Post Connection Attacks: Sniffing Login Information with Wireshark

Once we finally have the network password, it is time to actually start capturing and analyzing data and to try some attacks of our own. One of the easiest ways to begin is to start Wireshark and listen to the network.

Start by putting your WLAN adapter into monitor mode and opening Wireshark. Choose the adapter that is in monitor mode and start capturing packets.

wire-adapter-e1526129041710.png

Since our access point is running WPA2, we need to give Wireshark the password we recovered in the previous chapters so that it can decrypt the captured frames. WPA2 derives a separate key for every client from that password and the 4-way handshake, so Wireshark can only decrypt a client's traffic if the capture also contains that client's EAPOL handshake: start capturing before the client joins the network, or have it reconnect while you are capturing.

In the top left corner choose Edit and then Preferences; a small window should pop up.

wire-preferences.png

Now head to the Protocols entry in the left-hand column and expand it. Scroll down roughly half way until you find IEEE 802.11 and select it. Click the Edit button next to the Decryption keys text.

wire-ieee-2.png

Pressing the + button adds a new decryption key. Choose wpa-pwd (WPA password) as the key type and type your access point's password in the Key field. Wireshark takes the SSID from the captured beacons; if it does not, enter the key as password:SSID instead. Click OK twice and you are done.

wire-wpa-key-2.png

Now, on your client machine, go to a website whose login page is not served over HTTPS. In our example we used a OnePlus 5T phone and tried to log in to a random Finnish floorball forum.

phone-salibandy-2-login1.jpg


The username and password can be anything, really; there is no need to actually have an account on the site you are logging in to, because the credentials are sent in the request whether or not they are valid.

Now head back to Wireshark and apply a display filter by typing http in the filter field, so that only HTTP packets are shown. Then choose Edit and Find Packet. An additional bar appears at the top; choose "String" from the drop-down list that defaults to "Display filter" and type POST next to it.

wire string post 2

Click the highlighted packet and, in the middle pane, expand the HTML Form URL Encoded entry; there you will find the login information in plain text.

wire-plain-text-pw.png
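What Wireshark's "HTML Form URL Encoded" dissector shows is simply the URL-decoded body of the POST. As an added example (not code from the original post or from Wireshark), the Python below parses raw HTTP requests as they would appear in the packet bytes and reports every password-looking field sent over plain HTTP, which is the same check done by hand above but run over a batch of requests. The three sample requests, the hostnames forum.example and other.example, and the credentials in them are constructed for the example, not taken from the capture in the screenshots.

```python
from urllib.parse import parse_qs

# Constructed sample requests (not a real capture). The first two are the kind
# of login POST the screenshot shows; the third is a GET with no form body.
SAMPLE_LOGIN_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&remember=1"
)

SAMPLE_ENCODED_POST = (
    b"POST /auth HTTP/1.1\r\n"
    b"Host: other.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=bob&pass=p%40ss%26word"   # '@' and '&' percent-encoded by the browser
)

SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: forum.example\r\n\r\n"

# Substrings that commonly appear in password field names (heuristic, assumed).
PASSWORD_FIELD_HINTS = ("pass", "pwd", "secret")


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; the body is cut to Content-Length if given."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return method, path, headers, body


def extract_form_fields(raw: bytes) -> dict:
    """Decoded form fields of a URL-encoded POST, or {} for any other request.
    This mirrors the 'HTML Form URL Encoded' view: %xx escapes and '+' decoded."""
    method, _path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or ctype != "application/x-www-form-urlencoded":
        return {}
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def find_plaintext_logins(requests) -> list:
    """Scan captured requests and list every password-looking field that went
    over plain HTTP. Nothing captured over HTTPS ever reaches this point,
    because the TLS record layer hides the whole request."""
    hits = []
    for raw in requests:
        _method, path, headers, _body = parse_http_request(raw)
        for name, value in extract_form_fields(raw).items():
            if any(hint in name.lower() for hint in PASSWORD_FIELD_HINTS):
                hits.append({"host": headers.get("host", "?"), "path": path,
                             "field": name, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_plaintext_logins([SAMPLE_GET, SAMPLE_LOGIN_POST,
                                      SAMPLE_ENCODED_POST]):
        print(f"{hit['host']}{hit['path']}: {hit['field']}={hit['value']}")
```

Note that the percent-decoding matters: the second sample's password is p@ss&word, which the browser sends as p%40ss%26word; reading the raw bytes without decoding would give the wrong password. The same extraction can be done from the command line with tshark by filtering on http.request.method == "POST" and printing the urlencoded-form.key and urlencoded-form.value fields.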

Keep in mind that this only works with sites served over plain HTTP, not HTTPS (HTTP over TLS/SSL): with TLS the form data is encrypted before it leaves the browser, so the POST body never appears in the clear no matter how much of the wireless traffic you decrypt. Also, this capture relies on monitor mode, which receives every frame in the air. On a wired switched network the switch forwards each frame only to the port of its destination device, so you would see nothing but broadcast traffic and frames addressed to your own machine.
