The first attack is a brute force login. What's the first username tried?
Let's open up Wireshark again. Since we want to focus on POST requests to /login.html,
we set the filter to:
http.request.uri contains "login.html" and http.request.method == "POST"
We select the first entry and right-click -> follow -> HTTP stream:
POST /login.html HTTP/1.1
Host: www.toteslegit.us
...
username=alice&password=philipHTTP/1.1 200 OK
So the first username tried is alice.
We get the following hints:
With forced browsing, there will be many 404 status codes returned from the web server. Look for 200 codes in that group of 404s. This one can be completed with the PCAP or the log file.
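One way to apply this hint to the log file, as an added example that is not part of the original write-up: for each client, take the span between its first and last 404 and list the requests inside it that were answered with 200. It assumes the log is in Apache/nginx combined format (the page does not show the log), and the sample lines, IP addresses and paths are constructed.

```python
import re
from collections import defaultdict

# Assumption: Apache/nginx "combined" access-log format (the page does not show the log).
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"\S+ (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, made-up paths), not the challenge log.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "ua"
198.51.100.20 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 196 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 196 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /private/ HTTP/1.1" 200 842 "-" "ua"
198.51.100.20 - - [01/Jan/2024:10:00:04 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /old HTTP/1.1" 404 196 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /config HTTP/1.1" 404 196 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /dev/ HTTP/1.1" 200 1311 "-" "ua"
198.51.100.20 - - [01/Jan/2024:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "ua"
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /tmp HTTP/1.1" 404 196 "-" "ua"
"""

def forced_browsing_hits(log_text, min_404=5):
    """Return {ip: [URIs answered 200 inside that client's run of 404s]}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # skip lines that do not parse instead of failing
            by_ip[m["ip"]].append((m["uri"], int(m["status"])))
    hits = {}
    for ip, reqs in by_ip.items():
        idx404 = [i for i, (_, status) in enumerate(reqs) if status == 404]
        if len(idx404) < min_404:
            continue  # an occasional 404 is normal browsing, not a scan
        # Only requests between the first and last 404 belong to the scan, so
        # pages the client loaded before it started guessing are left out.
        window = reqs[idx404[0]:idx404[-1] + 1]
        hits[ip] = [uri for uri, status in window if status == 200]
    return hits

if __name__ == "__main__":
    for ip, uris in forced_browsing_hits(SAMPLE_LOG).items():
        print(ip, "found:", ", ".join(uris) or "(nothing)")
```

The `min_404` threshold is a tuning value chosen for the sample; on a real log it should be set against the normal 404 rate of the site.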