Ask Your Question
0

Why I can not find my clear text login credentials in Wireshark traffic

asked 2019-07-06 11:01:06 +0000

anon gravatar image

I am examining network traffic to demonstrate how a password sent in clear HTTP (not HTTPS) can be retrieved from traffic.

However, I encountered a case for a website that I could not understand. The website does not use HTTPS. The login page appears as a pop-up window. There is no certificate and the browser shows the insecure sign in the URL bar and when I click on the user name and password fields. But when I login while running the Wireshark, I can not see the password or the username in clear. I tried to search for them in Wireshark using: Edit -> Find Packet. Then in the menu options I select Packet Bytes, Narrow and Wide, String. If I search for my user name, or my password, I do not find them. I used the same method in other weak websites and I could identify the credentials in cleartext.

There might be something I am missing. If anyone can explain to me why this is happening (I can not find the password in the traffic but the website is not using HTTPS), please help me understand the reason. I am sorry that I can not post the website name. But I described the issue clearly, I think.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-07-07 11:25:40 +0000

grahamb gravatar image

As you won't disclose the website, or provide a capture, then we can only speculate, but my guess is that the website is authenticating via an obfuscated or encrypted channel, hence the lack of plain text data.

You'll need to try to capture the traffic created by the pop-up window and investigate further. Isolating that traffic might be difficult, probably best to shutdown all other processes on the host that could generate traffic, hopefully the authentication will be using the same IP address as the website but that isn't guaranteed.

You could also try opening the browser dev tools in the pop-up window to see if there is any Javascript managing the authentication.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2019-07-06 11:01:06 +0000

Seen: 2,428 times

Last updated: Jul 07 '19

Related questions

Is it possible to infer advanced cookie properties like expiration from Wireshark

How to verify what protocol was used in an encrypted file transfer?

SSL/TLS Handshake Immediately Fails

[TLS 1.3] I am getting an error while decrypting the SSL Handshake Traffic -

Decrypting Application Data with Private Key File

TCP segment data -- is it under the SSL section?

Is this a correct TLS capture filter

My TLS client initiate an unexpected ClientHello to a domain

Certficate [TCP segment of a ressembled PDU] -- WHY/WHAT causes it?

SSL Dissector having public key,private key, DH Params: possibile?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2