Wireshark reveals Basic Web Authentication flaw

Home > Blogs > Cisco > Wireshark reveals Basic Web Authentication flaw

Wireshark reveals Basic Web Authentication flaw

Like This Blog 1 Mark Jacob
Added by September 4, 2015

If you spend much time in a position of responsibility within a company’s network, you will likely have need from time to time to stoop down beside the traffic flow and peer inside. A great tool for this task is Wireshark. I want to share a cool thing which can be done with Wireshark. This is not some new untrodden path, but for the up-and-coming network admins who pass my way, this may be something you haven’t seen before.

For an in-depth instructor-led training on Wireshark, see our 4-day course SHARK300: Advanced Network Analysis and Troubleshooting with Wireshark

I want to demonstrate that seeing something with your own eyes often has a longer-lasting impact on your psyche than just reading about it. I can tell you to look both ways before crossing the street, but get your Smartphone slapped out of your hand by a passing car JUST ONCE will forever ingrain in your brain the wisdom of checking for clearance.

So I want to look upon this with my own eyes (scene: Darth Vader’s helmet being removed) to experience what a lack of attention to authentication strategy can do. I have a web server ready to receive clients. I have a client ready to access this web server. I have a third machine which is just leaning on a shovel. Well, leaning and also monitoring packets (translation: running Wireshark). I have configured a capture filter to include only port 80 traffic, to cut down on the output. To access the capture options, click the icons as shown in figure 1:


Figure 1

When you hover, it will display “Show the capture options.” In the window that appears, go to the box beside the Capture Filter button and type port 80. Then click the Start button down below to begin capturing only your desired packets. This is shown in figure 2.


Figure 2

Now that the capture is occurring, I go to my client machine and attempt to browse the home page of my server machine. I am prompted for credentials – username and password. I enter the requested credentials and am granted access. Flip back to my Wireshark box and stop the capture and examine the output. The output is shown in figure 3:


Figure 3

By selecting Frame 8, which contains the Info string “GET / HTTP/1.1, I spy my Basic Authentication piece of this transaction in the window below. Notice the section entitled Authorization. There is an alphanumeric string on the right. If I go to my handy-dandy online Base64 decoder, I can see something quite interesting.


Figure 4

I used base64decode.org, but there are numerous resources available to decode Base64. It’s that easy. However, if that is too much effort, there is an even faster way to see those credentials in clear text. If you re-examine figure 3, you notice a ‘+’ sign to the left of the string I have highlighted. If you expand that, note the result in figure 5:


Figure 5

There are the credentials in clear text, and I never had to exit Wireshark to see them. This shows clearly that Basic Authentication has serious flaws as a web authenticator. As mentioned, you have probably heard this many times, but to see how easy it is to reveal supposedly confidential information is an eye-opener.

I highly recommend gaining experience using Wireshark and in fact, if you watch our course offerings here at Interface Technical Training, we have a 4-day Wireshark class available SHARK300: Advanced Network Analysis and Troubleshooting with Wireshark

Feel free to post any comments about your own Wireshark coolness….

Mark Jacob
Cisco and CompTIA Network + Instructor – Interface Technical Training
Phoenix, AZ

Videos You May Like

Agile Methodology in Project Management

0 155 0

In this video, you will gain an understanding of Agile and Scrum Master Certification terminologies and concepts to help you make better decisions in your Project Management capabilities. Whether you’re a developer looking to obtain an Agile or Scrum Master Certification, or you’re a Project Manager/Product Owner who is attempting to get your product or … Continue reading Agile Methodology in Project Management

IPv6 Port Redirection

0 294 0

In this video, Cisco CCNA and CompTIA Network + Instructor Mark Jacob demonstrates how to do port redirections in IPv6. If you have any questions or comments, please feel free to post them. Until next time. Mark Jacob Cisco and CompTIA Network + Instructor – Interface Technical Training Phoenix, AZ

Detailed Forensic Investigation of Malware Infections – April 21, 2015

4 609 5

How does an investigator hunt down and identify unknown malware? In this recording of our IT Security training webinar on April 21, 2015, Security expert Mike Danseglio (CISSP / CEH) performed several malware investigations on infected computers and identify symptoms, find root cause, and follow the leads to determine what’s happening. He demonstrated his preferred … Continue reading Detailed Forensic Investigation of Malware Infections – April 21, 2015

Write a Comment

See what people are saying...

  1. Avatar Interface

    Since you have an entry first in your list that says “permit ip any any” your traffic will flow uninterrupted through your router.

    As far as specifying a port for your sniffed traffic, may I recommend this link from cisco:

    Thanks for your interest!

Share your thoughts...

Please fill out the comment form below to post a reply.