This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark 1.6.2 doesn’t catch http: login. Why not?

0

Hi, I'm trying to catch the packet that contains the data for my home page login. I get the 401 not authorised page and Chrome/IE offer the login box. I put in my username and password but Wireshark doesn't seem to catch it. Can anyone explain please?

asked 06 Oct '11, 09:52

turnbui
1111
accept rate: 0%

How do you know that "Wireshark doesn't seem to catch it"?

(06 Oct '11, 10:26) Jaap ♦

Because I can't find a packet with my username/password in it. It isn't HTTPS so I expect clear text. Also I check the frame number, then press login, then check the frame number again, only to find there are no new frames.

(06 Oct '11, 12:54) turnbui

One Answer:

0

The browser has several methods to prove the user's identity. In most cases the credentials are somewhat obfuscated with one of these methods:

  • Username and password can be encoded in BASE64. Wireshark can decode the credentials. Use the search function and search for a string in the packet details.
  • In a Windows domain you might have Windows integrated authentication. In this configuration the credentials can be sent as an NTLM hash or even as a Kerberos ticket.

These items are found in the client's HTTP request header.

Another option is to trigger a JavaScript that obfuscates the username and password before sending them with a POST to the server. From a security perspective this is quite silly.

Good hunting!

answered 06 Oct '11, 15:52

packethunter
2.1k71548
accept rate: 8%

thanks for the info.

(06 Oct '11, 23:45) turnbui
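
The header check described in the answer above, as an added example that is not part of the original thread: it reads the `Authorization` header of a raw HTTP request, decodes Base64 (Basic) credentials, and recognises an NTLM message instead of a password. The function name, host name and credentials are constructed for illustration.

```python
import base64
import binascii
import struct

def inspect_authorization(raw_request: bytes) -> dict:
    """Find the Authorization header in a raw HTTP request and describe it."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        info = {"scheme": scheme.decode("ascii", "replace").lower()}
        if info["scheme"] not in ("basic", "ntlm", "negotiate"):
            return info  # other schemes (e.g. Digest) do not carry a Base64 token
        try:
            blob = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            info["error"] = "token is not valid Base64"
            return info
        if info["scheme"] == "basic":
            # Basic is an encoding, not encryption: "user:password", split on the FIRST colon.
            user, _, password = blob.partition(b":")
            info["username"] = user.decode("utf-8", "replace")
            info["password"] = password.decode("utf-8", "replace")
        elif blob.startswith(b"NTLMSSP\x00") and len(blob) >= 12:
            # NTLM message type: 1 = negotiate, 3 = authenticate (a response, not the password).
            info["ntlm_message_type"] = struct.unpack_from("<I", blob, 8)[0]
        return info
    return {"scheme": None}  # no credentials were sent in this request

# Constructed sample requests (host and credentials are made up, not captured traffic).
BASIC_REQ = (b"GET / HTTP/1.1\r\nHost: home.example\r\nAuthorization: Basic "
             + base64.b64encode(b"alice:open:sesame") + b"\r\n\r\n")
NTLM_REQ = (b"GET / HTTP/1.1\r\nHost: home.example\r\nAuthorization: NTLM "
            + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + b"\x00" * 4)
            + b"\r\n\r\n")
NO_AUTH_REQ = b"GET / HTTP/1.1\r\nHost: home.example\r\n\r\n"

if __name__ == "__main__":
    for req in (BASIC_REQ, NTLM_REQ, NO_AUTH_REQ):
        print(inspect_authorization(req))
```
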