
Thread: wireshark question

  1. #1
    Junior Member
    Join Date
    Nov 2006
    Posts
    37

    Default wireshark question

    OK, I've been messing around with wireshark for a while now and I had a question about some sites I was having problems pulling user names and passwords from. I get the info I need from a lot of other sites, like this site encrypts passwords with md5, but what about other sites like myspace? Does anyone know what encryption they use, or some of the common post form encryptions that other sites are using?

  2. #2
    Itssid
    Guest

    Default

    You have to use the MITM attack (man or monkey in the middle, using some other tool like ettercap or arpspoof, and then capture the data in wireshark). There is a good thread here that has a tutorial on this.

  3. #3
    Junior Member
    Join Date
    Nov 2006
    Posts
    37

    Default

    I was running ettercap with commands: check unified sniffing ctrl-s, mitm arp poisoning, sniff remote, start sniffing. Then I opened up wireshark, configured my adapter settings, added the wep key and started getting http packets. I looked in the post packets and at the data line and it says username= real name passwords=asfdasdfhuehgtjdshgusdgtfuegugs. I know this isn't the real password because it is my account, I just don't know how they're encrypting it.

    P.S. That's not the real username and password that I got out of wireshark, I just made it up.

  4. #4
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default

    Quote Originally Posted by escabar
    I was running ettercap with commands: check unified sniffing ctrl-s, mitm arp poisoning, sniff remote, start sniffing. Then I opened up wireshark, configured my adapter settings, added the wep key and started getting http packets. I looked in the post packets and at the data line and it says username= real name passwords=asfdasdfhuehgtjdshgusdgtfuegugs. I know this isn't the real password because it is my account, I just don't know how they're encrypting it.

    P.S. That's not the real username and password that I got out of wireshark, I just made it up.

    If you wanna view your capture with wireshark, and read it correctly... you MUST use airdecap-ng to strip off the encryption so you can see the "real" passwords.

  5. #5
    Junior Member
    Join Date
    Nov 2006
    Posts
    37

    Default

    OK, so I did a capture with airodump-ng -w out -c 6
    then did airdecap-ng -e **** -w***** out-01.cap
    then opened it in wireshark. I didn't see anything different than when I just did the whole thing with just wireshark. Did I miss something?

  6. #6
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

    Here you go.

    http://www.security-freak.net/tools/...rdecap-ng.html


    pureh@te = supa spoon feeda

  7. #7
    Senior Member imported_spankdidly's Avatar
    Join Date
    Feb 2006
    Posts
    1,031

    Default

    Quote Originally Posted by pureh@te View Post
    Here you go.

    http://www.security-freak.net/tools/...rdecap-ng.html


    pureh@te = supa spoon feeda
    Should change your name to PureFeeda! haha j/k
    I felt like bending the bars back, and ripping out the window frames and eating them. yes, eating them! Leaping, leaping, leaping! Colonics for everyone! All right! You dumb*sses. I'm a mental patient. I'm *supposed* to act out!

  8. #8
    Junior Member
    Join Date
    Nov 2006
    Posts
    37

    Default

    Thanks supa spoon feeda haha, but I think we might have had a miscommunication. I would like to give up on this because it's not that important, but I don't work that way; now I have to figure this out or it will drive me crazy for the rest of my days. I checked out the link you posted but it didn't really help, I have already done that. I also checked out a real good vid on the milworm site on ettercap. I'm just restating what I've done, maybe I left something out last time or misworded it:

    OK, I used ettercap and did the arp stuff, and I did it successfully. I was able to capture my facebook, hotmail, yahoo mail, and a few others. However, I noticed it didn't work with myspace, because obviously it doesn't use https; I guess they just use an encryption in their sign-in form or something, I'm not sure. So I opened wireshark and then entered my wep key into the i802.1 protocol config and started my capture. I went to a webpage with a known non-encryption and caught it; the data line clearly outputted my real user name and password in plain text. So I did it with myspace, and the data line clearly output my user name in clear text but the password was encrypted, giving me the conclusion that the myspace login form encrypts the password but not the user name, meaning to me that I can use decap all I want but it's not going to decrypt that password. With that being said, could you give me any more pointers? I'm not looking to be spoon-fed (that's still pretty funny to me), just a little help, that's all. And I was wondering if you had tried this with myspace. I saw in some of the tuts that they said it worked with myspace, but I think they might have redone their webpage after the tut was posted or something.

    P.S. Sorry for such a long post about this subject but it's driving me crazy.

  9. #9
    Member
    Join Date
    Nov 2007
    Posts
    220

    Default

    Can't find it at a quick glance so can't post a link, but I read something a bit back; thought it was on irongeek but could be wrong.

    In a sense they cracked encrypted passwords by cheating. What they did was alter the form on the page going to the victim; the form now has a username field, a password field (that is encrypted using javascript on each keypress) and a hidden text field. They also altered the javascript by adding a function so that when the password field box experienced a keypress the hidden text box received the character, but normally.

    When the 'victim' submitted the form they sent back the username, encrypted password and a separate html hidden input with the password in clear text.

    Then on the way out I presume they stripped out the hidden field, but that's a guess, can't remember that bit.

    Just split up from a 5 1/2 relationship so not in the mood to go searching, but you get the idea.

    I think I'm OK to post this; if not, by all means delete the post.
    wtf?
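
Seen from the defending side, the form tampering described in the post above shows up as an input the site never shipped. The following is an added example, not part of the original thread: a Python check that compares a served login page against a known-good copy. The sample pages, field names and `example.test` URL are constructed.

```python
from html.parser import HTMLParser

# Constructed sample pages (not from the thread); names and URL are assumptions.
BASELINE = """<form action="https://login.example.test/auth" method="post">
<input type="text" name="username"><input type="password" name="password">
</form>"""
TAMPERED = """<form action="https://login.example.test/auth" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="hidden" name="pw_copy">
</form>"""

class FormInputs(HTMLParser):
    """Collect (type, name) of every <input> and the action of every <form>."""
    def __init__(self):
        super().__init__()
        self.inputs = set()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            self.inputs.add((kind, a.get("name") or ""))

def parse_form(html):
    parser = FormInputs()
    parser.feed(html)
    return parser

def audit_login_page(baseline_html, served_html):
    """Return findings for inputs absent from the baseline and non-HTTPS actions."""
    base, seen = parse_form(baseline_html), parse_form(served_html)
    findings = []
    for kind, name in sorted(seen.inputs - base.inputs):
        findings.append(f"unexpected input type={kind} name={name!r}")
    for action in seen.actions:
        if not action.lower().startswith("https://"):
            findings.append(f"form action not absolute https: {action!r}")
    return findings

if __name__ == "__main__":
    for finding in audit_login_page(BASELINE, TAMPERED):
        print(finding)
```

A form served and submitted over HTTPS is what keeps an on-path host from rewriting the page in the first place; the comparison only reports that a rewrite happened.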

  10. #10
    Junior Member
    Join Date
    Nov 2006
    Posts
    37

    Default

    Thanks for the input. I knew they were doing it with java, just not sure how. The home page source code for the login is a javascript. Now just gotta figure out how java is encrypting it!
