View Full Version : Sniff web server traffic - is this possible?



dxi5t
06-27-2008, 06:00 AM
We have a webserver and I've discovered (and informed the relevant people in my company) that the login credentials are being passed in clear text over HTTP.

I demonstrated this by running Wireshark on my laptop and logging into the site, capturing the submitted details. I suppose if I want to demo further I would ask a colleague to log in using a different laptop and I would either sniff the wireless traffic or use ettercap if necessary and catch the details again.

My question is (and I hope it's not a daft one!): how does this vulnerability exist on the internet? I.e. if I was at home behind my home ISP router and I know the IP address of our web server, is it feasible to sniff the traffic going to and from the web server? If so, how would you do it?

If it's not possible then where is the vulnerability?

Thanks

Nico
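What Wireshark shows in the capture described above can be reproduced without Wireshark at all, which is the point: once the frame is on the wire in the clear, pulling the password out of it is a few lines of parsing. The script below is an added example, not code from this thread. It peels Ethernet, IPv4 and TCP headers off a raw frame and returns the form fields from an HTTP POST login. The frame, host names, addresses and credentials are constructed inline (hypothetical values) so it runs offline; in practice the frames would come from a pcap file or a raw socket in promiscuous mode.

```python
"""Extract cleartext HTTP form credentials from a raw Ethernet frame.

Added example for the thread above, not code from the original post.
SAMPLE_POST / SAMPLE_FRAME are constructed test input with hypothetical
addresses and credentials; a real capture would come from a pcap or raw socket.
"""
import struct
from urllib.parse import parse_qs

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_frame(frame: bytes):
    """Peel Ethernet -> IPv4 -> TCP; return (src, dst, sport, dport, payload).

    Returns None for anything that is not a well-formed IPv4/TCP frame.
    """
    if len(frame) < ETH_HDR_LEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    if proto != IPPROTO_TCP or len(ip) < total_len:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_off:]


def extract_credentials(frame: bytes, fields=("username", "password")):
    """Return client, server and the named form fields from an HTTP POST in `frame`.

    Only application/x-www-form-urlencoded bodies are handled, which is the
    case the thread describes: the browser puts the typed password in the
    request body unencrypted, so anyone on the path can read it.
    Returns None if the frame is not a form POST.
    """
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    if not payload.startswith(b"POST "):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    headers = head.decode("latin-1").split("\r\n")
    ctype = next((h for h in headers if h.lower().startswith("content-type:")), "")
    if "application/x-www-form-urlencoded" not in ctype.lower():
        return None
    form = parse_qs(body.decode("latin-1"))   # percent-decodes the values
    creds = {f: form[f][0] for f in fields if f in form}
    return {"client": f"{src}:{sport}", "server": f"{dst}:{dport}", **creds}


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Wrap `payload` in minimal Ethernet/IPv4/TCP headers (constructed test input).

    Checksums are left at zero; the parser above does not verify them.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


# Constructed sample: a login POST the way a browser sends it over plain HTTP.
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=nico&password=Summer2008%21"
)
SAMPLE_FRAME = build_frame("192.168.1.50", "203.0.113.10", 51234, 80, SAMPLE_POST)

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_FRAME))
```

Anything that can see the frame (a host on the same hub or wireless network, an ARP-poisoning neighbour on a switch, a compromised router on the path) gets the same result. The fix is the one suggested further down the thread: serve the login over HTTPS, at which point the TCP payload the parser sees is TLS records rather than the form body.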

imported_=Tron=
06-27-2008, 06:44 AM
My question is (and I hope it's not a daft one!): how does this vulnerability exist on the internet? I.e. if I was at home behind my home ISP router and I know the IP address of our web server, is it feasible to sniff the traffic going to and from the web server? If so, how would you do it?

The short answer to your question is that to successfully sniff packets using Wireshark or ettercap you will normally have to be on the inside of the network, meaning that you will not be able to intercept the packets sent to and from your web server from behind your home ISP router.

For the longer version of the answer you might want to read up on GRE sniffing/tunnelling first. But basically what this refers to is creating a tunnel between your router at home and the one at your work through which all packets will be forwarded to you at home.

imported_wyze
06-27-2008, 06:57 AM
We have a webserver and I've discovered (and informed the relevant people in my company) that the login credentials are being passed in clear text over HTTP.

That doesn't sound very bright, to have a non-SSL login system in place.



My question is (and I hope it's not a daft one!): how does this vulnerability exist on the internet? I.e. if I was at home behind my home ISP router and I know the IP address of our web server, is it feasible to sniff the traffic going to and from the web server?

MITM... and this could be done on either side of the connection (i.e., you're with a hosting company with a lazy net admin, who couldn't care less that the server next to yours is sniffing promiscuously :().


For the longer version of the answer you might want to read up on GRE sniffing/tunnelling first. But basically what this refers to is creating a tunnel between your router at home and the one at your work through which all packets will be forwarded to you at home.

YES... ^^ this is the answer - set up a VPN.

dxi5t
06-27-2008, 07:09 AM
Ok thanks guys.

I have to admit, I thought there would be a bigger threat from the internet from the likes of, say, you guys (knowledgeable), but that appears not to be the case.

I don't want to set up a VPN or anything, I just want to identify all the risks as is.

So unless I am on the network and sniffing from there, or I set up a VPN from home, there isn't really a big risk from the casual script kiddie being able to sniff one of these logon credentials?

Nico

cbservices
07-03-2008, 08:13 AM
Ok thanks guys.

So unless I am on the network and sniffing from there, or I set up a VPN from home, there isn't really a big risk from the casual script kiddie being able to sniff one of these logon credentials?

Nico

There are probably a half dozen or more routers between your laptop and the web server. If any of these are compromised, your credentials can be sniffed. If any computer on any subnet between you and the server is compromised, it can be promiscuously sniffing or ARP poisoning, and could sniff your credentials.
If somebody cracks the wireless network at your workplace, they could ARP poison and sniff credentials, or just capture all traffic using wireless monitor mode.
If the server admin is an idiot, and has a virus on his laptop that he plays games with when he should be working, it could be capturing credentials.

etc.
etc.
etc.

There are dozens, if not hundreds of possibilities of ways to sniff user/pass combinations, and saying "There is no risk because you can't compromise me in this specific way" is the most dangerous attitude possible in the security field.
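The ARP poisoning mentioned in the post above is the usual way a compromised machine on a switched subnet gets between a client and the gateway, and it is also the easiest of these attacks to spot from the wire. The script below is an added example, not code from this thread. It walks a sequence of raw ARP frames and raises an alert when an IP address starts answering from a different MAC than the one first learned for it, or when a reply arrives that nobody asked for. The frames and addresses are constructed inline (hypothetical values) so it runs offline; on a real network they would be read from a pcap or a promiscuous raw socket.

```python
"""Flag ARP cache poisoning from a stream of raw ARP frames.

Added example for the thread above, not code from the original post.
SAMPLE_FRAMES and the MAC/IP addresses are constructed test input; the
checks are the classic arpwatch-style ones, not a complete IDS.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = arp[8:14], arp[14:18], arp[18:24], arp[24:28]
    return op, _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a raw Ethernet + ARP frame (constructed test input)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = mac(tha) if op == ARP_REPLY else b"\xff" * 6     # requests are broadcast
    eth = dst + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp


def detect_poisoning(frames):
    """Walk the frames in order and return a list of alert strings.

    Two signals, both of which a poisoning tool produces:
      * an ARP reply for which no matching request was seen (unsolicited);
      * a sender IP whose MAC differs from the one first learned for it.
    """
    learned = {}        # ip -> mac as first seen
    pending = set()     # (requester_ip, asked_for_ip) awaiting a reply
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, tha, tpa = parsed
        if op == ARP_REQUEST:
            pending.add((spa, tpa))
        elif op == ARP_REPLY:
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))
            else:
                alerts.append(f"unsolicited reply: {spa} is-at {sha} sent to {tpa}")
        known = learned.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"MAC change for {spa}: was {known}, now {sha}")
    return alerts


# Constructed scenario: the host at 192.168.1.50 asks for the gateway
# 192.168.1.1, gets the genuine reply from GATEWAY_MAC, then an attacker
# at ATTACKER_MAC sends an unsolicited reply claiming the gateway's address.
GATEWAY_MAC = "aa:00:00:00:00:01"
VICTIM_MAC = "aa:00:00:00:00:50"
ATTACKER_MAC = "aa:00:00:00:00:99"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, "192.168.1.50", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, GATEWAY_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.50"),
    build_arp(ARP_REPLY, ATTACKER_MAC, "192.168.1.1", VICTIM_MAC, "192.168.1.50"),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_FRAMES):
        print(alert)
```

The detector only sees frames on its own broadcast domain, so it catches the "compromised computer on the same subnet" case and nothing on the routers in between. Legitimate gratuitous ARP (a DHCP renewal, a failover cluster moving its virtual IP, a replaced NIC) trips the same checks, so treat an alert as something to investigate rather than proof of an attack. It is a detection control, not a fix: the traffic is still readable by whoever wins the race, which is why the answer is still TLS on the login.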

SBerry
07-03-2008, 10:28 AM
Get the boss to go to Verisign and get himself a cert and a mug of SSL.

Korupt
07-06-2008, 12:59 PM
Why can't I see the first 5 posts in this topic?

EDIT: Oh, never mind, I'm sorry, it's backwards. My bad.

imported_=Tron=
07-06-2008, 01:01 PM
Why can't I see the first 5 posts in this topic?

EDIT: Oh, never mind, I'm sorry, it's backwards. My bad.

Just change the settings under your personal profile if you find the current sorting too confusing.

Korupt
07-06-2008, 01:19 PM
Just change the settings under your personal profile if you find the current sorting too confusing.

Did it, looks much better now, thanks.

thorin
07-07-2008, 11:31 AM
The issue isn't just "skriddies"; it comes down to trust. Can you trust:

1) Your ISP at home?
2) The sysadmins of all the links your traffic traverses?
3) The sysadmins at work?
4) A disgruntled co-worker?
5) Everyone who has access to your home network?

If the answer to any of those is "No" then your plaintext traffic may be at risk.