Many users do not realize that by filling out a login and password when registering or authorizing on a closed Internet resource and pressing ENTER, this data can easily be intercepted. Very often they are transmitted over the network in an unsecured form. Therefore, if the site you are trying to log into uses the HTTP protocol, then it is very easy to capture this traffic, analyze it using Wireshark, and then use special filters and programs to find and decrypt the password.
The best place to intercept passwords is the core of the network, where the traffic of all users goes to closed resources (for example, mail) or in front of the router to access the Internet, when registering on external resources. We set up a mirror and we are ready to feel like a hacker.
Step 1. Install and launch Wireshark to capture traffic
Sometimes, to do this, it is enough to select only the interface through which we plan to capture traffic and click the Start button. In our case, we are capturing over a wireless network.
Traffic capture has begun.
Step 2. Filtering captured POST traffic
We open the browser and try to log in to some resource using a username and password. Once the authorization process is complete and the site is opened, we stop capturing traffic in Wireshark. Next, open the protocol analyzer and see a large number of packets. This is where most IT professionals give up because they don't know what to do next. But we know and are interested in specific packages that contain POST data that is generated on our local machine when filling out a form on the screen and sent to remote server when you click the “Login” or “Authorization” button in the browser.
We enter a special filter in the window to display captured packets: http.request.method == “POST"
And we see, instead of thousands of packages, only one with the data we are looking for.
Step 3. Find the user's login and password
Quickly right-click and select the item from the menu Follow TCP Steam
After this, text will appear in a new window that restores the contents of the page in code. Let's find the fields “password” and “user”, which correspond to the password and username. In some cases, both fields will be easily readable and not even encrypted, but if we are trying to capture traffic when accessing very well-known resources such as Mail.ru, Facebook, VKontakte, etc., then the password will be encrypted:
HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: password= ; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Thus, in our case:
Username: networkguru
Password:
Step 4. Determine the encoding type to decrypt the password
For example, go to the website http://www.onlinehashcrack.com/hash-identification.php#res and enter our password in the identification window. I was given a list of encoding protocols in order of priority:
Step 5. Decrypting the user password
At this stage we can use the hashcat utility:
~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
At the output we received a decrypted password: simplepassword
Thus, with the help of Wireshark we can not only solve problems in the operation of applications and services, but also try ourselves as a hacker, intercepting passwords that users enter in web forms. You can also find out passwords for mailboxes users using simple filters to display:
- The POP protocol and filter looks like this: pop.request.command == "USER" || pop.request.command == "PASS"
- IMAP protocol and the filter will be: imap.request contains "login"
- The protocol is SMTP and you will need to enter the following filter: smtp.req.command == "AUTH"
and more serious utilities for decrypting the encoding protocol.
Step 6: What if the traffic is encrypted and uses HTTPS?
There are several options to answer this question.
Option 1. Connect when the connection between the user and the server is broken and capture traffic at the moment the connection is established (SSL Handshake). When a connection is established, the session key can be intercepted.
Option 2: You can decrypt HTTPS traffic using the session key log file recorded by Firefox or Chrome. To do this, the browser must be configured to write these encryption keys to a log file (FireFox based example) and you should receive that log file. Essentially, you need to steal the session key file from hard drive another user (which is illegal). Well, then capture the traffic and use the resulting key to decrypt it.
Clarification. We're talking about the web browser of a person whose password they're trying to steal. If we mean decrypting our own HTTPS traffic and want to practice, then this strategy will work. If you are trying to decrypt the HTTPS traffic of other users without access to their computers, this will not work - that is both encryption and privacy.
After receiving the keys according to option 1 or 2, you need to register them in WireShark:
- Go to the menu Edit - Preferences - Protocols - SSL.
- Set the flag “Reassemble SSL records spanning multiple TCP segments”.
- “RSA keys list” and click Edit.
- Enter the data in all fields and write the path in the file with the key
Wireshark is a powerful network analyzer that can be used to analyze traffic passing through network interface your computer. You may need it to detect and solve network problems, debug your web applications, network programs or sites. Wireshark allows you to fully view the contents of a packet at all levels, so you can better understand how the network works at a low level.
All packets are captured in real time and provided in an easy-to-read format. The program supports very powerful system filtering, color highlighting, and other features that will help you find the packages you need. In this tutorial, we'll look at how to use Wireshark to analyze traffic. Recently, the developers began working on the second branch of the Wireshark 2.0 program, many changes and improvements were made to it, especially for the interface. This is what we will use in this article.
Before moving on to considering ways to analyze traffic, you need to consider what features the program supports in more detail, what protocols it can work with and what it can do. Here are the main features of the program:
- Capture packets in real time from wired or any other type of network interfaces, as well as read from a file;
- The following capture interfaces are supported: Ethernet, IEEE 802.11, PPP and local virtual interfaces;
- Packets can be filtered based on many parameters using filters;
- All known protocols are highlighted in the list in different colors, for example TCP, HTTP, FTP, DNS, ICMP and so on;
- Support for capturing VoIP call traffic;
- Decryption of HTTPS traffic is supported if a certificate is available;
- Decryption of WEP and WPA traffic wireless networks with a key and handshake;
- Displaying network load statistics;
- View package contents for all network layers;
- Displays the time of sending and receiving packages.
The program has many other features, but these were the main ones that might interest you.
How to use Wireshark
I assume that you already have the program installed, but if not, you can install it from the official repositories. To do this, type the command in Ubuntu:
sudo apt install wireshark
After installation, you can find the program in the main menu of the distribution. You need to run Wireshark with superuser rights, because otherwise it will not be able to analyze network packets. This can be done from the main menu or via the terminal using the command for KDE:
And for Gnome/Unity:
The main window of the program is divided into three parts: the first column contains a list of network interfaces available for analysis, the second - options for opening files, and the third - help.
Network traffic analysis
To start analysis, select a network interface, for example eth0, and click the button Start.
After this, the following window will open, already with a stream of packets that pass through the interface. This window is also divided into several parts:
- Top part- these are menus and panels with various buttons;
- List of packages- then the flow of network packets that you will analyze is displayed;
- Package Contents- just below is the contents of the selected package, it is divided into categories depending on the transport level;
- Real performance- at the very bottom the contents of the package are displayed in real form, as well as in HEX form.
You can click on any package to analyze its contents:
Here we see a DNS request packet to get the site's IP address, in the request itself the domain is sent, and in the response packet we receive our question as well as the answer.
For more convenient viewing, you can open the package in a new window by double-clicking on the entry:
Wireshark filters
Manually going through packages to find the ones you need is very inconvenient, especially with an active thread. Therefore, for this task it is better to use filters. There is a special line under the menu for entering filters. You can click Expression to open the filter designer, but there are a lot of them, so we’ll look at the most basic ones:
- ip.dst- target IP address;
- ip.src- sender's IP address;
- ip.addr- IP of the sender or recipient;
- ip.proto- protocol;
- tcp.dstport- port of destination;
- tcp.srcport- sender port;
- ip.ttl- TTL filter, determines the network distance;
- http.request_uri- the requested site address.
To specify the relationship between a field and a value in a filter, you can use the following operators:
- == - equals;
- != - not equal;
- < - less;
- > - more;
- <= - less or equal;
- >= - more or equal;
- matches- regular expression;
- contains- contains.
To combine multiple expressions you can use:
- && - both expressions must be true for the package;
- || - one of the expressions may be true.
Now let's take a closer look at several filters using examples and try to understand all the signs of relationships.
First, let's filter all packets sent to 194.67.215.. Type a string in the filter field and click Apply. For convenience, Wireshark filters can be saved using the button Save:
ip.dst == 194.67.215.125
And in order to receive not only sent packets, but also those received in response from this node, you can combine two conditions:
ip.dst == 194.67.215.125 || ip.src == 194.67.215.125
We can also select transferred large files:
http.content_length > 5000
By filtering the Content-Type, we can select all the pictures that have been uploaded; Let's analyze Wireshark traffic, packets that contain the word image:
http.content_type contains image
To clear the filter, you can press the button Clear. It happens that you do not always know all the information necessary for filtering, but just want to explore the network. You can add any field of a package as a column and view its contents in the general window for each package.
For example, I want to display the TTL (time to live) of a packet as a column. To do this, open the package information, find this field in the IP section. Then call context menu and select the option Apply As Column:
In the same way, you can create a filter based on any desired field. Select it and bring up the context menu, then click Apply as filter or Prepare as filter, then select Selected to display only the selected values, or Not selected to remove them:
The specified field and its value will be applied or, in the second case, inserted into the filter field:
In this way, you can add a field of any package or column to the filter. There is also this option in the context menu. To filter protocols, you can use more simple conditions. For example, let's analyze Wireshark traffic for the HTTP and DNS protocols:
Another interesting feature of the program is the use of Wireshark to track a specific session between the user's computer and the server. To do this, open the context menu for the package and select Follow TCP stream.
A window will then open in which you will find all the data transferred between the server and the client:
Diagnosing Wireshark problems
You may be wondering how to use Wireshark 2.0 to detect problems on your network. To do this, there is a round button in the lower left corner of the window; when you click on it, a window opens Expet Tools. In it, Wireshark collects all error messages and network problems:
The window is divided into tabs such as Errors, Warnings, Notices, Chats. The program can filter and find many network problems, and here you can see them very quickly. Wireshark filters are also supported here.
Wireshark traffic analysis
You can very easily understand what users downloaded and what files they viewed if the connection was not encrypted. The program does a very good job of extracting content.
To do this, you first need to stop traffic capture using the red square on the panel. Then open the menu File -> Export Objects -> HTTP:
On decryption and analysis of data transmitted in networks of telecom operators in real time. The departments are currently studying possible technical solutions to implement this proposal.
One of the decryption options being discussed is to install equipment on operator networks capable of performing a MITM attack (Man in the Middle). To analyze unencrypted and already decrypted traffic, it is proposed to use DPI systems, which are already used by telecom corporations to filter prohibited sites.
Literally immediately after this information appeared, the initiative was criticized by the Internet community. In particular, the “profile” ombudsman in a conversation with a radio station "Moscow speaks" called decryption of user traffic unacceptable.
Founder of the Internet Defense Society in his Facebook account analyzed in detail the methods proposed by the authorities.
“MITM is a type of hacker attack that involves attacker P inserting himself into an encrypted channel between subscribers A and B, and when A and B think they are encrypting messages to each other, they are actually encrypting them all to P. which opens messages, then re-encrypts them and sends them on,” the expert explained.
The problem for performing this task, as Volkov writes, is the fact that for the Internet used software an attempt to spoof a certificate to re-encrypt content looks like fraud. When operating system or the browser detects that a fake certificate is presented, they will immediately block it.
In a conversation with Gazeta.Ru, Volkov noted that the departments’ fresh initiative looks more realistic than complete data storage, but “is still far from being feasible right here and now.”
In turn, the leading virus analyst at ESET Russia believes that from a technical point of view, the proposals of the FSB, the Ministry of Telecom and Mass Communications and the Ministry of Industry and Trade are real. “So far, initiatives are limited to analyzing unencrypted traffic and collecting basic information about users. The new proposal may require providers and users to install a special digital certificate to analyze encrypted traffic, for example HTTPS,” he told Gazeta.Ru.
Encrypted Aliens
The director of the information and analytical agency TelecomDaily told Gazeta.Ru that decrypting traffic is not an easy process. “The ministries that take on this task do not fully understand that they may not be able to cope with this,” he added.
The analyst noted that the issue of the activities of foreign companies responsible for user communications is still unresolved. First of all, we are talking about messengers with end-to-end encryption.
“I don’t see any changes in terms of working with organizations that, from a legal point of view, are not in Russia. But it’s easier with our companies; you can always put pressure on them,” Kuskov noted.
In addition to telecom operators, the anti-terrorism package of amendments talks about the so-called organizers of information dissemination. Since 2014, Russian legislation has provided for them their own register, which is maintained by .
Currently, the list includes about 70 items. Among them social media"VKontakte", "Odnoklassniki", "My Circle", and "Rambler", storage facilities "Yandex.Disk", "[email protected]", portals "Khakhbrahabr". “Roem”, dating site “Mamba”, video service RuTube, blog platform LiveInternet, image board “Dvach” and others.
During the entire period of its operation, not a single foreign portal or messenger was included in the register.
“If such plans of the authorities begin to be implemented, then the appearance of messengers containing additional protection from MITM attacks. For example, mixing a secret key into encryption and distributing it between subscribers. Simply put, the password that the participants in the correspondence agree on,” the director of the security division of the Softline group of companies told Gazeta.Ru.
How to break HTTPS
A well-known encryption method is not only end-to-end, but also HTTPS, a secure protocol used by websites.
At the same time, later, talking with "Swarming", head of the Information Democracy Foundation, which deals with issues of IT independence of the Runet within the Islamic Republic of Iran, called such an idea “nonsense.”
Kuskov, in a conversation with Gazeta.Ru, also called a possible step towards complete import substitution unlikely.
“Cellular communications are currently 100% imported. These are not just base stations, but a hardware and software complex. At the moment, it is impossible to replace all this.
Until a serious step is taken from the Ministry of Telecom and Mass Communications and the Ministry of Industry and Trade, nothing good is expected in this direction. I don’t see real actions that would allow us to say that Russia can switch to domestic equipment in the near future,” the telecom expert concluded.
Operators mobile communications declined to comment. The Ministry of Telecom and Mass Communications did not respond to Gazeta.Ru’s request.
HTTP compression, which is used by most sites to reduce the size of data transferred, can become a serious security risk if the site uses HTTPS. This was stated by security experts Dimitris Karakostas and Dionysis Zindros. Researchers managed to improve the exploitation of a long-known flaw that allows speeding up the decryption of HTTPS traffic, and used an attack against block ciphers in an SSL/TLS connection.
The attack, called BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), exploits flaws in the gzip/DEFLATE compression algorithm. The attack first became known back in 2013. At the Black Hat USA conference, researchers Angelo Prado, Neal Harris, and Yoel Gluck talked about attacks on SSL/TLS stream ciphers such as RC4.
Demonstration of a new approach to operation implemented in an open-source framework source code Rupture, presented at Black Hat Asia last week.
During the report, experts demonstrated two successful attacks on Gmail and Facebook chat.
To carry out a BREACH attack, the attacker must be able to intercept the victim's network traffic. This can be done through Wi-Fi networks, or through access to the equipment of the Internet provider. The attacker would also need to discover a vulnerable part of the application that accepts input via parameter URLs and returns that data in an encrypted response.
In the case of Gmail, such an application turned out to be a search on the site for mobile devices. If search query carried out on behalf of an authorized user, an authentication token is also attached to the response. This token will be encrypted inside the response. However, each time the search string matches part of the token, the size of the response to the client will be smaller, since identical strings in the response will be compressed.
An attacker could force the client application to send a large number of requests and thus guess all the characters in the authentication token.
The Rupture framework allows you to inject special code into each unencrypted HTTP request, opened by browser victims. The injected code causes the client browser to make connections to the vulnerable HTTPS application in background. This is required to carry out a successful attack on block ciphers, which create a lot of “noise” when encrypting data. To eliminate garbage, the researchers sent the same requests several times in a row and analyzed the difference in the size of the responses received. The experts also managed to use parallelization on the browser side, which significantly speeded up the attack against block ciphers in TLS connections.
