Ask Your Question
0

Sniffing stealmylogin.com

asked 2019-05-09 11:08:26 +0000

ERGeorgiev gravatar image

updated 2019-05-09 11:19:20 +0000

grahamb gravatar image

Hello!

I have been trying to sniff packets to stealmylogin.com and get the user/pass I entered in the forms after submit, but Wireshark is simply not getting them.

I used tracert to get stealmylogin.com ip address and then filtered in Wireshark with ip.addr, but to no avail, no packets available. The only packets I got to that website were some DNS protocol queries from the tracert, but nothing from firefox nor google when submitting the forms.

What am I doing wrong?

My method:

  1. Start capturing packets in Wireshark on all available interfaces
  2. Go to http://www.stealmylogin.com/demo.html and enter some username and password.
  3. Submit and proceed within the website.
  4. Stop capture in wireshark.
  5. Try to filter by http.request.method == "POST"
  6. No POST requests (only keep-alive ones with no info on them with OCSP protocol)

Note that I am using a proxy to access the net.

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2019-05-10 07:12:20 +0000

Packet_vlad gravatar image

updated 2019-05-10 07:15:22 +0000

  1. Try to use host stealmylogin.com as capture filter. It'll resolve the name and filter by corresponding IP.

  2. BUT the site you're talking about is a bit more complex. You'll not spot any clear-text POST request as the second part (credentials transfer) uses different name (example.com) and is TLS-encrypted.

They clearly say the next:

If you look at the source code of the demo page, you'll see that we injected a malicious JavaScript file stealmylogin.js into the page, just as an attacker might. This malicious code steals the login info just before its being securely submitted to the service.

And this is exactly what's happening. After you go by http://www.stealmylogin.com/demo.html additional GET request is issued for the script named stealmylogin.js which is transferred gzipped.

The script captures your credentials, opens popup form with them. After you press the button an encrypted TLS session to example.com starts where your credentials are transferred further (using POST, but this POST is encrypted).

So you'll not be able to see any packets using http.request.method == "POST" just because there is no plain HTTP POST used for that and your data is transferred to different website.

edit flag offensive delete link more
add a comment
0

answered 2019-05-09 12:33:16 +0000

Christian_R gravatar image

updated 2019-05-09 12:33:52 +0000

Here you can find a really nice tutorial how wireshark can be used for your purpose:

Password stealing tutorial

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-05-09 11:08:26 +0000

Seen: 3,092 times

Last updated: May 10 '19

Related questions

Wireshark 2.4.1 GTK Crash on long run

Why redirection of VoIP calls to voicemail fails?

Capture incoming packets from remote web server

How do I get and display packet data information at a specific byte from the first byte?

Client is waiting for FIN flag from server for 30 sec

wifi disconnects as wireshark starts

How do I add "child item" to an item in the subtree?

What is the syntax for wireshark custom column

Getting error MSB4018 when trying to build wireshark sources

Monitoring UDP data on wireshark shows ARP packet