M 105: Plaintext Login (15 pts)

What You Need for This Project

Purpose

To observe network transmissions from an insecure app, and prove that they are not encrypted properly.

Background

This problem is gaining recognition, so few apps still have this flaw. Clear Messenger, which was used used in an earlier version of this project, but that app has been removed from Google Play, as of Feb 10., 2019.

So please use one of these apps instead. They all used plaintext network transmission on Feb 10, 2019, but eventually they may be fixed or removed.

Installing a Vulnerable App

On your Android device, in Google Play, find and install the app shown below.

Equity Pandit

Archived APK

If you don't have access to Google Play, use this archived copy of the app:

base-eqp.apk

Starting Wireshark

On your host system, launch Wireshark. If you don't have it, get it at:

https://www.wireshark.org/

In the main Wireshark window, double-click the network interface that is being used to reach the Internet. On my system, it is "Wi-Fi: en0", outlined in green in the image below.

Wirehark starts displaying packets. At the top, in the Filter bar, enter this display filter:

http
Press Enter to filter the traffic.

On your Android device, in the vulnerable app, use the "Create Account" page to make an account.

Wireshark shows a captured POST request, as shown below.

Troubleshooting

If you don't see any packets, try these fixes:
  • Click the red square button to stop the capture
  • From the menu, click Capture, Options
  • Choose a different network adapter
  • If the "Link-layer header" is set to "802.11...", scroll to the right and uncheck the monitor box
In the top pane of Wireshark, right-click the POST request, and click Follow, "TCP Stream", as shown above.

The request appears, containing your credentials, as shown below.


M 105: Filename (15 pts)

Find the text covered by a green box in the image above. That's the flag.
Converted to a CTF 2-28-19