This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Password not visible in an http connection

0

Hello,

I'm a little late in this conversation but I need some help. I tried today to connect to my Box from outside my network and realized that the connection is over http://. Once I came home I tried the same from a VM and captured the traffic to see if the password is "clear text". The problem is that I don't know which frame to look in (which ones contain the login / password?). I tried "frame contains abc123" > doesn't work (why? It's http://, why would it be encrypted?). I tried "http.request.method == "POST"", which shows something, and finally tried frame contains "password". I got the frame which contains Key: Password and it's encrypted.

8b7cc159a165e6d1dc23c96a83e4822690d737cb

base64 gives me this result ñ¾Üs^}k^¹{§uuÍ·sÞšów¸ómº÷G{ß·

and that's not my password.

I have the same problem with capturing email / password (in a home lab).

Thanks for your help.

asked 24 Sep '15, 05:28

tome80
11226
accept rate: 0%

edited 28 Sep '15, 10:05

Kurt Knochner ♦
24.8k1039237


One Answer:

1

If you are using HTTP the password will be within a POST request method. Since you know the password, follow the relevant TCP stream and search for it. It can be that the password is hashed. The one in your description looks like SHA1. If you want us to have a look, create a test account and upload a packet capture to CloudShark or similar.

answered 24 Sep '15, 06:30

Roland
7642415
accept rate: 13%

1

It would be worth determining if the authentication uses one of the browser schemes or if it's an application-based mechanism. If it's browser based you should see an HTTP status code 401 as a response to the first access to the host.

If you see the 401 you will be using:

  • Basic authentication
  • MD5 hash
  • One of the Integrated Windows Authentication mechanisms - see Wikipedia

If you have no 401s then the web app is handling authentication. This may still use a hash and I must admit your password value looks like a hash such as MD5. Unfortunately you would need to find the seed value to generate, say, an MD5 hash from your password. You may be able to work it out from the login page source code or included JavaScript.

(24 Sep '15, 10:47) PaulOfford
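An added example, not code from any poster in this thread: a Python check for a lab capture that decodes the captured form value, lists the digests matching its length, and tests whether a password you already know (optionally combined with a seed found in the login page source) reproduces it. The function names, the seed "s33d" and the sample token are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

# Digest length in bytes -> hashlib algorithm names with that output size.
DIGEST_SIZES = {16: ["md5"], 20: ["sha1"], 32: ["sha256"], 64: ["sha512"]}

def describe_token(token):
    """Decode a captured form value and list digests matching its length."""
    token = token.strip()
    # Test hex first: hex digits are also valid base64 characters, so
    # base64-decoding a hex digest "succeeds" but yields unrelated bytes.
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", token):
        encoding, raw = "hex", bytes.fromhex(token)
    else:
        try:
            encoding, raw = "base64", base64.b64decode(token, validate=True)
        except ValueError:
            encoding, raw = "unknown", b""
    return {"encoding": encoding, "raw": raw,
            "candidates": DIGEST_SIZES.get(len(raw), [])}

def match_known_password(token, password, seeds=()):
    """Return (algorithm, construction) pairs that reproduce the token
    from a password you already know, optionally combined with a seed
    taken from the login page source (hypothetical helper)."""
    info = describe_token(token)
    pw = password.encode()
    trials = [("password", pw)]
    for seed in seeds:
        s = seed.encode()
        trials += [("seed+password", s + pw), ("password+seed", pw + s)]
    return [(algo, label)
            for algo in info["candidates"]
            for label, data in trials
            if hashlib.new(algo, data).digest() == info["raw"]]

if __name__ == "__main__":
    # Value quoted in the question: 40 hex characters = 20 bytes.
    print(describe_token("8b7cc159a165e6d1dc23c96a83e4822690d737cb")["candidates"])
    # Constructed lab sample: the test password and seed are made up.
    sample = hashlib.sha1(b"s33d" + b"abc123").hexdigest()
    print(match_known_password(sample, "abc123", seeds=["s33d"]))
```

An empty result from match_known_password means none of the tried constructions produced the captured value, so the login page script needs a closer look for how the value is built.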

You can't upload the file here, use cloudshark or some file hosting service.

(25 Sep '15, 12:57) Roland

Hello,

I will close the post, seems too much for me, but I'll retry properly and follow your advice. If I need some help I'll be back.

Thanks a lot.

(28 Sep '15, 01:23) tome80

If a question has been solved for you, please don't mark the title with '[resolves]'!

Instead please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(28 Sep '15, 10:06) Kurt Knochner ♦