HTTP Basic Authorization

In this LetsDefend challenge, I was provided with a .pcap capture containing suspicious traffic indicating a possible HTTP authentication attack. I was tasked with extracting information from the capture to determine whether this was, in fact, an actual authentication attack.

The first task was determining the volume and type of traffic and protocols involved. This was not a large capture, but judging by the objective, I decided to start with a basic search. Opening the .pcap file in Wireshark, I applied the display filter `http` to show all HTTP packets. There were a total of 5 GET requests, 4 of which were sent by a single IP. While the volume of GET requests is not initially concerning, the investigation could not stop here. I documented this finding and proceeded to gather additional information.

To understand the systems involved in this capture, I documented the operating system as well as the software name and version used by the web server communicating with the requester. In this case, the web server was running Apache/2.2.15 on a FreeBSD operating system, with OpenSSL/0.9.8n. All of this information can be read from the Server header of the HTTP response packet.

Now understanding the architecture of the web server, it was important to investigate the client side of the HTTP interactions. Looking into the HTTP request packets, I documented the client's User-Agent (Lynx/2.8.7rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.8n), as well as the username and password the client sent to authenticate with the server. With Basic authentication these travel in the Authorization header as a base64-encoded `user:password` string, which is encoding rather than encryption, so Wireshark decodes them directly and so can anyone else holding the capture. The client appears to have supplied correct credentials: the web server answered with a 200 response code, successfully authenticating the client to the server.

In my judgment, this traffic capture did not show evidence of an authentication attack. There were two requests from the same client, who, when required to authenticate to the web server, provided legitimate credentials and was granted access. There were no failed authentication attempts. I did find it odd, however, that both requests and authentications occurred within 3 minutes of each other. Additionally, there was a single request to the web server from a different IP, which never replied to the server's authentication challenge. Nonetheless, there was no cause for suspicion and further action would not be needed.
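The triage above, automated, as an added example that is not part of the original write-up or the challenge material. It parses HTTP messages, reads the Server header, decodes the Basic Authorization header, pairs each request with the server's next response to that client, and flags any client that fails Basic authentication repeatedly, which is the failed-401 count the judgment rests on. The IP addresses, realm, credentials, threshold and the exact Server header string are constructed assumptions, not values taken from the challenge pcap; a second constructed capture shows what a password-guessing client looks like to the same checks.

```python
import base64
import binascii
from collections import defaultdict

SERVER_IP = "10.0.0.1"  # assumed address of the web server in the constructed samples


def parse_http(raw: bytes) -> dict:
    """Split one HTTP message into its start line and a lowercase-keyed header dict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    msg = {"headers": headers, "body": body}
    if start[0].startswith("HTTP/"):
        msg.update(kind="response", status=int(start[1]))
    else:
        msg.update(kind="request", method=start[0], uri=start[1] if len(start) > 1 else "")
    return msg


def decode_basic(authorization: str):
    """Return (user, password) from 'Basic <base64>', or None if the value is not well-formed Basic."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:  # RFC 7617: user-id ":" password
        return None
    user, _, password = decoded.partition(":")
    return user, password


def triage(packets):
    """Pair each request with the next response to that client; summarise server and per-client auth."""
    clients = defaultdict(lambda: {"user_agents": set(), "attempts": [], "open_challenge": False})
    server = None
    pending = {}  # client ip -> last request still awaiting its response
    for pkt in packets:
        msg = parse_http(pkt["raw"])
        if msg["kind"] == "request":
            c = clients[pkt["src"]]
            if "user-agent" in msg["headers"]:
                c["user_agents"].add(msg["headers"]["user-agent"])
            if "authorization" in msg["headers"]:
                c["open_challenge"] = False  # the client answered the 401
            pending[pkt["src"]] = msg
        else:
            server = server or msg["headers"].get("server")
            req = pending.pop(pkt["dst"], None)
            if req is None:
                continue
            c = clients[pkt["dst"]]
            creds = decode_basic(req["headers"].get("authorization", ""))
            if creds is not None:
                c["attempts"].append({"user": creds[0], "password": creds[1], "status": msg["status"]})
            elif msg["status"] == 401:
                c["open_challenge"] = True  # challenged, no credentials sent yet
    return {"server": server, "clients": dict(clients)}


def classify(report, max_failures=5):
    """Flag a client as a likely brute-force source if it fails Basic auth max_failures or more times."""
    flagged = {}
    for ip, c in report["clients"].items():
        failures = sum(1 for a in c["attempts"] if a["status"] in (401, 403))
        successes = sum(1 for a in c["attempts"] if a["status"] == 200)
        if failures >= max_failures:
            flagged[ip] = {"failures": failures, "successes": successes,
                           "usernames": sorted({a["user"] for a in c["attempts"]})}
    return flagged


# Helpers that build constructed HTTP messages (assumed hosts, realm and credentials).
def _request(src, uri, auth=None):
    hdrs = f"GET {uri} HTTP/1.1\r\nHost: {SERVER_IP}\r\nUser-Agent: Lynx/2.8.7rel.1\r\n"
    if auth:
        hdrs += "Authorization: Basic " + base64.b64encode(auth.encode()).decode() + "\r\n"
    return {"src": src, "dst": SERVER_IP, "raw": (hdrs + "\r\n").encode()}


def _response(dst, status):
    reason = {200: "OK", 401: "Authorization Required"}[status]
    hdrs = f"HTTP/1.1 {status} {reason}\r\nServer: Apache/2.2.15 (FreeBSD) OpenSSL/0.9.8n\r\n"
    if status == 401:
        hdrs += 'WWW-Authenticate: Basic realm="private"\r\n'
    return {"src": SERVER_IP, "dst": dst, "raw": (hdrs + "\r\n").encode()}


# Constructed to mirror the benign pattern: one client is challenged, answers, gets 200;
# a second client is challenged and never answers.
BENIGN = [_request("10.0.0.5", "/private/"), _response("10.0.0.5", 401),
          _request("10.0.0.5", "/private/", "alice:correct-horse"), _response("10.0.0.5", 200),
          _request("10.0.0.9", "/private/"), _response("10.0.0.9", 401)]

# Constructed brute-force pattern: one client cycles passwords and fails every time.
BRUTE = []
for i in range(6):
    BRUTE += [_request("10.0.0.7", "/private/", f"admin:guess{i}"), _response("10.0.0.7", 401)]

if __name__ == "__main__":
    for name, capture in (("benign", BENIGN), ("brute", BRUTE)):
        report = triage(capture)
        print(name, report["server"], classify(report))
```

On a real capture the same per-client counting can be fed from Wireshark, which already decodes the Basic credentials into its `http.authbasic` field; the decision rule is the same one applied by hand above: legitimate use shows a challenge, one credentialed retry and a 200, while guessing shows a run of credentialed requests each answered with 401.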