Tcpdump
tcpdump is an extremely handy little utility that will "sniff" traffic on a particular network interface, match it against a set of criteria, and then output a summary of it to screen (or a dump of it to a file).
Just tonight, I discovered that while I had login information for an FTP site I hadn't touched in years saved in my Windows FTP client, I didn't remember what that password WAS, and I needed it to give to somebody else. I looked in the data store for the FTP client, but unfortunately the passwords were stored as hashes. Rather than try to figure out the encryption algorithm used and then find a brute force cracker somewhere, I just shelled into my firewall and set up a tcpdump session to capture the packets:
ph34r# tcpdump -pw /home/jimbo/ftpsniff.tcpdump.bin -i xl0 dst port 21
tcpdump: listening on xl0
Now my firewall is monitoring all traffic through its inside interface, and dumping any packets headed out to an FTP server to the file /home/jimbo/ftpsniff.tcpdump.bin. So I fire up my Windows FTP client, connect to the FTP site and let it authenticate, and then immediately hit CTRL-C in ph34r to interrupt the tcpdump session:
ph34r# tcpdump -pw /home/jimbo/ftpsniff.tcpdump.bin -i xl0 dst port 21
tcpdump: listening on xl0
^C
38 packets received by filter
0 packets dropped by kernel
And hex editing the raw tcp dump (I cheated and used UltraEdit on my windows box; I don't have a good hex editor for *nix yet. Anyone got any recommendations?) and searching for PASS led me to this snippet:
PASS V9xo3Pr1
Ta-da! Now I know the password for that FTP site. (Obviously you could use the same technique to find out OTHER people's passwords, if you ran the firewall they used to get out to the 'net... starting to see why the crypto geeks keep yelling about using secure authentication instead of plaintext?)
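For a defender, the same capture file is an audit record of cleartext credential exposure. The following is an added example, not the author's code: it reads a file written with tcpdump -w like the one above, follows each client-to-server FTP command stream and reports USER/PASS pairs, keeping only the password length so the report can be handed to the account owner without re-exposing the secret. The capture it builds in memory is constructed (made-up addresses, a placeholder password), and the names build_sample_pcap, find_cleartext_ftp_logins and tcp_payload, as well as the assumptions of an Ethernet link type, IPv4 and the classic pcap format rather than pcapng, are this example's own.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
FTP_PORT = 21


def _ipv4(addr):
    return ".".join(str(b) for b in addr)


def iter_pcap_packets(data):
    """Yield (timestamp, raw_frame) for each record of a classic pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # little-endian writer, microsecond stamps
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian writer
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    link_type = struct.unpack(order + "I", data[20:24])[0]
    if link_type != 1:  # DLT_EN10MB: assumption for this example
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, sport, dst_ip, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = _ipv4(ip[12:16]), _ipv4(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4  # TCP header length in bytes
    return src, sport, dst, dport, tcp[data_off:]


def find_cleartext_ftp_logins(pcap_bytes):
    """Reassemble client->server FTP command streams (dst port 21) and report USER/PASS pairs.
    Only the password length is recorded, never the password itself."""
    streams = defaultdict(bytes)
    for _ts, frame in iter_pcap_packets(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        if dport == FTP_PORT and payload:
            streams[(src, sport, dst)] += payload
    findings = []
    for (client, _sport, server), stream in streams.items():
        user = None
        for line in stream.split(b"\r\n"):
            cmd, _, arg = line.partition(b" ")
            if cmd.upper() == b"USER":
                user = arg.decode("ascii", "replace")
            elif cmd.upper() == b"PASS":
                findings.append({"client": client, "server": server,
                                 "user": user, "password_length": len(arg)})
    return findings


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; fine for an offline sample)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed sample capture (not real traffic): one FTP login from a LAN client."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [
        _frame("10.0.0.5", "203.0.113.9", 40001, 21, b"USER jimbo\r\n"),
        _frame("203.0.113.9", "10.0.0.5", 21, 40001, b"331 Please specify the password.\r\n"),
        _frame("10.0.0.5", "203.0.113.9", 40001, 21, b"PASS example-secret\r\n"),
    ]
    out = bytearray(hdr)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for f in find_cleartext_ftp_logins(data):
        print(f"{f['client']} -> {f['server']}: user {f['user']!r} sent a "
              f"{f['password_length']}-character password in cleartext")
```

Run it with the path of a tcpdump -w file as its only argument, or with no argument to scan the constructed sample. Because the stream is reassembled per client connection before being scanned, a PASS line split across two segments is still found, which a byte-for-byte search in a hex editor can miss.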