Wireshark - Interception of the password. Part 2

  • In a previous article, we found out where Wireshark came from and what it is. There will be practice here, we will intercept passwords.

    Let's get started.

    We launch:

    sudo wireshark
    We choose our interface through which we plan to intercept passwords. In my case it is «enp0s29u1u6c4i2»

    We went to Wireshark.

    Next, we should go to any site where there is a "Login" and "Password".

    Log in to the site.

    And we write the filter:

    http.request.method == POST

    Press Enter.
    We click on each package, I have it wp-login.php

    Each time you check, the contents of the packages are at the bottom.

    Are looking for:

    HTML Form URL Encoded:
    Click on it.
    ) log - This is the login.

    1. pwd - This is the password.

    There are encrypted passwords.

    Use this site:


    This site determines the encoding and decrypts the password.

    Wow! We intercepted the login and password from the site, but it is on the HTTP protocol.
    What if the HTTPS protocol?

    I have 3 options for you.
    1 option.

    Connect to the disconnection of the connection between the user and the server and capture traffic at the time of establishing the connection (SSL Handshake). At the time of connection, you can intercept the session key.
    Option 2.

    You can decrypt HTTPS traffic using the session key log file written by Firefox. To do this, the browser must be configured to write these encryption keys to the log file, and you should get this log file. Essentially, you need to steal a session key file from another user's hard drive (which is illegal). Well, then capture the traffic and apply the received key to decrypt it.

    We are talking about the web browser of a person who is trying to steal a password. If we mean decrypting our own HTTPS traffic and want to practice, then this strategy will work. If you try to decrypt HTTPS traffic of other users without access to their computers, this will not work - for that it is both encryption and personal space.

    After receiving the keys in option 1 or 2.

    Go to the menu:

    Edit - Preferences - Protocols - SSL

    Set the flag:

    Reassemble SSL records spanning multiple TCP segments


    RSA keys list

    And click Edit.

    Enter the data in all the fields and prescribe the path to the file with the key.
    3 option.

    Get access to the web server used by the user and get the key. But this is even more challenging. In corporate networks, for the purpose of debugging applications or content filtering, this option is implemented on a legal basis, but not for the purpose of intercepting user passwords.

    In 3 parts, we will analyze traffic.

Log in to reply

Login in your account to Start Chat