Pkafkas

How to review a packet capture file and to verify if the communication is encrypted

I ran a short packet capture trace to log in from my laptop to my work.  I have downloaded the .cap file and I can open that file up in Wireshark.

I am charged with discovering if:

1).  If HTTP session cookies are transmitted in clear text.

2).  To review cookies and determine if any cookies contain sensitive data.

3).  Ensure all communication occurs over an encrypted channel and that the 'secure' attribute is applied to all session cookies or any cookies containing sensitive data.

----------

Questions:
1).  I can open the .cap file in Wireshark.    
      a.  I can see syn / ack packets between my laptop's public IP address and the destination.
      b.  How can I find the questions stated above?

2).  Since the SSL portal is using port 443 with a valid certificate, does that make everything encrypted?  Why is there a need for further research with Cookies?
David Johnson, CD

You have to look at the packet data.
On your cookie set code, use the secure option; this will prevent the cookie from being sent over plain HTTP.
Pkafkas

ASKER

Where can I look in the .cap file that will let me know if the cookie is being sent clear?

Where is the 'cookie set code' feature?  And how if it is cleartext how can I change that on Citrix NetScaler?

I am sorry I do not understand the above suggestion.  
Just looking through a capture will be tedious at best.
As for setting cookies to secure, the web developers will know about this.
If the capture file contains both traffic on 443 and 80, then only focus on port 80 and look through it. HTTP cookies on port 80 are human readable, and text searchable in Wireshark.
Your work is basically done if NO traffic was on port 80. If there was, just a text search on the word cookie is enough. For every cookie found, check which website it is, and if you were talking a bit before or after this packet on port 443. Only then might there be a leak. If it's a cookie for a site that's unrelated to the HTTPS traffic, you can ignore it.
The problem is linking the cookies to the HTTPS traffic, or if it was just some random site visited.
Pkafkas

ASKER

OK, I think I will need some help understanding how to search through the packet capture correctly.

1).  When I created the ntrace.cap file from the netscaler, 2 files were actually created.
       a.  nstrace1.cap file
       b.  nstrance.sslkeys

2).  When viewing the .cap file in Wireshark I only see TLS and TCP information.
       a.  When I edit the preferences to use the .sslkeys file then I see a lot of HTTP entries.
       b.  (Pre)-Master-Secret log filename.

Does that mean that everything using HTTP is encrypted and not viewable unless you have the encryption key?

Equally important, according to: https://osqa-ask.wireshark.org/questions/751/cookie-and-query-strings/

To filter all requests that contain a cookie, use:
http.cookie
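Worked example for the two checks discussed above (search the cleartext port for cookies, and confirm the Secure attribute on session cookies). This is added here and is not code from the thread, from Wireshark or from NetScaler. It is a small Python checker that takes the decoded request/response text that Wireshark's "Follow TCP Stream" shows, either for port 80 traffic or for port 443 traffic once the .sslkeys file is loaded as the (Pre)-Master-Secret log, and reports Cookie headers sent on a non-443 port, Set-Cookie headers lacking Secure or HttpOnly, and whether any session-looking cookie was exposed. The host name, cookie names and both sample streams are constructed; the list of "sensitive" name hints and the rule that only port 443 counts as encrypted are assumptions.

```python
"""Audit decoded HTTP text for cookie exposure.

Added example for this thread, not code from the page, Wireshark or NetScaler.
Input: the decoded text "Follow TCP Stream" shows for one connection
(plain HTTP on port 80, or HTTPS decrypted with the .sslkeys file).
"""
import re
from dataclasses import dataclass

# Heuristic assumption: cookie names that usually carry a session or credential.
SENSITIVE_NAME_HINTS = ("session", "sess", "token", "auth", "sid")

START_LINE_RE = re.compile(r"^(?:[A-Z]+ \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3}.*)$")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


@dataclass
class Finding:
    port: int
    kind: str        # what is wrong, e.g. "set-cookie-missing-secure"
    cookie: str      # cookie name
    sensitive: bool  # name matched SENSITIVE_NAME_HINTS


def is_sensitive(name):
    return any(hint in name.lower() for hint in SENSITIVE_NAME_HINTS)


def parse_messages(stream_text):
    """Split a decoded stream into (start_line, [(header, value), ...]).

    Only header blocks are kept: from a request or status line up to the
    first blank line. Body lines are skipped until the next start line.
    """
    messages, current, in_headers = [], None, False
    for raw in stream_text.splitlines():
        line = raw.rstrip("\r")
        if START_LINE_RE.match(line):
            current = (line, [])
            messages.append(current)
            in_headers = True
        elif in_headers and line == "":
            in_headers = False
        elif in_headers and current is not None:
            m = HEADER_RE.match(line)
            if m:
                current[1].append((m.group(1).lower(), m.group(2)))
    return messages


def parse_set_cookie(value):
    """Return (cookie name, {attribute_lowercase: value}) from a Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_stream(stream_text, port):
    """Return Findings for one decoded TCP stream captured on `port`."""
    findings = []
    cleartext = port != 443  # assumption: only the 443 portal is TLS-protected
    for start_line, headers in parse_messages(stream_text):
        is_response = start_line.startswith("HTTP/")
        for header, value in headers:
            if header == "cookie" and not is_response and cleartext:
                # The browser replayed its cookies over plain HTTP: readable by any sniffer.
                for pair in value.split(";"):
                    name = pair.strip().partition("=")[0]
                    if name:
                        findings.append(Finding(port, "cookie-sent-cleartext", name, is_sensitive(name)))
            elif header == "set-cookie" and is_response:
                name, attrs = parse_set_cookie(value)
                sens = is_sensitive(name)
                if cleartext:
                    findings.append(Finding(port, "set-cookie-over-cleartext", name, sens))
                if "secure" not in attrs:
                    # Without Secure the browser will also send this cookie to http:// URLs.
                    findings.append(Finding(port, "set-cookie-missing-secure", name, sens))
                if "httponly" not in attrs:
                    findings.append(Finding(port, "set-cookie-missing-httponly", name, sens))
    return findings


def sensitive_exposed(findings):
    """True if any session-looking cookie was sent or set without TLS or Secure."""
    risky = {"cookie-sent-cleartext", "set-cookie-over-cleartext", "set-cookie-missing-secure"}
    return any(f.sensitive and f.kind in risky for f in findings)


# Constructed sample: a plain-HTTP login flow as "Follow TCP Stream" would show it.
SAMPLE_PORT80 = (
    "GET /login HTTP/1.1\r\nHost: portal.example.test\r\n\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Length: 2\r\n\r\nok\r\n"
    "GET /home HTTP/1.1\r\nHost: portal.example.test\r\n"
    "Cookie: SESSIONID=abc123; lang=en\r\n\r\n"
)

# Constructed sample: the same flow on 443 after decryption with the .sslkeys file.
SAMPLE_PORT443 = (
    "GET /login HTTP/1.1\r\nHost: portal.example.test\r\n\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SESSIONID=xyz789; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n\r\n"
)

if __name__ == "__main__":
    for port, stream in ((80, SAMPLE_PORT80), (443, SAMPLE_PORT443)):
        for f in audit_stream(stream, port):
            print(f"port {port}: {f.kind:28} {f.cookie}{' (sensitive)' if f.sensitive else ''}")
```

In Wireshark itself the corresponding display filters are `http.cookie` for requests (as quoted above) and `http.set_cookie` for responses; adding `&& tcp.port == 80` to either isolates the cleartext cases. To run the checker on real data, paste the decoded stream text in place of the constructed samples.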

ASKER CERTIFIED SOLUTION
Kimputer
