I’m taking SANS’ “SEC503 Intrusion Detection In-Depth” class here in Brussels.
One of the exercises consisted of extracting the passwords from a capture file of an FTP password dictionary attack.
I was at an advantage for this exercise 😉 I have a Lua script for Wireshark that extracts credentials (HTTP and FTP in this release).
Notice that some entries have no username. A closer look at the capture file with Wireshark revealed missing TCP segments: the ones carrying the USER admin FTP command are absent from the capture, so for those attempts only the PASS command was seen.
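The post does not show the script's internals, so here is an added example of the extraction logic in Python (my own code, not the Lua script from the post). It covers the edge case just described: a PASS whose USER segment never made it into the capture is reported with an empty username instead of being dropped, so the gap stays visible. It assumes the capture has already been reduced to the client-to-server bytes of each TCP stream; the streams below are constructed, and the names Credential, parse_ftp_commands, extract_credentials, credential_rows and SAMPLE_STREAMS are mine.

```python
"""Extract FTP USER/PASS pairs from reassembled client-to-server command streams.

Added example, not the post's Lua script. Assumes the capture has already been
split into one byte string per TCP stream holding only the client's commands.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Credential:
    stream: int      # TCP stream the attempt was seen in
    username: str    # "" when no USER command was seen in that stream
    password: str


# RFC 959 command line: 3-4 letter verb, optional argument, CRLF terminated.
FTP_CMD = re.compile(rb"^(?P<cmd>[A-Za-z]{3,4})(?:[ \t]+(?P<arg>.*?))?\s*$")


def parse_ftp_commands(data: bytes) -> Iterator[Tuple[str, str]]:
    """Yield (COMMAND, argument) from one reassembled client->server stream.

    Tolerates bare LF line endings and skips lines that are not FTP commands
    (e.g. leftovers of a partially captured segment).
    """
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        m = FTP_CMD.match(line)
        if not m:
            continue
        cmd = m.group("cmd").upper().decode("ascii")
        arg = (m.group("arg") or b"").decode("latin-1")
        yield cmd, arg


def extract_credentials(streams: Dict[int, bytes]) -> List[Credential]:
    """Pair each PASS with the most recent USER seen in the same TCP stream.

    A PASS with no preceding USER is still recorded, with an empty username:
    that is exactly what a missing USER segment looks like, and silently
    dropping the attempt would hide the gap in the capture.
    """
    creds: List[Credential] = []
    for sid in sorted(streams):
        user: Optional[str] = None
        for cmd, arg in parse_ftp_commands(streams[sid]):
            if cmd == "USER":
                user = arg
            elif cmd == "PASS":
                creds.append(Credential(sid, user if user is not None else "", arg))
    return creds


# Constructed sample: four short streams; stream 2 lost its USER segment.
SAMPLE_STREAMS: Dict[int, bytes] = {
    0: b"USER admin\r\nPASS 123456\r\nQUIT\r\n",
    1: b"USER admin\r\nPASS password\r\nPASS letmein\r\n",  # connection reused
    2: b"PASS qwerty\r\nQUIT\r\n",                            # USER never captured
    3: b"user anonymous\r\nPASS ftp@example.com\r\n",         # lowercase verb
}


def credential_rows(streams: Dict[int, bytes]) -> List[Tuple[int, str, str]]:
    """Flatten results to plain tuples, handy for printing or asserting on."""
    return [(c.stream, c.username, c.password) for c in extract_credentials(streams)]


if __name__ == "__main__":
    for stream, user, pw in credential_rows(SAMPLE_STREAMS):
        print(f"stream {stream}: user={user!r} pass={pw!r}")
```

Per-stream client bytes can be produced from a real capture with Wireshark's "Follow TCP Stream" or, for just the commands, with tshark's tcp.stream, ftp.request.command and ftp.request.arg fields; the extractor keeps the last USER for the whole stream because a reused connection may send several PASS commands after one USER.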
wireshark-tools-v0_0_1.zip (https)
MD5: 30232A81CBD0DEE275C2A3CDAF7E333C
SHA256: E45CE8AF5417A8A1C857FDF84F2FD92860738CF2E723A64A730F606D2C495064