Difficulty: easy

Category: forensics

Author: xnull

Description:

### Network Traffic Capture

We captured network traffic from a user logging into a website. The credentials were sent over unencrypted HTTP.

Analyze the packet capture and extract the password.

Solution

We can use tshark to dump the HTTP traffic by following the stream. The POST /login in frame 4 is TCP stream 0 (the later GET to 192.168.1.2 is stream 2), so `-z follow,http,ascii,0` prints that exchange reassembled, after tshark's normal per-packet summary (add `-q` to suppress the summary and keep only the followed stream):

# tshark -r capture.pcap -z follow,http,ascii,0
    1   0.000000 192.168.1.100 → 192.168.1.1  TCP 54 80 0 5432180 [SYN] Seq=0 Win=8192 Len=0
    2   0.000322  192.168.1.1 → 192.168.1.100 TCP 54 54321 0 8054321 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
    3   0.000526 192.168.1.100 → 192.168.1.1  TCP 54 80 0 5432180 [ACK] Seq=1 Ack=1 Win=8192 Len=0
    4   0.000725 192.168.1.100 → 192.168.1.1  HTTP 218 80 0 POST /login HTTP/1.1  (application/x-www-form-urlencoded)
    5   0.001045  192.168.1.1 → 192.168.1.100 HTTP 147 54321 0 HTTP/1.1 200 OK  (text/html)
    6   0.001364 192.168.1.50 → 8.8.8.8      DNS 70   Standard query 0x0000 A google.com
    7   0.001842 192.168.1.50 → 8.8.8.8      DNS 72   Standard query 0x0000 A facebook.com
    8   0.002237 192.168.1.50 → 8.8.8.8      DNS 70   Standard query 0x0000 A reddit.com
    9   0.002632 192.168.1.50 → 8.8.8.8      DNS 77   Standard query 0x0000 A stackoverflow.com
   10   0.003015 42:48:65:b0:3f:d2 → fe:f8:80:d8:60:26 ARP 42   Who has 192.168.1.1? Tell 192.168.1.100
   11   0.003201 42:48:65:b0:3f:d2 → fe:f8:80:d8:60:26 ARP 42   192.168.1.1 is at 00:11:22:33:44:55
   12   0.003383 192.168.1.75 → 8.8.8.8      ICMP 42   Echo (ping) request  id=0x0000, seq=0/0, ttl=64
   13   0.003756      8.8.8.8 → 192.168.1.75 ICMP 42   Echo (ping) reply    id=0x0000, seq=0/0, ttl=64 (request in 12)
   14   0.004018 192.168.1.100 → 142.250.185.46 TCP 54 443 1 54322443 [SYN] Seq=0 Win=8192 Len=0
   15   0.004205 142.250.185.46 → 192.168.1.100 TCP 54 54322 1 44354322 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
   16   0.004405 192.168.1.100 → 142.250.185.46 TCP 54 443 1 54322443 [ACK] Seq=1 Ack=1 Win=8192 Len=0
   17   0.004590 192.168.1.100 → 192.168.1.2  HTTP 125 80 2 GET / HTTP/1.1
   18   0.004915 192.168.1.100 → 192.168.1.10 TCP 54 22 3 5432422 [SYN] Seq=0 Win=8192 Len=0
   19   0.005101 192.168.1.10 → 192.168.1.100 TCP 54 54324 3 2254324 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0

===================================================================
Follow: http,ascii
Filter: tcp.stream eq 0
Node 0: 192.168.1.100:54321
Node 1: 192.168.1.1:80
112
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 52


52
username=admin&password=ENDLM{p4ck3ts_d0nt_l13_7c8a}
	64
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 28


	28
<html>Login successful</html
===================================================================

Flag: ENDLM{p4ck3ts_d0nt_l13_7c8a}
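The same extraction without tshark, as an added example that is not part of the original writeup: a minimal libpcap reader that walks Ethernet/IPv4/TCP, concatenates each direction's payload in arrival order (like "follow stream"), and pulls the fields out of any POST whose body is application/x-www-form-urlencoded. The capture is constructed in memory (headers and body deliberately split across two segments, plus an ARP frame the parser must skip) so the script runs offline; it assumes segments arrive in order with no retransmissions, which holds for a small capture like this one but not for real traffic with loss.

```python
import re
import struct
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4       # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet/IPv4/TCP frame for the constructed capture (checksums left 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("424865b03fd2") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0,
                     0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw frames in a libpcap global header plus per-record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) for every IPv4/TCP frame."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 (e.g. ARP)
        if frame[23] != 6:
            continue                      # not TCP (e.g. DNS/UDP, ICMP)
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl: 14 + total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[data_off:]


def reassemble_streams(pcap):
    """Concatenate payloads per direction (assumes in-order, no retransmits)."""
    streams = {}
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if payload:
            streams.setdefault((src, sport, dst, dport), bytearray()).extend(payload)
    return streams


def extract_form_credentials(pcap):
    """Return one dict per urlencoded POST found in any reassembled stream."""
    found = []
    for (src, sport, dst, dport), data in reassemble_streams(pcap).items():
        pos = 0
        while (pos := data.find(b"POST ", pos)) >= 0:
            head, sep, rest = bytes(data[pos:]).partition(b"\r\n\r\n")
            if not sep:
                break                     # headers incomplete in this capture
            m = re.search(rb"(?im)^content-length:\s*(\d+)", head)
            clen = int(m.group(1)) if m else 0
            body = rest[:clen]
            if b"application/x-www-form-urlencoded" in head.lower():
                fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
                found.append({"src": src, "dst": dst, "port": dport, "fields": fields})
            pos += len(head) + 4 + clen
    return found


# Constructed capture mirroring the writeup's stream 0 (not the real pcap).
REQUEST_HEAD = (b"POST /login HTTP/1.1\r\nHost: example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n")
BODY = b"username=admin&password=ENDLM{p4ck3ts_d0nt_l13_7c8a}"
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.100", "192.168.1.1", 54321, 80,
                REQUEST_HEAD + b"Content-Length: %d\r\n\r\n" % len(BODY)),
    build_frame("192.168.1.100", "192.168.1.1", 54321, 80, BODY),
    build_frame("192.168.1.1", "192.168.1.100", 80, 54321,
                b"HTTP/1.1 200 OK\r\nContent-Length: 28\r\n\r\n<html>Login successful</html"),
    bytes.fromhex("ffffffffffff424865b03fd20806") + bytes(28),   # ARP, skipped
])

if __name__ == "__main__":
    for hit in extract_form_credentials(SAMPLE_PCAP):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} {hit['fields']}")
```

To run it against a real file, replace SAMPLE_PCAP with `open("capture.pcap", "rb").read()`; pcapng files have a different container format and are not handled by this reader.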