wireshark), capture the packets between the server and the POP box at the ISP, and the password travels in clear text.  POP3 logs in with a USER command followed by a PASS command, and the argument to PASS is the password, so it's pretty obvious what it is.  (EHLO is the greeting you'll see on the SMTP side; for the POP connector the line to look for is PASS.)  Keep in mind the flip side: if you can read that password off the wire, so can anyone else between the server and the ISP, unless the connector is talking to the ISP over SSL/TLS.
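The following is an added example, not code from the original post: a small Python parser that does by hand what Ethereal shows you on screen. It takes the client-to-server half of a POP3 session (the bytes "Follow TCP Stream" would give you) and pulls out the credentials. It goes a little beyond the post's USER/PASS case and also handles SASL AUTH PLAIN (RFC 5034), which is base64 rather than encryption, and flags APOP, where only an MD5 digest crosses the wire. The sample streams, mailbox name and password are constructed for the example.

```python
import base64
import re

# Constructed sample: the client-to-server half of a POP3 session, as
# "Follow TCP Stream" in Wireshark/Ethereal would reassemble it.  Not a real
# capture; the mailbox and password are made up.
CLIENT_STREAM_USER_PASS = (
    b"USER mailbox@example.com\r\n"
    b"PASS Sup3rS3cret!\r\n"
    b"STAT\r\n"
    b"QUIT\r\n"
)

# Constructed sample: the same login over SASL PLAIN (RFC 5034).  The
# credentials are base64-encoded, which is encoding, not encryption.
CLIENT_STREAM_AUTH_PLAIN = (
    b"AUTH PLAIN\r\n"
    + base64.b64encode(b"\x00mailbox@example.com\x00Sup3rS3cret!")
    + b"\r\nQUIT\r\n"
)

# Constructed sample: APOP sends MD5(timestamp + password), not the password,
# so a passive sniffer gets only the digest here (the digest value is made up).
CLIENT_STREAM_APOP = (
    b"APOP mailbox@example.com c4c9334bac560ecc979e58001b3e22fb\r\n"
    b"QUIT\r\n"
)

_CMD = re.compile(rb"^(USER|PASS|APOP|AUTH)(?:\s+(.*))?$", re.IGNORECASE)


def decode_sasl_plain(blob: bytes):
    """Decode a SASL PLAIN response: base64 of authzid NUL authcid NUL passwd.
    Returns (username, password) or None if the blob is not well formed."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\x00")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def extract_pop3_credentials(client_stream: bytes):
    """Return a list of (mechanism, username, secret) tuples found in the client
    half of a POP3 session.  For APOP the 'secret' is the MD5 digest, not the
    password: the one case here where sniffing alone does not hand you the
    password."""
    creds = []
    pending_user = None
    expect_plain_blob = False
    for raw in client_stream.split(b"\r\n"):
        line = raw.strip()
        if not line:
            continue
        if expect_plain_blob:
            # The line after a bare "AUTH PLAIN" is the base64 credential blob.
            expect_plain_blob = False
            decoded = decode_sasl_plain(line)
            if decoded:
                creds.append(("AUTH PLAIN",) + decoded)
            continue
        m = _CMD.match(line)
        if not m:
            continue
        verb = m.group(1).upper()
        arg = (m.group(2) or b"").strip()
        if verb == b"USER":
            pending_user = arg.decode("utf-8", "replace")
        elif verb == b"PASS" and pending_user is not None:
            creds.append(("USER/PASS", pending_user, arg.decode("utf-8", "replace")))
            pending_user = None
        elif verb == b"APOP":
            name, _, digest = arg.partition(b" ")
            creds.append(("APOP", name.decode("utf-8", "replace"), digest.decode("ascii", "replace")))
        elif verb == b"AUTH":
            mech, _, initial = arg.partition(b" ")
            if mech.upper() == b"PLAIN":
                if initial:  # client sent the blob on the same line
                    decoded = decode_sasl_plain(initial.strip())
                    if decoded:
                        creds.append(("AUTH PLAIN",) + decoded)
                else:
                    expect_plain_blob = True
    return creds


if __name__ == "__main__":
    for stream in (CLIENT_STREAM_USER_PASS, CLIENT_STREAM_AUTH_PLAIN, CLIENT_STREAM_APOP):
        for mech, user, secret in extract_pop3_credentials(stream):
            print(f"{mech:10} user={user!r} secret={secret!r}")
```

To use it on a real capture, save the client-to-server direction of the POP3 stream as raw bytes from Wireshark's "Follow TCP Stream" dialog and pass those bytes to `extract_pop3_credentials`. If the connector is using SSL/TLS to the ISP, the stream is ciphertext and this parser (or dsniff) finds nothing, which is the point of turning it on.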

Remember, physical access means the ultimate lack of security.  With physical access I can even reset the local admin password with a boot disk [only do this on desktops, not on the server].

Law #3 (from Microsoft's Ten Immutable Laws of Security): If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.


2 Responses to Sniffin’ a bit of a password tonight

  1. Gabriel Zabal says:

    Hi Susan, I follow your blog almost daily, I’m MCSE, SBS’er and Security enthusiast.

    If you want to capture passwords easily, you should use Dsniff. It's a tool that captures the packets on the wire and looks for the packets with usernames or passwords for the most common protocols.

    From the website:

    "dsniff : simple password sniffer. handles FTP, Telnet, HTTP, POP, NNTP, IMAP, SNMP, LDAP, Rlogin, NFS, SOCKS, X11, IRC, AIM, CVS, ICQ, Napster, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, and Oracle SQL*Net auth info. goes beyond most sniffers in that it minimally parses each application protocol, only saving the "interesting" bits. uses Berkeley DB as its output file format, logging only unique auth info. supports full TCP/IP reassembly, courtesy of libnids (all of the following tools do, as well)."

    It works nicely to show the problem of the weak protocols.

    Gabriel Zabal

  2. bradley says:

    Hi Susan,
    I’ve used that password reset utility to recover a SBS2k3 server that had the admin password set by a disgruntled ex-employee. It involved resetting the local admin password, booting into domain controller recovery mode, then doing a few other things to hack out the domain admin’s password. It was time consuming (less than a full reload) but it did work.