CALCULATING HTTP DIGEST AUTHENTICATION PARAMETERS WITH WIRESHARK AND PYTHON
- Layout for this exercise:
- This exercise is based in the previous post Setting up HTTP Digest Authentication.
- HTTP Digest Authentication (DA) applies a hash function to the username and password before sending the credentials over the network.
- DA was originally specified by RFC 2069, although it was later replaced by the more secure RFC 2617. For instance, the new standard protects against the chosen-plaintext attack cryptanalysis.
- The process consists of 3 steps:
1) H1 = MD5 (username:realm:password)2) H2 = MD5(method:URI)
3) response = MD5(H1:Nonce:NonceCount:ClientNonce:qop:H2)
- Nonce is randomly generated by the server and helps preventing reply attacks due to the presence of timestamp; NonceCount prevents reuse of nonces (the value increments each time a new request is done); ClientNonce is created by the user and prevents collision attacks from rainbow tables; and qop ("auth" for authentication) is the quality of protection.
- Since client and server share same information, both parties perform their own calculation for the "response".
- Once the server receives the "response" from the client, it verifies whether there is a match with its own calculation. Only in case of matching then the server allows authorization to the resources.
- The goal of this exercise is to illustrate how HTTP DA (RFC 2617) calculates the "response" using repeatedly the algorithm MD5.
- First of all, let's launch the sniffer Wireshark at the Kali machine, filtering packets for just the HTTP protocol:
- The client Kali tries to access the web resource and the server responds with an authentication requirement:
- Once the client enters the correct credentials, the server allows access to the web page:
- Now, let's examine the packets captured by Wireshark, limiting to those exchanged by the client (192.168.1.13) and the server (192.168.1.15).
- The third packet corresponds to the client sending the correct credentials, because the next one (the fourth) corresponds to the 200 OK successful answer from the server:
- Opening the third packet, all the parameters used in the DA transaction are displayed:
- Copying the parameters to a text file for further study:
- Now, all parameters are available so that we can reproduce the calculations performed by server and client:
- Using a Python script with the previous parameters:
- The "response" is finally calculated:
- We can check that our "response" is equal to the "response" calculated by server and client in the previous example: