Credential Mining
Alabaster Snowball is standing in the very dark.
Challenge

The first attack is a brute force login. What's the first username tried?

Solution

Let's open up Wireshark again. Since we want to focus on POST requests to /login.html, we set the display filter to:

http.request.uri contains "login.html" and http.request.method == "POST"

We select the first entry, then right-click -> Follow -> HTTP Stream:

POST /login.html HTTP/1.1
Host: www.toteslegit.us
...
username=alice&password=philipHTTP/1.1 200 OK

So the first username tried is alice.
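
The same triage can be scripted. The Python below is an added example, not part of the original write-up: it takes reassembled client requests, keeps only POSTs to /login.html, and decodes the form body in capture order. Only the host and the alice/philip body come from the stream shown above; the other sample requests and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: reassembled client requests in capture order, headers
# abbreviated. Only the Host and the alice/philip body come from the write-up.
SAMPLE_REQUESTS = [
    b"GET /login.html HTTP/1.1\r\nHost: www.toteslegit.us\r\n\r\n",
    b"POST /login.html HTTP/1.1\r\nHost: www.toteslegit.us\r\n\r\n"
    b"username=alice&password=philip",
    b"POST /search.html HTTP/1.1\r\nHost: www.toteslegit.us\r\n\r\n"
    b"q=username%3Dmallory",
    b"POST /login.html HTTP/1.1\r\nHost: www.toteslegit.us\r\n\r\n"
    b"username=bob&password=example1",
    b"POST /login.html HTTP/1.1\r\nHost: www.toteslegit.us\r\n\r\n"
    b"username=carol%40example.com&password=p%26ss+word",
]

def login_attempts(requests, path="/login.html"):
    """Return (username, password) for each POST to `path`, in capture order."""
    attempts = []
    for raw in requests:
        head, _, body = raw.partition(b"\r\n\r\n")
        parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
        if len(parts) != 3:
            continue  # not a well-formed request line
        method, target, _version = parts
        # Exact path match; the Wireshark filter above uses a looser "contains".
        if method != "POST" or urlsplit(target).path != path:
            continue
        # Form bodies are percent-encoded; parse_qs decodes %XX and '+'.
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        attempts.append((form.get("username", [""])[0],
                         form.get("password", [""])[0]))
    return attempts

def summarize(attempts):
    """Many attempts spread over several usernames suggests a brute force."""
    users = [user for user, _ in attempts]
    return {
        "first_username": users[0] if users else None,
        "attempts": len(attempts),
        "distinct_usernames": len(set(users)),
    }

if __name__ == "__main__":
    found = login_attempts(SAMPLE_REQUESTS)
    for user, password in found:
        print(f"{user}\t{password}")
    print(summarize(found))
```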

We get the following hints:

HTTP Status Codes

With forced browsing, there will be many 404 status codes returned from the web server. Look for 200 codes in that group of 404s. This one can be completed with the PCAP or the log file.