This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture and decode/decrypt packets sent between another laptop and the firewall?

0

Hello,

I'm totally new here and also new to Wireshark. I don't speak English natively, so my apologies for my bad English.

As ICT employee at an elementary school I recently discovered unauthorized access (unknown MAC - not from a school pc) to our firewall through one of the admin accounts. Using Wireshark I have been able to track down the packets sent during this unauthorized access, but unfortunately Wireshark couldn't retrieve the credentials so I don't know which admin account is compromised. I encountered the output "application/x-www-form-urlencoded". Regrettably I haven't been able yet to find out how to unveil the used login and password.

Can somebody please tell me how to decode or decrypt the "application/x-www-form-urlencoded" output in Wireshark?

edit: cropped screenshot removed due to security reasons.

Thanks a lot in advance.

Kind regards.

asked 30 Nov '16, 11:58


Ikke
accept rate: 0%

edited 04 Dec '16, 09:03


One Answer:

0

Assuming that the username and password entered are in the form items "un" and "pw" respectively, they look like Base64 encoded values to me.

Decoding them is trivial, e.g. using this Base 64 decoder. I won't post the actual values here in case you still need to secure the account, but anyone else looking at your image could easily do so, so best to secure that account ASAP.

Whatever system is producing these login pages seems very insecure to me (hopefully it's protected by a TLS tunnel) as Base64 encoding is NOT encrypting the credentials.

answered 30 Nov '16, 12:29


grahamb ♦
accept rate: 22%
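As an added example (not code from the answer, the asker, or Wireshark), this Python script does what the answer describes for one captured request: it checks that the Content-Type is application/x-www-form-urlencoded, URL-decodes the "un" and "pw" fields, Base64-decodes them, and reports which account was used and that the password was recoverable from the body. The request text, host name and field values are constructed for this example; the field names "un" and "pw" are the answer's assumption.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample, shaped like the POST the question describes: a login
# form sent as application/x-www-form-urlencoded with fields "un" and "pw"
# (the answer's assumed field names). Host and values are made up.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: firewall.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "un=YWRtaW4%3D&pw=U3VwZXJHZWhlaW0x&login=Login"
)


def split_request(raw: str):
    """Split a captured HTTP request into (lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def b64_text(value: str) -> Optional[str]:
    """Decode one form value as Base64 text; None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def audit_login_post(raw: str, user_field="un", pass_field="pw") -> dict:
    """Report which account a captured login POST used and whether the
    password was recoverable from the body (Base64 only, not encrypted)."""
    headers, body = split_request(raw)
    if not headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        return {"form": False}
    fields = parse_qs(body, keep_blank_values=True)   # undoes %3D -> "="
    user = b64_text(fields.get(user_field, [""])[0])
    pw = b64_text(fields.get(pass_field, [""])[0])
    return {
        "form": True,
        "username": user,
        "password_recoverable": pw is not None,
        "password_length": len(pw) if pw else 0,
    }
```

Anyone on the path who can see this body without TLS gets the same result, which is the point the answer makes about Base64 not being encryption.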

Insecure indeed. Anyone with a Dutch (Flemish) dictionary attack would get in.

(30 Nov '16, 22:41) Jaap ♦

Hello,

@grahamb Thanks for the quick reply. After reading the links in your answer, I can confirm that the username and password are indeed Base64 encoded. Since the used credentials are different from my login credentials, I'm sure mine are not compromised. The login page belongs to a Juniper SSG5 firewall (indeed protected by a TLS tunnel).

@grahamb and @Jaap I know this is very insecure. I have already reported this to the ICT administrator. He promised me to take care of it. Since neither our WAN IP nor our MAC address are posted here, should I remove the cropped screenshot in my initial post? My biggest question is now: how has the unauthorized "visitor" managed to give himself an admin login?

Thanks in advance.

Kind regards.

(01 Dec '16, 11:41) Ikke

@Ikke, it's a judgement call for you whether you leave the image up, personally I wouldn't as it does leak sensitive info about your site. If you do remove it, please edit your question to indicate what has happened for others.

(02 Dec '16, 02:44) grahamb ♦