Author Topic: Started Using Wireshark  (Read 3290 times)


Offline Yitura

  • /dev/null
  • Posts: 8
  • Cookies: 0
  • Novice Programmer
Started Using Wireshark
« on: September 15, 2012, 06:07:41 am »
Hello!  :)  I recently started using Wireshark after looking at the tutorial.

I figured I would start small, so I tried to find my own username and password when I logged into this website.  I found the username very easily, but the password was nowhere to be found.  I'm a super-noob, but I am assuming that it's encrypted.  I see a long string of alphanumeric characters where I think my password should be.

Essentially, is there any way I can easily find my password using Wireshark?  Or, have I just missed something right in front of me? Thanks in advance.
If you fear death, you will not truly live.  If you fear failure, you will never succeed.  If you fear spiders, that's completely normal -- don't worry about it.

Offline RedBullAddicted

  • Moderator
  • Sir
  • Posts: 519
  • Cookies: 189
Re: Started Using Wireshark
« Reply #1 on: September 15, 2012, 08:13:32 am »
Hi Yitura,

Your password is transmitted using the POST method. So you need to search for the HTTP packet with POST in the info field.

POST /login2/ HTTP 1.1 ...

Have a look at the packet and you will find line-based text data: application/x-www-form-urlencoded.
You can see your username and a hashed password. I guess it's MD5.

A way to easily find your password? You need to know how the protocol you are looking at is working. For HTTP login you can always search for POST data.
Deep into that darkness peering, long I stood there, wondering, fearing, doubting, dreaming dreams no mortal ever dared to dream before. - Edgar Allan Poe

Offline Nexus

  • Serf
  • Posts: 24
  • Cookies: 9
Re: Started Using Wireshark
« Reply #2 on: September 15, 2012, 11:11:25 am »
Wireshark, like any packet sniffer, shows you everything on the network that passes your network card, which means a good tip is learning to use filters. For example, if you are using it to look at your EZ web session, simply put "http" into the filter box and hit return. Once you have identified a request that you want to look at, right click the packet and select "Follow TCP stream". This then shows you another window with all the requests in an easy to read form.

Offline Yitura

  • /dev/null
  • Posts: 8
  • Cookies: 0
  • Novice Programmer
Re: Started Using Wireshark
« Reply #3 on: September 15, 2012, 08:23:16 pm »
Wireshark, like any packet sniffer, shows you everything on the network that passes your network card, which means a good tip is learning to use filters. For example, if you are using it to look at your EZ web session, simply put "http" into the filter box and hit return. Once you have identified a request that you want to look at, right click the packet and select "Follow TCP stream". This then shows you another window with all the requests in an easy to read form.

I already knew what RedBullAddicted told me from the tutorial.  However, I didn't realize I could do what you said, Nexus.  Thank you both for trying to help.

But, my main question is still unanswered.  I know where to find the password and username, but the password just isn't there.  I think, if you guys attempted to do this to yourself, you would realize what I mean.  Hopefully someone can get back to me on this.  :D

Offline Nexus

  • Serf
  • Posts: 24
  • Cookies: 9
Re: Started Using Wireshark
« Reply #4 on: September 15, 2012, 08:39:04 pm »
The password won't be there in clear-text in a form that you can read; it will be hashed in some way and maybe embedded into a session cookie. The hashing type varies from forum software to forum software but will typically be something like sha1($salt.$password) or md5(md5($salt.$password)).

Edit: In this case look at Cookie:DarkEvilCookie=
« Last Edit: September 15, 2012, 08:43:24 pm by Nexus »

Offline Yitura

  • /dev/null
  • Posts: 8
  • Cookies: 0
  • Novice Programmer
Re: Started Using Wireshark
« Reply #5 on: September 15, 2012, 08:49:32 pm »
Alright, I will take a look at that.  Thank you so much for your help. ;D

EDIT:  I see it.  What exactly do I do with it?
« Last Edit: September 15, 2012, 08:54:13 pm by Yitura »

Z3R0

  • Guest
Re: Started Using Wireshark
« Reply #6 on: September 16, 2012, 12:08:39 am »
The password won't be there in clear-text in a form that you can read; it will be hashed in some way and maybe embedded into a session cookie.
It may be in a cookie, but it most likely won't be hashed per se. The hashing itself usually takes place at the server, not the client. @OP, if you do not use the auto-sign on feature, and you manually login, your username and password will be somewhere within the stream of those packets. As stated before, look for packets that have a "HTTP/POST" header.
« Last Edit: September 16, 2012, 07:44:49 pm by m0rph »

Offline Nexus

  • Serf
  • Posts: 24
  • Cookies: 9
Re: Started Using Wireshark
« Reply #7 on: September 16, 2012, 12:43:13 am »
If you logout and then login again, you will see the following POST request:

Code:
Request URL:http://evilzone.org/login2/
Request Method:POST
Status Code:302 Found
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset:ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8,en-GB;q=0.6
Cache-Control:max-age=0
Connection:keep-alive
Content-Length:72
Content-Type:application/x-www-form-urlencoded
Cookie:PHPSESSID=[..]
Origin:http://evilzone.org
Referer:http://evilzone.org/index.php
User-Agent:Bond, J

user:[your username]
passwrd:[your password]
cookielength:-1
hash_passwrd:

I thought the cookie hash was related, as it allows the "Login Forever" option, but I don't code web forums and they do tend to vary a lot.

Offline Yitura

  • /dev/null
  • Posts: 8
  • Cookies: 0
  • Novice Programmer
Re: Started Using Wireshark
« Reply #8 on: September 16, 2012, 12:56:06 am »

Here is what I am getting:
Code:
POST /login2/ HTTP/1.1
Host: evilzone.org
Connection: keep-alive
Content-Length: 90
Cache-Control: max-age=0
...
... (((Edited stuff out here)))
...

user=Yitura&passwrd=&cookielength=-1&hash_passwrd=

Offline ande

  • Owner
  • Titan
  • Posts: 2664
  • Cookies: 256
Re: Started Using Wireshark
« Reply #9 on: September 16, 2012, 07:24:26 pm »
Depending on your browser and settings, you will either see an MD5 hashed password or the plain-text password.

Most login systems, including this forum, use sessions to keep track of their users. That would be the PHPSESSID/DarkEvilCookie cookie. The session is used as a token: if you have a valid token that matches the token value of an account in the database, you must be the owner of the account.

When you log into your account, your password will be hashed by JavaScript (before it is sent to the server), that is, if your browser supports it; else it will be sent in plain-text.
Then the server looks at the username and password and matches them up with the database. If a user is found with the given username and password, the server will give you a session cookie (the token) and recognize you the next time you load a page.

When you log out, the token/session is destroyed.


So, to answer your first question directly: the 32-character-long string at the password's location in the HTTP POST packet in Wireshark is the MD5 hashed version of your password. If you want to read it/find it in plain-text, you have to disable JavaScript when you log in.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true
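A way to check a captured request for what the last two replies describe, as an added example that is not code from the thread or from the forum software: it parses a raw HTTP POST like the one Nexus pasted and reports whether the passwrd field went out in cleartext or only a 32-character hash_passwrd digest was sent. The field names are the ones shown in the thread; the sample requests, usernames and the placeholder digest are constructed.

```python
import hashlib
import re
from urllib.parse import parse_qs

HEX32 = re.compile(r"^[0-9a-f]{32}$")  # shape of the MD5 digest ande describes


def parse_http_request(raw: str) -> tuple:
    """Split a raw HTTP/1.x request into (request line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_login_post(raw: str) -> str:
    """'cleartext' if passwrd is filled in (JavaScript hashing was off),
    'client-hashed' if passwrd is blank and hash_passwrd holds a 32-hex
    digest, 'no-credential' for a form POST with neither, 'not-a-login'
    for anything that is not a form-urlencoded POST."""
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST ") or \
            "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return "not-a-login"
    fields = parse_qs(body, keep_blank_values=True)
    password = fields.get("passwrd", [""])[0]
    digest = fields.get("hash_passwrd", [""])[0]
    if password:
        return "cleartext"
    if HEX32.match(digest):
        return "client-hashed"
    return "no-credential"


def build_post(body: str) -> str:
    """Wrap a form body in the headers seen in the thread (constructed sample)."""
    return ("POST /login2/ HTTP/1.1\r\nHost: evilzone.org\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed samples. Without JavaScript the browser sends the password itself;
# with it, passwrd is blank and hash_passwrd carries a digest. hashlib.md5 only
# supplies a placeholder 32-hex value here, not the forum's real hashing scheme.
CLEARTEXT_POST = build_post("user=alice&passwrd=hunter2&cookielength=-1&hash_passwrd=")
HASHED_POST = build_post("user=alice&passwrd=&cookielength=-1&hash_passwrd="
                         + hashlib.md5(b"hunter2").hexdigest())
```

Run `classify_login_post` over each POST pulled from a capture; a "cleartext" result on a plain-HTTP login is the finding worth reporting, since anyone on the path saw the password.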

Offline Yitura

  • /dev/null
  • Posts: 8
  • Cookies: 0
  • Novice Programmer
Re: Started Using Wireshark
« Reply #10 on: September 16, 2012, 09:26:16 pm »
...

So, to answer your first question directly: the 32-character-long string at the password's location in the HTTP POST packet in Wireshark is the MD5 hashed version of your password. If you want to read it/find it in plain-text, you have to disable JavaScript when you log in.

That was extremely informative, and it answered exactly what I wanted to know.  Thank you all so much for sharing your knowledge.
« Last Edit: September 16, 2012, 09:27:13 pm by Yitura »