Wireshark mailing list archives

Re: Webmail password


From: Martin Visser <martinvisser99 () gmail com>
Date: Tue, 23 Feb 2010 16:32:01 +1100

The easiest way will be to read the documentation or the source code of the
software being used to run the webmail application. ;-)

There are a number of techniques to send authentication credentials as part
of the HTTP request. Mostly it is encoded in the LIB_SSO_CK and/or LIB_NAME_CK
cookies. (SSO is a TLA that normally stands for Single Sign On). A pretty
strong likelihood is that when you actually did login to your webmail,
hopefully via HTTPS (encrypted in SSL), that you were presented with those
cookies. You now send those cookies, which the server then matches up to
your previous login sequence. The cookies will be some form of encoded hash
that simply *cannot* be reverse-engineered to find your password. (The fact
that your username appears in plain text might not be the best design, but
it doesn't indicate that the password can be easily discovered. Most webmail
systems of course use the email address as the username so this is pretty
much par for the course)

It would be a very bad authentication scheme if you could simply pick out
your password by using Wireshark and with no other prior knowledge (such as
the private keys that are used by the server to encrypt any data sent to
you)


Regards, Martin

MartinVisser99 () gmail com


On Tue, Feb 23, 2010 at 11:51 AM, Relay <relay () slacky it> wrote:

Hi everybody, I'm studying Wireshark and I'm trying to sniff my webmail
password. These are some data that I pick up with it:

181445.680284192.168.1.*21*.52.84.153HTTPPOST
/cp/ps/Main/login/Authenticate?trsId=4524631&rndPrx=0.7080723282452864
HTTP/1.1  (application/x-www-form-urlencoded)

with tcp stream:

GET /cp/ps/Main/loadingInside?d=domain.it&u=user&t=971554d47d100d66
HTTP/1.1
Host: mailbeta.domain.it
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4)
Gecko/2008102920 Firefox/3.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://mailbeta.domain.it/cp/ps/Main/login/AuthenticateReal?callAPITONotify=false&va=1266882504441&d=domain.it&rndPrx=0.30611842451881544&isTestCp=false&u=user&cookieAccepted=yes&trsId=4524631&fromSso=yes&s=1266882504441
Cookie: JSESSIONID=FA2882B3A2BBEB8225F69FD763EF7D2A;
Domain=84.13.53.231.1266882471756605;
__utma=267072147.2053639337.1266882716.1266882716.1266882716.1;
__utmb=267072147.1.10.1266882716; __utmc=267072147;
__utmz=267072147.1266882716.1.1.utmcsr=google|utmccn=(organic)|
utmcmd=organic|utmctr=domain; LIB_ADV_CK=4-1-93-12-0;
LIB_SSO_CK=NzFhYmU0ZmYwYTQ5NDhiYzliMWY5YTRiNjE5MjRkMTlQ0vC74AjZ315eM4UlCxHlgg0DmffScSSgVQPNBxzfPQ%253D%253D;
LIB_NAME_CK=NWRlMTZjZDExM2RlNjVkYTZjZjZiNTEwMjcwMzgzZWQ6FsDDEOnrRcrmDFFW9%252Bnw;
WMAIL=smart; s=1266882504441; rndPrx=_0.30611842451881544; bk=wmail33:8000

I can see the username, &u=user. But I don't understand what should be the
password. There isn't a field "password" just a field iterate a lot close to
the username &u that is &t=971554d47d100d66. But it isn't my password.
What do you suggest me?
Thanks for your help
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
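
Added example, not part of either e-mail in this thread: decoding the two LIB_* cookie values from the quoted capture shows the structure the reply describes, an opaque session token rather than a password. The function names are this example's own; the cookie values are copied from the capture above.

```python
import base64
import re
from urllib.parse import unquote

# Cookie values exactly as they appear in the capture quoted in this thread.
CAPTURED_COOKIES = {
    "LIB_SSO_CK": "NzFhYmU0ZmYwYTQ5NDhiYzliMWY5YTRiNjE5MjRkMTlQ0vC74AjZ315e"
                  "M4UlCxHlgg0DmffScSSgVQPNBxzfPQ%253D%253D",
    "LIB_NAME_CK": "NWRlMTZjZDExM2RlNjVkYTZjZjZiNTEwMjcwMzgzZWQ6FsDDEOnrRcrm"
                   "DFFW9%252Bnw",
}


def url_decode_fully(value, max_rounds=5):
    """Undo repeated percent-encoding, e.g. %253D -> %3D -> '='."""
    for _ in range(max_rounds):
        decoded = unquote(value)  # unquote() leaves a literal '+' alone
        if decoded == value:
            break
        value = decoded
    return value


def describe_token(raw):
    """Base64-decode a cookie value and split it into hex prefix and tail."""
    blob = base64.b64decode(url_decode_fully(raw), validate=True)
    # Leading run of lowercase hex characters; in both sampled cookies the
    # byte that follows is not a hex digit, so the split is unambiguous.
    match = re.match(rb"[0-9a-f]+", blob)
    prefix = match.group().decode("ascii") if match else ""
    tail = blob[len(prefix):]
    return {
        "total_bytes": len(blob),
        "hex_prefix": prefix,
        "tail_bytes": len(tail),
        # True only if every remaining byte is printable ASCII.
        "tail_printable": all(32 <= b < 127 for b in tail),
    }


if __name__ == "__main__":
    for name, raw in CAPTURED_COOKIES.items():
        print(name, describe_token(raw))
```

Both values decode to 32 hexadecimal characters followed by non-printable binary data; neither contains a readable password field.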
