Thread: Sniff web server traffic - is this possible?

  1. #1
    Just burned his ISO dxi5t's Avatar
    Join Date
    Feb 2010
    Posts
    15

    Default Sniff web server traffic - is this possible?

    We have a webserver and I've discovered (and informed the relevant ppl in my company) that the login credentials are being passed in clear text over HTTP.

    I demonstrated this by running Wireshark on my laptop and logging into the site - capturing the submitted details. I suppose if I want to demo further I would ask a colleague to log in using a different laptop and I would either sniff the wireless traffic or use ettercap if necessary and catch the details again.

    My question is (and I hope it's not a daft one!) is how does this vulnerability exist on the internet i.e. if I was at home behind my home ISP router and I know the IP address of our web server - is it feasible to sniff the traffic going to and from the web server? - if so, how would you do it?

    If it's not possible then where is the vulnerability?

    Thanks

    Nico

  2. #2
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    My question is (and I hope it's not a daft one!) is how does this vulnerability exist on the internet i.e. if I was at home behind my home ISP router and I know the IP address of our web server - is it feasible to sniff the traffic going to and from the web server? - if so, how would you do it?
    The short answer to your question is that to successfully sniff packets using wireshark or ettercap you will normally have to be on the inside of the network, meaning that you will not be able to intercept the packets sent to and from your web server from behind your home ISP router.

    For the longer version of the answer you might want to read up on GRE sniffing/tunnelling first. But basically what this refers to is creating a tunnel between your router at home and the one at your work through which all packets will be forwarded to you at home.
    -Monkeys are like nature's humans.

  3. #3
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by Nico View Post
    We have a webserver and I've discovered (and informed the relevant ppl in my company) that the login credentials are being passed in clear text over HTTP.
    That doesn't sound very bright to have a non SSL login system in place

    Quote Originally Posted by Nico View Post
    My question is (and I hope it's not a daft one!) is how does this vulnerability exist on the internet i.e. if I was at home behind my home ISP router and I know the IP address of our web server - is it feasible to sniff the traffic going to and from the web server?
    MITM... and this could be done on either side of the connection (i.e., you're with a hosting company with a lazy net admin, who could care less that the server next to yours is sniffing promiscuously ).

    Quote Originally Posted by =Tron= View Post
    For the longer version of the answer you might want to read up on GRE sniffing/tunnelling first. But basically what this refers to is creating a tunnel between your router at home and the one at your work through which all packets will be forwarded to you at home.
    YES... ^^ this is the answer - set up a VPN.
    dd if=/dev/swc666 of=/dev/wyze

  4. #4
    Just burned his ISO dxi5t's Avatar
    Join Date
    Feb 2010
    Posts
    15

    Default

    Ok thanks guys.

    I have to admit, I thought there would be a bigger threat from the internet from the likes of say you guys (knowledgeable), but that appears not to be the case.

    I don't want to set up VPN or anything, I just want to identify all the risks as is.

    So unless I am on the network and sniffing from there? - or I set up a VPN from home?, then there isn't really a big risk from the casual script kiddie of being able to sniff one of these logon credentials?

    Nico

  5. #5
    Just burned his ISO
    Join Date
    Jun 2006
    Posts
    11

    Default Never say never.....

    Quote Originally Posted by Nico View Post
    Ok thanks guys.

    So unless I am on the network and sniffing from there? - or I set up a VPN from home?, then there isn't really a big risk from the casual script kiddie of being able to sniff one of these logon credentials?

    Nico
    There are probably a half dozen or more routers between your laptop and the web server. If any of these are compromised, your credentials can be sniffed. If any computer on any subnet between you and the server is compromised, it can be promiscuously sniffing or ARP poisoning, and could sniff your credentials.
    If somebody cracks the wireless network at your workplace, they could ARP poison and sniff credentials, or just capture all traffic using wireless monitor mode.
    If the server admin is an idiot, and has a virus on his laptop that he plays games with when he should be working, it could be capturing credentials.

    etc.
    etc.
    etc.

    There are dozens, if not hundreds of possibilities of ways to sniff user/pass combinations, and saying "There is no risk because you can't compromise me in this specific way" is the most dangerous attitude possible in the security field.

  6. #6
    Junior Member SBerry's Avatar
    Join Date
    Dec 2007
    Posts
    94

    Default

    Get the boss to go to Verisign and get himself a cert and mug of ssl

  7. #7
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    22

    Default

    why can't I see the first 5 posts in this topic?

    EDIT: ohh never mind, I'm sorry, it's backwards, my bad

  8. #8
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by Korupt View Post
    why can't I see the first 5 posts in this topic?

    EDIT: ohh never mind, I'm sorry, it's backwards, my bad
    Just change the settings under your personal profile if you find the current sorting too confusing
    -Monkeys are like nature's humans.

  9. #9
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    22

    Default

    Quote Originally Posted by =Tron= View Post
    Just change the settings under your personal profile if you find the current sorting too confusing
    did it, looks much better now thanks

  10. #10
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    The issue isn't just "skriddies" it comes down to trust, can you trust:

    1) Your ISP at home?
    2) The SysAdmins of all the links your traffic traverses?
    3) The SysAdmins at work?
    4) A disgruntled co-worker?
    5) Everyone who has access to your home network?

    If the answer to any of those is "No" then your plaintext traffic may be at risk.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
