
Website Password Hacking Using Wireshark

Did you know that every time you fill in your username and password on a website and press ENTER, you are sending your password? Well, of course you know that. How else are you going to authenticate yourself to the website? But (yes, there's a small BUT here), when a website allows you to authenticate using HTTP (plain text), it is very simple to capture that traffic and later analyze it from any machine over a LAN (and even the Internet). That brings us to this website password hacking guide, which works on any site that uses the HTTP protocol for authentication. To do it over the Internet, you need to be able to sit on a gateway or central hub (BGP routers would do, if you get access and the traffic is routed via them).


But doing it from a LAN is easy, and at the same time it makes you wonder how insecure HTTP really is. You could be doing it to your roommate, work network or even school, college or university network, assuming the network allows broadcast traffic and your LAN card can be set to promiscuous mode.


So let's try this on a simple website. I will hide part of the website name (just for the fact that they are nice people and I respect their privacy). For the sake of this guide, I will just demonstrate everything done on a single machine. As for you, try it between two VirtualBox/VMware/physical machines.


P.S. Note that some routers don't broadcast traffic, so it might fail for those particular ones.


Step 1: Start Wireshark and capture traffic


In Kali Linux you can start Wireshark by going to


Application > Kali Linux > Top 10 Security Tools > Wireshark


In Wireshark go to Capture > Interface and tick the interface that applies to you. In my case, I am using a wireless USB card, so I've selected wlan0.




Ideally you could just press the Start button here and Wireshark will start capturing traffic. In case you missed this, you can always capture traffic by going back to Capture > Interface > Start




Step 2: Filter captured traffic for POST data


At this point Wireshark is listening to all network traffic and capturing it. I opened a browser and signed in to a website using my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.


Usually you see a lot of data in Wireshark. However, we are only interested in POST data.


Why POST only?


Because when you type in your username and password and press the Login button, it generates a POST method (in short, you're sending data to the remote server).


To filter all traffic and locate POST data, type the following in the filter section


http.request.method == "POST"


See screenshot below. It is showing 1 POST event.





Step 3: Analyze POST data for username and password


Now right click on that line and select Follow TCP Stream




This will open a new window that contains something like this:


HTTP/1.1 302 Found 
Date: Mon, 10 Nov 2014 23:52:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

I've highlighted the username and password fields.


So in this case,



  1. username: sampleuser

  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91


But hang on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can't be a real password. It must be a hash value.


Note that some websites don't hash passwords at all, even during sign-on. For those, you've already got the username and password. In this case, let's go a bit further and identify this hash value.


Step 4: Identify hash type


I will use hash-identifier to find out which type of hash that is. Open a terminal, type in hash-identifier and paste the hash value. hash-identifier will give you possible matches.


See screenshot below:




Now one thing is for sure: we know it's not a Domain Cached Credential. So it must be an MD5 hash value.


I can crack that using hashcat or cudahashcat. There's an extensive guide on how to do that here.



Step 5: Cracking MD5 hashed password


I can easily crack this simple password using hashcat or similar software.


root@kali: # hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali: # cudahashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali: # cudahashcat32 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali: # cudahashcat64 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

Because this was a simple password that existed in my password list, hashcat cracked it very easily.


Cracking password hashes





Our final result looks like this:



  1. username: sampleuser

  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword


Conclusion


Well, to be honest, it's not possible for every website owner to implement SSL to secure passwords; some SSL certificates cost up to $1500 per URL (well, you can get $10 ones too, but I personally never used those so I can't really comment). But the least website owners (public ones where anyone can register) should do is implement hashing during login procedures. That way, at least the password is hashed, and that adds one more hurdle for someone trying to hack a website password easily. Actually, it's a big one, as SSL encryption (theoretically) can take 100+ years even with the best supercomputer of today.
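
For site owners, the response captured in Step 3 shows what to look for: credential-bearing cookies set without the Secure and HttpOnly attributes. The following check is an added example, not part of the original guide; the function names and the list of sensitive cookie-name fragments are assumptions, and the sample input is constructed from the headers shown in Step 3.

```python
import re

# Cookie-name fragments treated as credential-bearing (assumed list for this example).
SENSITIVE_NAMES = re.compile(r"(pass|pwd|user|login|auth|token|sess)", re.I)
# 32/40/64 hex characters: the shape of an MD5/SHA-1/SHA-256 hex digest.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

# Constructed sample: a subset of the response headers shown in Step 3.
SAMPLE_RESPONSE = """\
HTTP/1.1 302 Found
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, lower-cased attribute dict)."""
    name_value, *rest = [p.strip() for p in value.split(";")]
    name, _, val = name_value.partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in rest if p)}
    return name.strip(), val.strip(), attrs


def audit_response(raw_headers):
    """Return (cookie_name, finding) pairs for credential-like cookies."""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, val, attrs = parse_set_cookie(value)
        looks_hashed = bool(HEX_DIGEST.match(val))
        if not (SENSITIVE_NAMES.search(name) or looks_hashed):
            continue
        if looks_hashed:
            findings.append((name, "value looks like a hex hash digest"))
        for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
            if attr not in attrs:
                findings.append((name, f"missing {label} attribute"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_response(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
```
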


Enjoy and use this guide responsibly. Please share and RT. Thanks.

