Results 1 to 10 of 10

Thread: User credentials are not encrypted when they are transmitted?!

Hybrid View

  1. #1
    Just burned his ISO
    Join Date
    Jan 2011
    Posts
    11

    Default User credentials are not encrypted when they are transmitted?!

    I just built the website and then made the security scan by Acunetix Web Vulnerability Scanner which identified some hole in my website: "User credentials are not encrypted when they are transmitted". I guess that it means that someone who is able to monitor my website is able to capture someone's else username as well as password.

    I would like to check this issue myself. Can you recommend me which tools I have to use in order to check this issue?!

    I would like to check from a different computer, run some tools, and then log in with my personal computer in order to see if I can capture the credentials or not?!

  2. #2
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re: User credentials are not encrypted when they are transmitted?!

    I don't know what you call "monitoring your website" but the message means that creds are sent in plain text. A simple Mitm attack or decrypting wpa/wep packets, or capturing packet on an open wifi network would show them clearly.

    You should use ssh to protect them. Well... Even that can be broken with sslstrip.

    Hope this helps !
    Running both KDE and GNOME BT5 flawlessly. Thank you !

  3. #3
    Just burned his ISO
    Join Date
    Jan 2011
    Posts
    11

    Default Re: User credentials are not encrypted when they are transmitted?!

    Which tools can I use in order to get a gateway of my uploaded website? Again, I would like to check if someone can do it from a different IP address?!

  4. #4
    Member macphail's Avatar
    Join Date
    Jun 2010
    Location
    East Coast, USA
    Posts
    164

    Default Re: User credentials are not encrypted when they are transmitted?!

    Quote Originally Posted by alex198555 View Post
    Which tools can I use in order to get a gateway of my uploaded website? Again, I would like to check if someone can do it from a different IP address?!
    Which tools can you use to get "what" again?
    -----------
    ~peace
    MacPhail

  5. #5
    Just burned his ISO
    Join Date
    Feb 2010
    Posts
    23

    Default Re: User credentials are not encrypted when they are transmitted?!

    The simple tool traceroute can help you figure out what exactly your gateway is from the website. And simply watching the link actions while logging in will tell you whether or not encryption is activated. If "https" pops up during log in, then it's there. But I'm guessing you won't see it there because of the scanner you used. And it's probably not that hard to turn on encryption, but I've never put one up.

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: User credentials are not encrypted when they are transmitted?!

    First I suggest using your eyes and brain. Does the login form require the use of SSL (HTTPS) or is it available without SSL (HTTP)? Does the login form action require the use of SSL (HTTPS) or is it available without SSL (HTTP)?

    Second, fireup wireshark or ettercap, access the site via HTTP (not HTTPS) and record yourself logging in, then do a string search on the captured traffic for your username or password.
    Last edited by thorin; 04-26-2011 at 12:51 PM.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  7. #7
    Just burned his ISO
    Join Date
    Jan 2011
    Posts
    11

    Default Re: User credentials are not encrypted when they are transmitted?!

    OK! Let's say I have my own website who has IP of AAAA.AAAA.AAAA.AAAA.

    I check my website with some security scanner and it was figured out that "# User credentials are not encrypted when they are transmitted?!".

    So, my laptop IP has the different IP address from my website like BBBB.BBBB.BBBB.BBBB.

    The question is which tools may I use in order to capture the user credentials?! Which set of tools can be used to check or pen-test if my website is secure?!

    So, I should be able to capture the user credentials from website's IP (AAAA one) by using laptop's IP(BBBB ones).

    Waiting for your recommendations?!

  8. #8
    Just burned his ISO
    Join Date
    Apr 2011
    Posts
    4

    Default Re: User credentials are not encrypted when they are transmitted?!

    Quote Originally Posted by alex198555 View Post
    OK! Let's say I have my own website who has IP of AAAA.AAAA.AAAA.AAAA.

    I check my website with some security scanner and it was figured out that "# User credentials are not encrypted when they are transmitted?!".

    So, my laptop IP has the different IP address from my website like BBBB.BBBB.BBBB.BBBB.

    The question is which tools may I use in order to capture the user credentials?! Which set of tools can be used to check or pen-test if my website is secure?!

    So, I should be able to capture the user credentials from website's IP (AAAA one) by using laptop's IP(BBBB ones).

    Waiting for your recommendations?!
    If your website is safe or not, will depend on the privileges of the hacked account. Maybe just the account will be compromised.

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: User credentials are not encrypted when they are transmitted?!

    @alex198555 try reading! Answers to your questions appear in posts 6, 2, and to some degree 5.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  10. #10
    Good friend of the forums comaX's Avatar
    Join Date
    Feb 2010
    Location
    Paris, France
    Posts
    338

    Default Re : User credentials are not encrypted when they are transmitted?!

    Answer has already been given (cf. my previous post, and other's as well). Maybe it's time for some googling
    Running both KDE and GNOME BT5 flawlessly. Thank you !

Similar Threads

  1. Cached credentials and their salt
    By Kx499 in forum Beginners Forum
    Replies: 6
    Last Post: 02-03-2011, 04:22 AM
  2. Credentials For Using Backtrack
    By hitmen in forum Beginners Forum
    Replies: 3
    Last Post: 07-12-2010, 02:49 PM
  3. Windows 7 User Credentials
    By noopie in forum Experts Forum
    Replies: 1
    Last Post: 04-12-2010, 01:57 PM
  4. Replies: 11
    Last Post: 03-31-2010, 08:22 PM
  5. Cannot user startx with newly created user
    By imported_Zer0|Day in forum OLD BT3final Support
    Replies: 1
    Last Post: 06-25-2008, 01:28 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •