HTTP user/pass grab confusion - http

First and foremost, my knowledge of this subject is limited, so I'm reaching out to learn more. Any support would be greatly appreciated.
I've been trying to use Wireshark to learn more about different network traffic, how protocols work, etc. Specifically, I've been trying to see how it's possible to sniff a user/pass off my friend's website (don't worry, he made it solely to help me and there are no inappropriate intentions). He made a basic HTTP website to ensure the minimum security. When I log in on my computer, using my own username and pass, I can see that Wireshark captures my information and I'm able to see my own username and pass.
However, if I use my phone to log in (with my own information), or if he logs in from his own computer, those usernames and passwords don't show up. Nothing shows up. I'm confused because we both expected that information to appear in Wireshark like it did when I signed in from my computer.
As I mentioned above, my knowledge isn't deep on this topic, so any pointer in the right direction would be helpful!

Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface, including unicast traffic not sent to that network interface controller's MAC address.
If you've set up Wireshark to capture the traffic on your computer, you will see all the traffic between your network interface and the server hosting the website.
However, Wireshark will not be able to capture the traffic from the network interface on your phone to the server.
If you set up Wireshark to capture the traffic on the server itself, then you will be able to see all the traffic in and out of it from any device used.
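To make concrete what the asker saw in the capture, here is an added example (not from the question or the answer) that scans one captured HTTP request for credentials an on-path observer could read and reports them with the secret redacted; the request text and the host name are constructed. The same request sent over HTTPS is opaque to this check, which is why a login form should not be served over plain HTTP.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample: a login POST as it appears in a cleartext HTTP capture.
# The Basic header is built here so its base64 value is guaranteed to match.
BASIC_TOKEN = base64.b64encode(b"alice:hunter2").decode()
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: friends-test-site.example\r\n"
    f"Authorization: Basic {BASIC_TOKEN}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
USER_FIELDS = {"username", "user", "login", "email"}

def parse_http_request(raw):
    """Split one HTTP/1.x request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body

def find_plaintext_credentials(raw):
    """Report credentials an on-path observer could read from a cleartext request.
    Secret values are redacted; only the scheme, field names and user name are returned."""
    _request_line, headers, body = parse_http_request(raw)
    findings = []
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":          # Basic auth is base64, not encryption
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
            findings.append({"kind": "basic-auth", "user": decoded.partition(":")[0], "secret": "<redacted>"})
        except ValueError:
            pass                           # malformed token: nothing readable to report
    if "application/x-www-form-urlencoded" in headers.get("content-type", "").lower():
        fields = parse_qs(body)
        user = next((v[0] for k, v in fields.items() if k.lower() in USER_FIELDS), None)
        for name in fields:
            if name.lower() in PASSWORD_FIELDS:
                findings.append({"kind": "form-post", "field": name, "user": user, "secret": "<redacted>"})
    return findings
```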

Related

Can't communicate with smart IoT devices using HTTPS

Every time I purchase an IoT device (smart lock, bell, plug, etc.), there usually is also a way to use it by going to http://192.168.1.x, but there NEVER seems to be a way to communicate with it securely using HTTPS. Is this a big problem for HTTPS? Is there a solution for this? I don't want someone on my network to look at what I am sending to my device over HTTP, but I can't use HTTPS either. What can I do?
I know that TLS certificates require a hostname to verify the authenticity but these IoT devices only tell me to open the control panel using http and local IP. Does that mean all my communication with my smart device is in plain text and open for everyone to read?
Does that mean all my communication with my smart device is in plain text ...
If it is plain HTTP then yes.
... and open for everyone to read?
If everybody can read the communication inside your local network then yes. Fortunately, in most local networks this is not the case. For example, if you have your own WLAN which is properly secured with WPA2 and a strong password, then only those who know this password can access the local network - but they would then be able to sniff the traffic to the IoT device.
... but there NEVER seems to be a way to communicate it using HTTPS securely.
This depends on the actual device, i.e. some might offer HTTPS but many still don't. If this is a problem for you since your network is open to potential attackers, then you had better put these devices in a separate network to which only you have access.

How do I send HTTP request on behalf of some other machines in my local network?

I have a local network, and I can monitor all traffic there. Bandwidth for each user is limited, and usually all computers are NOT using their total bandwidth. So, if I can find a way to send requests on their behalf, then I can increase my bandwidth for some special purposes. So, the first question that comes to mind is: how do I send HTTP requests on behalf of some other machines in my local network?
Note: let's mention that if the answer to my request goes somewhere I'm not, then this wouldn't be a big problem.
Check out iptables (Linux command line tool); this will easily allow you to do this, and if you want you can even fake the IP address to get a response message with arptables... If you're running Windows, I'm pretty sure netsh will allow for the same thing.

Can I track activities, if I know the IP?

Say if I have the IP of a user x.x.x.x, then using the IP can I track all the activities that the user is doing? How can I do this?
How can I check which web pages the user is opening, or something similar?
Please guide.
No, you cannot. Traffic is point-to-point and knowing the address of a point is not enough to know the traffic going to/from that point. It's like asking if you can read someone's (snail) mail just because you know their house address.
In order to "snoop" that fully, you need to be in the middle where all traffic passes through your node (like having the postman give you the mail and then you giving it to the owner of the house).
If you have a machine that the traffic from the user is reaching (e.g. you're connected to the same switch), then probably yes. The most trivial way is using a network sniffer (Wireshark for Windows, tcpdump for Linux).
However, if the user surfs an SSL-secured site (a.k.a. HTTPS) then you will see only encrypted content.
Geolocation is not accurate because the primary source for IP address data is the Regional Internet Registries. They do not hold a database of information about individual IP addresses, but information about ranges of IP addresses that have been assigned to certain organizations. Such an organization has free rein over the IP addresses they get and they do not need to give location information to the RIRs. In other words, only your ISP knows your exact location. If you want to find the location of a user you will have to ask your ISP, and they will most probably deny your request.
You can't sniff packets sent from someone, unless you are part of the same subnet - you would have to be connected to the same switch and be on the same Virtual LAN as that user. Even if you somehow find the physical location of a user and connect to the same switch, the ISP has most likely set up port security, which would deny access to your MAC address.
In conclusion, unless you are already connected to the same switch, you can't track that user's activities.
If you are connected to the same switch, you can install one of the popular packet sniffer utilities such as Wireshark and set it to promiscuous mode.

How to tamper with source IP address on Windows

We have a testing scenario which needs to tamper with the source IP address of an HTTP request to simulate clients coming from different countries. Do you know of any tool that helps with this?
Last but not least, our web site is built with ASP.NET.
Thanks.
In a test environment it usually isn't difficult. First read this SO question about virtual network interfaces.
If the server and client are on the same machine, all you have to do is figure out how to get your client software to bind to your virtual interface.
wget for instance has the --bind-address option to specify which local address to bind to. Web browsers are a bit more difficult to do this with; you may need to just run it in a VM.
If your server and client are on the same LAN, you just need to configure your router with some static routes to your client machine. In this case you probably don't need a virtual network interface, just set a static IP for your client machine; as long as the gateway is set up correctly it should be able to send packets to the server, and as long as the route is set up correctly the replies should find their way back to the client.
If the client and server are separated by an internet, it's rather more difficult. One option is to set up a network tunnel endpoint on the server and tunnel it to the client machine, which "knows" that it has the virtual network interface.
As noted in answers to the ServerFault question "Are IP addresses trivial to forge", you cannot easily forge source addresses in a protocol that requires two-way communication (e.g. TCP). Note that this "two-way communication" is required at the packet level. You cannot just say "no problem, I want to send requests and ignore HTTP responses." To establish a TCP session, you need to receive data. Your best bet is to use a proxy server.
I am unsure if the IP standard allows for this, but if you are working in a lab environment, where you don't need internet connectivity during the test, I can see it working under the following circumstances:
Basically, I would set the server's network interface to use netmask 0.0.0.0 and flush the rest of the routing table.
Then you could configure a client machine to take on any IP address as long as you use netmask 0.0.0.0. And two-way communication should be possible.
Server[1.2.3.4/0] <---> Client[x.x.x.x/0]
But please bear with me. I haven't tested this, so I could be wrong :-)
If you have access to your infrastructure, you can add an interface off the router and then place a static route on the router to that network.
Server-----Router----Internet
              /
Test_PC------/
Alternatively you can look into PBR (Policy Based Routing) and on the routers you can flag source packets and change the source on the fly, so your server will think they are coming from where you'd like them to come from.
Server-------------Router_with_PBR-------------Internet----- PC
SRC: 4.2.2.2 (at Server)    Change SRC: 6.6.6.6 to 4.2.2.2 (at Router_with_PBR)    SRC: 6.6.6.6 (at PC)
But you have to ask yourself why do you want to see when packets come from different countries. Some countries have massive proxy servers that filter access ( "Great Firewall of China"), so the above tests will not prove much.
Your best bet then is using proxy servers, or if you're looking for a long-term solution then set up a server (virtual is great for this) and use RDP for testing. I'm sure you can rent a virtual server somewhere for a month or two.
That's not possible, because when you forge the IP address, the response is never going to come back, which is required for HTTP.
The best way is to use proxies. See also this question on serverfault.
If you change your source IP address, that means no traffic from your web server will be able to reach back to the client.
You might be able to use some kind of proxy and/or address translation filter to do the remapping while still allowing two-way communication.
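As an added illustration of the bind-address approach from the first answer (example code, not from any of the answers): a client socket chooses its own local source address and a throwaway server records what it saw, while the OS refuses an address that is not configured on any local interface, which is the socket-level face of the point the other answers make about return traffic. It assumes a Linux-style loopback where 127.0.0.2 is usable and falls back to 127.0.0.1 otherwise; 203.0.113.7 is a documentation address used as the non-local case.

```python
import socket
import threading

def can_bind(addr):
    """True if the OS accepts `addr` as a local source address, i.e. it is configured
    on some interface. Anything else is refused (EADDRNOTAVAIL) before a packet is sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((addr, 0))
        return True
    except OSError:
        return False
    finally:
        sock.close()

# Linux routes all of 127.0.0.0/8 to lo, so 127.0.0.2 is a second usable source address
# with no configuration; fall back to 127.0.0.1 on systems where that is not the case.
ALT_LOOPBACK = "127.0.0.2" if can_bind("127.0.0.2") else "127.0.0.1"

def observed_client_address(bind_addr, server_addr="127.0.0.1"):
    """Connect to a throwaway TCP server from a client socket bound to `bind_addr`
    and return (address the client bound to, address the server saw for that client)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((server_addr, 0))            # port 0: let the OS pick a free port
    server.listen(1)
    seen = {}

    def accept_one():
        conn, peer = server.accept()
        seen["peer"] = peer[0]               # what the server-side code would log
        conn.close()

    acceptor = threading.Thread(target=accept_one, daemon=True)
    acceptor.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        client.bind((bind_addr, 0))          # the equivalent of wget --bind-address
        client.connect(server.getsockname())
        bound = client.getsockname()[0]
        acceptor.join()
    finally:
        client.close()
        server.close()
    return bound, seen["peer"]

if __name__ == "__main__":
    print(observed_client_address(ALT_LOOPBACK))  # both elements equal ALT_LOOPBACK
    print(can_bind("203.0.113.7"))                 # False: not a local address
```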

How to get the MAC address of the visitors' PC in an ASP.NET webApp?

In an ASP.NET (C#) web app, I can get the IP of the visitors' PC easily, but how do I get the MAC address of the visitors' PC in an ASP.NET web app?
And this ASP.NET app is running on the inner intranet of our company, and the visitors are also on the same inner intranet of our company.
The MAC address is not part of the IP header (or any other protocols above that), and thus not available if all you see is the HTTP traffic.
EDIT (after OP's update): Since clients and servers are on the same internal network, wouldn't it be better to get a host name from the IP address instead of the MAC address? You can easily look up the host name based on the IP address.
The answer that immediately comes to mind is that this is only possible if you write an ActiveX control that runs in the client browser to obtain this information on your behalf. On the other hand it might be possible with JavaScript on the client if the JavaScript can instantiate a COM object that will get the information. The only other way I can think of is to have a Windows service that does an ARP request once the IP has been captured.
You can't easily do this. There are protocols such as ARP which allow translation between MAC and IP addresses, but this traffic is typically behind a firewall and so not available to you on a public website.
On an intranet, you might be able to do something, but not via ASP.NET. You would need to use other mechanisms to capture this information - but those kinds of tools (e.g. packet sniffers) are generally not available to developers and may contravene corporate IS policies.
Since you're on the same subnet, you can P/Invoke GetIpNetTable to get the webserver's ARP table. If you do this real-time, no additional work would be necessary - since you're having a conversation with the client, you'll have the ARP info. Otherwise, you'd need to construct an ARP request or some IP traffic (say, a ping) to get it in the cache - and note that due to DHCP and other network vagaries (like a machine being turned off), it is possible that converting IP to MAC later will yield a different answer.
Note also that any external clients (ie., ones across a router) just won't show up in the table - so be prepared to deal with that as well. If you need a MAC for them for some reason, it's technically your router's MAC.
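To illustrate the ARP-table lookup above together with its two caveats (incomplete entries, and clients behind a router that only appear as the router's MAC), here is an added example that is not from the question or the answers. It parses text in the layout of Linux /proc/net/arp, an assumption since the page's server runs ASP.NET on Windows, where GetIpNetTable returns the same rows; the table, subnet and gateway are constructed.

```python
import ipaddress

# Constructed sample in the layout of Linux /proc/net/arp (assumption: the web server is
# a Linux host; on Windows the same rows come from GetIpNetTable, as the answer describes).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.5.23        0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.5.99        0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.5.1         0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
"""
SERVER_NETWORK = ipaddress.ip_network("10.0.5.0/24")   # constructed: the server's own subnet
GATEWAY_IP = "10.0.5.1"                                # constructed: its default router
ATF_COM = 0x2                                          # ARP flag bit: entry is complete

def parse_arp_table(text):
    """Parse /proc/net/arp text into {ip: {"mac", "complete", "device"}}."""
    table = {}
    for line in text.splitlines()[1:]:                 # first line is the column header
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = parts[:6]
        table[ip] = {"mac": mac, "complete": bool(int(flags, 16) & ATF_COM), "device": device}
    return table

def mac_for_client(client_ip, arp_text=SAMPLE_ARP_TABLE, network=SERVER_NETWORK, gateway_ip=GATEWAY_IP):
    """Look up a web client's MAC in the server's ARP cache. Returns (mac, status)."""
    table = parse_arp_table(arp_text)
    if ipaddress.ip_address(client_ip) not in network:
        # Across a router the client never appears in the table; only the router's MAC does.
        gw = table.get(gateway_ip)
        return (gw["mac"] if gw else None), "off-subnet: router MAC, not the client's"
    entry = table.get(client_ip)
    if entry is None:
        return None, "not-in-cache"        # no recent traffic; a ping would populate it
    if not entry["complete"]:
        return None, "incomplete"          # resolution pending, or the host is off
    return entry["mac"], "resolved"
```

On a live Linux host, pass `open("/proc/net/arp").read()` as `arp_text`; the DHCP caveat in the answer still applies, so resolve at request time rather than later.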
