Project 3: Stealing Passwords with a Packet Sniffer (15 points)

What You Need for This Project

Purpose

When you send data to Web sites, it travels through many devices--switches, routers, wireless networks, and servers. And it can be seen at any of those points.

In this project you see how to steal passwords if they are sent unencrypted, and how HTTPS encryption protects your data.

Installing the Wireshark Packet Sniffer

Open a Web browser and go to http://wireshark.org

Download and install the latest version of Wireshark. The installer will also install WinPCap.

Starting a Capture in Promiscuous Mode

Click Start. In the Search bar, type WIRESHARK. Click Wireshark.

From the Wireshark menu bar, click Capture, Interfaces.

Find the Interface with an increasing number of packets. That's the interface that connects to the Internet. Click the Options button in that interface's line.

In the Wireshark Capture Options box, click the Start button.

If you see a message saying "Save capture file before starting a new capture?", click "Continue Without Saving".

Sending a Test Password to Wikipedia

Open Firefox and go to http://wikipedia.com

Click English

On the top right of the screen, click "Log In".

Enter a Username of joe and a Password of topsecretpassword as shown below.

Do NOT put in your real user name and password! As you will see, this Web page is not secure. After this lab, you might not want to use it anymore!

Click the "Log In" button. If you see a message asking whether to remember the password, click "Not Now". The password will be rejected. That's fine. The point of the project is to see how it was transmitted to Wikipedia.

In the Wireshark window, click Capture, Stop.

Observing the Password in Wireshark

In the Wireshark window, click Edit, "Find Packet".

In the "Wireshark: Find Packet" box, click the String button. Enter a search string of secret, as shown below. Click Find.

Wireshark finds the text. It highlights a packet with a Protocol of HTTP, as shown below on this page.

In the bottom pane of the Wireshark window the raw packet data is shown in hexadecimal on the left and in ASCII on the right. The password is visible on the right side, as shown in the figure below.

Saving a Screen Image

Make sure the captured password is visible, as shown above.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

Paste the image into Paint and save it with the filename "YOUR NAME Proj 3a", replacing "YOUR NAME" with your real name.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Observing a Secure Password Transmission

Open a browser and go to http://gmail.com

Enter the fake name JoeUser and password topsecretpassword, as shown below, but don't click the "Sign in" button yet.

In the Wireshark window, click Capture, Start. Click "Continue without Saving".

Quickly return to the Gmail window and click the "Sign in" button. Wait until Gmail shows you a message saying "The username or password you entered is incorrect".

In the Wireshark window, click Capture, Stop.

In the Wireshark window, click Edit, "Find Packet". In the By line, click the String button. Enter a string of pass and click the Find button. No match is found—the string pass does not appear in the packets at all.

Look in the Info column and find Client Hello, then Server Hello, then Certificate, as shown below. Those exchanges are parts of the SSL Handshake that prepared an encrypted layer to send your username and password.

Look at the packets that appear below "Server Hello". Find a packet labeled "SSLv3 Application Data" or "TLSv1 Application Data", like packet 22 in the image below on this page, and click on it in the top pane to select it.

Details about the packet will appear in the middle pane. Click the + sign to expand Secure Sockets Layer.

Expand the layer inside (labeled "SSLv3 Record Layer" or "TLSv1 Record Layer"), so that the Encrypted Application Data is visible, as shown at the bottom of the image below on this page. Your user name and password are concealed in that encrypted data. Even though the packet sniffer can see the data go by, it cannot be read. This is how SSL protects you--all Web logons should use SSL.
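The two observations above (a form login readable in the packet bytes, and a TLS record whose contents are opaque) can be reproduced on raw TCP payloads without Wireshark. The following Python script is an added example written for this handout, not part of the original project or of Wireshark; the HTTP request, the form field names and the TLS record bytes are all constructed sample data.

```python
import re
from urllib.parse import parse_qs

# Constructed sample payloads (not from a real capture). The field names
# "username"/"password" are assumptions, not any real site's form fields.
HTTP_BODY = b"username=joe&password=topsecretpassword&login=Log+in"
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: %d\r\n\r\n" % len(HTTP_BODY)
) + HTTP_BODY
# One TLS record: type 0x17 (Application Data), version 0x0301 (TLSv1),
# 2-byte length, then 16 bytes standing in for ciphertext (constructed).
TLS_APP_DATA = b"\x17\x03\x01\x00\x10" + bytes(range(0x90, 0xA0))

TLS_TYPES = {20: "Change Cipher Spec", 21: "Alert",
             22: "Handshake", 23: "Application Data"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1",
                0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_tls_record(payload):
    """Parse the 5-byte TLS record header; None if it is not a TLS record."""
    if len(payload) < 5 or payload[0] not in TLS_TYPES:
        return None
    version = int.from_bytes(payload[1:3], "big")
    if version not in TLS_VERSIONS:
        return None
    length = int.from_bytes(payload[3:5], "big")
    return TLS_TYPES[payload[0]], TLS_VERSIONS[version], length

def find_cleartext_credentials(payload):
    """If the payload is an unencrypted HTTP request with a form-encoded
    body, return the fields whose names look like credentials; else None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not re.match(rb"^(POST|GET) \S+ HTTP/1\.[01]\r\n", head):
        return None
    fields = parse_qs(body.decode("latin-1"))
    hits = {k: v[0] for k, v in fields.items()
            if re.search(r"user|name|pass|pwd", k, re.I)}
    return hits or None

def describe(payload):
    """Summarize one TCP payload the way an analyst reading Wireshark would."""
    creds = find_cleartext_credentials(payload)
    if creds:
        return "CLEARTEXT HTTP login: " + ", ".join(f"{k}={v}" for k, v in creds.items())
    rec = parse_tls_record(payload)
    if rec:
        kind, ver, length = rec
        return f"{ver} {kind}, {length} encrypted bytes (string search finds nothing)"
    return "unrecognized payload"

for p in (HTTP_LOGIN, TLS_APP_DATA):
    print(describe(p))
```

The same string search the project performs in Wireshark (`pass`) hits the HTTP payload and misses the TLS record, which is the whole point of the two screenshots.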

Saving a Screen Image

Make sure the "Encrypted Application Data" is visible, as shown above.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

Paste the image into Paint and save it with the filename "YOUR NAME Proj 3b", replacing "YOUR NAME" with your real name.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Turning in Your Project

Email the images to me as attachments to an e-mail message. Send it to: cnit.123@gmail.com with a subject line of "Proj 3 From YOUR NAME", replacing "YOUR NAME" with your real name.

Send a Cc to yourself.

Last Modified: 9:17 am 6-2-13