[Owasp-Malaysia] MITM Attack : Why should we look at it?

MASOKIS masokis at gmail.com
Sat Oct 2 04:03:12 EDT 2010


kalau ada org yang tahu wifi tu ada unsur khianat mcm mitm... dan org
tu tak mau org lain kena... boleh ke dia selamatkan org lain ??

masokis tgk2... airpwn bleh halang kot ? masokis tak siap lagi pasang
airpwn.. pasal masalah lib.


On 10/2/10, Mohd Fazli Azran <mfazliazran at gmail.com> wrote:
> Dear members,
>
> I have some opinion to share. Why we must look at this attack as a threat.
> But please dont doing this at home. This is not a good ethic and probably it
> will miss use for personal interest and if you get caught it
> your responsibility. This is for education purpose. This is just example:
>
> Tool : Cain or Ettercap
> Location : Coffee Bean / Starbuck / Old Town
> Attack Method : Sniff and ARP poisoning
>
> Many *Money Oriented Hacker* (MOH) will do this for their own interest. What
> would they prefer to sniff is Bank Online.For fun they will try to get any
> Social media that you have.
>
> HTTPS/ SSL many Organization not look into it and sometime it already
> expired or not qualified. Many people will ignore it and just accept the
> cert. Why we should worried HTTPS/SSL it not good protection for sniffer if
> the bad implement by organization. Poor implementation for SSL/TLS by many
> Organization especially in Malaysia allow many sniffer to be a MITM. If you
> see some cert are create by self signed and some cert maybe just rouge
> certificate. You can check all the Bank online if they have valid cert or
> they already expired. You also can look if Local bank use CA cert or not. CA
> was one of vendor  create commercial cert. Are our local bank use this
> cert?. If you check many HTTPS/SSL are broken and can be direct attack/APT
> by sniffer.
>
> The problem of this i think it not from HTTPS/SSL but it from Application
> that use from them. The web online  provided by Bank sometime  it not enough
> to prevent sniffer get the U & P. Some time the hashing can be manipulated
> and they can get easily and user are not detected at all.
>
> We must understand 1st what the process from user to server. Here the
> example scenario (Ahmad use Open Network and surf):
>
> 1) Ahmad open Browser and surf Online Bank Web
> 2) Browser will request login form from the server Online Bank
> 3) Server (Online Bank) will sent random generate challenge (RGC )"c"
> *Server
> sends HTML with above form rules*
> 4)  RGC attach to the form and sent to Ahmad browser *MITM replaces the form
> with a simple form u/p** are not manipulated*
> 4) Ahmad will enter username "u" and Password "p_user" and submit *User
> fills out simple form, submits to MITM*
> 5) Ahmad browser will calculate h_user=hash((hash(p_user), c) *MITM
> calculates h_user from u / p / c*
> 6) Ahmad browser sent "u" and "h_user" to the server. *MITM sends u + h_user
> to server*
> 7) The server retrieve password hash "h_db" for user "u" from database
> 8) Server perform comparison which h_user==hash(h_db, c)
> 9) If this comparison it true, the credential are true and sent back to
> Ahmad Browser
> 10) Ahmad now login to server (Bank Online)
>
> If i miss out some point here please correct it. But you can see the red
> text are the process between user, MITM & server. You can do this and try if
> you can get any U & P from any local Bank Online (Maybank, CIMB, BIMB, RHB)
> and Oversea Bank (HSBC, Citibank, Standard Chartered) You can compare which
> web security are more reliable and are they implement it. The best policy
> and the process they do will combat any MITM to get the U/P from server. My
> point is are they doing enough to protect user from this threat. Are we?
>
> P/S : I`m not buyers any Bank here just to show what the reality are.
>
> Mohd Fazli Azran
>


-- 
*>> HTTP://WWW.MASOKIS.COM <<*


More information about the Owasp-Malaysia mailing list