Tuesday, February 14, 2017

Wireshark Lab #6 - HTTP Authentication

HTTP Authentication
Finally, let’s try visiting a web site that is password-protected and examine the sequence of HTTP messages exchanged for such a site. The URL http://www.steamclown.org//cyberSecuritySVCTE/wireshark/auth/wireshark_lab_006.htm is password protected. The username is “Zim” (without the quotes), and the password is “learn” (again, without the quotes). So let’s access this “secure” password-protected site. Do the following:
  • Make sure your browser’s cache is cleared, and close down your browser. Then, start up your browser
  • Start up the Wireshark packet sniffer
  • Enter the following URL into your browser http://www.steamclown.org//cyberSecuritySVCTE/wireshark/auth/wireshark_lab_006.htm 
  • Type the requested user name and password into the pop up box
  • Stop Wireshark packet capture, and enter “http” in the display-filter-specification window, so that only captured HTTP messages will be displayed later in the packet-listing window.

Now let’s examine the Wireshark output. You might want to first read up on HTTP
authentication by reviewing the easy-to-read material on “HTTP Access Authentication
Framework” at http://frontier.userland.com/stories/storyReader$2159

Answer the following questions:
  1. What is the server’s response (status code and phrase) in response to the initial HTTP GET message from your browser?
  2. When your browser sends the HTTP GET message for the second time, what new field is included in the HTTP GET message?

The username (Zim) and password (learn) that you entered are not encoded. This is because the web site does not have base64 encoding. Now re-run the steps, but use the following link: http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wireshark-file5.html. The username is “wireshark-students” (without the quotes), and the password is “network” (again, without the quotes).

  • Make sure your browser’s cache is cleared, and close down your browser. Then, start up your browser
  • Start up the Wireshark packet sniffer
  • Enter the following URL into your browser http://gaia.cs.umass.edu/wireshark-labs/protected_pages/HTTP-wireshark-file5.html
  • Type the requested user name and password into the pop up box
  • Stop Wireshark packet capture, and enter “http” in the display-filter-specification window, so that only captured HTTP messages will be displayed later in the packet-listing window.

Now answer the following questions again:
  1. What is the server’s response (status code and phrase) in response to the initial HTTP GET message from your browser?
  2. When your browser sends the HTTP GET message for the second time, what new field is included in the HTTP GET message?

The username (wireshark-students) and password (network) that you entered are encoded in the string of characters (d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=) following the “Authorization: Basic” header in the client’s HTTP GET message. While it may appear that your username and password are encrypted, they are simply encoded in a format known as Base64. The username and password are not encrypted! To see this, go to http://www.motobit.com/util/base64-decoder-encoder.asp, enter the base64-encoded string d2lyZXNoYXJrLXN0dWRlbnRz, and decode. Voila! You have translated from Base64 encoding to ASCII encoding, and thus should see your username! To view the password, enter the remainder of the string, Om5ldHdvcms=, and press decode. Since anyone can download a tool like Wireshark and sniff packets (not just their own) passing by their network adaptor, and anyone can translate from Base64 to ASCII (you just did it!), it should be clear to you that simple passwords on WWW sites are not secure unless additional measures are taken.
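The decoding step described above, as an added example that is not part of the original lab handout: a short Python function that pulls the “Authorization: Basic” value out of a captured request and decodes it. The request text is constructed from the URL and Base64 string quoted in the lab, and the function name `basic_credentials` is an assumption of this example.

```python
import base64
import binascii

# Constructed sample of the second GET from the lab; the Authorization value
# is the Base64 string quoted in the text above.
SAMPLE_REQUEST = (
    "GET /wireshark-labs/protected_pages/HTTP-wireshark-file5.html HTTP/1.1\r\n"
    "Host: gaia.cs.umass.edu\r\n"
    "Authorization: Basic d2lyZXNoYXJrLXN0dWRlbnRzOm5ldHdvcms=\r\n"
    "\r\n"
)


def basic_credentials(raw_request):
    """Return (username, password) from an HTTP request carrying Basic auth,
    or None if there is no well-formed Basic Authorization header.
    (Hypothetical helper written for this example.)"""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive.
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":             # e.g. Digest or Bearer
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None                           # not valid Base64
        text = decoded.decode("utf-8", errors="replace")
        # Split on the first colon only: the password may itself contain ':'.
        user, colon, password = text.partition(":")
        return (user, password) if colon else None
    return None


if __name__ == "__main__":
    print(basic_credentials(SAMPLE_REQUEST))
```

No key or secret is involved at any point, which is the difference between an encoding and encryption.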

Fear not! As we will see later there are ways to make WWW access more secure.
However, we’ll clearly need something that goes beyond the basic HTTP authentication
framework!
