Packet Analysis 4 : Bacic HTTP Authentication

 "This tutorial should be used for educational purpose only. I won't be responsible if you misuse this techniques and get yourself in trouble.The pcap file used in this example is from a CTF challenge "


Protocol - Hypertext Transfer Protocol - Used for exchanging or transfer hypertext 
Connection Type - TCP 



So the challenge scenario is something like this . 

Find the username and passport for the bacis http authentication.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.


In the filter bar I will write "http" so that it displays the packets matching the HTTP protocol only.



Now we will analyze the first capture and right click on it and select "Follow TCP Stream". After analyzing the we will find that the page is protected by Basic Http Authentication. 



GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==


So if we look carefully at the http packets we have 2 response codes 
401 Access Denied 
200 Okay .

200 Okay means "Successfully Loaded the Page". So lets use "Follow TCP Stream" on it.



GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 08 Apr 2010 19:43:33 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGGGYU=MNHDPIBDBHJEPFGBCFGKPKIJ; path=/
Cache-control: private

So we need to decode the information of HTTP Authentication . It is generally encrypted in base64 . So we need to decrypt it 
YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==

For HTTP Authetication the username and password is joined using a " : " and encrypted using base64. So on decrypting we get


Username = administrator
Password  = p@ssw0rd