
Hack website password using WireShark

Did you know that every time you fill in your username and password on a website and press ENTER, you are sending your password? Well, of course you know that. How else are you going to authenticate yourself to the website? But (yes, there’s a small BUT here), when a website lets you authenticate over HTTP (plaintext), it is very simple to capture that traffic and analyze it later from any machine on the LAN (and even over the Internet). That means someone can hack the website password for any site that uses HTTP for authentication. To do it over the Internet, you would need to sit on a gateway or central hub (BGP routers would do, if you have access and the traffic is routed through them).

But doing it from a LAN is easy, and at the same time it makes you wonder how insecure HTTP really is. You could be doing it to your roommate, your work network, or even a school, college or university network, assuming the network allows broadcast traffic and your LAN card can be put into promiscuous mode.

So let’s try this on a simple website. I will hide part of the website name (they are nice people and I respect their privacy). For the sake of this guide, I will show everything done on a single machine. As for you, try it between two VirtualBox/VMware/physical machines.

P.S. Note that some routers don’t broadcast traffic, so it might fail on those.

 


Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to

Applications > Kali Linux > Top 10 Security Tools > Wireshark

In Wireshark go to Capture > Interface and tick the interface that applies to you. In my case, I am using a Wireless USB card, so I’ve selected wlan0.

 

[Screenshot 1: Wireshark capture interface list with wlan0 selected]

Ideally you can just press the Start button here and Wireshark will start capturing traffic. If you missed it, you can always start capturing by going back to Capture > Interface > Start.

[Screenshot 2: starting the capture from Capture > Interface > Start]

Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing it. I opened a browser and signed in to a website with my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.

Usually you see a lot of data in Wireshark. However, we are only interested in the POST data.

 

Why POST only?

Because when you type in your username and password and press the Login button, the browser sends a POST request (in short, you’re sending data to the remote server).

To filter all traffic and locate POST data, type the following into the filter bar:

http.request.method == "POST"

See the screenshot below. It is showing 1 POST event.

[Screenshot 3: filtered capture showing the single POST request]

Step 3: Analyze POST data for username and password

Now right-click on that line and select Follow TCP Stream.

[Screenshot 4: the Follow TCP Stream context menu entry]

This will open a new window that contains something like this:

 

HTTP/1.1 302 Found
Date: Mon, 10 Nov 2014 23:52:21 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: non=non; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

I’ve highlighted the username and password fields.

So in this case,

  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91

But hang on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can’t be a real password. It must be a hash value.

 

Note that some websites don’t hash passwords at all, even during sign-on. For those, you’ve already got the username and password. In this case, let’s go a bit further and identify this hash value.
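Added example (not part of the original guide): the same inspection done programmatically, so you can audit your own site’s captures for exactly what Wireshark would show. The script splits a followed TCP stream into HTTP messages, flags credential fields in the POST body, and reports Set-Cookie headers that carry password material or lack the Secure and HttpOnly flags, as the response above does. The sample stream is constructed; the host, path and form field names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample stream modelled on the exchange above; host, path and form
# field names are assumptions, cookie names and hash value are from the page.
SAMPLE_STREAM = (
    "POST /login.php HTTP/1.1\r\nHost: www.example-site.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 57\r\n\r\n"
    "user=sampleuser&password=e4b7c855be6e3d4307b8d6ba4cd4ab91"
    "HTTP/1.1 302 Found\r\nLocation: loggedin.php\r\n"
    "Set-Cookie: scifuser=sampleuser; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/\r\n"
    "Set-Cookie: password=e4b7c855be6e3d4307b8d6ba4cd4ab91; path=/\r\n"
    "Content-Length: 0\r\nConnection: close\r\n\r\n"
)
# Field and cookie names that should never travel in the clear.
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|session", re.I)

def split_messages(stream):
    """Split a followed TCP stream into individual HTTP requests and responses."""
    boundary = r"(?=(?:POST|GET|PUT) \S+ HTTP/1\.[01]\r\n|HTTP/1\.[01] \d{3} )"
    return [m for m in re.split(boundary, stream) if m]

def parse_message(raw):
    """Return (start line, [(header, value)], body) for one HTTP message."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines if ":" in l]
    return start, [(k.lower(), v) for k, v in headers], body

def audit_stream(stream):
    """List credential exposures a plain-HTTP login leaks to anyone on the path."""
    findings = []
    for raw in split_messages(stream):
        start, headers, body = parse_message(raw)
        if start.startswith("POST "):                      # login form submission
            target = start.split()[1]
            for field in parse_qs(body):
                if SENSITIVE.search(field):
                    findings.append(f"cleartext form field '{field}' sent in POST to {target}")
        for name, value in headers:
            if name != "set-cookie":
                continue
            cookie, *attrs = [a.strip() for a in value.split(";")]
            cname = cookie.split("=", 1)[0]
            flags = {a.lower() for a in attrs}
            if SENSITIVE.search(cname):                    # e.g. password=<hash> above
                findings.append(f"credential material stored in cookie '{cname}'")
            for flag in ("Secure", "HttpOnly"):
                if flag.lower() not in flags:
                    findings.append(f"cookie '{cname}' set without {flag} flag")
    return findings
```

Feed it the text from Wireshark’s Follow TCP Stream window (saved as raw) and an empty result is what a login over TLS with properly flagged cookies should give you.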

 

Step 4: Identify hash type

I will use hash-identifier to find out which type of hash this is. Open a terminal, type hash-identifier and paste in the hash value. hash-identifier will list the possible matches.

See screenshot below:

[Screenshot 6: hash-identifier output for the captured hash]

Now one thing is for sure: we know it’s not a Domain Cached Credential, so it must be an MD5 hash.

I can crack that using hashcat or cudaHashcat. There’s an extensive guide on how to do that here.
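As an added example, not from the original post or from hash-identifier itself, here is the core of that heuristic in Python: raw digests are classified by length and character set, crypt-style hashes by their $id$ prefix. It goes slightly beyond the page by also reporting whether the format carries a salt and a work factor, which is what makes a bare 32-hex MD5 like the one above the weakest case.

```python
import re

# Raw hex digests grouped by length, the main clue hash-identifier works from.
# A bare 32-hex value cannot be told apart by inspection alone, which is why the
# Domain Cached Credentials candidate above had to be ruled out from context.
HEX_LENGTHS = {
    32: ["MD5", "MD4", "NTLM", "LM", "Domain Cached Credentials (MS Cache)"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384"],
    128: ["SHA-512", "Whirlpool"],
}
# Modular crypt format identifiers ($id$...); these formats always embed a salt.
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "argon2id": "Argon2id"}

def identify_hash(value):
    """Classify a hash string: candidate algorithms, salted or not, work factor."""
    v = value.strip()
    m = re.fullmatch(r"\$([A-Za-z0-9]+)\$(.+)", v)
    if m:
        ident, rest = m.group(1).lower(), m.group(2)
        name = CRYPT_IDS.get(ident, f"unknown crypt id ${ident}$")
        head, cost = rest.split("$")[0], None
        if name == "bcrypt" and head.isdigit():                    # $2b$<cost>$<salt><hash>
            cost = int(head)
        elif head.startswith("rounds=") and head[7:].isdigit():   # $5$/$6$rounds=N$salt$hash
            cost = int(head[7:])
        return {"candidates": [name], "salted": True, "cost": cost}
    if re.fullmatch(r"[0-9A-Fa-f]+", v):                           # bare digest: no salt, no work factor
        return {"candidates": list(HEX_LENGTHS.get(len(v), [])), "salted": False, "cost": None}
    return {"candidates": [], "salted": False, "cost": None}
```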

 

Step 5: Cracking MD5 hashed password

I can easily crack this simple password using hashcat or similar software.

root@kali:~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat32 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt
(or)
root@kali:~# cudahashcat64 -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

 

Because this was a simple password that existed in my password list, hashcat cracked it very easily.

Cracking password hashes

 

[Screenshot 7: hashcat output showing the cracked hash]

Our final outcome looks like this:

  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword

 

Conclusion

Well, to be honest, it’s not possible for every website owner to implement SSL to secure passwords; proper SSL certificates cost up to 1500$ per URL. But the least website owners (of public sites where anyone can register) should do is implement hashing during the login procedure. That way, at least the password is hashed, and that adds one more hurdle for someone trying to hack a website password.

Enjoy and use this guide responsibly.

23 comments

  1. SSL certs cost $15/year. Anyone not using SSL on their site deserves what they get.

  2. Your Grade School English Teacher

    QUOTE website’s doesn’t hash password’s UNQUOTE

    In English, plurals are most often formed by simply adding an “s” to the end of the word, e.g. cat, cats and dog, dogs, not “cat’s” and “dog’s”.

    Apostrophe “s” generally denotes the possessive form as in “the cat’s milk” and “the dog’s bone”, but most notably not in the case of “it’s”, for which you should look at

    http://www.yalerecord.com/bob-the-angry-flower-its-vs-it-is/

    And since the subject word “websites” is plural, the form of the verb must also be plural, i.e. “do”, and not the singular “does”.

    So this should have been written as “websites do not hash passwords”.

    And in the very opening sentence there is an error: “Did you knew every time you”. should be “Did you know that every time …”

    English is not an easy language to speak and write correctly, and I hope this information helps you to improve your writing skills.

  3. “proper SSL’s cost you upto 1500$ per URL. ”

    Could you please elaborate? I purchased a business validated SSL wildcard for $450/year from GeoTrust.

    • 2048 bit EV SSL signed with SHA-256 is now fast becoming standard. Also a good CA certifier would validate 3 or more factors (Name, address, Business registration, website details) before signing someone up. I referred to Verisign ( now Symantec ) when I said 1500$. That’s just for a single url.

      You need to make sure that the SSL is trusted by most browsers. Otherwise it defeats the purpose of users’ convenience. I mean if a user gets a security alert, then it’s bad for business.

      Look up EV SSL for details. I’ll check GeoTrust SSL and give you a definitive response. There are a few sites that can check/validate SSL for you.

      Sorry for late reply, got lost in the flames!

      • “2048 bit EV SSL signed with SHA-256 is now fast becoming standard.”

        Can I get a weblink to the research saying so? Or is it just your personal opinion?

        I think I should say that I have had to generate/purchase/renew several dozen SSL certificates in my life (VeriSign, GeoTrust, COMODO, Thawte).

        2048 bit is for RSA key pair when you generate the key. This has nothing to do with the price of the SSL certificate AFAIK.

        SHA-256 is for SSL, the server key is used only to transmit a random 256-bit key. This has nothing to do with the price of the SSL certificate AFAIK.

        Therefore I only see an Extended Validation (EV) as a possible argument. I can get an EV SSL certificate from GeoTrust for $299/year. How is this not a proper SSL certificate? It’s 5 times cheaper compared to your $1500/year.

        According to Google, GeoTrust is the second most trusted CA in the world, straight after VeriSign.

        My work experience shows that EV certificates are mainly for banks and enterprises. Business validated certificates are more than enough for SMBs.

        Perhaps your sentence should have sounded something like:

        “one of the most expensive premium business-class VeriSign EV SSLs can cost you up to 1500$ per URL”.

        • “one of the most expensive premium business-class VeriSign EV SSLs can cost you up to 1500$ per URL”. <— Hmm, you’re right. I guess my statement can be interpreted like this.

          The SSL industry is very competitive and it’s hard to find an unbiased research link.

          I’ve read this article (link below), but like I said, it is hard to find unbiased opinions. As for me, I’ve only had to use Verizon, VeriSign, Cybertrust, Baltimore (Cybertrust merged with Baltimore. I had issues with one of their intermediates recently) and Thawte (Premium, Code signing and EV). So I guess my opinion would be leaning towards them in some way or another. The Wikipedia article regarding EV SSL contains some interesting opinions as well.

          SHA1 has vulnerabilities and will be phased out. If I remember right, Chrome will stop supporting it from the end of 2015. But that’s a different issue.

          http://www.symantec.com/connect/blogs/extended-validation-solutions-smb-ecommerce-success-secure128

  4. I knew that. I also knew that is “Did you know”, not “Did you knew”.

  5. I read your privacy policy and it states that “We collect personally identifiable information, like names, postal addresses, email addresses, etc” and “share information with governmental agencies or other companies”. I would not like any of my information shared with anyone especially. It’s disgusting to know that people are selling such information for profit. You have no right to even collect my information without a Court Order as per the IT Act of 2000. This is illegal, just like hacking.

    • I don’t sell anything, SK from Unixmen. I’m however obliged to provide server logs if requested by a legitimate authority, exactly like any server admin (yes, that includes Unixmen and every server on US soil). I have no registration for users, nor do I collect names. You can browse or post comments anonymously, under a pseudonym, using a proxy or Tor, using any method you see fit to hide your identity. You don’t even have to use an email address to comment. You are here just to promote your website.

      • “You are here just to promote your website.”

        My thoughts exactly. If you don’t agree with T&C, leave the site. But no, you post a comment instead and provide a link to your website. Says it all doesn’t it?

      • Please don’t create comments from fake usernames; use your real name and photo to post comments, unless you have something to hide. I understand you sharing info with authorities based on a court order, hopefully. But why do you have to share information with private companies? The only reason I can think of is to make money, as you said this site does not run ads, so it needs to make an income even though illegally. I have taken a screenshot of your policy; I will be posting it in privacy forums and on my site, let’s see what users of the internet have to say.

        • Oh dear… SK, did you even read the Privacy Policy properly, or simply start shouting before finishing? It says the following:

          “We may share information with governmental agencies or other companies assisting us in fraud prevention or investigation”

          The keywords are OTHER COMPANIES ASSISTING US IN FRAUD PREVENTION OR INVESTIGATION. Purposely or not, you cut the last bit and posted: “share information with governmental agencies or other companies”.

          If there is a company assisting darkmoreops.com in fraud prevention, they will share the details with them. This is clearly stated. Do you see the difference?

          You may want to read properly before posting. Much appreciated. All the best.

    • What a jackass, this site doesn’t even run advertising that collects cookies. Maybe just jealous because all of this SK joker’s posts were copy-pasted without even mentioning sources.
      Oh and look at this, I just used a fake name, set my email as whatever@torrules.xy..

    • UNIXMEN writers are such bullies. This is a small website and the writer is very polite. Reading back all the negative comments, it almost feels like they were written by the same bully named SK. Any website such as blogspot.com, wordpress.com, tumblr.com MUST hand over logs to government agencies. Otherwise you end up in jail like the Pirate Bay founders. I think it was honest to put that in the disclaimer up front, especially when a website is serving hacking-related guides. It’s a shame to see large websites bullying a smaller one.

  6. Can we use Wireshark to access an account like Yahoo or Gmail? Though they use HTTPS, isn’t there any way to crack passwords?

  7. Maybe thanks is not enough to express how grateful one might be; I want to compliment you not only for the job, but for the kindness as well.
