Wednesday, September 28, 2011

Sniffing credentials and images with Wireshark

In this post I will demonstrate one way to sniff weak user credentials, as well as the images a user viewed in their browser. The setup is an Apache web server serving a basic site whose restricted area requires users to authenticate. Authentication is done with Apache's AuthType Basic method (HTTP Basic authentication).

With Wireshark running on the web server, we access the site from another machine on the network and are presented with the basic login prompt; its exact appearance depends on which browser you use.

As you can see, the user enters his username and password to request access to the protected area of the site.

Once the request is sent, Apache authenticates the user and directs him to the protected area of the site. If we take a quick look at the corresponding packet in Wireshark, we can see that the credentials are sent across the network in clear text: Basic authentication only base64-encodes the username and password, which is an encoding rather than encryption, and Wireshark decodes it for you.

Now that we have acquired the user's credentials, let's look at what he did while he was on the site. If you see that the user has requested and viewed images from the web server, Wireshark is able to export those as well.

Click File, then Export Objects, and then HTTP.

Wireshark will take any objects it has reassembled from the HTTP stream and allow you to save them to disk. It can save images, documents, executables, and anything else that can be sent over HTTP.
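
The two things the screenshots show, reading the Basic credentials out of the request and pulling the image out of the response, can be reproduced in a few lines once the TCP stream has been reassembled. The following is an added example, not code from the original post or from the Wireshark project. It runs over a constructed HTTP exchange (the host name, account, password and image bytes are all made up), decodes the Authorization header the way Wireshark's HTTP dissector does, builds the password-free alert record a defender would want from a network sensor, and extracts the response body the way File > Export Objects > HTTP does.

```python
import base64
import binascii
import re

# Constructed sample exchange (not a real capture): the browser's request
# for an image in the protected area, carrying HTTP Basic credentials ...
SAMPLE_REQUEST = (
    b"GET /restricted/logo.png HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Summer2011") + b"\r\n"
    b"User-Agent: constructed-browser/1.0\r\n"
    b"\r\n"
)

# ... and the server's 200 response whose body is a fake PNG (the PNG
# signature plus filler bytes, not a decodable image).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/png\r\n"
    b"Content-Length: " + str(len(FAKE_PNG)).encode() + b"\r\n"
    b"\r\n" + FAKE_PNG
)


def split_message(raw: bytes):
    """Split one raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")  # split on the first colon only
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def find_basic_credentials(raw_request: bytes):
    """Return (username, password) if the request carries HTTP Basic auth, else None.

    Basic auth is base64 encoding, not encryption: anyone who can read the
    TCP stream recovers the credentials exactly as these few lines do.
    """
    _, headers, _ = split_message(raw_request)
    m = re.fullmatch(r"Basic\s+([A-Za-z0-9+/=]+)", headers.get("authorization", ""))
    if m is None:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # malformed base64: not a usable Basic credential
    user, _, password = decoded.partition(":")
    return user, password


def alert_for_request(raw_request: bytes):
    """Defender's view: describe a cleartext Basic-auth login for an alert.

    Only the account name is recorded; the password is deliberately left out
    so the alert itself does not become another copy of the secret.
    """
    creds = find_basic_credentials(raw_request)
    if creds is None:
        return None
    request_line, headers, _ = split_message(raw_request)
    method, path = request_line.split()[:2]
    return {"host": headers.get("host", "?"), "method": method, "path": path, "user": creds[0]}


def export_object(raw_response: bytes):
    """Hand-rolled version of File > Export Objects > HTTP for one response:
    return (content type, body bytes), using Content-Length to bound the body."""
    _, headers, body = split_message(raw_response)
    length = int(headers.get("content-length", len(body)))
    return headers.get("content-type", "application/octet-stream"), body[:length]


if __name__ == "__main__":
    print("alert:", alert_for_request(SAMPLE_REQUEST))
    ctype, data = export_object(SAMPLE_RESPONSE)
    print(f"exported {len(data)} bytes of {ctype}, starting with {data[:8]!r}")
```

The alert record is what a sensor on the web server's segment should emit: it identifies the host, path and account so the owner can be told to rotate the password and move the site to HTTPS, without the sensor's own logs becoming a second place the password lives.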

Wireshark is definitely a powerful tool, and this post does not even scratch the surface of what it can do. For more of its functionality, check out the Wireshark User's Guide: http://www.wireshark.org/docs/wsug_html/

As you can see, sniffing is a powerful attack vector, especially when credentials are not even encrypted as they pass across the network. The moral of the story is: when dealing with sensitive information, make sure you are using a reliable, encrypted method of communication such as SSL/TLS (HTTPS). You never know who could be on your network.