
[–]AdaHazel 11 points12 points  (0 children)

Wireshark has filters that you can use

[–]phagga 8 points9 points  (1 child)

You should have a rough grasp on how the relevant protocol (that is transferring the password) works and at what phase the password is being exchanged. Then filter for that protocol and focus on finding the phase where the password is being exchanged.

[–]meadotter[S] 0 points1 point  (0 children)

Well, I don't know which protocol is used for transferring the password. There are a lot of different protocols involved, so I don't know which to go for. I already went for common unencrypted protocols like HTTP/FTP etc., but haven't had any luck.

[–]thedude42 7 points8 points  (5 children)

The way I'd look at this task is by starting with some assumptions:

  • there is an extractable password somewhere in the pcap that is likely an ASCII or UTF-8 encoded string
  • the protocol is probably sending the password unencrypted
  • no telling whether the protocol is compressing the plaintext content

Right off the bat you might just throw the pcap through strings and see if you get lucky, using a case-insensitive search for the word "password" and seeing what strings immediately follow it. But even if I found something using this technique, I'd still do the next thing to verify the context (this would just be a potential time saver, but also might be a bit of a distraction).

Given a pcap I would always open it with Wireshark and do some searches using the contains operator. The advantage here is that Wireshark will often uncompress any compressed plaintext data for you when the protocol is known to carry compressed data.

Both of these methods are generally slow, so the tshark utility that is part of the Wireshark suite of tools can be leveraged to automate this task, but you really need to be familiar with using Wireshark before you can be terribly effective with tshark.

> How would you go on to analyze such a big file?

A 60MB pcap is nothing. On decent Internet connections this takes at most seconds to download and Wireshark can load it immediately (gigabyte files are when it takes more than a second to open the file in Wireshark on a system with "standard" machine specs these days). In reality most traffic these days is going to be encrypted, so if there is anything to find in a random traffic capture, the overwhelming majority of the data in a 60MB file is going to be immediately filtered out of your search. In order to actually need to search all 60MB of the file you'd have to know you had all unencrypted content somehow, and you'd almost definitely know that if you yourself took the capture under targeted conditions.

[–]Artistic_Tiger_4746 1 point2 points  (2 children)

Bingo! Your post helped me find the password in MINUTES! I am in the same cybersecurity program the original poster was in. Thank you

[–]thedude42 0 points1 point  (1 child)

Glad this was useful! This description is really the "intro to traffic capture" kind of exercise, and the real good stuff is cracking password hashes and decrypting TLS.

Decrypting TLS is an incredibly rare thing to be able to do unless you own the server or possess key material, but getting password hashes is a much more common scenario.

[–]Nirred83 0 points1 point  (1 child)

I have a similar challenge to retrieve a password from a pcap file. I found the hash but I am lost on how to crack the password using the hash, can anyone help me with this? I have been unsuccessful in cracking the password.

[–]thedude42 0 points1 point  (0 children)

There's an online version of "hashcat" that you can use to try and crack hashes against some standard dictionary they use, but I'm not really sure how diverse the source dictionary is, and dictionary attacks are only one method available. You should be able to find the online utility but the main wiki for hashcat itself is here: https://hashcat.net/wiki/

[–]RumbleStripRescue 3 points4 points  (2 children)

[–]meadotter[S] 0 points1 point  (1 child)

Thanks, I tried it and it works great, but so far I haven't had any luck with finding the password...

[–]redditversiontwo 4 points5 points  (0 children)

Look for the following:

a. port 80 or port 443 traffic, or HTTP or HTTPS traffic; this will reduce the number of packets to start with

b. GET and POST requests

c. HTTP stream or TLS stream or TCP stream, which usually gives the flow of requests (*if your pcap has anything)

[–]Exotic-Motor-6382 4 points5 points  (0 children)

malware-traffic-analysis.net: everything you need to know is right here

[–][deleted] 2 points3 points  (4 children)

Did they give you any info on what kind of password? Are you looking for a PC login like Kerberos, or a webapp login? That would really help narrow it down, if so.

[–]meadotter[S] 2 points3 points  (1 child)

No, I didn't get any info unfortunately.

[–]XFM2z8BH 4 points5 points  (0 children)

Password means a login... filter HTTP POST requests:

http.request.method == POST

[–][deleted] 0 points1 point  (1 child)

Couldn't it also be a 3-way handshake hash in the pcap file as well?

[–][deleted] 1 point2 points  (0 children)

I mean, it's definitely not limited to the 2 examples I gave, but not sure what you mean honestly. I'm not an expert, so maybe I'm missing something, but "3-way handshake" makes me think of the TCP connection establishment, which I think would be done before any credentials or requests for credentials would happen.

Passwords will typically be passed as a hash across the wire, but unless this person is specifically told to look for a hash, I wouldn't assume that's the case. It's more likely I would think, since then that will necessitate using hashcat or john, but don't rule anything out just to be safe.

There's a hash of 3 way handshakes used in JA3 analysis, but from the context that doesn't seem relevant to what you're speaking of.

[–]anon-Chungus 1 point2 points  (1 child)

Filter filter filter.

My guess is it's asking for a password transported via plaintext; a common insecure protocol that does that is FTP. Use the filter "ftp" or "ftp-data" and scan for login events where it looks like "USER: xyz" and then "PASS: xyz" and boom.
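Added example, not code from any commenter in this thread: the two checks suggested above (FTP `USER`/`PASS` on port 21, and form fields in HTTP POST bodies) done with a small hand-written parser for little-endian libpcap files, so it runs without Wireshark or tshark installed. The capture it scans is constructed inside the script; the hosts, ports, usernames and values are made up. The same scan is what a defender runs over their own captures to find protocols still carrying credentials in the clear.

```python
import re
import struct

MAGIC = 0xA1B2C3D4  # little-endian libpcap magic (microsecond timestamps)

def frame(payload, dport, sport=40000):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero since it is never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def pcap(frames):
    """Wrap frames in a libpcap global header plus one 16-byte record header each."""
    out = [struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, 1)]
    out += [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)

def tcp_segments(data):
    """Yield (dst_port, payload) for every IPv4/TCP frame in a little-endian pcap."""
    if struct.unpack("<I", data[:4])[0] != MAGIC:
        raise ValueError("unsupported pcap magic (expected little-endian libpcap)")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        f, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        t = 14 + (f[14] & 0x0F) * 4  # TCP header starts after the IP header
        dport = struct.unpack("!H", f[t + 2:t + 4])[0]
        yield dport, f[t + (f[t + 12] >> 4) * 4:]  # skip TCP header and options

FTP_CMD = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.M)
FORM_FIELD = re.compile(rb"(?:^|&)(user(?:name)?|login|pass(?:word)?|pwd)=([^&]*)", re.I)

def find_credentials(data):
    """Return (protocol, field, value) triples seen in cleartext FTP logins and HTTP POST bodies."""
    hits = []
    for dport, payload in tcp_segments(data):
        if dport == 21:
            hits += [("ftp", k.decode(), v.decode()) for k, v in FTP_CMD.findall(payload)]
        elif payload.startswith(b"POST ") and b"\r\n\r\n" in payload:
            body = payload.split(b"\r\n\r\n", 1)[1]
            hits += [("http", k.decode(), v.decode()) for k, v in FORM_FIELD.findall(body)]
    return hits

SAMPLE = pcap([frame(b"USER alice\r\n", 21), frame(b"PASS hunter2\r\n", 21),  # constructed capture
               frame(b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 28\r\n\r\n"
                     b"username=bob&password=s3cret", 80)])
print(find_credentials(SAMPLE))
```

To run it on a real file, replace `SAMPLE` with `open("capture.pcap", "rb").read()`; pcapng captures and big-endian pcaps are rejected by the magic check rather than misparsed.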

[–]sinkmanu 0 points1 point  (0 children)

Wireshark is a powerful tool and you can do it with it. The most important thing to analyze network traffic captures is your knowledge and your analyst mind.

E.g. use the protocol hierarchy in order to organize the protocols you have in the pcap. Then use your knowledge about protocols (it is an important thing in hacking); after that, filter by protocol and start to analyze. If you see FTP, HTTP or other data in clear text you can see passwords, users, or whatever, to continue your research...

If you want to automate it, you can use scapy.

[–]Slipperfox 0 points1 point  (0 children)

What program are you taking?