Snatching HTML form data due to a lack of SSL encryption through Wireshark

This time, we’ll be capturing HTML form data through the use of Wireshark due to a lack of SSL encryption on the form page.

Glossary:

SSL: SSL (Secure Sockets Layer) is the original protocol for encrypting traffic between a browser and a site. Every SSL version is now deprecated (SSL 3.0 was formally retired by RFC 7568 in 2015) and has been replaced by TLS, which is what HTTPS uses today; "SSL" survives mostly as a colloquial name for TLS. This post uses it in that loose sense: an HTTP form page with no TLS at all.
Wireshark: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows.
Kali: Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.

Requirements:

You just need Wireshark for this, plus a browser and, if you want the welcome.php handler to actually run rather than just open as a file, a PHP interpreter. I'm using Wireshark in a Kali Linux virtual machine.
Wireshark: https://www.wireshark.org/#download

Step One: Making a really simple form.

As an example, we'll make an extremely basic form and leave the password field as plain text (input type="text" rather than type="password") purely so you can read what I've typed in the screenshots. The input type has no effect on what goes over the wire: without TLS a type="password" field is sent in the clear just the same.

To begin, create a file named form.html.

Next, write in a form of your choice with method="post" and an action pointing at welcome.php. For this example I just used a really simple form from w3schools.

Now create a short PHP script to handle the form, in a file named welcome.php. It just echoes the submitted fields back, which doubles as a visual confirmation of what we typed into the form.

Now we need to run the HTML. To keep things simple on the Kali virtual machine, I originally just opened form.html straight from disk in Firefox (or any browser you like). Be aware of what that does: a page loaded from file:// submits to the local filesystem, not to a web server, so no HTTP request ever touches the network and Wireshark has nothing to capture. To get a real capture, serve the two files over plain HTTP instead, for example with PHP's built-in server (php -S 127.0.0.1:8000, run in the directory holding form.html and welcome.php) and browse to http://127.0.0.1:8000/form.html.
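If you would rather not install PHP, the following is a stand-alone replacement for form.html plus welcome.php using only the Python standard library. It is an added example, not the post's own files or the w3schools form: the field names (username, password), the /welcome path and the address 127.0.0.1:8000 are my assumptions. It serves the form over plain HTTP, so a submission really crosses the network and shows up in Wireshark.

```python
"""Serve the demo form over plain HTTP so the POST really crosses the network.

Added example, not the post's own form.html/welcome.php: a single stand-alone
replacement for both using only the Python standard library. Assumptions: the
field names (username, password), the path /welcome and the address
127.0.0.1:8000 are mine, not the post's.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
import html

# Same idea as the post's form: the password field is deliberately
# type="text" so a screenshot is readable. type="password" would change
# nothing on the wire; without TLS both are sent in the clear.
FORM_HTML = """<!DOCTYPE html>
<html><body>
<h2>Demo login form (plain HTTP, no TLS)</h2>
<form action="/welcome" method="post">
  Username: <input type="text" name="username"><br>
  Password: <input type="text" name="password"><br>
  <input type="submit" value="Submit">
</form>
</body></html>
"""


def parse_form_body(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body into {field: value}.

    This is exactly the string a sniffer sees as the POST body, so the same
    call reconstructs the credentials from a capture."""
    pairs = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def render_welcome(fields: dict) -> str:
    """Echo the submitted fields back (the job welcome.php does in the post),
    HTML-escaped so the echo page is not itself an XSS sink."""
    items = "".join(
        f"<li>{html.escape(name)}: {html.escape(value)}</li>"
        for name, value in fields.items()
    )
    return f"<!DOCTYPE html><html><body><h2>Welcome</h2><ul>{items}</ul></body></html>"


class FormHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self._send_html(200, FORM_HTML)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        self._send_html(200, render_welcome(parse_form_body(body)))

    def _send_html(self, status: int, page: str) -> None:
        data = page.encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Browse to http://127.0.0.1:8000/ and capture on the loopback interface.
    HTTPServer(("127.0.0.1", 8000), FormHandler).serve_forever()
```

Run it with python3, open http://127.0.0.1:8000/ in the browser, and capture on the loopback interface (lo) since browser and server share a host. To reproduce the post's eth0 capture, bind to the VM's address instead of 127.0.0.1 and submit the form from another machine on the same network.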

Here, we’ll see the simple form we’ve made.

Now, to capture the data, open Wireshark and start a capture on the interface the traffic actually crosses. For me it's eth0. If the browser and the server are on the same machine, the packets never leave the host, so capture on the loopback interface (lo) instead. Capturing needs root, or membership in the wireshark group on Kali. Wireshark only sees packets that reach that interface, so in practice sniffing somebody else's form submission means being on the path: the same host or VM, a shared segment, or a mirror port.

Here is the main capturing page.

Apply the display filter http.request.method == "POST" so only the form submission is shown; the form's own GET and everything else is merely hidden from view, not dropped from the capture.

Now we're pretty much done: submit the form and the POST will appear in the capture.

There is our HTTP POST. Right-click it and choose Follow > HTTP Stream. In my experience Follow > TCP Stream looks nearly identical for plain HTTP, but let's keep it simple.

In a normal scenario (a real server, a proper form and no SSL/TLS) the captured form data sits in the red client-to-server text, as the last red line before the blue server response: the urlencoded body, field=value&field=value, in the clear. Because this run opened form.html straight from disk, the submission never went over the network, so there is not much to see in this particular stream; served over HTTP it looks exactly as described, and everything in it can be read. Served over HTTPS, the same Follow Stream view shows only the TLS handshake and ciphertext, which is the whole reason forms belong behind TLS.
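What Follow > HTTP Stream shows is just the raw bytes of the connection, so the extraction can be scripted. The block below is an added example, not the post's code: it takes a constructed client-to-server stream (the address 192.0.2.10, the paths and the field values are made up), applies the equivalent of the http.request.method == "POST" display filter, and decodes the urlencoded body into the submitted fields. It also handles the two things a real capture throws at you: several requests on one keep-alive connection, and a stream truncated by the end of the capture.

```python
"""Pull form fields out of a captured plain-HTTP stream, the same data
Wireshark's Follow > HTTP Stream window shows in red.

Added example, not the original post's code. CAPTURED_STREAM is a
constructed sample of the client-to-server half of one connection; the
address 192.0.2.10, the paths and the field values are made up.
"""
from urllib.parse import parse_qs

# Constructed sample: the GET for the form, then (same keep-alive
# connection) the POST a browser sends when the form is submitted.
CAPTURED_STREAM = (
    b"GET /form.html HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
    b"POST /welcome.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"username=alice&password=S3cret%21%40%23"
)


def split_requests(stream: bytes):
    """Yield (method, path, headers, body) for every complete request in the
    stream. Bodies are delimited by Content-Length only; a request cut off by
    the end of the capture is dropped rather than half-parsed."""
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # no complete header block left
        lines = stream[pos:head_end].decode("iso-8859-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:
            break  # not an HTTP request line (e.g. binary junk)
        method, path, _version = parts
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        if len(body) < length:
            break  # body truncated by the end of the capture
        yield method, path, headers, body
        pos = body_start + length


def extract_form_posts(stream: bytes) -> list:
    """The http.request.method == "POST" display filter, then decoding of the
    urlencoded body: one dict per form submission found in the stream."""
    found = []
    for method, path, headers, body in split_requests(stream):
        if method != "POST":
            continue
        if not headers.get("content-type", "").startswith(
                "application/x-www-form-urlencoded"):
            continue  # multipart/form-data or JSON would need another decoder
        pairs = parse_qs(body.decode("utf-8", errors="replace"),
                         keep_blank_values=True)
        found.append({
            "host": headers.get("host", ""),
            "path": path,
            "fields": {name: values[0] for name, values in pairs.items()},
        })
    return found


if __name__ == "__main__":
    for post in extract_form_posts(CAPTURED_STREAM):
        print(f"{post['host']}{post['path']} -> {post['fields']}")
```

On a saved capture rather than constructed bytes, tshark gives the same fields directly with Wireshark's filter syntax: tshark -r capture.pcap -Y 'http.request.method == "POST"' -T fields -e http.host -e http.request.uri -e http.file_data.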
