Capturing Credentials Submitted Through HTTP with Wireshark

Objective

Learn how to use Wireshark, a network protocol analyzer, to capture and analyze HTTP traffic to identify credentials sent in plaintext. Understand how to secure networks and applications against such vulnerabilities.

Purpose

HTTP traffic is often transmitted in plaintext, making it susceptible to interception. Wireshark enables you to analyze network traffic to demonstrate how attackers can capture sensitive information, such as login credentials, and how to mitigate such risks.

Tools Required

Kali Linux (or any system with Wireshark installed).
A test network or environment where HTTP traffic can be captured.
A web application that transmits credentials via HTTP (test environment only).

Lab Topology

Kali Linux: Running Wireshark to capture network traffic.
Target Web Application: A test website transmitting credentials over HTTP.

Walkthrough

Task 1: Setting Up Wireshark

Verify Installation:
- Wireshark is pre-installed on Kali Linux. To check:
```
wireshark --version
```
- If not installed, install it:
```
sudo apt update && sudo apt install wireshark -y
```
Run Wireshark as Root:
- Start Wireshark:
```
sudo wireshark
```
- Select the network interface connected to the target environment (e.g., eth0 or wlan0).

Task 2: Capturing HTTP Traffic

Set a Capture Filter:
- Use the following capture filter to focus on HTTP traffic:
```
tcp port 80
```
- Enter the filter in the Capture Filter field and start the capture.
Generate HTTP Traffic:
- On the target machine, navigate to a test website over HTTP (e.g., http://testsite.local).
- Submit a login form with test credentials (e.g., username: admin, password: password123).
Stop the Capture:
- In Wireshark, click the Stop button once the traffic has been generated.

Task 3: Analyzing Captured Traffic

Filter HTTP Requests:
- Use the display filter to show HTTP requests:
```
http
```
Locate the Login Request:
- Look for POST requests to the login endpoint (e.g., /login).
- Select the relevant packet and view its details in the Packet Details pane.
Extract Credentials:
- Expand the Hypertext Transfer Protocol section to find the form data.
- Example output:
```
username=admin&password=password123
```

Task 4: Securing HTTP Traffic

Use HTTPS:
- Configure web servers to enforce HTTPS using SSL/TLS certificates.
Implement Secure Authentication:
- Use secure mechanisms such as hashed passwords and token-based authentication.
Disable Plaintext Protocols:
- Prevent the use of HTTP by redirecting all traffic to HTTPS.
Monitor Networks:
- Use intrusion detection systems (IDS) to flag unencrypted traffic containing sensitive data.

Best Practices

Use Authorized Environments Only:
- Perform traffic analysis only in environments where you have explicit permission.
Encrypt All Traffic:
- Ensure all sensitive data is transmitted over secure channels (e.g., HTTPS, VPNs).
Educate Users:
- Train users to recognize insecure connections and avoid submitting credentials over HTTP.
Regularly Audit Systems:
- Conduct routine checks to ensure encryption is enforced across all endpoints.

Key Takeaways

HTTP traffic is transmitted in plaintext, making it vulnerable to interception.
Wireshark is a powerful tool for demonstrating the risks of unencrypted communications.
Enforcing HTTPS and secure practices mitigates the risk of credential interception.

Troubleshooting Tips

No Traffic Captured:
- Ensure the correct network interface is selected.
- Verify that HTTP traffic is being generated in the test environment.
Cannot Find Credentials:
- Confirm the form data is transmitted over HTTP and not HTTPS.
- Check the application’s network behavior to ensure it does not encrypt data.
Wireshark Permission Issues:
- Run Wireshark as root or ensure your user has permissions to capture packets.

By completing this lab, you now understand how to capture and analyze HTTP traffic for credentials and how to secure networks against such vulnerabilities.