
Faking credentials



Hi everyone

I've been having fun with capturing and analyzing packets the other day. I realized that while basic HTTP authentication and POP connection usernames and passwords appear just as plain text in the pcap software, more advanced protocols make it more difficult, if not impossible.

I started wondering: while we might not be able to decrypt the TCP stream to extract the useful data, maybe we don't need to? Since we already have the encrypted credentials (or a cookie ID, not sure if I understand perfectly how this works), maybe we could start a connection with the server and just feed it the same packet we've already got?

I captured the traffic of myself logging in to some services and then used netcat to open up a connection to the hosts. I pasted the HTTP GET requests I captured with Wireshark, but unfortunately all I got was Bad Request responses :( I did fail to achieve any positive results even though I tried a lot, but I still think it's quite a good idea, and maybe some of you more savvy hak5ers could give it a go or explain to me why I'm wrong and this will never work?


A good encryption algorithm will make known-plaintext attacks unsuccessful. XOR is an example of an algorithm that is vulnerable to such attacks.

e.g. our plaintext is 00001111 (just because), our key is 11001100 (why not); XOR = 11000011. Let's say that the first nibble is always zero and we know this; we can deduce that the first nibble of the key is 1100 because 0000 XOR 1100 = 1100. We have therefore, in this example, halved the remaining key length.
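The nibble calculation above, worked through in code as an added example that is not part of the reply. It reproduces the post's one-byte case and then generalises it to a repeating XOR key: if an analyst can guess the first few bytes of a message (protocol headers are usually predictable), those guessed bytes XORed with the ciphertext give the key bytes directly, and the rest of the message falls out. The key, message and header guess below are constructed sample values.

```python
# Added example (not from the thread): known-plaintext recovery of an XOR key.
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats if it is shorter than the data."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def high_nibble_of_key(cipher_byte: int, known_high_nibble: int = 0b0000) -> int:
    """The post's one-byte case: if the high nibble of the plaintext is known
    to be 0000, XORing it with the ciphertext's high nibble yields the key's
    high nibble (1100 for ciphertext 11000011)."""
    return ((cipher_byte >> 4) ^ known_high_nibble) & 0xF


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int):
    """Generalised case: with a known plaintext prefix at least key_len bytes
    long, every key byte is ciphertext ^ plaintext at that position. Returns
    None when the known prefix (or the ciphertext) is too short for the key."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        return None
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed sample: a message whose first line is predictable, XORed with a
# hypothetical 8-byte repeating key. None of these values come from the thread.
SAMPLE_KEY = bytes.fromhex("cca5137e019942d0")
SAMPLE_PLAINTEXT = b"GET / HTTP/1.1\r\nCookie: session=constructed-sample\r\n\r\n"
KNOWN_PREFIX = b"GET / HTTP/1.1\r\n"  # the part an analyst could guess


def demo():
    """Encrypt the sample, recover the key from the guessed prefix alone, and
    decrypt everything else. Returns (recovered_key, recovered_plaintext)."""
    ciphertext = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key = recover_key(ciphertext, KNOWN_PREFIX, len(SAMPLE_KEY))
    return key, xor_bytes(ciphertext, key)


if __name__ == "__main__":
    print(f"key high nibble: {high_nibble_of_key(0b11000011):04b}")
    key, plaintext = demo()
    print(key.hex(), plaintext)
```

The leverage comes entirely from the key repeating: once the 16-byte header guess covers the 8-byte key, the remaining 40 bytes cost nothing. A one-time key as long as the message and never reused gives up only the key bytes under the guessed prefix, which are never used again, and a modern authenticated cipher gives up nothing at all.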


All you need to do is to talk the same protocol as the daemon you are talking to. To request a web page from a web server you would do

nc target.com 80
GET / HTTP/1.1

If you wanted to pass a lot more headers, including cookies, you could do

nc target.com 80
GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv: Gecko/20091028 Iceweasel/3.5.4 (Debian-3.5.4-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Cookie: cookie_name=9d1d3880a422222222222222222222222;
Proxy-Connection: keep-alive

Note: in both situations you need the final empty line.

Some protocols allow you to replay traffic, others don't. HTTP and SMTP are ones that do, HTTPS doesn't.

Do some reading up on protocols and you'll find out a lot.
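The framing the reply describes, as an added example that is not part of the thread: a builder that emits a raw HTTP/1.1 request with CRLF line endings, a Host header and the empty line that ends the header block, next to a minimal server-side parser that answers 400 for the things a server rejects (no terminating blank line, a malformed request line, a header without a colon, or HTTP/1.1 without Host). The host name is the reply's own `target.com`; the cookie value is constructed.

```python
# Added example (not from the thread): raw HTTP request framing and the
# minimal checks a server applies before it answers anything but 400.
CRLF = b"\r\n"


def build_request(method, path, host, headers=None, version="HTTP/1.1"):
    """Request line, Host, any extra headers, then the empty line that ends
    the header block. Without that final CRLF CRLF the server keeps waiting
    for more headers and never processes the request."""
    lines = [f"{method} {path} {version}", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in (headers or {}).items()]
    return CRLF.join(line.encode("ascii") for line in lines) + CRLF + CRLF


def parse_request(raw):
    """Minimal server-side parse. Returns (200, headers) for a well-formed
    head and (400, None) otherwise. Bare LF is tolerated, which RFC 7230
    section 3.5 permits a recipient to do."""
    norm = raw.replace(CRLF, b"\n")
    head, terminator, _body = norm.partition(b"\n\n")
    if not terminator:
        return 400, None  # header block never terminated
    request_line, *header_lines = head.split(b"\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return 400, None  # malformed request line
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return 400, None  # header line without "name:"
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if parts[2] == b"HTTP/1.1" and "host" not in headers:
        return 400, None  # RFC 7230 section 5.4: Host is mandatory in HTTP/1.1
    return 200, headers


if __name__ == "__main__":
    req = build_request("GET", "/", "target.com",
                        {"Cookie": "cookie_name=constructed-value"})
    print(req)
    print(parse_request(req))        # (200, {...})
    print(parse_request(req[:-2]))   # (400, None): final blank line missing
```

Two things the parser makes visible: the request is only complete once the empty line arrives, and HTTP/1.1 needs a Host header even for the two-line request in the first nc example (HTTP/1.0 does not). Anything pasted into nc that breaks either rule gets the 400 the original poster saw, before the server ever looks at a cookie.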

