Dec 03

Using ettercap to promote secure network usage

Ettercap is a popular network security tool which allows you to perform both active and passive password gathering. You can leave a daemonized version running (e.g. ettercap -NCzqs -i en2 --logtofile) and it will produce a file containing hosts, usernames and passwords for a number of different protocols:

18:03:20  172.16.70.170:56784 <--> 172.16.70.55:110           pop3

USER: test
PASS: **********

18:03:39  172.16.70.170:56786 <--> 216.239.57.99:80           http

USER: foo
PASS: *******

http://www.google.com

Unfortunately this isn't really what non-nefarious users want: I just need to know who's using an unsafe protocol on my network so I can periodically send them reminders to switch to something secure and, if necessary, provide proof that this is a real security threat rather than a hypothetical problem.

A little bit of perl later and I have ettercap-insecurity-reporter.

ettercap-insecurity-reporter < logfile will produce a quick report. ettercap-insecurity-reporter --format=html < logfile produces an HTML report (use --format=html_table if you want to embed the output in other pages).

If you're planning to put your logs anywhere public, or are [wisely] concerned about storing sensitive information, ettercap-log-sanitizer < logfile will replace passwords with asterisks - suitable for running out of cron on your monitoring host before the script which produces the report.
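To make the two steps above concrete, here is an added example (not the ettercap-insecurity-reporter or ettercap-log-sanitizer scripts from the post, which are Perl) that parses the log layout quoted above, groups clear-text logins by client host and protocol so you know whom to remind, and masks the PASS lines so a sanitized copy can be kept and reported from. The sample log, the INSECURE protocol list and the function names are this example's own assumptions.

```python
"""Parse the ettercap password-log layout shown in the post and produce a
per-host insecure-protocol report, plus a sanitizer that masks PASS values.

Assumed format (taken from the excerpt above): a header line of the form
`HH:MM:SS  client:port <--> server:port  protocol`, followed by `USER:` and
`PASS:` lines and, for http, a URL line.  SAMPLE_LOG below is constructed."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the excerpt; the passwords are fake.
SAMPLE_LOG = """\
18:03:20  172.16.70.170:56784 <--> 172.16.70.55:110           pop3

USER: test
PASS: hunter2

18:03:39  172.16.70.170:56786 <--> 216.239.57.99:80           http

USER: foo
PASS: letmein

http://www.google.com

18:04:10  172.16.70.171:40100 <--> 172.16.70.55:21            ftp

USER: anonymous
PASS: guest@
"""

HEADER_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+<-->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)\s*$"
)
PASS_RE = re.compile(r"^(PASS:\s*)(.*)$")

# Clear-text protocols worth nagging about.  Assumption: this list is the
# example's own, not something the post or ettercap defines.
INSECURE = {"pop3", "http", "ftp", "telnet", "imap", "smtp"}


def parse_log(text):
    """Return one dict per credential block: time, src, dst, dport, proto, user, url.
    PASS lines are deliberately never read; the report does not need the secret."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {k: m.group(k) for k in ("time", "src", "dst", "dport", "proto")}
            current["user"] = None
            current["url"] = None
            records.append(current)
        elif current is not None and line.startswith("USER:"):
            current["user"] = line[len("USER:"):].strip()
        elif current is not None and line.startswith(("http://", "https://")):
            current["url"] = line.strip()
    return records


def build_report(text):
    """Map each client IP to the insecure protocols seen from it and the usernames used."""
    report = defaultdict(lambda: defaultdict(set))
    for rec in parse_log(text):
        if rec["proto"] in INSECURE and rec["user"]:
            report[rec["src"]][rec["proto"]].add(rec["user"])
    return {src: {p: sorted(u) for p, u in protos.items()} for src, protos in report.items()}


def sanitize_log(text):
    """Return the log with every PASS value replaced by asterisks of the same length.
    Everything the report needs (hosts, protocols, users) is left intact."""
    out = []
    for line in text.splitlines():
        m = PASS_RE.match(line)
        if m:
            line = m.group(1) + "*" * len(m.group(2))
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def format_text_report(report):
    """One tab-separated line per (client, protocol) pair, sorted for stable output."""
    lines = []
    for src in sorted(report):
        for proto in sorted(report[src]):
            lines.append(f"{src}\t{proto}\tusers: {', '.join(report[src][proto])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_text_report(build_report(SAMPLE_LOG)))
    print()
    print(sanitize_log(SAMPLE_LOG))
```

Because parse_log never reads the PASS lines, build_report gives the same answer on the sanitized copy as on the raw log, which is the property you want if the sanitizer runs first out of cron and the reporter only ever sees the masked file.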

Future Plans

  • Improved HTML output: links to whois / IP block info, preservation of the original URL, etc.
  • Automatic emails: reverse DNS and walk up the hierarchy until you get a valid MX record, then send a warning to user@mx.
  • Report protocols over non-standard ports