[Owasp-Malaysia] MITM Attack : Why should we look at it?

Mohd Fazli Azran mfazliazran at gmail.com
Sat Oct 2 01:44:56 EDT 2010


Dear members,

I have some opinion to share. Why we must look at this attack as a threat.
But please dont doing this at home. This is not a good ethic and probably it
will miss use for personal interest and if you get caught it
your responsibility. This is for education purpose. This is just example:

Tool : Cain or Ettercap
Location : Coffee Bean / Starbuck / Old Town
Attack Method : Sniff and ARP poisoning

Many *Money Oriented Hacker* (MOH) will do this for their own interest. What
would they prefer to sniff is Bank Online.For fun they will try to get any
Social media that you have.

HTTPS/ SSL many Organization not look into it and sometime it already
expired or not qualified. Many people will ignore it and just accept the
cert. Why we should worried HTTPS/SSL it not good protection for sniffer if
the bad implement by organization. Poor implementation for SSL/TLS by many
Organization especially in Malaysia allow many sniffer to be a MITM. If you
see some cert are create by self signed and some cert maybe just rouge
certificate. You can check all the Bank online if they have valid cert or
they already expired. You also can look if Local bank use CA cert or not. CA
was one of vendor  create commercial cert. Are our local bank use this
cert?. If you check many HTTPS/SSL are broken and can be direct attack/APT
by sniffer.

The problem of this i think it not from HTTPS/SSL but it from Application
that use from them. The web online  provided by Bank sometime  it not enough
to prevent sniffer get the U & P. Some time the hashing can be manipulated
and they can get easily and user are not detected at all.

We must understand 1st what the process from user to server. Here the
example scenario (Ahmad use Open Network and surf):

1) Ahmad open Browser and surf Online Bank Web
2) Browser will request login form from the server Online Bank
3) Server (Online Bank) will sent random generate challenge (RGC )"c" *Server
sends HTML with above form rules*
4)  RGC attach to the form and sent to Ahmad browser *MITM replaces the form
with a simple form u/p** are not manipulated*
4) Ahmad will enter username "u" and Password "p_user" and submit *User
fills out simple form, submits to MITM*
5) Ahmad browser will calculate h_user=hash((hash(p_user), c) *MITM
calculates h_user from u / p / c*
6) Ahmad browser sent "u" and "h_user" to the server. *MITM sends u + h_user
to server*
7) The server retrieve password hash "h_db" for user "u" from database
8) Server perform comparison which h_user==hash(h_db, c)
9) If this comparison it true, the credential are true and sent back to
Ahmad Browser
10) Ahmad now login to server (Bank Online)

If i miss out some point here please correct it. But you can see the red
text are the process between user, MITM & server. You can do this and try if
you can get any U & P from any local Bank Online (Maybank, CIMB, BIMB, RHB)
and Oversea Bank (HSBC, Citibank, Standard Chartered) You can compare which
web security are more reliable and are they implement it. The best policy
and the process they do will combat any MITM to get the U/P from server. My
point is are they doing enough to protect user from this threat. Are we?

P/S : I`m not buyers any Bank here just to show what the reality are.

Mohd Fazli Azran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20101002/af32d59e/attachment.html 


More information about the Owasp-Malaysia mailing list