Wireshark-users: Re: [Wireshark-users] Webmail password
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Tue, 23 Feb 2010 16:32:01 +1100
The easiest way will be to read the documentation or the source code of the software being used to run the webmail application. ;-) 

There are a number of techniques to send authentication credentials as part of the HTTP request. Mostly it is encoded in the LIB_SSO_CK and/or LIB_NAME_CK cookies. (SSO is a TLA that normally stands for Single Sign On.) A pretty strong likelihood is that when you actually did login to your webmail, hopefully via HTTPS (encrypted in SSL), you were presented with those cookies. You now send those cookies, which the server then matches up to your previous login sequence. The cookies will be some form of encoded hash that simply *cannot* be reverse-engineered to find your password. (The fact that your username appears in plain text might not be the best design, but it doesn't indicate that the password can be easily discovered. Most webmail systems of course use the email address as the username, so this is pretty much par for the course.)

It would be a very bad authentication scheme if you could simply pick out your password by using Wireshark and with no other prior knowledge (such as the private keys that are used by the server to encrypt any data sent to you).


Regards, Martin

MartinVisser99@xxxxxxxxx
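As an added illustration of the scheme described above (example code, not from this thread or from any webmail product), here is a minimal server-side login that checks the password against a stored hash and then issues an opaque, HMAC-signed SSO cookie that the server later matches to that login; the key, user, password and cookie layout are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import time

# Constructed example values. SERVER_KEY never leaves the server.
SERVER_KEY = os.urandom(32)
TAG_LEN = 32  # length of a SHA-256 HMAC tag


def _hash_password(password, salt):
    # Only this salted PBKDF2 hash is stored; the password itself is not.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"user": (_SALT, _hash_password("correct horse", _SALT))}  # constructed


def issue_sso_cookie(username, ttl_seconds=3600, now=None):
    """Opaque cookie = base64(username | expiry || HMAC(key, username | expiry)).
    The password is not an input, so nothing in the cookie can be reversed
    into it; a sniffer learns at most the username and an expiry time."""
    expires = (now if now is not None else int(time.time())) + ttl_seconds
    payload = f"{username}|{expires}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def login(username, password, ttl_seconds=3600, now=None):
    """Verify the submitted password (this request must travel over HTTPS)
    and hand back an SSO cookie, or None on failure."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return issue_sso_cookie(username, ttl_seconds, now)


def verify_sso_cookie(cookie, now=None):
    """Match a presented cookie to the login that issued it.
    Returns the username, or None if the cookie is forged, damaged or expired."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except (ValueError, binascii.Error):
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    username, _, expires = payload.decode(errors="replace").rpartition("|")
    current = now if now is not None else int(time.time())
    if not expires.isdigit() or int(expires) < current:
        return None
    return username
```

The cookie is still a bearer token: anyone who captures it can present it until it expires, so it should only be sent over HTTPS (the Secure cookie attribute), whereas the request quoted below shows it travelling over plain HTTP.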


On Tue, Feb 23, 2010 at 11:51 AM, Relay <relay@xxxxxxxxx> wrote:
Hi everybody, I'm studying Wireshark and I'm trying to sniff my webmail
password. These are some data that I picked up with it:

181445.680284192.168.1.*21*.52.84.153HTTPPOST /cp/ps/Main/login/Authenticate?trsId=4524631&rndPrx=0.7080723282452864
HTTP/1.1  (application/x-www-form-urlencoded)

with tcp stream:

GET /cp/ps/Main/loadingInside?d=domain.it&u=user&t=971554d47d100d66 HTTP/1.1
Host: mailbeta.domain.it
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4)
Gecko/2008102920 Firefox/3.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://mailbeta.domain.it/cp/ps/Main/login/AuthenticateReal?callAPITONotify=false&va=1266882504441&d=domain.it&rndPrx=0.30611842451881544&isTestCp=false&u=user&cookieAccepted=yes&trsId=4524631&fromSso=yes&s=1266882504441
Cookie: JSESSIONID=FA2882B3A2BBEB8225F69FD763EF7D2A;
Domain=84.13.53.231.1266882471756605;
__utma=267072147.2053639337.1266882716.1266882716.1266882716.1;
__utmb=267072147.1.10.1266882716; __utmc=267072147;
__utmz=267072147.1266882716.1.1.utmcsr=google|utmccn=(organic)|
utmcmd=organic|utmctr=domain; LIB_ADV_CK=4-1-93-12-0;
LIB_SSO_CK=NzFhYmU0ZmYwYTQ5NDhiYzliMWY5YTRiNjE5MjRkMTlQ0vC74AjZ315eM4UlCxHlgg0DmffScSSgVQPNBxzfPQ%253D%253D;
LIB_NAME_CK=NWRlMTZjZDExM2RlNjVkYTZjZjZiNTEwMjcwMzgzZWQ6FsDDEOnrRcrmDFFW9%252Bnw;
WMAIL=smart; s=1266882504441; rndPrx=_0.30611842451881544; bk=wmail33:8000

I can see the username, &u=user. But I don't understand what should be the
password. There isn't a field "password", just a field repeated a lot close to
the username &u, which is &t=971554d47d100d66. But it isn't my password.
What do you suggest?
Thanks for your help
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe