ComputerSecurityStudent (CSS)

(Sniffing Traffic: Lesson 1)

{ Using TCPDUMP to Capture and Decode Base64-Encoded HTTP Basic Credentials }

Section 0. Background Information
  1. What is Base64 Encoding
    • Base64 is an encoding scheme, not encryption: it maps binary data onto 64 printable ASCII characters so the data can be stored or transferred over media designed to handle text, and anyone holding the encoded string can reverse it without a key.
    • The purpose is to keep the data intact, without modification, during transport; it provides no confidentiality.
    • Base64 is used in many applications, including email via MIME, HTTP Basic authentication (the Authorization header, protected here with an .htpasswd file), and embedding binary data in XML.

  2. Sniffing Base64-Encoded Credentials
    • In this lab, I will show you how to do the following:
      1. How to set up an Apache2 password protected directory using htpasswd.
      2. How to sniff traffic using tcpdump.
      3. How to decode the Base64-encoded username and password from a captured HTTP Basic Authorization header.

  3. References
  4. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • 2012 No content replication of any kind is allowed without express written permission.


Section 1: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. Click Start Button
      2. Search for "vmware player"
      3. Click VMware Player


  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings


  3. Edit Network Adapter Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button


Section 2: Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine


  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.


  3. Bring up the GNOME
    • Instructions:
      1. Type startx


Section 3: Configure Password Protected Apache Directory
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window


  2. Create Apache Web Directory
    • Instructions:
      1. mkdir -p /var/www/topsecret
      2. chown www-data:www-data /var/www/topsecret
      3. ls -ld /var/www/topsecret


  3. Create Web Directory Password
    • Instructions:
      1. cd /var/www/topsecret
      2. htpasswd -c .htpasswd student
        • New Password: Try2H4ckM3!
        • Re-type new Password: Try2H4ckM3!
      3. cat .htpasswd
        • Notice the password for "student" is stored as a hash, not in clear text. The hash protects the file at rest; it does nothing for the password on the wire, which Basic authentication sends Base64-encoded with every request.


  4. Backup and edit the apache2.conf file
    • Instructions:
      1. cd /etc/apache2
      2. cp apache2.conf apache2.conf.BKP
      3. gedit apache2.conf > /dev/null 2>&1


  5. Access gedit Preferences (Part 1)
    • Instructions:
      1. Click Edit
      2. Click Preferences


  6. Access gedit Preferences (Part 2)
    • Instructions:
      1. Check Display line numbers
      2. Check Highlight current line
      3. Click the Close Button


  7. Search for "Satisfy all"
    • Instructions:
      1. Search --> Find...
      2. Search for: Satisfy all
      3. Click the Find Button


  8. Making some room
    • Instructions:
      1. Arrow down one line after the line that contains </Files>.
        • It should be line 165
      2. Press <Enter> two times
        • Now there should be three blank lines after the line that contains </Files>.


  9. Copy the below Apache Directive
    • Instructions:
      1. Highlight and Copy the below Apache Directive
        • <Directory /var/www/topsecret>
            AuthType Basic
            AuthName "restricted area"
            AuthUserFile /var/www/topsecret/.htpasswd
            require valid-user
            #Order allow,deny
            #Allow from all
          </Directory>
      2. Arrow Down to line 166
      3. Edit --> Paste
    • Note(FYI):
      • The block must end with </Directory>; without the closing tag Apache refuses to start when you restart it in step 12.
      • AuthType Basic sends the username and password Base64-encoded, not encrypted, with every request. That is exactly what the sniffing in Section 4 relies on, and why Basic authentication should only ever be used over HTTPS in a real deployment.
      • The .htpasswd file sits inside the directory it protects. Apache's default <Files ~ "^\.ht"> block (the one containing the "Satisfy all" you searched for) stops it being served over HTTP, but in production keep the password file outside the document root anyway.


  10. Save your work
    • Instructions:
      1. File --> Save


  11. Close apache2.conf
    • Instructions:
      1. File --> Close


  12. Restart Apache Webserver
    • Instructions:
      1. service apache2 restart
      2. ps -eaf | grep apache2 | grep -v grep
    • Note(FYI):
      1. The service command runs the following init script (apache2) to perform some action (restart)
      2. ps -eaf shows all processes in full format. | grep apache2 keeps only the lines mentioning apache2. | grep -v grep drops the grep command itself, which would otherwise match its own search string.


Section 4: Capture HTTP Basic Authentication Traffic
  1. Prepare to Sniff Traffic
    • Instructions:
      1. cd /var/www/topsecret
      2. tcpdump -A -i any 2>&1 | tee sniff-traffic.txt
    • Note(FYI):
      1. tcpdump is used to dump and view network traffic.
        1. The "-A" prints each packet's payload in ASCII, so HTTP headers are readable in the output.
        2. The "-i any" means to listen on all network interfaces (including loopback, in case you browse to localhost); it selects interfaces, not ports.
        3. tee is used to both view the output of tcpdump and log it to a file named sniff-traffic.txt.
        4. 2>&1 sends tcpdump's standard error (2) into its standard output (1), so the "listening on" banner and packet counts are logged as well. It has to be placed before the pipe, on the tcpdump side; written after tee it redirects tee's error stream instead.
        5. On a busy network, appending a filter such as tcp port 80 keeps the dump to HTTP traffic only.


  2. Open Firefox Web Browser
    • Instructions:
      1. Applications --> Internet --> Firefox Web Browser


  3. Navigate to password protected directory
    • Instructions:
      1. Navigate to the following URL:
      2. Username: student
      3. Password: Try2H4ckM3!
      4. Click the OK Button


  4. Stop tcpdump
    • Instructions:
      1. Press the <Ctrl> and "c" keys at the same time to stop tcpdump


  5. View the Base64-Encoded Authorization Header
    • Instructions:
      1. grep "Authorization: Basic" sniff-traffic.txt | tail -1
    • Note(FYI):
      • You should see a Base64 string similar to mine after "Authorization: Basic".
      • That string is the Authorization header Firefox sent to the Apache web server: the username and password joined with a colon and Base64-encoded. It is not encrypted, which is why it can be read back without a key or any cracking.


Section 5: Decoding the Base64 Credentials with Perl
  1. Download Perl Base64 Decoding Script
    • Instructions:
      1. wget
      2. mv
      3. chmod 700
      4. ls -l
    • Note(FYI):
      • wget is used to download files from webpages.
      • mv is the move or rename command in the Unix/Linux world.
      • chmod is used to change the file permissions; 700 lets only the owner read, write and execute the script.
      • ls is used to list the directory contents. (-l) provides a long listing or details of the file.


  2. Run Base64 Decoding Script
    • Instructions:
      1. ./
    • Note(FYI):
      • The downloaded script is a Perl script that uses the MIME::Base64 module to decode the Base64 string.
      • Notice how we can easily decode and extract both the username and password.
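
The grep-and-decode steps of Sections 4 and 5 combined into one script. This is an example added here; it is not part of the original lesson and is not the Perl script the lesson downloads. It assumes a POSIX sh with sed, sort and the GNU coreutils base64 command (as on BackTrack), and runs against a constructed stand-in for sniff-traffic.txt embedded in the script; the IP addresses, timestamps and the second admin:secret token are made up for the sample.

```shell
#!/bin/sh
# Pull HTTP Basic credentials out of a tcpdump -A text dump.
# Added example for this lesson; assumes POSIX sh, sed, sort and GNU base64(1).

# Constructed stand-in for sniff-traffic.txt (not a real capture). tcpdump -A
# prints unprintable bytes as '.', so the CR that ends each HTTP header line
# shows up as a trailing '.' after the token. The student token repeats on
# purpose to show de-duplication; admin:secret is a made-up second login.
sample_capture() {
cat <<'EOF'
12:00:01.000000 IP 192.168.1.20.49152 > 192.168.1.10.80: Flags [P.], seq 1:220, ack 1, win 229, length 219
E..........GET /topsecret/ HTTP/1.1.
Host: 192.168.1.10.
User-Agent: Mozilla/5.0.
Authorization: Basic c3R1ZGVudDpUcnkySDRja00zIQ==.
Connection: keep-alive.
.
12:00:01.000300 IP 192.168.1.10.80 > 192.168.1.20.49152: Flags [P.], seq 1:450, ack 220, win 235, length 449
E....HTTP/1.1 200 OK.
Content-Type: text/html.
12:00:05.000000 IP 192.168.1.21.49200 > 192.168.1.10.80: Flags [P.], seq 1:180, ack 1, win 229, length 179
E..........GET /topsecret/ HTTP/1.1.
Authorization: Basic YWRtaW46c2VjcmV0.
Authorization: Basic c3R1ZGVudDpUcnkySDRja00zIQ==.
EOF
}

# Distinct Basic tokens found in a dump file, one per line. The bracket
# class stops at the '.' tcpdump prints for the CR, so only the token is kept.
basic_tokens() {
    sed -n 's|.*Authorization: Basic \([A-Za-z0-9+/=]*\).*|\1|p' "$1" | sort -u
}

# Decode one token to the user:password pair it encodes. Base64 is
# reversible by design, so no key and no cracking are involved.
decode_token() {
    printf '%s' "$1" | base64 -d 2>/dev/null
}

# Dump file -> decoded credentials. Tokens that are not valid Base64
# (truncated by a short snaplen, for example) are reported and skipped.
extract_basic_creds() {
    basic_tokens "$1" | while IFS= read -r tok; do
        if creds=$(decode_token "$tok"); then
            printf '%s\n' "$creds"
        else
            printf 'skipping undecodable token: %s\n' "$tok" >&2
        fi
    done
}

# Demo on the constructed sample; a real run would pass sniff-traffic.txt.
demo_file=$(mktemp)
sample_capture > "$demo_file"
extract_basic_creds "$demo_file"
rm -f "$demo_file"
```

Run it as `sh decode-basic.sh`, or source it and call `extract_basic_creds sniff-traffic.txt` on the dump from Section 4. Because every request repeats the header, the de-duplication matters on a capture of more than one page load; the pipeline also shows why a grep for "Authorization: Basic" is the whole detection logic for cleartext Basic auth in any capture.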


Section 6: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. ls -l
      2. ./
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • E.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle

