Sniffing for Passwords with Wireshark

Installing the Wireshark Packet Sniffer

What you need for this task:
  • A computer with Internet access. You need administrator privileges.
  • I wrote the instructions with Windows 7
Open a Web browser and go to WireShark.org.

Download and install the latest version of Wireshark. The installer will also install WinPcap, the packet capture driver.

Reboot the machine to load the WinPcap driver.

Note: If you have problems with WinPcap under Windows 10, get the driver from http://www.win10pcap.org/

Starting a Packet Capture


Start Wireshark.

In the Capture menu, select Options.

Make sure your interfaces are in promiscuous mode, so that the network card passes up every frame it receives rather than only those addressed to its own MAC address. Then press Manage Interfaces.

In the Manage Interfaces window, select the interface on which you want to capture traffic.

Back in the main window, double-click the interface to start the capture.

You should see packets being captured and scrolling by, as shown below. Every packet sent from or to your machine is shown here, in far more detail than you usually need.

Sending a password to a test site


Open a Web browser and go to:

http://testphp.acunetix.com/login.php

or

http://testasp.vulnweb.com/Login.asp?RetURL=%2FDefault%2Easp%3F

Enter a Username of YOURNAME@SOMEDOMAIN.LOCAL (using your own name, not the literal string "YOURNAME") and a password like topsecretpassword, as shown below:

Click the "login" button.

The login will fail, but that is not important.

In the Wireshark window, click the red square button to stop the capture.

Finding the password in Wireshark


In the Wireshark window, in the Filter bar, type a display filter that searches for part of the text you entered as the username, as shown below:

frame contains rumos.local

Wireshark lists the HTTP packet containing the text you searched for. In the upper pane, right-click that HTTP packet and click "Follow/TCP Stream", as shown below.

Expand the "Follow TCP Stream" box so that you can see YOURNAME and the topsecretpassword, as shown below.

Conclusion:


When you log in to a plain HTTP website, your credentials are sent in plaintext and can be captured and read by anyone able to sniff the traffic.

Using a secure website


Start another packet capture from Wireshark’s menu bar: click Capture, Start (or click the blue fin button at the top left). A pop-up asks "Do you want to save the captured packets before starting a new capture?" Click "Continue without saving".

In a Web browser, go to http://gmail.com. Notice that you are immediately redirected to https://accounts.google.com. (You can use any HTTPS website; it doesn’t have to be Gmail.)

Enter a valid Gmail account and the same password topsecretpassword, as shown below.

Click the "Sign in" button.

Gmail will reject the credentials, just like the other website did.

In the Wireshark window, click Capture/Stop.
Searching for the password in Wireshark


In the Wireshark menu, click Edit/Find Packet.

In the "Wireshark: Find Packet" box, click the String button.

Enter a search string of secret, as shown below.

In the "Search In" section, click "Packet bytes". Click Find.

A message appears briefly in the status bar at the bottom of the Wireshark window, saying "No packet contained that string", as shown below. This means the password text cannot be found in any of the captured packets because the information exchange with Gmail’s website was properly encrypted.

Conclusion:

When you log in to a secure (HTTPS) website, your credentials are encrypted by the SSL/TLS protocol. Although the packet sniffer still captures the traffic, it is virtually impossible to read the content of the encrypted exchange with the site.
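
As an added example that is not part of the original post, the following Python script does in code what the two captures above showed in Wireshark: a "frame contains" style search over a constructed plain-HTTP login stream finds the credential and identifies which form field leaked it, while the same search over a constructed TLS application-data record finds nothing. The host, path, credential values and TLS bytes are all constructed for the example, and the checker reports field names rather than values, as a monitoring rule would.

```python
from urllib.parse import parse_qs

# Constructed reassembled TCP stream of a plain-HTTP login POST, i.e. what
# "Follow TCP Stream" shows. Host, path and the credential values are made up.
HTTP_LOGIN_STREAM = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: testphp.acunetix.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 50\r\n\r\n"
    b"uname=alice%40example.local&pass=topsecretpassword"
)
# Constructed TLS 1.2 application-data record: type 0x17, version 0x0303,
# 2-byte length, then 32 opaque bytes standing in for the ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))
# Field names that usually carry a secret; the monitor alerts on names only.
CREDENTIAL_FIELD_HINTS = ("pass", "pwd", "password", "secret")


def frame_contains(payload: bytes, needle: str) -> bool:
    """Same test as the Wireshark display filter 'frame contains <needle>'."""
    return needle.encode() in payload


def looks_like_tls_record(payload: bytes) -> bool:
    """True if the bytes start with a TLS record header (type 20-23, major version 3)."""
    return len(payload) >= 5 and payload[0] in (20, 21, 22, 23) and payload[1] == 3


def cleartext_credential_fields(stream: bytes) -> dict:
    """Parse a reassembled HTTP request; if it is a form POST carrying a
    password-like field, report where it went and which field names leaked.
    Values are deliberately not returned: a monitor should alert, not collect."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        return {}  # no HTTP header block (e.g. a TLS record): nothing readable
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 3 or parts[0] != "POST":
        return {}
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    if "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    leaked = [f for f in fields if any(h in f.lower() for h in CREDENTIAL_FIELD_HINTS)]
    return {"host": headers.get("host", "?"), "path": parts[1], "fields": leaked} if leaked else {}


if __name__ == "__main__":
    for name, data in (("plain HTTP", HTTP_LOGIN_STREAM), ("TLS", TLS_RECORD)):
        print(name, frame_contains(data, "secret"), looks_like_tls_record(data),
              cleartext_credential_fields(data))
```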