A tool for recovering credentials from sniffed PPPoE, RADIUS and L2TPv2 CHAP authentications (forked from theclam/dechap)
This fork aims to improve its performance, and maybe add some new features. The original repository only had tar.gz files of each version; they are all uncompressed here as tags. 😉
dechap is a tool which attempts to recover login credentials from captured PPPoE, RADIUS and L2TP CHAP authentications plus MD5 authenticated OSPF or BGP traffic. It strips away any 802.1Q tags and / or MPLS labels which are present to get to the good stuff and then runs a dictionary attack against any authentications it finds.
Please see Foeh Mannay's blog posts [Bringing Up a PPPoE Session - The Theory](http://networkingbodges.blogspot.com/2013/01/bringing-up-pppoe-session-theory.html) and [Recovering CHAP Passwords from Sniffed PPPoE Sessions](http://networkingbodges.blogspot.com.br/2013/01/recovering-chap-passwords-from-sniffed.html) for more information on the theory behind this if you are interested.
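As an added illustration (not dechap's own code), the Python below walks the encapsulation described above, stripping 802.1Q tags and MPLS labels to reach the PPPoE session and the PPP CHAP packet, and then applies the RFC 1994 check (MD5 over identifier, secret and challenge) that lets anyone holding both frames verify a candidate secret offline, which is why CHAP should not cross links an attacker can sniff. The VLAN id, peer names and challenge bytes are constructed, and it assumes that an Ethernet frame with no control word follows an MPLS bottom-of-stack label (EoMPLS pseudowire).

```python
import hashlib, struct

ETH_8021Q, ETH_MPLS, ETH_PPPOE_SESSION, PPP_CHAP = 0x8100, 0x8847, 0x8864, 0xC223
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2

def strip_to_ppp(frame):
    """Ethernet -> 802.1Q tag(s) -> MPLS label(s) -> PPPoE session; return the PPP payload or None."""
    off = 12                                   # skip destination and source MAC
    while off + 2 <= len(frame):
        ethertype = struct.unpack_from("!H", frame, off)[0]
        off += 2
        if ethertype == ETH_8021Q:             # VLAN tag: 2-byte TCI, then the inner ethertype
            off += 2
        elif ethertype == ETH_MPLS:            # label stack: 4-byte entries until the S bit is set
            while off + 4 <= len(frame):
                off += 4
                if struct.unpack_from("!I", frame, off - 4)[0] & 0x100:   # bottom of stack
                    break
            off += 12  # assumption: EoMPLS pseudowire, no control word, so inner MACs follow
        elif ethertype == ETH_PPPOE_SESSION:   # ver/type, code, session id, payload length
            ver_type, code, _sid, length = struct.unpack_from("!BBHH", frame, off)
            return frame[off + 6:off + 6 + length] if (ver_type, code) == (0x11, 0) else None
        else:
            return None
    return None

def extract_chap(frame):
    """Return (code, identifier, value, name) for a CHAP Challenge/Response frame, else None."""
    if (ppp := strip_to_ppp(frame)) is None or struct.unpack_from("!H", ppp, 0)[0] != PPP_CHAP:
        return None
    code, ident, length = struct.unpack_from("!BBH", ppp, 2)   # CHAP header; length covers the whole packet
    if code not in (CHAP_CHALLENGE, CHAP_RESPONSE):
        return None
    # value-size byte, then the value, then the peer/system name up to the end of the packet
    return code, ident, ppp[7:7 + (n := ppp[6])], ppp[7 + n:2 + length].decode("ascii", "replace")

def chap_response(ident, secret, challenge):
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()   # RFC 1994 response value

def secret_matches(challenge_frame, response_frame, secret):
    """The check the authenticator performs; anyone holding both frames can repeat it offline."""
    chal, resp = extract_chap(challenge_frame), extract_chap(response_frame)
    if not chal or not resp or chal[0] != CHAP_CHALLENGE or resp[0] != CHAP_RESPONSE:
        return None
    return resp[2] == chap_response(resp[1], secret, chal[2])

def build_frame(code, ident, value, name, vlan_id=None):
    """Constructed test frame: Ethernet [+ 802.1Q tag] + PPPoE session + PPP CHAP (MACs zeroed)."""
    chap = struct.pack("!BBH", code, ident, 5 + len(value) + len(name)) + bytes([len(value)]) + value + name
    ppp = struct.pack("!H", PPP_CHAP) + chap
    tag = struct.pack("!HH", ETH_8021Q, vlan_id) if vlan_id is not None else b""
    return bytes(12) + tag + struct.pack("!H", ETH_PPPOE_SESSION) + struct.pack("!BBHH", 0x11, 0, 1, len(ppp)) + ppp
```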
Building is as simple as running make... 😉
There are only two parameters and both are mandatory. You must specify your capture file (original pcap format) with the -c flag and your word list (one word per line) with the -w flag. Here's an example:
```
~/dechap$ ./dechap -w mywords.txt -c someauths.cap
Found password "tangerine" for user [email protected].
Unable to find a password for user [email protected].
Found password "password1" for user [email protected].
Found password "Africa" for user [email protected].
Found password "Frankenstein" for user [email protected].
Found password "s3cr3tk3y" for OSPF host 10.1.1.1 key 1.
Found password "t1nt3rn3t" for TCP from 10.0.0.2 to 10.0.0.1.
~/dechap$
```