Find Exposed Login Credentials


Introduction

In this challenge, you will step into the role of a network security specialist investigating a potential data leak at your company. Your task is to analyze network traffic using Wireshark to determine if any user credentials were transmitted in clear text, which could explain how sensitive information was compromised.

The challenge requires you to examine packet capture (PCAP) files of recent network communications to hunt for exposed login credentials. By applying packet analysis techniques, you'll identify instances where usernames and passwords might have been transmitted without proper encryption, highlighting the critical importance of secure protocols for handling authentication data.


Find Exposed Login Credentials

Your company has detected a potential data leak. As the network security specialist, you need to analyze recent network traffic to determine if any user credentials were transmitted in clear text, which could explain the leak.

Tasks

  • Create a display filter to find HTTP packets containing the words 'user', 'pass', or 'login'
  • Identify and extract any exposed credentials
  • Document the discovered credentials in the required format

Requirements

  • Open the packet capture file located at /home/labex/project/network_analysis/company_traffic.pcap using Wireshark

  • Create a display filter that will show only HTTP packets containing possible credential information

  • Your filter must search for the words 'user', 'pass', or 'login' in the HTTP packets

  • Save your filter for verification by clicking the "+" button in the filter bar after testing that it works

  • Once you find the credentials, save them to a file named /home/labex/project/network_analysis/found_credentials.txt in this format:

    username: [found username]
    password: [found password]

Examples

When you apply the correct filter, Wireshark should display only packets containing credential information. You might see something like this:

No.  Time     Source        Destination   Protocol  Length  Info
1    0.000000 192.168.0.2   192.168.0.1   HTTP      193     GET /login.php HTTP/1.1

When examining the packet details, you should be able to see the credential information in clear text:

Frame > Ethernet > Internet Protocol > Transmission Control Protocol > Hypertext Transfer Protocol
    content: username=labby&password=hacker

Your found_credentials.txt file should look like:

username: labby
password: hacker

Hints

  • Launch Wireshark from the terminal using the command wireshark
  • To open the packet capture file, use File > Open and navigate to the file location
  • The display filter bar is at the top of the Wireshark window
  • To search for multiple terms using OR logic, join the conditions with the double pipe symbol (||), which Wireshark also accepts written as the keyword or
  • Remember that HTTP data can appear in different parts of the packet, so search the entire packet content
  • Wireshark filters are case-sensitive by default
  • You can create the credentials file using any text editor like nano or gedit
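The same keyword filter and credential extraction described in the Requirements and Hints above, carried out programmatically. This is an added example, not part of the LabEx challenge or its solution: a small pure-Python reader for classic pcap files that mirrors the display filter `http contains "user" || http contains "pass" || http contains "login"` and pulls the form fields out of matching requests. The sample capture is constructed inline; the frame-building helpers, the function names and the 192.168.0.x addresses are assumptions, not the challenge's own files.

```python
import struct
from urllib.parse import parse_qs
# Mirrors the display filter: http contains "user" || http contains "pass" || http contains "login"
KEYWORDS = (b"user", b"pass", b"login")

def build_frame(payload, src=(192, 168, 0, 2), dst=(192, 168, 0, 1), sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame around `payload` (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames):
    """Classic little-endian pcap file (link type 1 = Ethernet) wrapping the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def tcp_segments(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP frame in a classic pcap."""
    endian, off = ("<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"), 24  # 24-byte global header
    while off + 16 <= len(pcap):
        cap_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        f, off = pcap[off + 16:off + 16 + cap_len], off + 16 + cap_len
        if f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = 14 + (f[14] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", f[tcp:tcp + 4])
        data = tcp + (f[tcp + 12] >> 4) * 4
        yield ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34])), sport, dport, f[data:]

def find_credentials(pcap):
    """Keep port-80 segments that match the keyword filter and parse any form-encoded body."""
    hits = []
    for src, dst, sport, dport, payload in tcp_segments(pcap):
        if 80 not in (sport, dport) or not any(k in payload for k in KEYWORDS):
            continue  # like Wireshark's `contains`, the match is case-sensitive
        head, _, body = payload.partition(b"\r\n\r\n")
        form = parse_qs(body.decode("latin-1"))
        hits.append({"src": src, "dst": dst, "request": head.split(b"\r\n")[0].decode("latin-1"),
                     "username": form.get("username", [None])[0],
                     "password": form.get("password", [None])[0]})
    return hits

# Constructed sample traffic: an unrelated GET (dropped by the filter) and a clear-text form login.
SAMPLE_PCAP = build_pcap([
    build_frame(b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"),
    build_frame(b"POST /login.php HTTP/1.1\r\nHost: 192.168.0.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 30\r\n\r\nusername=labby&password=hacker"),
])
```

To run it over a real capture, pass the file's bytes, for example `find_credentials(open(path, "rb").read())`; the reader understands the classic pcap format only, not pcapng, and reassembles nothing, so a body split across TCP segments must be inspected in Wireshark itself.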

Summary

In this challenge, I learned how to use Wireshark to analyze network traffic and identify potential security vulnerabilities related to credential exposure. The task involved examining a PCAP file of company network traffic to locate instances where user credentials were transmitted in clear text, which could explain a detected data leak.

Through careful packet inspection, I discovered HTTP traffic containing unencrypted login information, specifically a POST request that included plaintext username and password values. This exercise highlighted the critical importance of using encrypted protocols (like HTTPS) for transmitting sensitive information, as unencrypted credentials can be easily captured and exploited by malicious actors monitoring network traffic.