Lab Instructions
History of Encryption
Local lab only. Use your own machine, localhost, and fake credentials. Do not capture traffic you do not own or have permission to capture.
Section 1 — Legal and Ethical Boundaries (Read First)
Before touching any tools, read this:
This lab is for defensive cybersecurity education only. We will capture only our own traffic, on our own machine, using fake credentials, against a local server that we created ourselves.
You must
- Use your own computer
- Use a local server (localhost only)
- Use fake usernames and fake credit card numbers
- Capture only your own traffic
You must NOT
- Capture traffic on public Wi-Fi
- Capture traffic from other students
- Perform ARP poisoning or interception
- Attempt to bypass encryption
- Collect real credentials
Important concept
Wireshark is a diagnostic tool. The legality depends entirely on permission.
If you do not own it or do not have permission — do not capture it.
Lab Objective
By the end of this lab, you will:
- See plaintext credentials over HTTP
- See encrypted traffic over HTTPS
- Understand exactly why TLS defeats passive MITM
- Understand the legal boundaries of packet analysis
Section 2 — Environment Setup
Tools required: Python installed; OpenSSL installed; Wireshark; a web browser.
All commands below are typed in Terminal (Mac/Linux) or Command Prompt / PowerShell (Windows) — not in Wireshark and not in the browser.
Section 3 — Create the Mock Login Page
Step 1 — Create file: Open Terminal (Mac/Linux) or Command Prompt / PowerShell (Windows). Navigate to a folder where you want to work. Then type: touch login.html (Windows users can right-click → New → Text Document → rename to login.html). This creates the webpage file.
Step 2 — Paste HTML code
Open login.html in VS Code, Notepad, or any text editor. Paste the HTML below. Save the file.
We are creating a fake form so we control the environment completely. No real website involved.
HTML code for login.html
<!DOCTYPE html>
<html>
<head>
<title>Security Lab Demo</title>
</head>
<body>
<h2>Mock Login (HTTP Demo)</h2>
<form method="POST">
Username: <input type="text" name="username"><br><br>
Password: <input type="password" name="password"><br><br>
<input type="submit" value="Login">
</form>
<h2>Mock Credit Card Form</h2>
<form method="POST">
Name: <input type="text" name="fullname"><br><br>
Card Number: <input type="text" name="cardnumber"><br><br>
Expiry: <input type="text" name="expiry"><br><br>
CVV: <input type="text" name="cvv"><br><br>
<input type="submit" value="Pay">
</form>
</body>
</html>
Section 4 — Start Local HTTP Server
Run a server locally. In Terminal / Command Prompt, make sure you are in the folder that contains login.html.
Type:
python -m http.server 8000
What this does: python runs Python; -m http.server launches the built-in simple web server; 8000 tells it to listen on port 8000. Port 8000 is arbitrary and avoids interfering with system services.
You should see: "Serving HTTP on 0.0.0.0 port 8000". Your machine is now hosting a website at http://localhost:8000. This is HTTP — no encryption, plaintext. Note that 0.0.0.0 means the server accepts connections on every network interface, not only from localhost; to keep it reachable only from your own machine, as this lab requires, you can start it as python -m http.server 8000 --bind 127.0.0.1 instead.
Section 5 — Capture HTTP Traffic
Step 1 — Open Wireshark. Select your active network interface. Click Start. Note: traffic to localhost never leaves the machine through your Wi-Fi or Ethernet adapter; it travels over the loopback interface. If your active interface shows nothing when you reach Step 3, restart the capture on the loopback interface (lo on Linux, lo0 on Mac, "Adapter for loopback traffic capture" on Windows, which requires Npcap).
Step 2 — Apply filter: In the Wireshark filter bar, type: tcp.port == 8000. Press Enter. This shows only traffic to our local server. Without filtering, Wireshark captures thousands of packets; filtering isolates our demo traffic.
Step 3 — Submit fake credentials
Open your browser. Visit: http://localhost:8000/login.html
Enter username: testuser. Enter password: fakepassword123. Enter fake card data: Card 1111222233334444, CVV 123. Submit.
Step 4 — Inspect packet
Back in Wireshark: Click a POST packet. Expand "Hypertext Transfer Protocol".
You will see: username=testuser&password=fakepassword123 — readable, visible, exposed. (The browser itself shows an error page, because Python's built-in server does not handle POST and answers with a 501; that does not matter here, since the request had already left the browser in the clear.) This is exactly what an attacker could see if traffic were intercepted. Pause here and let that sink in.
Section 6 — Add Encryption
Stop the HTTP server with Ctrl+C in Terminal.
Generate certificate
In Terminal, type:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
Explanation: openssl (cryptography tool); req (certificate request); -x509 (create self-signed certificate); -newkey rsa:2048 (generate 2048-bit RSA key); -keyout key.pem (save private key); -out cert.pem (save certificate); -days 365 (valid for 1 year); -nodes (no password protection). This creates key.pem and cert.pem, which enable HTTPS.
Create HTTPS server script
Create a file named https_server.py in the same folder. Paste the Python code below. We use port 4443 because port 443 is the default HTTPS port, and ports below 1024 need elevated privileges on Mac/Linux; 4443 avoids that.
Python code for https_server.py
import http.server
import ssl

# Listen only on localhost, on port 4443 (no elevated privileges needed).
server_address = ('localhost', 4443)
httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler)

# ssl.wrap_socket() was deprecated in Python 3.7 and removed in Python 3.12;
# an SSLContext is the supported way to wrap the listening socket.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile="cert.pem", keyfile="key.pem")
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)

print("Serving HTTPS on https://localhost:4443")
httpd.serve_forever()
Start HTTPS server
In Terminal, run: python https_server.py
The server now runs at https://localhost:4443
Section 7 — Capture HTTPS Traffic
In Wireshark: Change the filter to tcp.port == 4443.
Visit in your browser: https://localhost:4443/login.html. You will see a certificate warning (self-signed): the browser has no reason to trust a certificate you signed yourself, which is the authenticity check doing its job. Click Advanced → Proceed. Submit the same fake credentials again.
Inspect packets
Click packets in Wireshark. You will NOT see username=testuser. Instead you will see: Transport Layer Security; Encrypted Application Data. Even if you follow the TCP stream: unreadable ciphertext.
Same form, same fake data, same Wireshark. The only difference: encryption.
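The following script is an added example for this lab, not part of the original instructions: it shows in code what you just saw in Wireshark in Sections 5 and 7. Given the raw bytes of a captured TCP payload, it reports whether a passive observer can read sensitive form fields (the HTTP case) or only sees a TLS record with ciphertext (the HTTPS case). The two payloads below are constructed to look like the lab's traffic and were not captured from a real network; the list of sensitive field names is an assumption chosen to match the demo forms.

```python
# Added example (not the lab's own code): classify what a captured payload reveals.
from urllib.parse import parse_qs

# Assumption: the field names this lab treats as sensitive in its demo forms.
SENSITIVE_FIELDS = {"password", "cardnumber", "cvv"}

# Constructed: the plaintext HTTP POST the browser sends in Section 5.
HTTP_LOGIN_POST = (
    b"POST /login.html HTTP/1.1\r\n"
    b"Host: localhost:8000\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"username=testuser&password=fakepassword123"
)

# Constructed: the card form from Section 5 ('+' and %2F are form encoding).
HTTP_CARD_POST = (
    b"POST /login.html HTTP/1.1\r\n"
    b"Host: localhost:8000\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 69\r\n"
    b"\r\n"
    b"fullname=Test+User&cardnumber=1111222233334444&expiry=12%2F30&cvv=123"
)

# Constructed: a TLS record header (content type 0x17 = application data,
# legacy version 0x0303) followed by stand-in ciphertext, as seen in Section 7.
TLS_APP_DATA = bytes.fromhex("170303002a") + bytes(range(0x2A))


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header.

    Byte 0 is the record content type (0x14-0x17); bytes 1-2 are the legacy
    record version, 0x0301..0x0304 for TLS 1.0 through 1.3.
    """
    if len(payload) < 5:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    return (content_type in (0x14, 0x15, 0x16, 0x17)
            and major == 0x03 and minor in (0x01, 0x02, 0x03, 0x04))


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body).

    Returns None when the payload does not have an HTTP request line.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Trust Content-Length to cut off anything after the declared body.
    length = int(headers.get("content-length", len(body)))
    return method, path, headers, body[:length]


def find_cleartext_secrets(payload: bytes) -> dict:
    """Report what a passive observer could read from one captured payload."""
    if looks_like_tls(payload):
        # Encrypted Application Data: nothing inside the record is readable.
        return {"protocol": "tls", "encrypted": True, "exposed": {}}
    parsed = parse_http_request(payload)
    if parsed is None:
        return {"protocol": "unknown", "encrypted": False, "exposed": {}}
    method, _path, headers, body = parsed
    exposed = {}
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("utf-8", errors="replace"))
        exposed = {name: values[0] for name, values in form.items()
                   if name in SENSITIVE_FIELDS}
    return {"protocol": "http", "encrypted": False, "exposed": exposed}


if __name__ == "__main__":
    for label, sample in (("HTTP login", HTTP_LOGIN_POST),
                          ("HTTP card", HTTP_CARD_POST),
                          ("HTTPS", TLS_APP_DATA)):
        print(label, "->", find_cleartext_secrets(sample))
```

The TLS branch is deliberately the first check: once the bytes are a TLS record, no amount of parsing recovers the form fields, which is the whole point of the second demo. To try it on your own capture, right-click a packet in Wireshark, use Follow → TCP Stream, save the client side as raw bytes, and pass that file's contents to find_cleartext_secrets.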
What students should understand
HTTP: No confidentiality; no integrity; no authenticity.
HTTPS: Confidentiality (encryption); integrity (tamper detection); authenticity (certificate validation).
MITM works easily on HTTP. MITM becomes extremely difficult with properly configured HTTPS.
Final legal reminder
This lab is legal because: you own the machine; you created the server; you used fake data; you did not intercept third-party traffic.
Never repeat this on: public Wi-Fi; someone else's network; corporate networks without authorization.
Ethical cybersecurity professionals find weaknesses, report weaknesses, and fix weaknesses. They do not exploit real users.
Final teaching moment
Ask: "What changed between the two demos?" Nothing except encryption. That is the entire lesson of MITM defense.