How to sniff WordPress login credentials with Wireshark over an HTTP connection

Wireshark is a network protocol analyzer that can provide granular visibility on traffic traversing your network. It runs on a wide variety of operating systems and can be used it to view live traffic or capture traffic to a file for offline analysis.

Virtually all known network protocols are supported, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.

WordPress, on the other hand, is the most popular content management system in the world, with a significant percentage of its installed base still being administered over HTTP.

In this article, we’ll be using Wireshark to sniff and extract WordPress login credentials leaving the local computer. The application we’ll actually use to capture traffic is named Tshark, a command line implementation of Wireshark. We’ll then use Wireshark itself for the analysis.

Prerequisites

You’ll need to have the following to complete this tutorial:

  • A WordPress installation that you have login (administrative) access to, and that you’re currently logged into.
  • Preferably running Linux on your local computer, because this article was written on one. Other operating systems may be used, but then you’ll have to provide guidance on how to use Wireshark/Tshark on it yourself.

If you have all that in place, start by installing the tools you need to get the job done.

Step 1 – Installing Wireshark and Tshark

On Ubuntu 16.04 or Linux Mint 18.2, the version of Wireshark installable from the repository is 2.26, while the latest stable edition is 2.4.2. So to install and run the very latest and greatest, we’ll have to install it from the project’s Personal Package Archive (PPA). To add the PPA to your system, type the following command:

sudo add-apt-repository ppa:wireshark-dev/stable

Then update the package database:

sudo apt update

Finally, install Wireshark and Tshark.

sudo apt install wireshark tshark

Apart from installing Wireshark and Tshark, that also creates a wireshark group on the system. So that you’re able to run both in unprivileged mode, add your account to the the new group using this next command. $USER will evaluate to your username:

sudo usermod -aG wireshark $USER

You’ll then need to log out, then log back in for that to take effect. After logging back in, verify that you’re in the wireshark group by typing the following command. The output should include the desired group.

groups

With that, we’re now ready to learn how to use Tshark and Wireshark to capture and analyze WordPress login-related traffic.

Step 2 – Sniffing WordPress credentials on the network using Tshark

In this step we’ll use Tshark to capture traffic that we wish to analyze. The command that gets that done is:

tshark -i enp2s0 -f 'host 111.111.111.111 and not ssh' -w wp-cap.pcap
  • i: Defines the capture interface, which should be the interface over which your computer is connected to the Internet. You can determine the name of your system’s capture interface in the output of the ip ad sh command.
  • f: This is used to specify the filter expression. In the above command, the expression says, look at traffic going to and from the host with the specified IP address. And that IP address belongs to the target WordPress domain. The and not sshpart of the expression is only necessary if you’re connected to the server with the specified IP address at the same time that you’re trying to capture HTTP traffic to it. If not, you may remove that part, so it reads just host 111.111.111.111.
  • w: This specifies where to write the captured traffic to. The file format is pcap.

After the command has been executed, the following will be displayed on your terminal as Tshark is doing its job. The number represents the frame or packet count, and it will keep incrementing as more packets are captured.

Capturing on 'enp2s0'
639

Until you generate some activity on your WordPress admin dashboard, the number will be low and stable. To kickstart activity, log out and then log back into your WordPress admin dashboard. The frame or packet count shold take a huge leap. Watch until the number has stopped incrementing or incrementing very slowly, then kill the session by pressing CTRL + C.

The data saved in the file is now ready for analysis.

Step 3 – Using Wireshark to analyze captured traffic data

Beginning the process of analyzing traffic data captured using Tshark is as easy as typing the following command:

wireshark -r wp-cap.pcap
  • -r: Used to pass the file containing the captured data to Wireshark, effectively telling Wireshark to read the specified file.

With that command, Wireshark should open. The figure below shows the part of its interface you should see. The top panel shows the captured frames, the one below that shows meta data about each frame, and the last one shows real info. The search filed is for find frame containing specific information.

Wireshark's main analysis interface

Since we’re only interested in WordPress login credentials, type frames contains login into the search field, then press ENTER. One of the results should be an HTTP POST request for the WordPress login form. The info column should have /wp-login.php in it. Click on that frame, then scroll close to the bottom of the last panel until you see the text log=admin&pwd=. The text after log= is the WordPress admin username, and that after pwd= is the password. Special characters in the password will be shown using their Unicode characters, but alphabets and numbers will be shown as you typed them in.

WordPress login credentials on Wireshark

So that’s how you can extract the login credentials of a WordPress administrator from traffic captured using Wireshark/Tshark. But that’s not all you can extract. Session cookies are just as easy to extract.

Followig the same process as above, type frame contains cookieinto the search field and press ENTER. Click on any frame for an HTTP GET request, then scroll the lower panel until you see references to COOKIE : PHPSESS... The session ID for that frame should follow, as shown in the next image.

WordPress session cookies on Wireshark

The risks posed by the username and password of an online resource falling into the wrong hands are obvious to everybody, but less well understood by the vast majority of users is that posed by session cookies, which can be used by those with the proper knowledge to carry out attacks known as session or cookie hijackings.

Conclusion

This article has shown you how to install Wireshark and Tshark and use them to capture, extract and analyze traffic for a WordPress admin session. The risk of somebody doing that to your WordPress session when you’re managing your WordPress-powered site at home over a wired connection is low, but increases substantially over a wireless connection in a public setting.

The point is, try to migrate your WordPress or any other website to HTTPS, especially now that free digital certificates are available courtesy of the folks at Lets Encrypt.

Leave a Comment

Your email address will not be published. Required fields are marked *