HTTP NEVER!

There will always be vulnerabilities when it comes to the web, and many websites have moved away from HTTP in favor of the much more secure HTTPS. However, some companies still use HTTP sites internally, and while an attacker may find it hard or impossible to get past the many firewalls and IPS (intrusion prevention system) devices a company has, vulnerabilities still exist on the LAN.

What if an attacker makes his way onto company property and finds an empty port that does not have switchport security (which prevents unauthorized devices from using and accessing the LAN) enabled? Once connected, the attacker can sniff network traffic with tools such as Wireshark. This tool can save the captured traffic to a file that can be analyzed later for passwords or other types of important information.

I will demonstrate on my own network how an attacker can see passwords and usernames in clear text on network traffic when communication is made via the HTTP protocol. For testing purposes, I installed an application using a Docker container on a PC that I use as a file/media server. The application uses the insecure HTTP protocol to allow a user to log in. Let's dig in and capture some network traffic for analysis.



Figure 1

I first started the application Wireshark, which, when initiated, looks like the image above. Since I am on a Wi-Fi connection, the interface to select is the name given to your wireless card by your OS (wlan0 in my case). Clicking on the blue fin symbol under the file tab starts the network traffic capture process.


Figure 2

In Figure 2 above, I logged into the webpage with the username "test" and the password "test". I then stopped the capture of network traffic in Wireshark for analysis.

Below is an image showing the valuable information captured. In Wireshark, I highlighted the packet in question. This communication was between my device and the server via a web browser and the HTTP protocol. The source and destination IP addresses can also be seen. Shown are the username and password, which are not encrypted and can be seen in clear text.

If company employees are using their company-assigned IDs and passwords to log into an HTTP site housed on a server on a company's LAN, an attacker could gain access to the user credentials of, let's say, an admin or someone with access to the company's financial information. Either scenario is dangerous and is one of the many justifications to never use HTTP.
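The same check can be automated on the defensive side to find internal applications that still accept logins over HTTP. The Python sketch below is an added example, not part of the original article: it inspects one reassembled HTTP request and reports credential-bearing fields without echoing their values. The function name, the field-name list, the `/login` path and the host name in the sample are assumptions made for illustration.

```python
import base64
from urllib.parse import parse_qsl

# Field names that usually carry secrets (assumed list; extend for your apps).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass"}

def find_cleartext_credentials(raw_request: bytes) -> list[str]:
    """Flag credentials in one plaintext HTTP request; values are never echoed."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return []  # not readable HTTP, e.g. a TLS record
    where = f"{parts[0]} {parts[1]}"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # Basic auth is base64-encoded, not encrypted, so it is readable on the wire.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
            findings.append(f"{where}: Basic auth for user '{user}' sent in clear text")
        except ValueError:
            pass  # malformed header, nothing to report
    # URL-encoded bodies are what a typical HTML login form posts.
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, _value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if name.lower() in SECRET_FIELDS:
                findings.append(f"{where}: form field '{name}' sent in clear text")
    return findings

# Constructed sample modelled on the login in the article (host name is made up).
SAMPLE_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: fileserver.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n\r\n"
    b"username=test&password=test"
)

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_LOGIN):
        print(finding)
```

Any finding from this check identifies an endpoint that should be moved behind HTTPS; a request that returns no findings because it is not parseable HTTP (for example a TLS record) is the desired state.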






