What is the login and the password I used? All the clues you need will be in this trace.pcapng file (click to download) and the point below:
- The trace file includes me surfing "cnn.com" as well as accessing a local device
- The protocol I used was HTTP but not TCP port 80
- If you manage to find the correct IP pair, you will see me unsuccessfully try to connect on TCP port 80
- I then tried again with the correct TCP port number
- And after connecting, I login to the device
Like with any trace files, there's going to be more than one way to do this and no correct single methodology. To start this analysis, have the trace file open and set the filter to display HTTP. In order to display packets using the HTTP protocol, just simply type "http" in the Display Filter Toolbar. By doing so, allows you to narrow down to the exact protocol you need. You will notice that all the packets in the list only show HTTP for the protocol and see some traffic, including local IP going out to a public IP as well as some local IPs.
Now that you have displayed all HTTP, the easiest way to do this is to right click, then on Conversation Filter choose IPv4. You can see the results from the filter built by Wireshark correspondingly with my written clues showing that I try to connect on TCP port 80 and get a TCP RST. After the failure and trying out another TCP port, it turned out to be TCP port 81 although Wireshark still recognizes it as HTTP.
Finding the login credentials
Once you get the results, you can just quickly search by using CTRL+F for the word Credentials. Wireshark's display filter a bar located right above the column display section. This is where you type expressions to filter the frames, IP packets, or TCP segments that Wireshark displays from a pcap. To filter for string in the data of the packet, add Filter criteria, in this case type: "credent", because credentials is what Wireshark is going to interpret as the login credentials. Then Search via packet details. Click Find.
You will see Wireshark decoded credentials admin:techhead, which is the correct answer. For more detail explanation of the answer, watch the video below:
The question was asked by Packet Analysis Hero Tony Fortunato - Network Performance Specialist.