This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to extract basic authorization details from a pcap file ?

1
1

I am currently doing pen-testing on a local proxy server that I have setup using Squid. I initiated a MITM attack to get packets from the compromised hosts. I have over hundred thousand packets in my pcap file from which I need to extract the basic proxy authorization fields of username and pass. Within the pcap file I can apply "http.authbasic" as a filter to get all the packets sent with username and pass, but how do I extract this info automatically for all the packets ,and prerably output the result to a text file ?

asked 18 Jun '15, 13:44

Backspace's gravatar image

Backspace
31347
accept rate: 0%

One Answer:

2

You can use tshark.

tshark -nr http.pcap -T fields -e frame.number -e ip.src -e ip.dst -e http.authbasic -Y "http.proxy_authorization"

Sample output:

21      172.16.101.2    172.16.101.1    user1:password1
28      172.16.101.2    172.16.101.1    user2:secret2

Please read the tshark man page and the display filter reference guide for more options and fields.

Regards
Kurt

answered 18 Jun '15, 14:12

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Is there a way to do this on a live packet capture stream ? the above command works perfectly for pcap files. We can also print distinct combinations using |sort |uniq

(18 Jun '15, 14:25) Backspace

please try this:

-ni eth0 instead of -nr http.cap. On Windows it's -ni <id> while <id> is the interfaces ID you'll see with dumpcap -D -M

(19 Jun '15, 04:24) Kurt Knochner ♦