Introduction
In this challenge, you will step into the role of a network security specialist investigating a potential data leak at your company. Your task is to analyze network traffic using Wireshark to determine if any user credentials were transmitted in clear text, which could explain how sensitive information was compromised.
The challenge requires you to examine packet capture (PCAP) files of recent network communications to hunt for exposed login credentials. By applying packet analysis techniques, you'll identify instances where usernames and passwords might have been transmitted without proper encryption, highlighting the critical importance of secure protocols for handling authentication data.
Find Exposed Login Credentials
Your company has detected a potential data leak. As the network security specialist, you need to analyze recent network traffic to determine if any user credentials were transmitted in clear text, which could explain the leak.
Tasks
- Create a display filter to find packets containing the words 'user', 'pass', or 'login'
- Identify and extract any exposed credentials
- Document the discovered credentials in the required format
Requirements
- Open the packet capture file located at /home/labex/project/network_analysis/company_traffic.pcap using Wireshark
- Create a display filter that will show packets containing possible credential information
- Your filter must search packet contents for the words 'user', 'pass', or 'login'
- Save your filter for verification by clicking the "+" button in the filter bar after testing that it works
- Once you find the credentials, save them to a file named /home/labex/project/network_analysis/found_credentials.txt in this format:
username: [found username]
password: [found password]
Examples
When you apply the correct filter, Wireshark should display only packets containing credential information. The credential-bearing packet may appear as HTTP or TCP in the packet list, so focus on the matching packet contents rather than the Protocol column alone.
No. Time Source Destination Protocol Length Info
1 0.000000 192.168.0.2 192.168.0.1 TCP 193 51234 -> 80 [PSH, ACK] Len=139
When examining the packet details or following the stream, you should be able to see the credential information in clear text:
GET /login.php HTTP/1.1
content: username=admin&password=secret123
Your found_credentials.txt file should look like:
username: admin
password: secret123
Hints
- Launch Wireshark from the terminal using the command wireshark
- To open the packet capture file, use File > Open and navigate to the file location
- The display filter bar is at the top of the Wireshark window
- To search for multiple terms using OR logic, combine the conditions with the OR operator, written as a double pipe (||) or the word or
- Search the packet contents instead of relying only on the Protocol column, because the matching request may appear as a TCP packet in the packet list
- Wireshark filters are case-sensitive by default
- You can create the credentials file using any text editor like nano or gedit
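The following is an added example, not part of the LabEx challenge: it states the display filter the tasks and hints describe, and then applies the same byte-wise, case-sensitive match to a few constructed packet payloads (not taken from company_traffic.pcap), pulls the form-encoded username and password out of the matching one, and renders it in the found_credentials.txt format. The keyword list and the sample payloads are assumptions chosen to mirror the example packet above.

```python
from urllib.parse import parse_qs

# The display filter the task asks for. `frame contains` is a byte match and is
# case-sensitive, so "User" or "LOGIN" would not match these three conditions.
DISPLAY_FILTER = 'frame contains "user" || frame contains "pass" || frame contains "login"'

# Assumed keyword list, mirroring the filter above.
KEYWORDS = (b"user", b"pass", b"login")

# Constructed sample payloads standing in for the TCP/HTTP packets in a capture.
# Only the second one carries credentials; the others are ordinary traffic.
SAMPLE_PACKETS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n",
    b"GET /login.php HTTP/1.1\r\ncontent: username=admin&password=secret123",
    b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
]


def matches_filter(payload: bytes) -> bool:
    """Offline equivalent of DISPLAY_FILTER: any keyword anywhere in the bytes."""
    return any(keyword in payload for keyword in KEYWORDS)


def extract_credentials(payload: bytes):
    """Return (username, password) from a form-encoded body line, or None."""
    text = payload.decode("latin-1")  # lossless for arbitrary packet bytes
    for line in text.splitlines():
        if "username=" in line and "password=" in line:
            fields = parse_qs(line[line.index("username="):])
            return fields["username"][0], fields["password"][0]
    return None


def format_report(creds) -> str:
    """Render one credential pair in the required found_credentials.txt format."""
    username, password = creds
    return f"username: {username}\npassword: {password}\n"


def scan(packets):
    """Apply the filter first, then parse only the packets it lets through."""
    found = []
    for payload in packets:
        if matches_filter(payload):
            creds = extract_credentials(payload)
            if creds:
                found.append(creds)
    return found


if __name__ == "__main__":
    print("Filter:", DISPLAY_FILTER)
    for creds in scan(SAMPLE_PACKETS):
        print(format_report(creds), end="")
```

If the capture mixes upper- and lower-case spellings, Wireshark's `matches` operator (a case-insensitive regular expression) catches variants that `contains` misses.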
Summary
In this challenge, I learned how to use Wireshark to analyze network traffic and identify potential security vulnerabilities related to credential exposure. The task involved examining a PCAP file of company network traffic to locate instances where user credentials were transmitted in clear text, which could explain a detected data leak.
Through careful packet inspection, I discovered a login request containing unencrypted username=admin&password=secret123 data. Depending on how Wireshark dissects the crafted packet, it may appear in the packet list as HTTP or TCP, so this exercise also reinforced the importance of inspecting packet contents directly instead of relying only on the protocol label. This exercise highlighted the critical importance of using encrypted protocols like HTTPS for transmitting sensitive information.