Project 17: Sniffing Passwords with Wireshark (20 pts.)

What You Need

A Linux machine, configured to be an HTTPS Web server, which you made in the previous project.
A Windows machine with Wireshark, such as the Server 2008 machine you got in class.

Finding the Server's IP Address

On your Linux server, in a Terminal window, execute this command:

ifconfig

Find your server's IP address and make a note of it.

Viewing the HTTPS Page

On your Windows machine, open Firefox.

Enter this URL, replacing the IP address with the correct address of your Linux server. Then press Enter:

https://192.168.119.190

A warning page appears, saying "This Connection is Untrusted". That's happening because your SSL certificate is self-signed, rather than purchased from a real Certificate Authority like Verisign.

Click "I Understand the Risks".

Click the "Add Exception" button.

Click the "Confirm Security Exception" button.

Your secure web page opens, as shown below:

Adding an HTTP Login Form to the Web Server

On your Linux machine, in a Terminal window, execute this command:

nano /var/www/login.htm

In the nano window, enter this HTML text, as shown below:

<html>
<body>
<form method="post" action="login.php">
Password: <input type="text" name="pw">
<p>
<input type="submit" value="submit" name="submit">
</form>
</body>
</html>

Press Ctrl+X, Y, Enter to save the file.

Adding a Login Script to the Web Server

On your Linux machine, in a Terminal window, execute this command:

nano /var/www/login.php

In the nano window, enter this PHP text, as shown below:

<?php
$p = $_POST['pw'];
if ($p == 'P@ssw0rd') {
   echo "<h2>Password correct!</h2>"; }
else {
   echo "<h2>Password incorrect!</h2>"; }
?>

Press Ctrl+X, Y, Enter to save the file.

Viewing the HTTP Login Page

On your Windows machine, in Firefox, enter this URL, replacing the IP address with the correct address of your Linux server. Then press Enter:

http://192.168.119.190/login.htm

An HTTP login page opens, as shown below:

Enter a password of P@ssw0rd and click submit.

You should see a message saying "Password correct!".

Adding an HTTPS Login Form to the Web Server

On your Linux machine, in a Terminal window, execute this command:

cp /var/www/login.* /var/www-ssl

This makes an identical login form on the HTTPS portion of the server.

Viewing the HTTPS Login Page

On your Windows machine, in Firefox, enter this URL, replacing the IP address with the correct address of your Linux server. Then press Enter:

https://192.168.119.190/login.htm

An HTTPS login page opens, as shown below:

Enter a password of P@ssw0rd and click submit.

You should see a message saying "Password correct!", as shown below.

Saving the Screen Image

Make sure the URL starts with https, and that the "Password correct!" message is visible, as shown above.

Press PrntScrn to capture the whole desktop.

YOU MUST SUBMIT AN IMAGE OF YOUR WHOLE DESKTOP TO GET FULL CREDIT

Save a screen capture with a filename of "Proj 17a from YOUR NAME".

Capturing a HTTP Password with Wireshark

On your Windows machine, start Wireshark.

From the Wireshark menu bar, click Capture, Interfaces.

In the "Wireshark: Capture Interfaces" box, click the box next to "Local Area Connection", as shown below:

Click the Start button.

Logging in with HTTP

On your Windows machine, in Firefox, enter this URL, replacing the IP address with the correct address of your Linux server. Then press Enter:

http://192.168.119.190/login.htm

An HTTP login page opens, as shown below:

Enter a password of P@ssw0rd and click submit.

You should see a message saying "Password correct!".

Stopping the Packet Capture

In Wireshark, click Capture, Stop.

Finding the Password in Wireshark

In Wireshark, click Edit, "Find Packet".

In the "Wireshark: Find Packet" window, do these four things, as shown below:

In the "By:" line, click the String button
In the next line, type w0rd
In the "Search In" section, click the "Packet Bytes" button
Click the Find button.

Wireshark should move to a packet labelled "POST /login.php HTTP/1.1" in the Info column, as shown below.

In the center pane, expand the "Line-based text data" section to reveal the password, as shown at the bottom of the screen below:

Saving the Screen Image

Make sure the password of P%40ssw0rd is visible, as shown above.

Press PrntScrn to capture the whole desktop.

YOU MUST SUBMIT AN IMAGE OF YOUR WHOLE DESKTOP TO GET FULL CREDIT

Save a screen capture with a filename of "Proj 17b from YOUR NAME".

Starting Another Packet Capture

On your Windows machine, start Wireshark.

From the Wireshark menu bar, click Capture, Start.

In the box that pops up, click the "Continue without Saving" button.

Logging in with HTTPS

On your Windows machine, in Firefox, enter this URL, replacing the IP address with the correct address of your Linux server. Then press Enter:

https://192.168.119.190/login.htm

An HTTPS login page opens, as shown below:

Enter a password of P@ssw0rd and click submit.

You should see a message saying "Password correct!".

Stopping the Packet Capture

In Wireshark, click Capture, Stop.

Searching for the Password in Wireshark

In Wireshark, click Edit, "Find Packet".

In the "Wireshark: Find Packet" window, verify that the settings remain unchanged, as shown below:

In the "By:" line, click the String button
In the next line, type w0rd
In the "Search In" section, click the "Packet Bytes" button

Click the Find button.

Look at the lower left of the Wireshark window. A message appears briefly, saying "No packet contained that string", as shown below:

This is a much safer way to send data, because it's encrypted.

Turning In Your Project

Email the image to cnit.120@gmail.com with a subject of "Project 17 from YOUR NAME".

Sources

http://www.tc.umn.edu/~brams006/selfsign.html

Last modified: 7-27-13 8 pm