Recovering a PPPoE username and password with FreeBSD (do not use this for illegal purposes!)
A friend brought me a wireless router and asked me to recover the PPPoE username and password stored in it. The articles online were not very concise, hence this post. The idea is simple: let the router dial in to a PPPoE server that we control, which offers only PAP authentication, and read the credentials off the wire.
1. Install mpd:
mpd on FreeBSD is a superb PPP tool: it can act as a PPPoE client and as a PPPoE server.
- pkg install mpd5
2. Configure mpd to accept PPPoE dial-in. This is not complicated: copy /usr/local/etc/mpd5/mpd.conf.sample to mpd.conf (mpd5 reads mpd.conf from that directory), then edit the default and pppoe_server sections. Five lines change in total:
1. Make pppoe_server the default section (`load pppoe_server` under `default:`);
2. Remove the `load radius` line, otherwise mpd errors out because no RADIUS section is defined;
3. Set the PPPoE service name to "*" (`set pppoe service "*"`), so the server answers any service name; otherwise the client's discovery packets are not accepted;
4-5. Set the network interface the router is plugged into; it appears in two places (`create link template em0 common` and `set pppoe iface em0`).
Note also that the sample opens the console on 127.0.0.1:5005 and the web UI on 0.0.0.0:5006 with the sample users foo/bar; leave those in only on a throwaway lab machine.
- # cat mpd.conf
- startup:
- # configure mpd users
- set user foo bar admin
- set user foo1 bar1
- # configure the console
- set console self 127.0.0.1 5005
- set console open
- # configure the web server
- set web self 0.0.0.0 5006
- set web open
- #
- # Default configuration is "dialup"
- default:
- load pppoe_server
- common:
- # Enable multilink protocol
- set link enable multilink
- # Set bundle template to use
- set link action bundle B
- # Allow peer to authenticate us
- set link disable chap pap
- set link accept chap pap
- set auth authname MyLogin
- # Set inifinite redial attempts
- set link max-redial 0
- set modem var $DialPrefix "DT"
- set modem var $Telephone "1-415-555-1212"
- set modem script DialPeer
- pppoe_server:
- #
- # Multihomed multilink PPPoE server
- #
- # Create clonable bundle template
- create bundle template B
- # Set IP addresses. Peer address will be later replaced by RADIUS.
- set ipcp ranges 192.168.0.1/32 127.0.0.2/32
- # Create link template with common info
- create link template common pppoe
- # Enable multilink protocol
- set link enable multilink
- # Set bundle template to use
- set link action bundle B
- # Enable peer authentication
- set link disable chap pap eap
- set link enable pap
- # load radius
- set pppoe service "*"
- # Create templates for ifaces to listen using 'common' template and let them go
- create link template em0 common
- set link max-children 1000
- set pppoe iface em0
- set link enable incoming
3. Start mpd so the PPPoE server accepts dial-in:
- /usr/local/etc/rc.d/mpd5 onestart
4. Capture traffic and look for the line containing "Name": tcpdump's PAP decoder prints the peer-id after "Peer" and the password after "Name". This works because the configuration above offers only PAP (`set link enable pap`), so the client sends the password in cleartext; the following Auth-NACK "Login incorrect" is expected, since the user is not in mpd.secret, but the credentials have already been captured by then. In this example the username is csh and the password is 123456:
- # tcpdump -ani em0 pppoes
- tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
- listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
- 18:09:07.901865 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 1, length 37
- 18:09:08.942933 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 147, length 26
- 18:09:08.943601 PPPoE [ses 0x4a] LCP, Conf-Reject (0x04), id 1, length 12
- 18:09:08.943726 PPPoE [ses 0x4a] LCP, Conf-Reject (0x04), id 147, length 8
- 18:09:08.943996 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 2, length 22
- 18:09:08.944447 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 148, length 24
- 18:09:08.945266 PPPoE [ses 0x4a] LCP, Conf-Ack (0x02), id 2, length 22
- 18:09:08.945282 PPPoE [ses 0x4a] LCP, Conf-Ack (0x02), id 148, length 24
- 18:09:08.946030 PPPoE [ses 0x4a] PAP, Auth-Req (0x01), id 1, Peer csh, Name 123456
- 18:09:08.947405 PPPoE [ses 0x4a] PAP, Auth-NACK (0x03), id 1, Msg Login incorrect
- 18:09:08.947938 PPPoE [ses 0x4a] LCP, Term-Request (0x05), id 3, length 6
- 18:09:08.948400 PPPoE [ses 0x4a] LCP, Term-Request (0x05), id 149, length 6
- 18:09:08.948733 PPPoE [ses 0x4a] LCP, Term-Ack (0x06), id 4, length 6
- 18:09:08.949086 PPPoE [ses 0x4a] LCP, Term-Ack (0x06), id 3, length 6
- ^C
- 14 packets captured
- 29 packets received by filter
- 0 packets dropped by kernel
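The PAP request that tcpdump decodes above is worth seeing at byte level, because the wire format is what makes the cleartext capture possible. The following is an added example written for this post, not the author's code and not part of mpd or tcpdump: a small Python parser that walks a PPPoE session frame (EtherType 0x8864) down to the PPP protocol field and pulls the peer-id and password out of a PAP Authenticate-Request, and, for comparison, only the name and the MD5 digest out of a CHAP Response. The sample frames, MAC addresses, session IDs and the CHAP challenge are constructed inline so it runs offline; to use it on a real capture, feed it the raw frames of a `tcpdump -w` pcap through any pcap reader.

```python
"""Pull PAP credentials (and CHAP responses) out of raw PPPoE session frames.

Added example, not code from the original post. The sample frames at the
bottom are constructed here so the script runs offline.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_P_PPPOE_SESSION = 0x8864  # EtherType for the PPPoE session stage (RFC 2516)
PPP_PAP = 0xC023              # PPP protocol: Password Authentication Protocol
PPP_CHAP = 0xC223             # PPP protocol: Challenge-Handshake Auth Protocol
PAP_AUTH_REQ = 1              # PAP code: Authenticate-Request
CHAP_RESPONSE = 2             # CHAP code: Response


@dataclass
class AuthInfo:
    protocol: str
    session_id: int
    peer_id: str
    password: Optional[str]       # cleartext, PAP only
    chap_digest: Optional[bytes]  # MD5(id || secret || challenge), CHAP only


def parse_pppoe_auth(frame: bytes) -> Optional[AuthInfo]:
    """Return auth data if `frame` is a PPPoE session frame carrying a PAP
    Authenticate-Request or a CHAP Response; otherwise None."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_SESSION:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != 0x11 or code != 0x00:  # version 1, type 1, code 0 = session data
        return None
    payload = frame[20:20 + length]
    if len(payload) != length or not payload:
        return None  # truncated frame: do not trust partial lengths
    # PPP protocol field: 2 bytes normally, 1 byte (odd value) if PFC was negotiated
    if payload[0] & 1:
        proto, ppp = payload[0], payload[1:]
    else:
        proto, ppp = struct.unpack("!H", payload[:2])[0], payload[2:]
    if proto == PPP_PAP:
        return _parse_pap(ppp, session_id)
    if proto == PPP_CHAP:
        return _parse_chap(ppp, session_id)
    return None


def _parse_pap(ppp: bytes, session_id: int) -> Optional[AuthInfo]:
    # PAP: code(1) id(1) length(2) peer-id-len(1) peer-id pw-len(1) password
    if len(ppp) < 4:
        return None
    code, _ident, length = struct.unpack("!BBH", ppp[:4])
    if code != PAP_AUTH_REQ or length > len(ppp) or length < 6:
        return None
    body = ppp[4:length]
    plen = body[0]
    peer, rest = body[1:1 + plen], body[1 + plen:]
    if len(peer) != plen or not rest:
        return None
    pwlen = rest[0]
    password = rest[1:1 + pwlen]
    if len(password) != pwlen:
        return None
    return AuthInfo("PAP", session_id, peer.decode("utf-8", "replace"),
                    password.decode("utf-8", "replace"), None)


def _parse_chap(ppp: bytes, session_id: int) -> Optional[AuthInfo]:
    # CHAP Response: code(1) id(1) length(2) value-size(1) value name
    if len(ppp) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", ppp[:4])
    if code != CHAP_RESPONSE or length > len(ppp):
        return None
    body = ppp[4:length]
    vsize = body[0]
    value, name = body[1:1 + vsize], body[1 + vsize:]
    if len(value) != vsize:
        return None
    return AuthInfo("CHAP", session_id, name.decode("utf-8", "replace"), None, value)


def extract_credentials(frames: List[bytes]) -> List[AuthInfo]:
    """Run the parser over a list of raw frames and keep only the hits."""
    return [info for info in map(parse_pppoe_auth, frames) if info]


# ---- constructed sample frames (not taken from the original capture) ------
def _pppoe_session_frame(session_id: int, proto: int, ppp: bytes) -> bytes:
    payload = struct.pack("!H", proto) + ppp
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETH_P_PPPOE_SESSION)
    return eth + struct.pack("!BBHH", 0x11, 0x00, session_id, len(payload)) + payload


def _pap_auth_req(ident: int, peer: bytes, password: bytes) -> bytes:
    body = bytes([len(peer)]) + peer + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQ, ident, 4 + len(body)) + body


def _chap_response(ident: int, name: bytes, secret: bytes, challenge: bytes) -> bytes:
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()  # RFC 1994 MD5-CHAP
    body = bytes([len(digest)]) + digest + name
    return struct.pack("!BBH", CHAP_RESPONSE, ident, 4 + len(body)) + body


SAMPLE_PAP_FRAME = _pppoe_session_frame(0x4A, PPP_PAP, _pap_auth_req(1, b"csh", b"123456"))
SAMPLE_CHAP_FRAME = _pppoe_session_frame(
    0x4B, PPP_CHAP, _chap_response(1, b"csh", b"123456", b"\x01" * 16))
SAMPLE_LCP_FRAME = _pppoe_session_frame(0x4A, 0xC021, b"\x01\x01\x00\x04")  # LCP, ignored

if __name__ == "__main__":
    for info in extract_credentials([SAMPLE_LCP_FRAME, SAMPLE_PAP_FRAME, SAMPLE_CHAP_FRAME]):
        print(info)
```

The CHAP case shows why the configuration forces PAP: had the router negotiated CHAP, the server would see only MD5(id || secret || challenge) and the password could be recovered only by offline guessing, whereas the PAP Authenticate-Request carries it verbatim.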
5. Reminders:
1. Don't do anything bad with this!
2. Copying the mpd.conf from this post verbatim will not work: mpd.conf requires every line except the section labels to be indented with leading whitespace, and this blog's editor strips leading spaces. See the sample shipped with the port for the exact format.
----end----