How to decrypt traffic. BREACH attack allows you to quickly decrypt HTTPS traffic


Many users do not realize that when they fill in a login and password while registering or logging in to a restricted Internet resource and press ENTER, this data can easily be intercepted. Very often it is transmitted over the network unprotected. So if the site you are logging into uses plain HTTP, it is very easy to capture this traffic, analyze it in Wireshark, and then use special filters and programs to find the password and crack it.

The best place to intercept passwords is the core of the network, where the traffic of all users to internal resources (for example, mail) passes, or in front of the router to the Internet, where registrations on external resources go through. We set up a mirror port and we are ready to feel like a hacker.

Step 1. Install and launch Wireshark to capture traffic

Sometimes, to do this, it is enough to select only the interface through which we plan to capture traffic and click the Start button. In our case, we are capturing over a wireless network.

Traffic capture has begun.

Step 2. Filtering captured POST traffic

We open the browser and try to log in to some resource with a username and password. Once the authorization process is complete and the site has opened, we stop the capture in Wireshark. Next, we look at the protocol analyzer and see a large number of packets. This is where most IT professionals give up because they do not know what to do next. But we know: we are interested in the specific packets that contain POST data, which is generated on our local machine when we fill in a form on the screen and is sent to the remote server when we click the “Login” or “Authorization” button in the browser.

We enter a special display filter in the packet list window: http.request.method == "POST"

And instead of thousands of packets we see only one, with the data we are looking for.

Step 3. Find the user's login and password

Right-click it and select Follow TCP Stream from the menu.


After this, a new window appears with the reconstructed contents of the exchange as text. Let's find the fields “password” and “user”, which hold the password and the username. In some cases both fields will be plainly readable, not even hashed, but if we capture traffic when logging in to very well-known resources such as Mail.ru, Facebook, VKontakte, etc., then the password will not be in the clear but hashed:

HTTP/1.1 302 Found
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: password= ; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/
Location: loggedin.php
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Thus, in our case:

Username: networkguru

Password:

Step 4. Determine the hash type in order to crack the password

For example, go to the website http://www.onlinehashcrack.com/hash-identification.php#res and paste the captured value into the identification box. I was given a list of candidate hash types in order of likelihood:

Step 5. Cracking the user's password

At this stage we can use the hashcat utility (here -m 0 selects the MD5 hash mode and -a 0 a straight dictionary attack using the rockyou wordlist):

~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

At the output we received the recovered password: simplepassword

Thus, with the help of Wireshark we can not only solve problems in the operation of applications and services, but also try ourselves as a hacker, intercepting passwords that users enter in web forms. You can also find passwords for user mailboxes using simple display filters:

  • The POP protocol and filter looks like this: pop.request.command == "USER" || pop.request.command == "PASS"
  • The IMAP protocol and filter will be: imap.request contains "login"
  • The protocol is SMTP and you will need to enter the following filter: smtp.req.command == "AUTH"

and, where the value is hashed, more serious hash-cracking utilities.
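As an added illustration (not part of the original article), the same checks as the display filters above written as a small Python detector that a defender can run over reassembled TCP streams to flag credentials submitted in the clear. The two streams below are constructed samples: the form values are the ones used above, the host name and the POP3 values are made up.

```python
import re
from urllib.parse import parse_qs

# Constructed samples of reassembled TCP streams (what "Follow TCP Stream" shows).
HTTP_STREAM = ("POST /login.php HTTP/1.1\r\n"
               "Host: intranet.example\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               "Content-Length: 40\r\n\r\n"
               "user=networkguru&password=simplepassword")
POP3_STREAM = "USER alice\r\nPASS s3cret\r\nSTAT\r\n"

# Form field names that usually carry a login name or a secret.
USER_FIELD = re.compile(r"^(user|username|login|email|uid)$", re.I)
SECRET_FIELD = re.compile(r"(pass|pwd|secret)", re.I)

def http_post_credentials(stream):
    """Apply the page's http.request.method == "POST" filter to one stream and
    return the credential fields found in its form body, secrets redacted."""
    head, _, body = stream.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    if method != "POST":
        return None
    headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
    if "x-www-form-urlencoded" not in headers.get("Content-Type", ""):
        return None
    found = {}
    for name, values in parse_qs(body).items():
        if SECRET_FIELD.search(name):
            found[name] = "***"        # never copy the secret into an alert
        elif USER_FIELD.match(name):
            found[name] = values[0]
    if not found:
        return None
    return {"host": headers.get("Host"), "path": path, "fields": found}

def pop3_credentials(stream):
    """Equivalent of pop.request.command == "USER" || pop.request.command == "PASS"."""
    found = {}
    for line in stream.split("\r\n"):
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            found["user"] = arg
        elif cmd.upper() == "PASS":
            found["pass"] = "***"
    return found or None

if __name__ == "__main__":
    print(http_post_credentials(HTTP_STREAM))
    print(pop3_credentials(POP3_STREAM))
```

Anything this detector finds was readable on the wire, which is exactly the condition the filters above exploit; the fix is to move the service to TLS, not to hide the password better in the form.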

Step 6: What if the traffic is encrypted and uses HTTPS?

There are several options to answer this question.

Option 1. Tap in when the connection between the user and the server is re-established and capture the traffic at the moment it is set up (the SSL handshake). When the connection is established, the session key can be intercepted.

Option 2. You can decrypt HTTPS traffic using the session key log file written by Firefox or Chrome. For this the browser must be configured to write its session keys to a log file (both browsers do this when the SSLKEYLOGFILE environment variable points to a file) and you must obtain that log file. Essentially, you need to steal the session key file from another user's hard drive (which is illegal). Then you capture the traffic and use the obtained keys to decrypt it.

Clarification. We are talking about the web browser of the person whose password someone is trying to steal. If we mean decrypting our own HTTPS traffic in order to practice, this strategy will work. If you are trying to decrypt the HTTPS traffic of other users without access to their computers, it will not work; that is what encryption and privacy are for.

After obtaining the keys according to option 1 or 2, you need to register them in Wireshark:

  1. Go to the menu Edit - Preferences - Protocols - SSL.
  2. Tick “Reassemble SSL records spanning multiple TCP segments”.
  3. Find “RSA keys list” and click Edit.
  4. Fill in all the fields and enter the path to the key file (a browser key log file from option 2 goes into the “(Pre)-Master-Secret log filename” field of the same dialog instead).

HTTP compression, which most sites use to reduce the amount of data transferred, can become a serious security risk when the site uses HTTPS. This was stated by security experts Dimitris Karakostas and Dionysis Zindros. The researchers managed to improve the exploitation of a long-known flaw that speeds up the decryption of HTTPS traffic, and applied the attack to block ciphers in an SSL/TLS connection.

The attack, called BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext), exploits the way the gzip/DEFLATE compression algorithm shrinks repeated strings. The attack first became known back in 2013, when researchers Angelo Prado, Neal Harris, and Yoel Gluck talked at the Black Hat USA conference about attacks on SSL/TLS stream ciphers such as RC4.

The new approach to exploitation is demonstrated in the open source framework Rupture, presented at Black Hat Asia last week.

During the report, experts demonstrated two successful attacks on Gmail and Facebook chat.

To carry out a BREACH attack, the attacker must be able to intercept the victim's network traffic. This can be done via a Wi-Fi network or through access to the equipment of an Internet provider. The attacker also needs to find a vulnerable part of the application that accepts input via URL parameters and returns that data in an encrypted response.

In the case of Gmail, this application turned out to be search on the site for mobile devices. If the search request is made on behalf of an authorized user, an authentication token is also attached to the response. This token will be encrypted inside the response. However, each time the search string matches part of the token, the size of the response to the client will be smaller, since identical strings in the response will be compressed.

An attacker could force the client application to send a large number of requests and thus guess all the characters in the authentication token.

The Rupture framework injects special code into every unencrypted HTTP request opened by the victim's browser. The injected code makes the client browser open connections to the vulnerable HTTPS application in the background. This is required for a successful attack on block ciphers, whose padding adds “noise” to the length of the encrypted data. To remove this noise, the researchers sent the same requests several times in a row and analyzed the difference in the sizes of the responses received. The experts also managed to use parallelization on the browser side, which significantly sped up the attack against block ciphers in TLS connections.
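To make the size difference concrete, here is an added Python example (not code from the original article or from the Rupture framework) that compresses a constructed page which reflects a search term next to a made-up token, checks whether a guess matching the start of the token yields a shorter response, and shows per-response token masking, one of the standard BREACH mitigations, which removes the signal the attack depends on.

```python
import os
import zlib

# Constructed sample page in the shape of the Gmail mobile-search case above:
# the search term is reflected into the page, which also carries a secret
# token. The token value is made up for this example.
SECRET_TOKEN = "token=d41d8cd98f00b204"
PAGE_TEMPLATE = ("<html><body><h1>Search results</h1>"
                 "<p>You searched for: {reflected}</p>"
                 "<a href='/logout?{token}'>Log out</a>"
                 "</body></html>")

def response_length(reflected, token=SECRET_TOKEN, compress=True):
    """Bytes on the wire for one response, with or without gzip/DEFLATE."""
    body = PAGE_TEMPLATE.format(reflected=reflected, token=token).encode()
    return len(zlib.compress(body)) if compress else len(body)

def is_compression_oracle(token=SECRET_TOKEN, compress=True):
    """Defender's check for the size difference described above: a reflected
    guess matching the start of the secret must not produce a shorter response
    than a same-length guess that matches nothing. True means it does leak."""
    matching = token[:14]            # "token=d41d8cd9"
    miss = "token=xq5m2wk7"          # same length, shares only "token="
    return (response_length(matching, token, compress)
            < response_length(miss, token, compress))

def mask_token(token, mask=None):
    """Mitigation: XOR the secret with a fresh random mask for every response
    and send mask||masked. The bytes the compressor sees then differ on every
    response, so no reflected guess can line up with them."""
    raw = token.encode()
    mask = os.urandom(len(raw)) if mask is None else mask
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return (mask + masked).hex()

def unmask_token(hexvalue):
    """Server side: recover the secret from mask||masked."""
    data = bytes.fromhex(hexvalue)
    half = len(data) // 2
    return bytes(a ^ b for a, b in zip(data[:half], data[half:])).decode()

if __name__ == "__main__":
    print("compressed response is an oracle:", is_compression_oracle())
    print("with compression off:", is_compression_oracle(compress=False))
    masked = mask_token(SECRET_TOKEN)
    print("masked token differs every time:", masked != mask_token(SECRET_TOKEN))
    print("round trip ok:", unmask_token(masked) == SECRET_TOKEN)
```

Turning compression off for responses that carry secrets removes the oracle outright; masking keeps compression but makes the secret's bytes unpredictable per response.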

Good day! Today we will talk about what traffic is. This word is used in different areas, but it comes up especially often on the Internet. In fact, all online earnings are based on it.

Traffic is essentially movement, activity, a transition from one place to another. There can be a lot of it or a little, it can be fast or slow. The word traffic itself, translated from English, means movement!

Now let's think about why traffic is needed. Each area needs it for its own purposes. For example, in the IT field it denotes a number of megabytes: if you have them, you can go online, and whether you can download a movie, music or something else depends on the volume you buy.

Webmasters often need it to make money and everyone strives to have as much of this valuable movement on their website as possible!

Types of traffic

Now let’s look at all the types of traffic that I managed to find!

Car traffic

Such traffic means the number of cars at any point. For example, during lunch break, 500 of them can pass on a certain street in an hour. And this is a lot of car traffic.

Owners of auto retail outlets can sometimes wonder how to attract traffic to a car dealership? By this they mean ordinary clients, buyers. To attract you just need to use advertising, that’s all!

Auto traffic needs to be measured for various studies. There are both automatic and manual measurement methods.

Road traffic can also indicate the level of pollution in a particular location. After all, the more cars pass there, the greater the accumulation of exhaust gases in that area.

Pedestrian traffic

This type consists purely of those who use zebra crossings. I think animals can also be counted here, since sometimes they too cross at a specially designated place.

Pedestrian traffic is essentially people walking along a striped road - a zebra crossing!

Sometimes heavy pedestrian traffic can cause difficulties for motorists, so there are services that monitor its volume. Although I personally have not seen anything like this in practice.

Maritime traffic

This is the movement of various seaworthy vessels. For example, such as boats, ships, steamships and others! People often search for this phrase on the Internet to find out the movement of maritime traffic in real time! Surprisingly, there really is a map display on the Internet. You can go in and see where the desired boat is located!

What is traffic in trading?

This phrase refers to the number of customers who came to the store and bought something. The same can be said about traffic in business. These are just people who came and took something, giving their money in return.

Most often, traffic is traded on the Internet, but it can also be sold in everyday life. For example, by recommending a product to a person that is sold in a certain store. Moreover, you must have an agreement with the owner of the store, and he must understand which client will come from you today. If successful, the owner of the establishment will pay a percentage for the arrival of the buyer!

What is traffic on the Internet?

Under this word on the Internet, two designations can be distinguished:

  1. Number of megabytes, gigabytes.
  2. The number of visitors to one of the sites.

The first kind of Internet traffic, also known as network traffic, is what you need to go online. For that you need a package measured in the units mentioned above. Very often mobile operators limit it. For a home computer you can connect wired Internet for a fixed subscription fee: for example, for 400 rubles you can download as many movies, music and other files as you want, the only limit being the speed of your tariff. You pay this amount once a month!

On the mobile Internet, with this money you can buy, for example, 3-5 GB for a month and that’s it. If it runs out, then you either buy more at a not very favorable price, or wait until the connection period expires. For example, you connected 2 GB on the first of May, but used it up by the 7th of the same month. This means that for the remaining 23 days you will have to sit without the Internet, either pay extra or change the tariff.

My Internet traffic is 7GB per week, tariff Zabugorishche! This is the Internet from MTS for 600 rubles. Payment once every seven days for 150 rubles. Such conditions suit me quite well, especially since seven gigabytes is for new users. I connected earlier and can download as much as I want without restrictions at a moderate speed.

The second kind, web traffic, is the traffic to a particular resource on the Internet. For example, about 400 – 450 people visit my blog every day! So I can say that my traffic is four hundred visitors per day!

I think it is now clear even to dummies what Internet traffic is!

What is mobile traffic?

Essentially, these are people who come to you through a device - a telephone! Some people may also ask, what is traffic on the mobile Internet? Well, this is the amount of Internet traffic discussed above!

If you receive a notification that there is little traffic left, it means the Internet will soon be switched off. Usually this happens when 10 or 50 megabytes remain.

Incentivized traffic

This type means that a person did something at someone's request. For example, you registered in one of the affiliate programs of an online game. For bringing one person into it you will be paid 20 rubles. So you go to a special service and post a task asking people to register for a reward of 5 rubles. Your profit will be 15 rubles net! The person joined the game because you asked him to do it for money.

Targeted or thematic traffic

I'll explain this option using the example of a VKontakte group or community. A man created such a community and gathered there everyone who was interested in the release of a new iPhone. Many people were simply eager to buy it! Let's say there were 20,000 people! So he entered the market: without thinking twice, the author found a real store with an affiliate program paying 5% (the payouts of official stores are usually small). But besides that, he looked around and found an affiliate selling a copy, since not everyone can afford the original. He offered the community both options and as a result received a good income of more than 100,000 rubles! And because all these people were interested in buying, what he sent them was targeted or thematic traffic!

Non-targeted traffic, on the other hand, means for example that an advertisement for a DNS laptop is shown to a person who dreams of a computer from MSI. In fact, this is a dud, a waste of money, because he won't take it.

What is doorway traffic?

I will demonstrate again with an example! There is a lot of competition on the Internet in the sale of almost any product or service. Therefore, some people, in order to get around this obstacle and make money on affiliate programs, follow the following path:

  1. They choose the product they want to make money on.
  2. They look for a phrase from this niche that is not very competitive but is often entered into search.
  3. They create a website with a domain for just this keyword.

As a result, the site is dedicated to one specific product, for example an action camera or a garden hose. If that is the case, the search engine, Yandex in particular, tries to rank it as high as possible. As a result, people come in and some of them buy.

In short, traffic comes from the doorway or a site tailored for a specific affiliate program.

Referral traffic

Surely owners of affiliate programs use this phrase! They count how many direct sales they made, and how much came from referral traffic, also known as affiliate traffic.

That is, if you are an affiliate and drive visitors to the product, the product owner will call you a referral.

Or we can say that this is a user who came through someone’s referral link to the service. And then he brought more people to the same project using his link! Which can later be called referral traffic.

Outgoing and incoming

Most often, this applies to the Internet tariff on your computer. If you use a program to account for it or you have a mobile modem, for example, from MTS, then you probably noticed that there is a graph there. In addition, there are inscriptions for incoming and outgoing traffic. Well, while surfing the Internet, you exchange data with a server on another computer. Some of them go away, and the other part comes to you in the form of software, films, pictures, music, etc.

Video traffic

This is essentially users arriving via video content. For example, on YouTube you can put links under a video or insert links into the clip itself. Active and popular YouTubers are able to attract a huge number of target users!

Search traffic or organic

That is, this is traffic from search engines! Let’s say a person is looking for a flash drive and the search engine returns a lot of sites. Well, if he goes to any of them, then for the site this visitor will be considered organic! Similar transitions can come from different search engines, for example, from Yandex, Google, Mail, etc.

Direct traffic

I'll start right away with an example. You have a friend and he recently purchased a juicer from an online store. This service gave him a 20% discount and even gave him a set of cups! Looking at your friend, you also wanted to buy something in this store with such a promotion. And therefore ask him for the exact address. He naturally gives it and so you go to the site, make a direct visit without any systems. We typed in the address and went to the main page of the project. This will mean that you have become direct traffic for this store.

Traffic from context

Many people trying to sell their services or products do contextual advertising on the Internet. This is an advertisement that you have probably seen while reading articles on the Internet.

Well, if a person clicked on an ad in the text and went to the product, then it will be referred to as traffic from the context!

What is fraud traffic?

This type indicates not entirely clean traffic. Translated from English, the word fraud means fraud. For advertisers, this type of visit means a loss of money. How can this happen?

2024 gtavrl.ru.