The packets shown by tcpdump contain the following data: an IP header and an IP data portion. The IP data contains a TCP packet, that is, a TCP header and a TCP data portion. In the hex dumps below, the first 20 bytes are the IP header, the next 32 bytes are the TCP header (the TCP data offset field is 8 32-bit words in every packet), and any remaining byte is the TCP data.
Packet 1:
23:54:22.940104 moe.baylor.edu.1048 > larry.baylor.edu.telnet: P 219469296:219469297(1) ack 438978963 win 32120 <nop,nop,timestamp 71657873 71751057> (DF)
IP header:  4500 0035 051f 4000 4006 0b6c 813e 93dd 813e 93de
TCP header: 0418 0017 0d14 d5f0 1a2a 4993 8018 7d78 0c64 0000 0101 080a 0445 6991 0446 d591
TCP data:   30
As you can see, the data of the TCP packet contains a single byte, 30 hexadecimal, or 48 decimal, which is the numerical value of the character '0' (zero). Likewise, in the following packets from Moe to Larry (packets 3, 5, 7, 9, and 11) you can see the bytes 31, 32, 33, 34, and 2e, which are the numerical representations of the characters '1', '2', '3', '4', and '.', that is, the password we tried to capture. This example shows that if a person has root (admin) access rights on a router machine on the Internet, he/she could easily capture the user names and passwords of people who use telnet sessions to connect to a remote site, provided their packets pass across this machine (Larry in our case).
Additional information that is readily available from the IP header:
4 - Version 4
5 - Internet Header Length - 5 32-bit words.
00 - Type of Service - Normal Delay, Normal Throughput, Normal Reliability
0035 - Total Length - the whole packet is 35 hex (51 decimal) bytes long
40 - Time To Live - 64 hops
06 - Protocol - TCP
813e 93dd - Source Address - 129.62.147.221 - 81 hex is 129 dec, 3e is 62, 93 is 147 and dd is 221.
813e 93de - Destination Address - 129.62.147.222
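To show how these fields are read out of the raw bytes, here is an added Python example (not part of the original page) that decodes a dump in the format shown above, verifies the IP and TCP checksums (so a mis-transcribed dump is caught), and joins the one-byte telnet payloads of client-to-server packets; PACKET1 and PACKET3 are the page's Packet 1 and Packet 3 hex transcribed as constants.

```python
import struct

# PACKET1 and PACKET3 are the page's Packet 1 and Packet 3 dumps, transcribed as constants.
PACKET1 = ("4500 0035 051f 4000 4006 0b6c 813e 93dd 813e 93de "
           "0418 0017 0d14 d5f0 1a2a 4993 8018 7d78 0c64 0000 "
           "0101 080a 0445 6991 0446 d591 30")
PACKET3 = ("4500 0035 0520 4000 4006 0b6b 813e 93dd 813e 93de "
           "0418 0017 0d14 d5f1 1a2a 4993 8018 7d78 09f1 0000 "
           "0101 080a 0445 69b4 0446 d6e0 31")

def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement sum used by both the IP and the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"  # odd length: pad the last word with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4_tcp(hexdump: str) -> dict:
    """Decode the IPv4 header, the TCP header and the TCP payload from hex words."""
    raw = bytes.fromhex("".join(hexdump.split()))
    ver_ihl, tos, total_len, _ident, frag, ttl, proto, _ipsum = struct.unpack("!BBHHHBBH", raw[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4  # IHL is counted in 32-bit words
    if version != 4 or proto != 6:
        raise ValueError("only IPv4 carrying TCP is handled here")
    tcp = raw[ihl:total_len]  # for Packet 1, 0x0035 = 53 bytes: 20 IP + 32 TCP + 1 data byte
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4  # TCP header length, options included
    # The TCP checksum also covers a pseudo-header: src, dst, zero byte, protocol, TCP length.
    pseudo = raw[12:20] + struct.pack("!BBH", 0, proto, len(tcp))
    return {
        "version": version, "ihl": ihl, "tos": tos, "total_length": total_len,
        "df": bool(frag & 0x4000), "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window,
        "ip_checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
        "payload": tcp[data_offset:],
    }

def keystrokes(dumps) -> str:
    """Join the one-byte telnet payloads of the client-to-server packets, in order."""
    return b"".join(parse_ipv4_tcp(d)["payload"] for d in dumps).decode("ascii")
```

A checksum that does not verify means the dump was copied wrong, not that the host sent a bad packet, so check it before trusting any decoded field.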
Packet 2:
23:54:22.959976 larry.baylor.edu.telnet > moe.baylor.edu.1048: . ack 1 win 32120 <nop,nop,timestamp 71751392 71657873> (DF)
IP header:  4500 0034 bff8 4000 4006 5093 813e 93de 813e 93dd
TCP header: 0017 0418 1a2a 4993 0d14 d5f1 8010 7d78 3b1d 0000 0101 080a 0446 d6e0 0445 6991
This is the acknowledgement packet sent in response to the key '0'. It only contains an IP header and a TCP header, but no TCP data.
Packet 3:
23:54:23.281805 moe.baylor.edu.1048 > larry.baylor.edu.telnet: P 1:2(1) ack 1 win 32120 <nop,nop,timestamp 71657908 71751392> (DF)
IP header:  4500 0035 0520 4000 4006 0b6b 813e 93dd 813e 93de
TCP header: 0418 0017 0d14 d5f1 1a2a 4993 8018 7d78 09f1 0000 0101 080a 0445 69b4 0446 d6e0
TCP data:   31
Packet 4:
23:54:23.299964 larry.baylor.edu.telnet > moe.baylor.edu.1048: . ack 2 win 32120 <nop,nop,timestamp 71751426 71657908> (DF)
IP header:  4500 0034 bff9 4000 4006 5092 813e 93de 813e 93dd
TCP header: 0017 0418 1a2a 4993 0d14 d5f2 8010 7d78 3ad7 0000 0101 080a 0446 d702 0445 69b4
Packet 5:
23:54:23.634633 moe.baylor.edu.1048 > larry.baylor.edu.telnet: P 2:3(1) ack 1 win 32120 <nop,nop,timestamp 71657943 71751426> (DF)
IP header:  4500 0035 0521 4000 4006 0b6a 813e 93dd 813e 93de
TCP header: 0418 0017 0d14 d5f2 1a2a 4993 8018 7d78 08ab 0000 0101 080a 0445 69d7 0446 d702
TCP data:   32
Packet 6:
23:54:23.649963 larry.baylor.edu.telnet > moe.baylor.edu.1048: . ack 3 win 32120 <nop,nop,timestamp 71751461 71657943> (DF)
IP header:  4500 0034 bffa 4000 4006 5091 813e 93de 813e 93dd
TCP header: 0017 0418 1a2a 4993 0d14 d5f3 8010 7d78 3a90 0000 0101 080a 0446 d725 0445 69d7
Packet 7:
23:54:23.915691 moe.baylor.edu.1048 > larry.baylor.edu.telnet: P 3:4(1) ack 1 win 32120 <nop,nop,timestamp 71657971 71751461> (DF)
IP header:  4500 0035 0522 4000 4006 0b69 813e 93dd 813e 93de
TCP header: 0418 0017 0d14 d5f3 1a2a 4993 8018 7d78 076b 0000 0101 080a 0445 69f3 0446 d725
TCP data:   33
Packet 8:
23:54:23.929964 larry.baylor.edu.telnet > moe.baylor.edu.1048: . ack 4 win 32120 <nop,nop,timestamp 71751489 71657971> (DF)
IP header:  4500 0034 bffb 4000 4006 5090 813e 93de 813e 93dd
TCP header: 0017 0418 1a2a 4993 0d14 d5f4 8010 7d78 3a57 0000 0101 080a 0446 d741 0445 69f3
Packet 9:
23:54:24.131806 moe.baylor.edu.1048 > larry.baylor.edu.telnet: P 4:5(1) ack 1 win 32120 <nop,nop,timestamp 71657993 71751489> (DF)
IP header:  4500 0035 0523 4000 4006 0b68 813e 93dd 813e 93de
TCP header: 0418 0017 0d14 d5f4 1a2a 4993 8018 7d78 0638 0000 0101 080a 0445 6a09 0446 d741
TCP data:   34
Packet 10:
23:54:24.149963 larry.baylor.edu.telnet > moe.baylor.edu.1048: . ack 5 win 32120 <nop,nop,timestamp 71751511 71657993> (DF)
IP header:  4500 0034 bffc 4000 4006 508f 813e 93de 813e 93dd
TCP header: 0017 0418 1a2a 4993 0d14 d5f5 8010 7d78 3a2a 0000 0101 080a 0446 d757 0445 6a09
Packet 11:
23:54:24.626419 moe.baylor.edu.1048 > larry.baylor.edu.telnet: P 5:6(1) ack 1 win 32120 <nop,nop,timestamp 71658042 71751511> (DF)
IP header:  4500 0035 0524 4000 4006 0b67 813e 93dd 813e 93de
TCP header: 0418 0017 0d14 d5f5 1a2a 4993 8018 7d78 0bf0 0000 0101 080a 0445 6a3a 0446 d757
TCP data:   2e
Packet 12:
23:54:24.639970 larry.baylor.edu.telnet > moe.baylor.edu.1048: . ack 6 win 32120 <nop,nop,timestamp 71751560 71658042> (DF)
IP header:  4500 0034 bffd 4000 4006 508e 813e 93de 813e 93dd
TCP header: 0017 0418 1a2a 4993 0d14 d5f6 8010 7d78 39c7 0000 0101 080a 0446 d788 0445 6a3a