用FreeBSD抓取PPPoE帳號和密碼（勿用非法用途！）

用FreeBSD抓取PPPoE帳號和密碼（勿用非法用途！）

一個朋友拿了一台無線路由器，讓我幫他找到用戶名和密碼，網上的文章不是太簡潔，於是有了本文。

一、安裝mpd：
　　FreeBSD下的mpd簡直就是撥號的神器，能做客戶端，也能做服務器端。

1. pkg install mpd5

二、配置mpd，讓它接收PPPoE撥號，其實根本不麻煩，直接把/usr/local/etc/mpd5/mpd5.conf.sample復制一個mpd5.conf，然後修改一下pppoe_server和default就可以了，共五行，分別是：
　1、設置默認的段；
2、去掉radius，否則會報錯；
　3、設置pppoe_server名為"*"，否則客戶端的包過不來；
4-5、設置接入的網卡，共有兩處；

1. # cat mpd.conf
2. startup:
3. # configure mpd users
4. set user foo bar admin
5. set user foo1 bar1
6. # configure the console
7. set console self 127.0.0.1 5005
8. set console open
9. # configure the web server
10. set web self 0.0.0.0 5006
11. set web open
12. 
    
13. #
14. # Default configuration is "dialup"
15. 
    
16. default:
17. load pppoe_server
18. 
    
19. common:
20. # Enable multilink protocol
21. set link enable multilink
22. # Set bundle template to use
23. set link action bundle B
24. # Allow peer to authenticate us
25. set link disable chap pap
26. set link accept chap pap
27. set auth authname MyLogin
28. # Set inifinite redial attempts
29. set link max-redial 0
30. set modem var $DialPrefix "DT"
31. set modem var $Telephone "1-415-555-1212"
32. set modem script DialPeer
33. 
    
34. pppoe_server:
35. #
36. # Multihomed multilink PPPoE server
37. #
38. 
    
39. # Create clonable bundle template
40. create bundle template B
41. # Set IP addresses. Peer address will be later replaced by RADIUS.
42. set ipcp ranges 192.168.0.1/32 127.0.0.2/32
43. 
    
44. # Create link template with common info
45. create link template common pppoe
46. # Enable multilink protocol
47. set link enable multilink
48. # Set bundle template to use
49. set link action bundle B
50. # Enable peer authentication
51. set link disable chap pap eap
52. set link enable pap
53. # load radius
54. set pppoe service "*"
55. 
    
56. # Create templates for ifaces to listen using 'common' template and let them go
57. create link template em0 common
58. set link max-children 1000
59. set pppoe iface em0
60. set link enable incoming

三、啟動mpd，讓PPPoE服務器接收撥號：

1. /usr/local/etc/rc.d/mpd5 onestart

四、抓包，找到帶“Name”的那行，就是用戶名和密碼，本文示例用戶名為：csh，密碼為123456：

1. # tcpdump -ani em0 pppoes
2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
3. listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
4. 18:09:07.901865 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 1, length 37
5. 18:09:08.942933 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 147, length 26
6. 18:09:08.943601 PPPoE [ses 0x4a] LCP, Conf-Reject (0x04), id 1, length 12
7. 18:09:08.943726 PPPoE [ses 0x4a] LCP, Conf-Reject (0x04), id 147, length 8
8. 18:09:08.943996 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 2, length 22
9. 18:09:08.944447 PPPoE [ses 0x4a] LCP, Conf-Request (0x01), id 148, length 24
10. 18:09:08.945266 PPPoE [ses 0x4a] LCP, Conf-Ack (0x02), id 2, length 22
11. 18:09:08.945282 PPPoE [ses 0x4a] LCP, Conf-Ack (0x02), id 148, length 24
12. 18:09:08.946030 PPPoE [ses 0x4a] PAP, Auth-Req (0x01), id 1, Peer csh, Name 123456
13. 18:09:08.947405 PPPoE [ses 0x4a] PAP, Auth-NACK (0x03), id 1, Msg Login incorrect
14. 18:09:08.947938 PPPoE [ses 0x4a] LCP, Term-Request (0x05), id 3, length 6
15. 18:09:08.948400 PPPoE [ses 0x4a] LCP, Term-Request (0x05), id 149, length 6
16. 18:09:08.948733 PPPoE [ses 0x4a] LCP, Term-Ack (0x06), id 4, length 6
17. 18:09:08.949086 PPPoE [ses 0x4a] LCP, Term-Ack (0x06), id 3, length 6
18. ^C
19. 14 packets captured
20. 29 packets received by filter
21. 0 packets dropped by kernel

五：提醒：
　1、別干壞事！
　2、復制本文mpd.conf配置會無效，原因是mpd.conf要求除了段名外，每行前面都要有空格，而本博客編輯器會把前置空格吃掉，具體格式看系統自帶的示例。








----end----