
List:       wireshark-users
Subject:    Re: [Wireshark-users] Webmail password
From:       Martin Visser <martinvisser99 () gmail ! com>
Date:       2010-02-23 5:32:01
Message-ID: b3739b0c1002222132j1253e86al9c8099827cfa7078 () mail ! gmail ! com


The easiest way will be to read the documentation or the source code of the
software being used to run the webmail application. ;-)

There are a number of techniques to send authentication credentials as part
of the HTTP request. Mostly it is encoded in the LIB_SSO_CK and/or LIB_NAME_CK
cookies. (SSO is a TLA that normally stands for Single Sign On.) A pretty
strong likelihood is that when you actually did log in to your webmail,
hopefully via HTTPS (encrypted in SSL), you were presented with those
cookies. You now send those cookies, which the server then matches up to
your previous login sequence. The cookies will be some form of encoded hash
that simply *cannot* be reverse-engineered to find your password. (The fact
that your username appears in plain text might not be the best design, but
it doesn't indicate that the password can be easily discovered. Most webmail
systems of course use the email address as the username, so this is pretty
much par for the course.)

It would be a very bad authentication scheme if you could simply pick out
your password by using Wireshark and with no other prior knowledge (such as
the private keys that are used by the server to encrypt any data sent to
you).


Regards, Martin

MartinVisser99@gmail.com


On Tue, Feb 23, 2010 at 11:51 AM, Relay <relay@slacky.it> wrote:

> Hi everybody, I'm studying Wireshark and I'm trying to sniff my webmail
> password. These are some data that I picked up with it:
> 
> 181445.680284192.168.1.*21*.52.84.153HTTPPOST
> /cp/ps/Main/login/Authenticate?trsId=4524631&rndPrx=0.7080723282452864
> HTTP/1.1  (application/x-www-form-urlencoded)
> 
> with tcp stream:
> 
> GET /cp/ps/Main/loadingInside?d=domain.it&u=user&t=971554d47d100d66
> HTTP/1.1
> Host: mailbeta.domain.it
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4)
> Gecko/2008102920 Firefox/3.0.4
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: http://mailbeta.domain.it/cp/ps/Main/login/AuthenticateReal?callAPITONotify=false&va=1266882504441&d=domain.it&rndPrx=0.30611842451881544&isTestCp=false&u=user&cookieAccepted=yes&trsId=4524631&fromSso=yes&s=1266882504441
> Cookie: JSESSIONID=FA2882B3A2BBEB8225F69FD763EF7D2A;
> Domain=84.13.53.231.1266882471756605;
> __utma=267072147.2053639337.1266882716.1266882716.1266882716.1;
> __utmb=267072147.1.10.1266882716; __utmc=267072147;
> __utmz=267072147.1266882716.1.1.utmcsr=google|utmccn=(organic)|
> utmcmd=organic|utmctr=domain; LIB_ADV_CK=4-1-93-12-0;
> LIB_SSO_CK=NzFhYmU0ZmYwYTQ5NDhiYzliMWY5YTRiNjE5MjRkMTlQ0vC74AjZ315eM4UlCxHlgg0DmffScSSgVQPNBxzfPQ%253D%253D;
> LIB_NAME_CK=NWRlMTZjZDExM2RlNjVkYTZjZjZiNTEwMjcwMzgzZWQ6FsDDEOnrRcrmDFFW9%252Bnw;
> WMAIL=smart; s=1266882504441; rndPrx=_0.30611842451881544; bk=wmail33:8000
> 
> I can see the username, &u=user. But I don't understand what should be the
> password. There isn't a field "password", just a field repeated a lot close to
> the username &u, that is &t=971554d47d100d66. But it isn't my password.
> What do you suggest?
> Thanks for your help
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
> 


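The reply above describes the flow in words: the password is checked once at login, and afterwards the browser presents cookies that the server "matches up to your previous login sequence" without the cookie carrying anything reversible to the password. The following is an added example, not code from the thread or from the webmail product in the capture, that models exactly that with a salted PBKDF2 password store and an HMAC-signed SSO-style cookie. The key, the user record, the cookie layout (username|expiry|nonce|MAC) and the double percent-encoding are all constructed assumptions for illustration:

```python
# Added example (not code from the mailing-list thread): a minimal model of the
# login flow described in the reply. The password is checked once against a
# salted hash; afterwards the client presents an SSO-style cookie that carries
# only a username, an expiry, a nonce and an HMAC. Every key, user and value
# below is constructed for illustration.
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional
from urllib.parse import quote, unquote

SERVER_KEY = b"constructed-server-side-mac-key"   # never leaves the server
PBKDF2_ITERATIONS = 200_000
MAC_LEN = hashlib.sha256().digest_size             # 32 bytes


def make_user_record(password: str) -> dict:
    """Store a salted PBKDF2 hash; the plaintext password is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


USERS = {"user": make_user_record("correct horse battery staple")}  # constructed


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def issue_session_cookie(username: str, now: Optional[int] = None) -> str:
    """base64(username|expiry|nonce|HMAC), percent-encoded as cookie values often are.
    The HMAC ties the token to SERVER_KEY; no password material goes in."""
    now = int(time.time() if now is None else now)
    payload = f"{username}|{now + 3600}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return quote(base64.urlsafe_b64encode(payload + b"|" + mac).decode(), safe="")


def verify_session_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is authentic and unexpired, else None.
    This is the 'matches up to your previous login' step the reply mentions."""
    try:
        # unquote twice: the captured LIB_SSO_CK value was percent-encoded twice
        # (%253D), and a second unquote of an already-decoded value is harmless.
        raw = base64.urlsafe_b64decode(unquote(unquote(cookie)))
    except ValueError:
        return None
    if len(raw) <= MAC_LEN + 1 or raw[-MAC_LEN - 1:-MAC_LEN] != b"|":
        return None
    payload, mac = raw[:-MAC_LEN - 1], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    try:
        username, expiry, _nonce = payload.decode().split("|")
    except ValueError:
        return None
    now = int(time.time() if now is None else now)
    return username if now <= int(expiry) else None


def login(username: str, password: str, now: Optional[int] = None) -> Optional[str]:
    """The only request that ever carries the password; returns a cookie or None."""
    if not verify_password(username, password):
        return None
    return issue_session_cookie(username, now)


def parse_cookie_header(header: str) -> dict:
    """Split a captured 'Cookie:' header value into name -> value."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def cookie_reveals_password(cookie: str, password: str) -> bool:
    """What decoding the cookie alone yields: after stripping the percent and
    base64 layers there is only username|expiry|nonce plus MAC bytes, so this is
    False for a correctly issued cookie."""
    decoded = unquote(unquote(cookie))
    try:
        raw = base64.urlsafe_b64decode(decoded)
    except ValueError:
        raw = b""
    return password.encode() in raw or password in decoded
```

The design point is that the cookie is a credential for the session, not a container for the password: `verify_session_cookie` accepts it from whoever presents it until it expires, which is why the real exposure in a capture like the one quoted is the cookie travelling over plain HTTP (the captured GET is to http://mailbeta.domain.it) rather than any chance of recovering the password. The mitigations are serving the whole session over HTTPS and setting the Secure and HttpOnly attributes on the session cookies, so the browser never sends them in the clear.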



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
