CNIT 123 Proj 3: HTTP Basic Authentication (10 pts.)

What You Need

A Linux machine, such as Kali.

Starting Apache

In a Terminal window, execute this command:
service apache2 start
If you see an error saying Apache is not installed, follow the instructions on your screen to install it.

In a Terminal window, execute this command:

ip addr
(Note: ifconfig is deprecated and ip is preferred.)

Find your IP address.

Click Applications, Internet, "IceWeasel Web Browser" and enter your IP address in the URL. You should see a Web page--if your Apache is newly installed, it will be an Apache default page.

Making the Secret Page

In a Terminal window, execute these commands:
mkdir /var/www/html/secret

nano /var/www/html/secret/index.html

In nano, enter the HTML code shown below, replacing YOUR-NAME with your own name:

<html>
<body>
<h1>YOUR-NAME Secret Page</h1>

Protected by HTTP Basic Authentication!

</body>
</html>

Save the file with Ctrl+X, Y, Enter.

In IceWeasel, append /secret to the IP address to view your page, as shown below:

There was no password required to see this page.

Configuring Basic Authentication

In a Terminal window, execute this command:
nano /etc/apache2/sites-enabled/001-secret.conf
In nano, enter the code shown below:

<Directory "/var/www/html/secret">
DirectoryIndex index.py
AddHandler cgi-script .py
Options Indexes FollowSymLinks MultiViews ExecCGI
AuthType Basic
AuthName "Private Documentation Repository"
AuthUserFile /etc/apache2/.htaccess
Require valid-user
AllowOverride None
Order allow,deny
allow from all
</Directory>
Save the file with Ctrl+X, Y, Enter.

Specifying Username and Password

In a Terminal window, execute this command, replacing YOUR-NAME with your own name. When you are prompted for a password, enter secretpassword twice.
htpasswd -c /etc/apache2/.htaccess YOUR-NAME

Restart Apache

In a Terminal window, execute this command:
service apache2 restart

Starting Wireshark

In a Terminal window, execute this command:
wireshark
A box pops up saying "Lua: Error during loading". Press Enter.

Another box says 'Running as user "root"...'. Press Enter.

In Wireshark, click Capture, Interfaces.

In the Interfaces list, check the any interface, as shown below:

Click Start.

Authenticating

In IceWeasel, refresh the page with your IP address followed by /secret

An "Authentication Required" box pops up, as shown below. Log in with your name and the password secretpassword

In Wireshark, click Capture, Stop.

In the top section of the Wireshark window, in the Filter bar, erase the text there and type in this filter.

frame contains Basic
Press Enter.

Two packets are visible, as shown below.

In the Info column, the first one is labelled "HTTP/1.1 401 Authorization Required", and the second one is labelled "GET /secret/ HTTP/1.1", as shown below.

In the top pane of Wireshark, click "GET /secret/ HTTP/1.1".

In the middle pane, expand the "Hypertext Transfer Protocol" section.

Scroll down and expand the Authorization section.

The credentials are displayed in cleartext, with your name and the secret password visible, as shown below:

Saving the Screen Image

Make sure YOUR-NAME and secretpassword are visible, as shown above.

Click the host computer's desktop. Press the PrntScrn key to capture the entire desktop.

YOU MUST SUBMIT A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Save this image as a PNG file, named "Proj 3 from YOUR NAME"

Turning in Your Project

Email the image to cnit.123@gmail.com with a subject of "Proj 3 from YOUR NAME".

Source

http://doc.norang.ca/apache-basic-auth.html

Last modified 9-7-16
Sam Bowne