How to Find Passwords Using Wireshark

 

Introduction to Wireshark:

Started in 1998, Wireshark is one of the most popular network protocol analyzers to date. It lets you see what's happening on your network at a microscopic level by analyzing the traffic coming through your router. It sets the standard for network analyzers and is very easy to learn (even if you know nothing about computers!)

Step 1: Downloading Wireshark to Your CPU

 

The first step to learning how to use Wireshark to monitor HTTP and HTTPS traffic is to download it. Go to the link below and choose the 32-bit or 64-bit (Which ever one has the little white icon to the left of it) download for Windows:

https://www.wireshark.org/#download

Step 3: Getting to It

Now it has come to the point where I tell you how to get any password you could ever want, however its a little more tricky than that. Thank goodness some bright people have already thought this one through and made it nearly impossible to take just any password you want. The only passwords that you can see are ones that are not HTTPS packets. These HTTPS packets make up the majority of the packets that contain login information. However if you can manage to find a website that has little to no visitors I will now teach you how to locate the HTTP (Hyper Text Transfer Protocol) file that contains login information.

Step 4: How You Know a Website Uses HTTPS

As I just discussed you cannot look at the information in HTTPS packets because some bright people found it useful to protect this information and this is a good thing. Major websites all have encrypted packets and it would be foolish to bother with them, especially if the only thing you have read is this how to. Above are some websites that use HTTPS and you know this because there is a little green lock and the website starts with HTTPS not HTTP.

Step 5: Finding a Password

First one must identify an unprotected website (as I covered earlier) and make a logon attempt - either successful or unsuccessful. It is VERY IMPORTANT that you click the capture button in the upper left corner of wire shark and have it run while you make the logon attempt. In the second step we will follow this packet and track it down using wire shark.

Step 6: Finding a Password (Continued)

The second step to finding the packets that contain login information is to understand the protocol to look for. HTTP (Hyper Text Transfer Protocol) is the protocol we will be dealing with when looking for passwords. Wireshark comes with the option to filter packets. In the filter box type "http.request.method == POST". By filtering this you are now only looking at the post packet for HTTP. This drastically narrows the search and helps to slow down the traffic by minimizing what pops up on the screen. Then at the far right of the packet in the info section you will see something like ".login" or "/login". You can see exactly what I am talking about if you follow the pictures above. Then you will right click on it and go down to "FOLLOW" then to "TCP STREAM". Once you get there look in the red text paragraphs and try to find what I was able to locate in the picture. And you have just located the password and username you have entered on the unprotected login page - whether or not the password and username are correct are irrelevant.

Step 7: Further Learn

Learn more about wireshark and its power for both the good and the bad at wireshark.org!