This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help to extract login information from captured data

0

I tried to extract the login information of a Windows application game, such as the login portal and login data, but I am confused about where it is located.

https://drive.google.com/file/d/0Bwx9g-l32Xo0VTFWQXdEdXJJR2M/view?usp=sharing

asked 28 Jan '17, 02:14


yyk
accept rate: 0%


One Answer:

0

A little more context might be helpful to understand what is supposed to happen. We could then focus on expectations to figure out where the information is.

The trace provided has a single TCP connection with some interesting information. If you right-click on one of the TCP packets and choose Follow TCP Stream (or use the display filter: tcp.stream eq 0), you see:

POST /growtopia/server_data.php HTTP/1.0
Accept: */*
Host: growtopia1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

version=2%2E44&platform=0&protocol=26

HTTP/1.1 200 OK
Date: Sat, 28 Jan 2017 10:00:14 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 312
Connection: close
Content-Type: text/html; charset=UTF-8

server|209.59.190.105
port|17092
type|1
#maint|Server is currently down for `4scheduled maintenance``. Sadly, this will probably take around four hours. Follow @growtopiagame.com on twitter for info! #hurryupseth
beta_server|growtopiagame.com
beta_port|27003
beta_type|1
meta|124.13.121.122
RTENDMARKERBS1001

The interesting piece (which I bolded) is the #maint line. Is the issue that you can't get in, so you are trying to troubleshoot? If so, this might be the root cause.

If the issue is something else, please provide more detail. There is some UDP traffic to the same host as the TCP connection, so I can't discount that this may have additional information that you may be after. I would expect, however, that login occurs over TCP, preferably over HTTPS for encryption, but I see regular port-80 HTTP traffic here.

answered 28 Jan ‘17, 04:52


Bob Jones
accept rate: 21%
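The HTTP exchange in the answer above is a bootstrap: the server_data.php reply tells the client which host and port the game (and therefore the login) traffic goes to, and the TCP connection on port 80 never carries the credentials itself. The following added example (not code from the original post or from the game) parses that reply text and turns each endpoint it names into a Wireshark display filter, so the UDP traffic the answer mentions can be isolated. The reply body is copied from the answer, laid out one field per line; that layout, the RTENDMARKERBS1001 terminator, and the key names are taken as they appear in the trace and are assumptions about the format, not documentation of it.

```python
"""Parse the server_data.php reply seen in the capture and derive Wireshark
display filters for the game channel it points the client at.

Added example: the SERVER_DATA text is copied from the Follow TCP Stream
output in the answer; the one-field-per-line layout and field meanings are
assumptions made from that single capture."""
import re

# Response body as shown in the answer (constructed here from that text).
SERVER_DATA = """server|209.59.190.105
port|17092
type|1
#maint|Server is currently down for `4scheduled maintenance``. Sadly, this will probably take around four hours. Follow @growtopiagame.com on twitter for info! #hurryupseth
beta_server|growtopiagame.com
beta_port|27003
beta_type|1
meta|124.13.121.122
RTENDMARKERBS1001"""

END_MARKER = "RTENDMARKERBS1001"  # terminator seen at the end of the body


def parse_server_data(body: str) -> dict:
    """Split key|value lines into a dict, stopping at the end marker.

    Only the first '|' separates key from value, so a value containing
    '|' (or backticks, as the #maint text does) is kept intact. Lines
    without a separator are ignored."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if line == END_MARKER:
            break
        if "|" not in line:
            continue
        key, _, value = line.partition("|")
        fields[key] = value
    return fields


def game_endpoints(fields: dict) -> list:
    """Return the (host, port) pairs the client is told to connect to.

    The pairing of 'server' with 'port' and 'beta_server' with 'beta_port'
    is an assumption from the field names in the capture."""
    endpoints = []
    for host_key, port_key in (("server", "port"), ("beta_server", "beta_port")):
        if host_key in fields and port_key in fields:
            endpoints.append((fields[host_key], int(fields[port_key])))
    return endpoints


def is_ipv4(host: str) -> bool:
    return re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", host) is not None


def display_filter(host: str, port: int) -> str:
    """Build a Wireshark display filter isolating traffic to that endpoint.

    The answer notes UDP traffic to the same host as the TCP connection, so
    both transports are matched on the port. A hostname cannot be resolved
    offline, so only a literal IPv4 address gets an ip.addr clause."""
    if is_ipv4(host):
        return f"ip.addr == {host} && (tcp.port == {port} || udp.port == {port})"
    return f"tcp.port == {port} || udp.port == {port}"


if __name__ == "__main__":
    fields = parse_server_data(SERVER_DATA)
    print("maintenance notice:", fields.get("#maint", ""))
    for host, port in game_endpoints(fields):
        print(f"{host}:{port} -> {display_filter(host, port)}")
```

Paste the printed filter for 209.59.190.105 into the Wireshark filter bar to see only the game channel; if the login is carried there, it will be in those UDP packets rather than in tcp.stream 0.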

Additionally, it is highly unlikely the username/password will be submitted in plain text. I am sure when the server application facilitates the login, it will do so after a TLS session is established.

(28 Jan ‘17, 13:32) Rooster_50
2
(28 Jan ‘17, 13:59) Christian_R

Hi, this HTTP request just loads the announcement, because I can still log in even though it says the server is in maintenance. I am not sure how it transfers the data, but there seems to be no HTTP/HTTPS request doing it. This log was started before login and stopped after the game logged in, so it should contain the data exchange between the server and my computer.

(31 Jan ‘17, 07:06) yyk