Sumber : http://www.darkmoreops.com/
Step 1: Start Wireshark and capture traffic
In Kali Linux you can start Wireshark by going to
Application > Kali Linux > Top 10 Security Tools > Wireshark
In Wireshark go to
Capture > Interface and tick the interface that applies to you. In my case, I am using a Wireless USB card, so I’ve selected wlan0.
Ideally you could just press Start button here and Wireshark will start capturing traffic. In case you missed this, you can always capture traffic by going back to
Capture > Interface > Start
Step 2: Filter captured traffic for POST data
At this point Wireshark is listening to all network traffic and capturing them. I opened a browser and signed in a website using my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.
Usually you see a lot of data in Wireshark. However are are only interested on POST data.
Why POST only?
Because when you type in your
username, password and press the Login button, it generates a a POST method (in short – you’re sending data to the remote server).
To filter all traffic and locate POST data, type in the following in the filter section
http.request.method == "POST"
See screenshot below. It is showing 1 POST event.
Step 3: Analyze POST data for username and password
Now right click on that line and select
Follow TCP Steam
This will open a new Window that contains something like this:
HTTP/1.1 302 FoundDate: Mon, 10 Nov 2014 23:52:21 GMTServer: Apache/2.2.15 (CentOS)P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"X-Powered-By: PHP/5.3.3Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/Location: loggedin.php Content-Length: 0Content-Type: text/html; charset=UTF-8Connection: close
I’ve highlighted the user name and password field.
So in this case,
- username:
sampleuser - password:
e4b7c855be6e3d4307b8d6ba4cd4ab91
But hang on,
e4b7c855be6e3d4307b8d6ba4cd4ab91 can’t be a real password. It must be a hash value.
Note that some website’s doesn’t hash password’s at all even during sign on. For those, you’ve already got the username and password. In this case, let’s go bit far and identify this hash value
Step 4: Identify hash type
I will use hash-identifier to find out which type of hash is that. Open terminal and type in hash-identifier and paste the hash value. hash-identifier will give you possible matches.
See screenshot below:
Now one thing for sure, we know it’s not a Domain Cached Credential. So it must be a MD5 hash value.
I can crack that using hashcat or cudahashcat. There’s an extensive guide on how to do that here.
Step 5: Cracking MD5 hashed password
I can easily crack this simple password using hashcat or similar softwares.
root@kali:~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt(or)root@kali:~# cudahashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt(or)(or)root@kali:~# cudahashcat32 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txtroot@kali:~# cudahashcat64 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
Because this was a simple password that existed in my password list, hashcat cracked it very easily.
Cracking password hashes
Out final outcome looks like this:
- username:
sampleuser - password:
e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword
Conclusion
Well, to be honest it’s not possible for every website owner to implement SSL to secure password, proper SSL’s cost you upto 1500$ per URL. But the least website owners (public ones where anyone can register) should do is to implement hashing during login-procedures. In that way, at least the password is hashed and that adds one more hurdle for someone else can hack website password so easily.
Enjoy and use this guide responsibly.
0 comments:
Post a Comment