6

I have been trying to sniff Facebook POST request forms using Wireshark (filtered on HTTP).

At the login form, I would try to log in, then check Wireshark and see that no packet was captured.

Strangely enough, even the GET request for www.facebook.com wasn't always captured.

Why is this? If Wireshark can't capture a POST request packet being sent to Facebook, then how does Facebook receive any data to process? Note: trying the same on Hotmail also fails.

I am suspecting some sort of encryption is performed on the data I send so that hackers can't sniff data on the same network.

user3818650
  • 305
  • 1
  • 4
  • 12
  • 1
    Why use Wireshark to capture HTTP requests? I mean, yes it can be done, but it would be a lot easier if you would use either Fiddler or Burp. – Jeroen Apr 27 '15 at 07:20
  • "I would try login, and then check wireshark and see that no packet was captured." Were you using a capture filter when you did that? If so, what happens if you use *no* capture filter? –  Apr 27 '15 at 07:27
  • You could use Webscarab or Burp Suite to intercept these requests. – LittlePanda Apr 27 '15 at 07:52
  • 3
    Be aware that if the request is protected using HTTPS, then the data will not be addressed to the HTTP port (80) but to the HTTPS port (443), therefore if you filter only traffic targeting port HTTP you will indeed see nothing. – WhiteWinterWolf Apr 27 '15 at 08:24
  • You can use Wireshark as well, but first you need to get the session key and tell Wireshark to use it to decrypt the traffic. Past versions used to require the server private key (which obviously you haven't), but now you don't need it anymore. – Stefano Sanfilippo Apr 27 '15 at 12:44

3 Answers

9

As you guessed, Facebook uses HTTPS. What that means is that requests to Facebook.com, regardless of whether they are GET or POST requests, are not sent over HTTP; instead they are sent over HTTPS in an encrypted form, which the 'http' filter in Wireshark won't be able to display as regular HTTP requests. If you want to view the encrypted HTTPS traffic, including data to Facebook, select 'tcp' as the filter and you should find the requests that you are looking for. Facebook uses HTTPS for transmission for security reasons, as you suspected, so Facebook is actually receiving data; your filter is just not displaying it to you.

Read more about HTTPS at: http://en.wikipedia.org/wiki/HTTPS

For interception of requests to Facebook.com use a proxy such as Burp Suite or OWASP ZAP. They will allow you to intercept and modify/monitor the traffic sent in real time.

Hope this helps.

racec0ndition
  • 581
  • 4
  • 10
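The following is an added illustration, not code from any answer on this page and not Wireshark's or Facebook's own code. It models the point made above and in the comments on ports and session keys: a plaintext POST is something the 'http' filter dissects, while a login to a TLS site only shows up under 'tcp' (or by port 443), and what a sniffer on the same network still sees of that login in the clear is the server name in the ClientHello, not the credentials. It also shows how a key log file (the SSLKEYLOGFILE format Wireshark reads as tls.keylog_file) is matched to a session by the ClientHello's random, which is why no server private key is needed. The packets, hostnames, random, key log contents and the simplified filter model are all constructed here.

```python
"""Constructed illustration: why an 'http' display filter shows nothing for an
HTTPS login, what a passive sniffer still sees, and how a key log file lets
Wireshark decrypt. All packets, names and secrets below are built inline."""
import struct
from typing import Optional

# Constructed plaintext HTTP POST (port 80 style), the kind the 'http' filter shows.
HTTP_POST = (b"POST /login HTTP/1.1\r\nHost: plain.example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 24\r\n\r\nemail=alice&pass=hunter2")

# Constructed 32-byte client random, reused in the constructed key log below.
SAMPLE_RANDOM = bytes(range(32))

# Constructed NSS-style key log: one CLIENT_RANDOM line keyed by the hello's random.
KEYLOG = ("# SSL/TLS secrets log file, generated by NSS\n"
          "CLIENT_RANDOM " + SAMPLE_RANDOM.hex() + " " + "ab" * 48 + "\n")


def build_client_hello(sni: str, client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    host = sni.encode()
    server_name = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list               # extension type 0 = server_name
    body = (b"\x03\x03" + client_random + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake


def classify_payload(payload: bytes) -> str:
    """Label the start of a TCP payload as plaintext 'http', 'tls' or 'other'."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 3 and payload[2] <= 4:
        return "tls"
    if payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")):
        return "http"
    return "other"


def filter_hits(packets, display_filter: str) -> int:
    """Simplified model of three Wireshark display filters over (dst_port, payload) pairs:
    'http' needs a dissected plaintext request, 'tcp' matches every segment,
    'tcp.port == 443' matches by port regardless of content."""
    hits = 0
    for dst_port, payload in packets:
        if display_filter == "http":
            hits += classify_payload(payload) == "http"
        elif display_filter == "tcp":
            hits += 1
        elif display_filter == "tcp.port == 443":
            hits += dst_port == 443
    return hits


def parse_client_hello(record: bytes) -> dict:
    """Pull client_random and SNI out of a ClientHello: the only login-related fields
    a sniffer on the same network sees in the clear (the POST body itself is encrypted)."""
    if classify_payload(record) != "tls" or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2                                            # record hdr, handshake hdr, client version
    client_random = record[p:p + 32]
    p += 32
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    sni = None
    if p + 2 <= len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                               # list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                sni = record[p + 5:p + 5 + name_len].decode()
            p += elen
    return {"client_random": client_random, "sni": sni}


def find_master_secret(keylog_text: str, client_random: bytes) -> Optional[bytes]:
    """Look up a TLS 1.2 master secret the way Wireshark does with a key log file:
    CLIENT_RANDOM lines are keyed by the hello's random, so no server key is needed."""
    for line in keylog_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM" and parts[1].lower() == client_random.hex():
            return bytes.fromhex(parts[2])
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.facebook.com", SAMPLE_RANDOM)
    packets = [(80, HTTP_POST), (443, hello)]
    for f in ("http", "tcp", "tcp.port == 443"):
        print(f"{f!r:20} shows {filter_hits(packets, f)} of {len(packets)} packets")
    info = parse_client_hello(hello)
    print("visible in the clear:", info["sni"], info["client_random"].hex()[:16] + "...")
    print("master secret found in key log:", find_master_secret(KEYLOG, info["client_random"]) is not None)
```

Run it as a script: the 'http' filter reports one of two packets, 'tcp' reports both, and the only thing recoverable from the TLS packet without the key log is the hostname. Real Wireshark filter matching is richer than this model (the 'tls' filter, heuristics, TLS 1.3 key log labels); the point is only that an HTTPS login never produces an HTTP-dissected packet.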
4

I would recommend using Fiddler for this instead. First you will need to MITM yourself though, as Facebook sends this request over HTTPS.

You can do this in Fiddler by going to Tools -> Fiddler Options -> HTTPS and ticking:

  • Capture HTTPS Connects
  • Decrypt HTTPS Traffic

Then you will see a scary warning, as shown below:

[Image: Scary Warning]

Clicking Yes will install an HTTPS certificate onto your computer, decrypt all of your HTTPS traffic and show this in Fiddler. This includes Facebook login requests.

JMK
  • 2,436
  • 7
  • 27
  • 38
  • "First you will need to MITM", what do you mean by that? – user3818650 Apr 28 '15 at 14:30
  • 1
    @user3818650 I mean you will need to perform a man-in-the-middle attack on yourself, so to speak, by installing an HTTPS certificate on your machine and intercepting your own traffic – JMK Apr 28 '15 at 14:36
0

Try these capture string filters:

1. "tcp contains" facebook:
   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x74637020 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x636f6e74 && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x61696e73 && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x20666163 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x65626f6f && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:1] = 0x6b

2. tcp contains facebook and ssl:
   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x20227463 && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x7020636f && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x6e746169 && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x6e732220 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x66616365 && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:4] = 0x626f6f6b && tcp[((tcp[12:1] & 0xf0) >> 2) + 24:4] = 0x20616e64 && tcp[((tcp[12:1] & 0xf0) >> 2) + 28:4] = 0x2073736c

3. json contains message:
   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x226a736f && tcp[((tcp[12:1] & 0xf0) >> 2) + 4:4] = 0x6e20636f && tcp[((tcp[12:1] & 0xf0) >> 2) + 8:4] = 0x6e746169 && tcp[((tcp[12:1] & 0xf0) >> 2) + 12:4] = 0x6e732220 && tcp[((tcp[12:1] & 0xf0) >> 2) + 16:4] = 0x6d657373 && tcp[((tcp[12:1] & 0xf0) >> 2) + 20:2] = 0x6167 && tcp[((tcp[12:1] & 0xf0) >> 2) + 22:1] = 0x65

  • 2
    Welcome to Information Security Stack Exchange! When answering questions here, please also explain _why_ things solve the problem. In this case, a quick explanation of how these filters solve the problem. You can [edit] your answer to include this. – S.L. Barth Jun 22 '18 at 04:18