If your website has a form that asks for a username and password, you need to make sure that all traffic to that form uses HTTPS, in other words that every request and response is encrypted over TLS using a certificate.
Why? Well, take the login box for my website, shown below:
(Screenshot: JAWS LOGIN form)
If you then use a program like Wireshark, which is an Ethernet packet sniffer, you will see the immediate issue shown below:
1. This is the raw packet capture data, which can be seen by any network monitor or sniffer; it shows the flow of data from www.a6n.co.uk to the remote computer:
0 host_ip external_ip TCP 4912 > http [SYN] Seq=0 Win=65535 Len=0 MSS=1460
0.00123 external_ip host_ip TCP http > 4912 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1402
0.001264 host_ip external_ip TCP 4912 > http [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
0.001301 host_ip external_ip HTTP POST /cms/admin.php HTTP/1.1 (application/x-www-form-urlencoded)
0.134971 external_ip host_ip TCP http > 4912 [ACK] Seq=1 Ack=742 Win=64794 Len=0
0.232414 external_ip host_ip TCP [TCP segment of a reassembled PDU]
0.232788 external_ip host_ip TCP [TCP segment of a reassembled PDU]
0.232813 host_ip external_ip TCP 4912 > http [ACK] Seq=742 Ack=2805 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
0.234099 external_ip host_ip HTTP HTTP/1.1 200 OK (text/html)
0.483833 host_ip external_ip TCP 4912 > http [ACK] Seq=742 Ack=3699 Win=64641 [TCP CHECKSUM INCORRECT] Len=0
5.759593 external_ip host_ip TCP http > 4912 [FIN, ACK] Seq=3699 Ack=742 Win=64794 Len=0
5.75963 host_ip external_ip TCP 4912 > http [ACK] Seq=742 Ack=3700 Win=64641 [TCP CHECKSUM INCORRECT] Len=0
2. Find the section where the data is going to be located, which in my case is the TCP segment section:
0.232414 external_ip host_ip TCP [TCP segment of a reassembled PDU]
0.232788 external_ip host_ip TCP [TCP segment of a reassembled PDU]
3. Hidden in the bytes extracted from the packet capture is the following information:
<input type="text" name=" username" id="username" value="Admin" title="Username"/>
Password:
4. Log in using the captured credentials:
WARNING: Yes, this is my website, but no, I do not use (cuz that's stupid) Admin and Password, so do not try this, otherwise your IP will be blocked.
Username : Admin
Password : password
Polite Note: TCP port 4192 is the dynamic remote Apache port that my server assigns to web traffic, so this means the remote computer (you) has a source HTTP port of TCP:4192 and the destination port is always TCP:80... so no, you cannot hack TCP:4192, as this is dynamically opened and closed!
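The steps above show two things a sniffer on the path can see when a login form runs over plain HTTP: the POST body carrying the credentials, and the page itself with the username already filled in. The following script is an added example, not code from the original post or the site it describes; it shows how a defender can check for both from a reassembled TCP payload and from the HTML of the login page. The request bytes, the host name www.example.invalid and the form values are constructed to mirror the POST /cms/admin.php in the capture, and the field-name lists are an assumption about what typical login forms call their inputs.

```python
"""Added example (not from the original post): spot credentials sent in the
clear and audit the login page that serves the form.

The request and HTML below are constructed to mirror the POST /cms/admin.php
seen in the capture; the host name and field values are invented.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Form field names that normally carry a secret (assumed list).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}
# Field names that identify the account; pre-filling these leaks data too.
IDENTITY_FIELDS = {"username", "user", "login", "email"}

# Constructed sample: the reassembled TCP payload a sniffer sees on port 80.
SAMPLE_REQUEST = (
    b"POST /cms/admin.php HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"username=Admin&password=password"
)

# Constructed sample: the login page as returned in the 200 OK response.
SAMPLE_HTML = (
    '<form action="/cms/admin.php" method="post">'
    '<input type="text" name=" username" id="username" value="Admin" title="Username"/>'
    '<input type="password" name="password" id="password" value=""/>'
    '</form>'
)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)  # ValueError if not a request line
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_plaintext_credentials(raw: bytes, dst_port: int):
    """Return findings for secret form fields posted over a non-TLS port.

    Port 443 is skipped: there the payload is TLS ciphertext, which is the
    whole point of the post, and it would not parse as HTTP anyway.
    """
    findings = []
    if dst_port == 443:
        return findings
    try:
        method, path, headers, body = parse_http_request(raw)
    except ValueError:
        return findings  # not an HTTP request line; nothing to inspect
    ctype = headers.get("content-type", "")
    if method != "POST" or not ctype.startswith("application/x-www-form-urlencoded"):
        return findings
    for name in parse_qs(body.decode("latin-1"), keep_blank_values=True):
        if name.strip().lower() in SECRET_FIELDS:
            findings.append({"path": path, "field": name.strip(), "port": dst_port})
    return findings


class _FormAudit(HTMLParser):
    """Collect the two problems visible in the capture: a form whose action
    resolves to plain HTTP, and a credential field pre-filled in the page."""

    def __init__(self, page_scheme: str):
        super().__init__()
        self.page_scheme = page_scheme
        self.issues = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            action = a.get("action", "")
            # A relative action inherits the scheme the page was fetched over.
            scheme = urlsplit(action).scheme or self.page_scheme
            if scheme != "https":
                self.issues.append(f"form action '{action}' resolves to {scheme}, not https")
        elif tag == "input":
            name = a.get("name", "").strip().lower()
            if name in SECRET_FIELDS | IDENTITY_FIELDS and a.get("value"):
                self.issues.append(f"input '{name}' is pre-filled with '{a['value']}' in the page source")


def audit_login_html(html: str, page_scheme: str = "http"):
    """Return the list of issues found in a login page fetched over page_scheme."""
    auditor = _FormAudit(page_scheme)
    auditor.feed(html)
    auditor.close()
    return auditor.issues


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_REQUEST, 80):
        print(f"cleartext secret: field '{f['field']}' posted to {f['path']} on port {f['port']}")
    for issue in audit_login_html(SAMPLE_HTML, "http"):
        print("page issue:", issue)
```

Run against the constructed sample, the first check reports the password field posted to /cms/admin.php on port 80, and the page audit reports both a form that resolves to http and a username input pre-filled with Admin; serving the same page over HTTPS clears the first issue but not the second, which is a separate fix in the page template. The same two functions can be pointed at real reassembled streams exported from Wireshark (Follow TCP Stream, raw) to confirm a site no longer sends its login form in the clear.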
Tags
IT Security