Today on HakTip, Shannon explains how to tell in Wireshark if a site is transmitting your username and password in plain text when you log in.
When I log into Twitter, everything is supposed to go through SSL (HTTPS) encryption. If that is so, I shouldn't see any plain-text passwords roaming about in Wireshark. A site is said to send credentials in plain text whenever it serves up your password for all to see, with no encryption. A website should NEVER do this, but the general public has no way of telling whether one does, so I always recommend using a password manager for most sites and a different, randomly generated password for every site.
When I log into Wireshark, I get a bunch of TCP transactions. I know these are from Twitter, because I did a quick 'whois' lookup on the IP address (just stick the IP address in your search bar with "whois" and it should tell you who it belongs to). Under the Info column, I found a bunch of packets that start with '433'. 433 is associated with SSL over HTTP. Okay, we've found the log-in process...
Next we can look for a packet that says "Application Data" in the Info field. There's a section called Secure Sockets Layer in the middle window, and if I expand this area all the way, I should see a line of encrypted data. These packets are the unreadable SSL version of your username and password being transmitted to Twitter.
Now for some plain-text fun. I found a site that serves up your username and password in plain text. First, notice how it defaults to HTTP instead of HTTPS. Now, when we log in, we get a bunch of HTTP packets flowing. One says Customer Account Login Post. Click on this one, scroll down to the bottom of the middle section, and notice how you can see my password.
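The two cases above (an encrypted "Application Data" record versus a cleartext HTTP login POST) can be told apart programmatically from the raw TCP payload, which is what Wireshark shows at the bottom of the middle pane. The following is an added example, not code from the HakTip episode or from Wireshark: it classifies a payload as TLS or plain HTTP from its first bytes, and for plain HTTP form posts it reports which form fields look like credentials. Both sample payloads, the host name, the `/customer/account/loginPost` path and the field names are constructed for the example and do not come from any real capture.

```python
import re
from urllib.parse import parse_qs

# --- Constructed sample payloads (not real captures) ---------------------
# A TLS record as seen after the handshake: content type 0x17 (Application
# Data), version 0x0303 (TLS 1.2), 2-byte length, then opaque ciphertext.
# This stands in for the "Application Data" packets in the Twitter capture.
TLS_APPLICATION_DATA = bytes.fromhex("17 03 03 00 10") + bytes(range(0x90, 0xA0))

# A cleartext form login over HTTP, standing in for the "Customer Account
# Login Post" packet.  The body is built first so Content-Length is exact.
_LOGIN_BODY = b"login[username]=alice&login[password]=hunter2"
HTTP_LOGIN_POST = (
    b"POST /customer/account/loginPost HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_LOGIN_BODY)).encode() + b"\r\n"
    b"\r\n" + _LOGIN_BODY
)

# Form field names that usually carry a secret.  Heuristic, not exhaustive.
CREDENTIAL_FIELD = re.compile(r"pass(word|wd)?|pwd|secret|token", re.IGNORECASE)

_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n"
)


def classify_payload(data: bytes) -> str:
    """Label a TCP segment payload as 'tls', 'http' or 'other'.

    A TLS record starts with a content-type byte (0x14-0x17) followed by a
    0x03 0x0X version; a cleartext HTTP request starts with a request line.
    """
    if (
        len(data) >= 5
        and data[0] in (0x14, 0x15, 0x16, 0x17)
        and data[1] == 0x03
        and data[2] <= 0x04
    ):
        return "tls"
    if _HTTP_REQUEST_LINE.match(data):
        return "http"
    return "other"


def find_plaintext_credentials(data: bytes) -> list[str]:
    """Return the names of form fields in a cleartext HTTP POST that look like
    credentials.  TLS payloads and non-form requests yield an empty list."""
    if classify_payload(data) != "http":
        return []
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return []  # headers not complete in this segment
    headers = head.decode("latin-1").lower()
    if "application/x-www-form-urlencoded" not in headers:
        return []
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return sorted(name for name in fields if CREDENTIAL_FIELD.search(name))


def audit_segments(segments: list[tuple[int, bytes]]) -> list[str]:
    """Walk (destination port, payload) pairs and report every segment that
    carries credential-looking fields without TLS protection."""
    findings = []
    for port, payload in segments:
        fields = find_plaintext_credentials(payload)
        if fields:
            findings.append(
                f"port {port}: credential fields sent in plain text: {', '.join(fields)}"
            )
    return findings


if __name__ == "__main__":
    sample = [(443, TLS_APPLICATION_DATA), (80, HTTP_LOGIN_POST)]
    for line in audit_segments(sample):
        print(line)
```

In Wireshark itself the same triage is a display filter away: `http.request.method == "POST"` lists the cleartext form posts so you can check their bodies the way the episode does, while TLS traffic only ever shows the opaque Application Data records.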
Let me know what you think. Send me a comment below or email us at firstname.lastname@example.org. And be sure to check out our sister show, Hak5, for more great stuff just like this. I'll be there, reminding you to trust your technolust.