sirgregg Posted November 16, 2009

Hi everyone

I've been having fun with capturing and analyzing packets the other day. I realized that while basic HTTP authentication and POP connection usernames and passwords appear just as plain text in the pcap software, more advanced protocols make it more difficult, if not impossible. I started wondering that while we might not be able to decrypt the TCP stream to extract the useful data, maybe we don't need to? Since we already have the encrypted credentials (or a cookie ID, not sure if I understand perfectly how this works), maybe we could start a connection with the server and just feed it the same packet we've already got?

I captured the traffic of myself logging in to some services and then used netcat to open up a connection to the hosts. I pasted the HTTP GET requests I captured with Wireshark, but all I got was unfortunately Bad Request responses :(

I did fail to achieve any positive results even though I tried a lot, but I still think it's quite a good idea, and maybe some of you more savvy hak5ers could give it a go or explain to me why I'm wrong and this will never work?
Sparda Posted November 16, 2009

A good encryption algorithm will make known-plaintext attacks unsuccessful. XOR is an example of an algorithm that is vulnerable to such attacks.

e.g. Our plain text is 00001111 (just because), our key is 11001100 (why not), XOR = 11000011. Let's say that the first nibble is always zero and we know this; we can deduce that the first nibble of the key is 1100 because 0000 XOR 1100 = 1100. We have therefore, in this example, halved the remaining key length.
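Sparda's XOR illustration worked through in code, as an added example that is not part of the thread. It recovers the key nibble from the post's own numbers, then generalizes the same step to a repeating-key XOR over bytes, where a known prefix such as the start of an HTTP request line gives away every key byte at once. The two-byte key and the message are constructed sample values.

```python
# Added example, not code from the thread. It works Sparda's XOR known-plaintext
# illustration on the post's own numbers, then extends it to a repeating-key XOR
# over bytes, which is how the same weakness shows up in captured traffic.

from typing import Optional

PLAINTEXT = 0b00001111       # "our plain text" from the post
KEY = 0b11001100             # "our key" from the post
CIPHER = PLAINTEXT ^ KEY     # 0b11000011, as in the post


def recover_key_bits(cipher: int, known_plain: int, known_mask: int) -> int:
    """Recover the key bits at the positions set in known_mask.

    With c = p ^ k, the key is k = c ^ p at every bit where p is known.
    Bits outside known_mask are returned as 0 and remain unknown.
    """
    return (cipher ^ known_plain) & known_mask


def unknown_key_bits(total_bits: int, known_mask: int) -> int:
    """Key bits still unknown after the known-plaintext step."""
    return total_bits - bin(known_mask).count("1")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR over bytes; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_from_prefix(cipher: bytes, known_prefix: bytes, key_len: int) -> Optional[bytes]:
    """Recover a repeating key of length key_len from a known plaintext prefix.

    The whole key is recovered once the known prefix covers at least key_len
    bytes; with a shorter prefix only part of the key would be known, and
    None is returned to make that explicit.
    """
    if len(known_prefix) < key_len:
        return None
    return bytes(cipher[i] ^ known_prefix[i] for i in range(key_len))


if __name__ == "__main__":
    # Sparda's example: the first nibble of the plaintext is known to be 0000.
    first_nibble = 0b11110000
    print(f"ciphertext: {CIPHER:08b}")
    print(f"recovered key bits: {recover_key_bits(CIPHER, 0b00000000, first_nibble):08b}")
    print(f"key bits still unknown: {unknown_key_bits(8, first_nibble)}")

    # Byte version with a constructed 2-byte key and a predictable message start.
    key = bytes([0xCC, 0x33])            # constructed sample key
    message = b"GET / HTTP/1.1"          # request line with a known prefix
    ct = xor_bytes(message, key)
    recovered = recover_key_from_prefix(ct, b"GET ", len(key))
    print(f"recovered key: {recovered.hex()}, decrypts to: {xor_bytes(ct, recovered)!r}")
```

In the post's single-byte case, knowing one nibble of plaintext leaves four key bits unknown, which is the "halved the remaining key length" point. With a short repeating key and a predictable header, the known prefix covers the whole key and nothing remains to guess.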
digininja Posted November 17, 2009

All you need to do is to talk the same protocol as the daemon you are talking to. To request a web page from a web server you would do

nc target.com 80
GET / HTTP/1.1

If you wanted to pass a lot more headers, including cookies, you could do

nc target.com 80
GET / HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1.4) Gecko/20091028 Iceweasel/3.5.4 (Debian-3.5.4-1)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Cookie: cookie_name=9d1d3880a422222222222222222222222;
Proxy-Connection: keep-alive

Note, in both situations you need the last empty blank line.

Some protocols allow you to replay traffic, others don't. HTTP and SMTP are ones that do, HTTPS doesn't. Do some reading up on protocols and you'll find out a lot.
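The raw request digininja types into netcat, built and checked in code, as an added example that is not part of the thread. It serializes an HTTP/1.1 GET with CRLF line endings and the terminating empty line the post insists on, and includes a small framing check that reports the usual reasons a hand-pasted request comes back as 400 Bad Request: bare LF line endings, a missing final empty line, or an HTTP/1.1 request without a Host header. The host name, port and cookie value are constructed placeholders; `send_request` is included to show the wire exchange but is not called by default.

```python
# Added example, not code from the thread. Builds the raw HTTP/1.1 request shown
# in digininja's post and checks its framing before anything is sent.

import socket
from typing import Dict, List, Optional

CRLF = "\r\n"


def build_request(host: str, path: str = "/", headers: Optional[Dict[str, str]] = None) -> bytes:
    """Serialize a GET request exactly as it goes on the wire.

    HTTP/1.1 requires a Host header (RFC 7230 section 5.4) and ends the header
    block with an empty line; that empty line is the one the post refers to.
    """
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    lines.append("")  # end of the header block
    lines.append("")  # yields the closing CRLF CRLF once joined
    return CRLF.join(lines).encode("ascii")


def check_request_framing(raw: bytes) -> List[str]:
    """Return the framing problems a server would reject this request for."""
    problems: List[str] = []
    text = raw.decode("ascii", errors="replace")

    # Any newline left after removing proper CRLF pairs is a bare LF.
    if "\n" in text.replace(CRLF, ""):
        problems.append("bare LF line ending (use CRLF)")

    normalized = text.replace(CRLF, "\n")
    if not normalized.endswith("\n\n"):
        problems.append("header block not terminated by an empty line")

    lines = normalized.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        problems.append("malformed request line")

    header_names = set()
    for line in lines[1:]:
        if line == "":
            break
        header_names.add(line.split(":", 1)[0].strip().lower())
    if parts[-1] == "HTTP/1.1" and "host" not in header_names:
        problems.append("HTTP/1.1 request without a Host header")
    return problems


def send_request(host: str, port: int, raw: bytes, timeout: float = 5.0) -> bytes:
    """Send the raw bytes over TCP and return the status line, as nc would show it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw)
        return sock.recv(4096).split(b"\r\n", 1)[0]


if __name__ == "__main__":
    # Constructed values; replace with a host you are authorized to test.
    request = build_request("example.test", "/", {"Cookie": "cookie_name=CONSTRUCTED"})
    print(request.decode("ascii"))
    print("problems:", check_request_framing(request) or "none")

    # What a request pasted with bare LFs, as many terminals produce, looks like to the check.
    pasted = b"GET / HTTP/1.1\nHost: example.test\n\n"
    print("pasted request problems:", check_request_framing(pasted))
    # print(send_request("example.test", 80, request))   # uncomment to send for real
```

Running the check before connecting separates "the server rejected the framing" from "the server rejected the credentials", which is the distinction sirgregg's Bad Request responses left open.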