I’m taking SANS’ “SEC503 Intrusion Detection In-Depth” class here in Brussels.
One of the exercises consisted of extracting the passwords from a capture file of a FTP password dictionary attack.
I was at an advantage for this exercise ;-) I have a Lua script for Wireshark that extracts credentials (HTTP and FTP in this release).
Notice that some entries have no username. A closer look at the capture file with Wireshark revealed missing segments (with the USER admin FTP command).