NetBeans IDE, Sniffers, and the Deviant Computer User

Here's a funny sentence I found in an on-line article today: "Sniffers are useful tools for deviant computer users since they can be used to pull plain text passwords off a network." Deviant computer users! Ha ha. Morally challenged? Occupationally unsettled? Try computer deviancy... (The article itself, by the way, is a very good introduction to sniffers.) So, anyway, Petr Blaha showed me how simple it is to pull the credentials out of an insecure scheme like the Basic HTTP authentication that I outlined in Web Service Security: Three Steps.

It's as simple as this:

  1. Get a sniffer. I recommend Ethereal (the project has since been renamed Wireshark; the steps below are the same).

  2. Set up an application that uses Basic HTTP authentication. For details, see Web Service Security: Three Steps.

  3. Start the sniffer. (For example, in Ethereal, choose Capture > Start.)

  4. Deploy the web service and then the client. The sniffer, which you started before either of them, records the traffic between them. Note that on Windows, Ethereal (and other WinPcap-based sniffers) does not see anything sent to localhost, because loopback traffic never passes through the network adapter being captured on; on Linux you can capture on the lo interface instead. The simplest workaround is to point the client at the server's real hostname or IP address rather than at localhost.

  5. Stop the sniffer. Now look in the sniffer's GUI to identify the packets that belong to the conversation between the web service and the client, and then use the sniffer to follow the TCP stream. In Ethereal, this means that you right-click one of those packets and choose Follow TCP Stream. You'll get a nice little overview of everything that's happened between the web service and client (shown in a screenshot in the original entry):

    The highlighted line in that screenshot is the request's Authorization header: the word Basic followed by a Base64 string. The string is not garbled and not encrypted, only Base64-encoded, which is exactly the weakness. Copy it; in the screenshot it is as follows:

    dmVyeS1oaWdoLXVwLWd1eTphYmNkZQ==

  6. Now create a main class in NetBeans IDE (any class name will do; DecodeBasicAuth is used here) and give it the following main method. The string it defines is the Base64 value you copied from the sniffer:

    import java.nio.charset.StandardCharsets;
    import java.util.Base64;

    public class DecodeBasicAuth {
      public static void main(String[] args) {
        // The value copied from the Authorization: Basic header in the sniffer.
        String encoded = "dmVyeS1oaWdoLXVwLWd1eTphYmNkZQ==";
        // Base64 is an encoding, not encryption: decoding needs no key.
        byte[] buf = Base64.getDecoder().decode(encoded);
        System.out.println("Encoded: " + encoded);
        System.out.println("Decoded: " + new String(buf, StandardCharsets.UTF_8));
      }
    }

    The original entry used the JDK-internal class com.sun.org.apache.xerces.internal.impl.dv.util.Base64 (via a matching import statement), which predates java.util.Base64 (added in Java 8) and is no longer exported to application code on Java 9 and later; java.util.Base64 does the same job with a supported API.

  7. Run the class! This is what the NetBeans IDE Output window showed me (the screenshot in the original entry contains these two lines):

    Encoded: dmVyeS1oaWdoLXVwLWd1eTphYmNkZQ==
    Decoded: very-high-up-guy:abcde
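
As an added example (this is not code from the original entry, nor a NetBeans or Ethereal feature), here is the decoding step of steps 5 and 6 generalised into a small Python checker that you could run over a reassembled TCP stream saved from the sniffer, the kind of check against your own network that the article quoted at the end of this entry recommends. It handles what a one-off decode does not: both the Authorization and Proxy-Authorization headers, case-insensitive header and scheme names, passwords that contain a colon, and tokens that are not valid Base64. The request in SAMPLE_STREAM is constructed (host, path and body are made up); the credential is the one captured above.

```python
"""Extract HTTP Basic credentials from a captured plaintext HTTP stream.

Added example, not from the original entry. The input is the text that
Ethereal's Follow TCP Stream dialog shows for a plaintext HTTP conversation.
"""
from __future__ import annotations

import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Matches Authorization / Proxy-Authorization headers using the Basic scheme.
# Header names and the scheme token are case-insensitive (RFC 7235, RFC 7617),
# so "authorization: basic ..." must be caught as well.
_BASIC_RE = re.compile(
    r"^(?P<name>Authorization|Proxy-Authorization):\s*Basic\s+"
    r"(?P<token>[A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def decode_basic_token(token: str) -> Optional[Tuple[str, str]]:
    """Decode one Base64 token into (user, password), or None if malformed.

    Base64 is an encoding, not encryption, so no key is involved. The split is
    on the first colon only: RFC 7617 forbids colons in the user name but
    allows them in the password.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def find_basic_credentials(stream: str) -> List[Dict[str, str]]:
    """Scan a reassembled TCP stream (as text) for Basic credentials.

    Returns one record per header found. The header name is kept as it
    appeared on the wire so proxy credentials can be told apart from
    origin-server credentials.
    """
    found: List[Dict[str, str]] = []
    for m in _BASIC_RE.finditer(stream):
        decoded = decode_basic_token(m.group("token"))
        if decoded is None:
            continue  # not valid Base64, or no user:password separator
        user, password = decoded
        found.append({
            "header": m.group("name"),
            "user": user,
            "password": password,
            "token": m.group("token"),
        })
    return found


# Constructed sample: roughly what Follow TCP Stream shows for the request in
# this entry. Host, path and body are made up; the credential is the real one.
SAMPLE_STREAM = (
    "POST /WebServiceService HTTP/1.1\r\n"
    "Host: example.test:8080\r\n"
    "Authorization: Basic dmVyeS1oaWdoLXVwLWd1eTphYmNkZQ==\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    "\r\n"
    "<soapenv:Envelope/>\r\n"
    "HTTP/1.1 200 OK\r\n"
)


def main() -> None:
    for rec in find_basic_credentials(SAMPLE_STREAM):
        print(f"{rec['header']}: {rec['user']} / {rec['password']}")


if __name__ == "__main__":
    main()
```

Run it directly to print the credential hidden in the sample, or call find_basic_credentials on the text you save from the Follow TCP Stream dialog. A hit means a password crossed the wire in the clear; over an SSL connection the whole request is inside the encrypted records and the scan finds nothing.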

This is the user and password defined in Web Service Security: Three Steps. If you were a "deviant computer user", you'd be pretty excited right now. Here's something from the J2EE Tutorial about HTTP Basic authentication:

HTTP basic authentication is not particularly secure. Basic authentication sends user names and passwords over the Internet as text that is uu-encoded (Unix-to-Unix encoded) but not encrypted. This form of authentication, which uses Base64 encoding, can expose your user names and passwords unless all connections are over SSL. If someone can intercept the transmission, the user name and password information can easily be decoded.

So, considering how easy it is to read a Basic HTTP authentication credential off the wire, it's clear that something better -- much better -- is required. And that is SSL: at the very least, carrying the same Basic credential over an SSL connection so that the Authorization header is encrypted in transit, and better still, SSL authentication (more precisely, client-certificate authentication), where the client proves its identity with a certificate during the SSL handshake and no password crosses the wire at all. Look how garbled the TCP stream is in Ethereal when I use SSL authentication: compare the ciphertext in the original entry's second screenshot to the readable stream above.

Note that the highlighted text in that screenshot shows that I'm using the HTTP secure port 8181, rather than the standard 8080 that I used for Basic HTTP authentication. What the sniffer can still see in the clear is the SSL handshake itself (the port and the negotiated cipher suite, for instance); the HTTP request, including any Authorization header, sits inside the encrypted records and cannot be read off the wire. Setting things up for SSL authentication is something I partly discussed in yesterday's blog entry, but there's much much more to it, and you can actually do everything from NetBeans IDE by integrating the JDK's Keytool via Ant scripts. But that's for another day.

(One final thought from the article that I referenced at the start of this blog entry: "Avoid using insecure protocols like Basic HTTP authentication and Telnet. As a matter of fact you should sniff your own network to see what passwords sniffer tools can pick up.")

Comments:

http://www.ngnsss.com/en NGN passwords sniffer no gui sniffer

Posted by no gui sinffer on August 10, 2005 at 02:13 PM PDT #

I need the register number

Posted by gas on March 16, 2006 at 05:19 AM PST #

About

Geertjan Wielenga (@geertjanw) is a Principal Product Manager in the Oracle Developer Tools group living & working in Amsterdam. He is a Java technology enthusiast, evangelist, trainer, speaker, and writer. He blogs here daily.