Why encryption is absolutely essential (especially with login pages)

It’s unusual to find a web page login these days that remains unencrypted. However, occasionally, you can find one in the wild that is (or at least allows for unencrypted logins). The way to do this for a secure site (HTTPS) is to modify the URL to HTTP and resubmit. If your page returns with HTTP in the URL with the loss of security certificate (typically denoted with the lock on the left of your browser URL) then you now have access to an unencrypted login. Why is this so dangerous? Answering this question is the aim of this post.

We begin with the heart of exploiting unencrypted traffic – the protocol analyzer. However, the name is a bit of a misnomer — a protocol analyzer can do much more than detect a port number on an IP header. As we will see, it can quickly and easily rebuild entire conversations between computers, and when unencrypted, creates an easy target for hackers.

My protocol analyzer of choice is Wireshark, as it is dead easy to reassemble conversations with it. While tcpdump is quick and easy, it’s best left to being a firewall resource to export to a pcap file for viewing in something more dynamic, like Wireshark.

To begin, we enter the following line of code into our terminal:

cyber@Kali:~$ sudo wireshark &

What this does is run Wireshark in the background, allowing us to still use our terminal tab. Once loaded, I’ll select to use the interface that my network is running on: wlan0.

The next thing to do is click on a few web pages to accumulate some traffic. Then, to follow a conversation (called a TCP stream) , we will then do the following Statistics > Conversations > highlight the conversation we want to rebuild > Follow TCP Stream

When we do this we then get a recreation of the conversation in alternating highlighted red and blue text that designate when the conversation transitions from us sending to us receiving data. Capturing data from a secure web site looks like this:

...........m..e....G.....&I2n~3...?.....Z.. `Y.....Itk......:.Q......E.h..WL.".........+./.,.0............./.5.
...........7.5..2bowtiedcyberportfolio.xyz..........
.
.................#.........h2.http/1.1..........
...........................3.+.)........ ...`..r.....8'....z...r..%...C.R.-.....+..
.................JJ.................................................................................................................................................................................z...v.........WB.b.A..J...2.....8..C... `Y.....Itk......:.Q......E.h..WL......+.....3.$... ..pZ.%..a.\.bq.....cD.X..@.f.f.F.......... ....G.....T.H..E.NO....z=.E
c.X.....+......z.....>...........j.K'....p.
B4g.....qf1..F..hYf	c.2.../....JEgP..>V...)..Uf.L[{.fw..3.u;.6.].......?."...bn.;...m.$...'l.c...X.aN..)....,..S5m~......W.=.,M_..-XK.....y.!... 0....i.wj..]a...'&7..Mfj#......kYv...7...j...W@.......F.ne.&(b,.#.4.e?c..f.n...d."..2q..(.=.......}.$k2j...@....7.~...U-(..=...1.......s..4zU....ay.....si.c....N1....g.m6.V.:..........j..E..:H...$.J....W....)...^.!..h.w....s0+.y..!2.;>.g{F|*.i....Vp.....	..h...L.:8i.h..O.......~g@....(v:0.s........XP...b.......f.-W...!E.=uY.g....w.............}..2..Q....3m....n......L...
..	../`...(.h..<.$.;..!Z..l...RA.....!..s...Ro.=T._......d}R.B~t.$....fp...'..6
3(0...`r@
/..D.#.x.`r.A.h*.....l....0.!1..._....=.k..#......1..-.......k....J..-.oXn.'...^.Wy.5v.~..1q.,..(........#.....2...P!T...C.lUJ.^.B...L...C....0.8.....-..Q....L..u...,^y..r..(.oy,C3............^.z....y.91.....iy{@.na..\N....t.8*;..... _ ........	.8....>c9.v5{l^..nT..?......C./I.M......:...2.l.s.F......7-?...v.i.;I..[.....1.rVFk/.V.j..GZ...V...9..".n.....m9.j.....=.5...\.y..Z..M........H.=.".!..M.^.....H.....J.....%;.$....8..G.2..dt.M(.H5<X.;....>...
6w......F.o....*.* .K.g..N-..]..J........k.	.#T:.(.....u.k......Is..t	.}..|3..l...S).....
.....$W.j/.D....;........;...........~..c..
rB..by.q..9.:..(...).K....._.
..O...~...\/.f_u...$..1i.8.0.....x.O.@..#`A'..;:^k..)t..P.....%.
05g....3..../Km..J.B.T...zEQ4.....Jd..s..W.D......Dum.....1. .za...NoW..%.E.C..oK..+..K.rl..[...P..+u.O.BKe`R...c.Hq
$-G...eR.(:.....w..H+...~dBAz.....7d.}..G..cR..yg..B...L.>2...lvy.!.!..`.(n.Q.?.4~..f....~..y..N...LZR...o.... .f_.V.....:..I..5kD...../b)..W...#M.....TY......].O..Y.
. ..
.Z:[.	.#V...Bq.d.g..&.....e..1.L..5........;PuZ... ..U...j......9.'.(do...7.pO.~v....(..9..b...nZ.y.^ TV...."..l.1)....*..e.....z.K.|..A"...|..0...yE....6.T3...........'..5.\....<.n.6?...H..d=..D....w.C.._6.. ."A.g.?...;..
.CL....
9.....oHT`D..$.Z....4...G..2.l.C.g.!c.NZDI.lz{..B..`....
...+..6hW.....
.b......}*5H.p'f#..x.u.90B ....*.C6..a....C..U........Z.c.........}...m.	.24Qq.y..V...p%........3.........Y.M.....Np:R.90....g...Y.*....t..;.&....2..`.Rm......-U.........=.9...K...."._............3.......l%..&.P..q....rg....[j.....O=...g.....H......{..c....j?>~#.....r..6J.D..2i#..Ba..a..I...!?.........mHE...L.....=<K....R.K
.......q.......86J.4.^.z(.8QS...2!UgcQ.k.q."....x$..b{..X2..O...........x...7...........]...."......*w.i.....]D.z..J#......VV.)v..*}eO6.....9....5.F...<Y.O....LDF.I(....k...'...JK.$.Lj....v3:.<..L.....3..k$Z.~3.6.2.....::9".....P{..*	.tz......mv..f..A.:.kYI<...ting.v8........@f#1...y2...v.L...<6...C\.Q.	......LFe.....IS...m=t..
.W.%.N.....P.WP).......>.z..t.r..S.^.....$..|.3?k.%.Y..3,...R....P.$aO.y......].;..$]I1....=..S.u....r.{..<.`..RC.../b2..\......8v_R.6}.;....Z.~.h0..=7...1..	&.
o......a...........w....N>b.x......7 .../...X;..X.'.0.i..#..2...../....O;/.#8j.Q..GEM......1.....m.m....mg..igM..m...P..7i........<...10[..nU`;..%2.....?\...=.,..........\......
.t...W.>U.1Xw.?........U...ga.t..O.U
.jL_.Z...>.L..F.j...H%.E.:..]<1vQ..[H...f..c.X..k._.(9i.X.......e.U..{x..$...g.yS!.Y....L~....2...tXz....Yw.z.:.....-(.P.Z.E..
.CHl9...y...5"..^Q...3.4.UW.....$0..I
R1..i*.>....r..qr..r...G..X'W.S...mGwC.B.c.>l_...........SbW.Fv..5$........I....^...m...A[V..0q...X...S..h..-p;....1,..l...<.5..1.gB....]..xkh^I.O.`...E...vU....st....PF......T..4.4..~C....iJ.3`.[M@.6.........`...b/...H..6u..=.....][.n.[..8_H.u;g...Jg{)..r.......K..T6..b.....B....
..;.3.M............a.coI..=
[..X.\..0Xq`F#...0..N...&....p.j.........t..._lA....Pc"...2W.oQ.6..U...q..m....3I..M,..d.R.K..Z.p........k...P..^..,'..Y'.xc...0.b..t.E.Z.i...(.|}..^o}....Y.~..z..Hvz.s.\.&..T.......,......F.v.,......,.......%......R+...*.....-..@...G...k..qX..bHm........,..V7N......q...'...G*.B...........y..V..Hx!....w..........5.}...&n..I.SZV............"*..$*b...k..C..$...x............a..%......#..|..3..[..................DH.JF67MM.\:.../..l.D..*t.]q[........a...?.....X.8........t...O....g...T........_`...t."......L....I....|e(p.G....J6.."..c0..A....Y.."..."...u.$.'..m........MF.U..zE.!l.k&.h..8..q..P.pJ_.1>...2.\..i.6...+.k...>|$T.R....S.OIc.U.pZp......%.(9.sk..=.....U...j.w3.....ae..H...6 |b........-
.........J..A.	`$'DG..s.%.w]_.....]=
.)Eg.f....,.!...2f
:8|..#...p .\sr.L...	.%.I..@....(.....!o+.Q.(.P.=.hB.N.........ey..BE...5..#...>*9%..V5(bHI..^.P.%...T...w.-...;..........W...2.>.R&.p.._...'.....Q..?.....,Rg,
g..=.A.....'....R...I.*......d...;..M...X...KFT.g..Z.e	
..@....?._mmQ.L..]
....E^.EF.D./{.c.X.H...3....1..f(Fyq......Lh..T.z.1TJh.|..?I81._...>%.....d........o.CDSO4.B...V.1D........ .G.s.w.M..d.0.!.`...e....y[.._.....0......s.Y
........PQq	..>/!..e....(qJB...1.!.P%.^..k........gi.:...4.\n..1s...S .Q?_c..Pb..dz./q.i%6...sB[o.).l...l..
.R}....|.q.Ms./<.*5 .........V..5(j.......<...8....._.&.G.FT.B.+
..m#.24C..{..I..........
d...$........3../..
..m].....
...my'}"..L.}...{.N.&O.....sJ.)..:|.?0W.._#.M.XO....sM.".-..pv.....n...$.Jn..p.?....0B.1.h..x.....GD.Fq.nO@#:....tU?..^.....Z!...&....S@....Nv.B..x...s.5th-..;.I.."....A..ha.[..W...6...........j.N...L....g...L.....8.r*..{#t.+...	...N....K..=......b?q.Pmx.ruZ.q..>~.Na.[c./.!..M(...T1............B_b.Y.......k...L.&$..<.:...+..d.|.8...nX..]......H
..+g..+jq.....9.IB.e.......7Q*.).#k..N.....c...L.J(xm.........K#(.._...X0E.$.......k.........`....H..A./{
.V.{.b...^./E.Gk..eV....=...N....R.&..I!N.......*m...vJ...}.J....(.['Q....fZE...<.....4.1.....P.......el..c.
.Qq...\.L.B.....+J..<....+4....r}..b.4.^././...N..GP....^..
c.....V......DC..fGP.O..+.i..A.....5?g.....e.Cp.q.......S.G5.....X.\m..D[s..|.Su.j...h.............5
o..V.MN.....<N......B..V.......{[./.rRm.....k......%........;!...P.}.q..:".j...9...>.S.C..;8h .......\=...`,...Cf.[...,.d.Z.8 Z.@U..|-]......B._2	.*..x....O.vQ/.....*.J$....!w...w.+!.O.._..s+.
...,..x...
.%69..)f.+...MY|....J^....}...7..s.9..x.j...M.a.........vK.4...:.....^!..._8~}W.pzm.....r...NN.7D. d.............	........?......@..!.`..e..jg.=.........c.[/.^..a...n..:.-h.E..V.2.-..j...
$.^H1..|..~........|.......)T.mP\..PrV
Y..JK]..4J._.F.AOe.w.FT....^2=...b6..QX.i.@..=.z...Q.1etcR&..E....vQ....@:	...E.....>....B...6>.........L..TT...1..*-yS.0Y.S1..'L......9..H.|.}jb...*W..j$.........(.[.F.aW.LH....,.........<.c..

Not much to look at. That’s because the data has been encrypted, and the only real information we can obtain from this packet capture is near the top, where we see the URL bowtiedcyberportfolio.xyz. As we can imagine, if we were logging into an online banking account, we should feel secure knowing that the traffic is encrypted, that way, if anyone were to capture these packets, they would not be of any use to them (breaking this encryption is extremely difficult and can, in some cases, take literally thousands of years by today’s computing standards to do so).

Let’s now contrast this with an insecure or clear text protocol like HTTP. Consider the following web page login:

Now, this web page is not inherently clear text, but does allow for http login, via the url tampering mentioned in the beginning of the post. Let’s take a look at what happens when we login and reconstruct the conversation with Wireshark:

That last red line reads:

anchor=&username=test&password=OhNoMyPassword%21

The last line is the list of variables sent to the server in URL encoded clear text. In this instance, we can see that the Username was test and the password was OhNoMyPassword! (%21 is URL encoding for !, which your computer automatically does when entering this character in, as well as many others). Contrast this with the encrypted conversation listed and it is no mystery why almost every web page on the internet today is encrypted.

Does this mean that all web pages should be encrypted? Not necessarily, but it couldn’t hurt.