Http Basic Auth
Let's Defend Malware Analysis [Easy]

#tutorial

Challenge Description

(The challenge description is provided as an image on the original page.)

Solution and Analysis

This document provides a detailed analysis of the provided PCAP file. The objective is to extract specific information about the network traffic, including details about the client, the server, and the communication protocol used. The primary tool for this analysis is Wireshark.


Question 1: How many HTTP GET requests are in the PCAP?

To count the total number of HTTP GET requests, we can use a specific display filter in Wireshark.

  1. Open the PCAP file in Wireshark.
  2. In the display filter bar at the top, enter the following filter and press Enter:
    http.request.method == "GET"
    
  3. The filter will isolate only the packets that are HTTP GET requests.
  4. The exact count is shown in the Wireshark status bar at the bottom right of the window.

Question 2: What is the server's operating system?

The server's operating system can often be identified from the Server header in its HTTP responses.

  1. Apply a filter for HTTP responses coming from the server's IP address (10.0.0.5):
    http.response and ip.src == 10.0.0.5
    
  2. Select any of the resulting packets in the Packet List pane.
  3. In the Packet Details pane below, expand the "Hypertext Transfer Protocol" section.
  4. The Server header will contain information about the web server software, which often includes the underlying OS. For example: Server: Apache/2.4.18 (Ubuntu).

Alternatively, you can right-click any of these packets and select Follow > TCP Stream. The server's response (text in red) will show the Server header at the top.

Server, OS, and OpenSSL information in TCP Stream

Question 3: What is the name and version of the web server software?

This information is located in the exact same Server header used for Question 2: the web server name and version is the first token of that header (e.g., Apache/2.4.18 in the example above).


Question 4: What is the version of OpenSSL running on the server?

This information is also included in the detailed Server header.

  1. Following the steps from Question 2, examine the full Server header.
  2. The server's response often bundles this information together for diagnostic purposes.
  3. Answer: The OpenSSL version is included within the server string (e.g., OpenSSL/1.0.2g).

Question 5: What is the client's user-agent information?

The User-Agent string identifies the client software (e.g., the web browser) that initiated the request.

  1. Filter for HTTP requests originating from the client:
    http.request
    
  2. Select any request packet.
  3. In the Packet Details pane, expand the "Hypertext Transfer Protocol" section.
  4. Locate the User-Agent header to find the client's information.

User-Agent header in Packet Details

Question 6: What is the username used for Basic Authentication?

HTTP Basic Authentication sends credentials in the Authorization header, encoded in Base64. To find the username, we must locate this header and decode its value.

  1. Find the Authenticated Packet: Filter for packets containing an Authorization header. This is the most direct method.

    http.authorization
    
  2. Extract the Encoded Credential: Select a packet from the results. In the Packet Details pane, expand "Hypertext Transfer Protocol" and find the Authorization header. It will look something like this: Authorization: Basic dXNlcjpwYXNzd29yZA==

  3. Decode the Credential: The string after Basic is the Base64-encoded credential.

    • Copy this string (e.g., dXNlcjpwYXNzd29yZA==).
    • Use a Base64 decoder (an online tool or a command-line utility like echo 'dXNlcjpwYXNzd29yZA==' | base64 -d).
    • The decoded value will be in the format username:password.
  4. Identify the Username: The username is the part of the decoded string before the colon (:).

The Follow > TCP Stream method also works well for viewing the Authorization header within the context of the client's request (text in blue).

Authorization header in TCP Stream view

After decoding the Base64 string found in the header, the username can be identified.
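The same checks can be scripted once the stream text is available, which is useful when reviewing many captures for cleartext Basic Auth. The following is an added example, not part of the original walkthrough: it parses a constructed Follow > TCP Stream text (the Server, User-Agent and credential values are taken from the examples above) and answers Questions 1 through 6 from it.

```python
import base64

# Constructed sample of the text Follow > TCP Stream shows for a Basic Auth
# exchange: a plain request, the 401 challenge, then the authenticated retry.
# "dXNlcjpwYXNzd29yZA==" is the page's own example credential (user:password).
SAMPLE_STREAM = (
    "GET /index.html HTTP/1.1\r\n\r\n"
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g\r\n\r\n"
    "GET /secret HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0\r\n"
    "Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n\r\n"
)

def split_messages(stream):
    """Return [(start_line, {header_name_lower: value}), ...] per HTTP message."""
    messages = []
    for block in stream.split("\r\n\r\n"):
        lines = block.split("\r\n")
        # Skip empty blocks and message bodies (no request-line / status-line).
        if not (lines[0].startswith("HTTP/") or " HTTP/" in lines[0]):
            continue
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages

def count_get_requests(stream):
    return sum(1 for start, _ in split_messages(stream) if start.startswith("GET "))

def first_header(stream, name, from_server):
    # Responses start with "HTTP/", requests with a method; pick the side wanted.
    return next((h[name] for s, h in split_messages(stream)
                 if s.startswith("HTTP/") == from_server and name in h), None)

def basic_auth_credentials(stream):
    """Decode the first 'Authorization: Basic ...' header into (username, password)."""
    for _, headers in split_messages(stream):
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "basic" or not token:
            continue  # Bearer, Digest, etc. carry no Base64 user:pass
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue  # malformed token; keep looking
        # Split on the first colon only: usernames cannot contain ':' but passwords can.
        user, _, password = decoded.partition(":")
        return user, password
    return None
```

Run against the sample, `count_get_requests` gives 2, `first_header(..., "server", True)` returns the full Server string (OS and OpenSSL version included), and `basic_auth_credentials` returns the decoded username and password pair.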