[Owasp-Malaysia] MITM Attack : Why should we look at it?

Amir Haris amirharis at gmail.com
Sat Oct 2 06:47:08 EDT 2010


Dear Fazli,

Correct, once in the middle, the attacker can:

1. Do Injection
2. Key Manipulation
3. Downgrade attack
4. Filtering.

Which can lead to:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing
- ICMP redirection
- IRDP spoofing
- DHCP Spoofing
- route mangling
- traffic tunneling
- Access Point Reassociation.
- others. :)

On Sat, Oct 2, 2010 at 1:44 PM, Mohd Fazli Azran <mfazliazran at gmail.com> wrote:

> Dear members,
>
> I have an opinion to share: why we must look at this attack as a threat.
> But please don't do this at home. This is not good ethics and it will
> probably be misused for personal interest, and if you get caught it is
> your responsibility. This is for education purposes. This is just an example:
>
> Tool : Cain or Ettercap
> Location : Coffee Bean / Starbucks / Old Town
> Attack Method : Sniff and ARP poisoning
>
> Many *Money Oriented Hackers* (MOH) will do this for their own interest.
> What they would prefer to sniff is Bank Online. For fun they will try to get
> any social media that you have.
>
> Many organizations do not look into HTTPS/SSL, and sometimes the cert has
> already expired or is not qualified. Many people will ignore it and just
> accept the cert. Why should we be worried? HTTPS/SSL is not good protection
> against sniffers if it is badly implemented by the organization. Poor
> implementation of SSL/TLS by many organizations, especially in Malaysia,
> allows many sniffers to be a MITM. If you look, some certs are self-signed
> and some certs may just be rogue certificates. You can check all the Bank
> Online sites to see if they have a valid cert or if it has already expired.
> You can also look at whether local banks use a CA cert or not. A CA is one
> of the vendors that create commercial certs. Do our local banks use this
> cert? If you check, many HTTPS/SSL are broken and can be direct attack/APT
> by sniffers.
>
> The problem, I think, is not from HTTPS/SSL but from the application
> that uses it. The online web provided by the bank is sometimes not enough
> to prevent a sniffer from getting the U & P. Sometimes the hashing can be
> manipulated and they can get it easily, and the user does not detect it at all.
>
> We must first understand the process from user to server. Here is the
> example scenario (Ahmad uses an open network and surfs):
>
> 1) Ahmad opens the browser and surfs to the Online Bank web
> 2) The browser will request the login form from the Online Bank server
> 3) The server (Online Bank) will send a randomly generated challenge (RGC) "c" *Server
> sends HTML with above form rules*
> 4) The RGC is attached to the form and sent to Ahmad's browser *MITM replaces the
> form with a simple form; u/p are not manipulated*
> 4) Ahmad will enter username "u" and password "p_user" and submit *User
> fills out simple form, submits to MITM*
> 5) Ahmad's browser will calculate h_user=hash(hash(p_user), c) *MITM
> calculates h_user from u / p / c*
> 6) Ahmad's browser sends "u" and "h_user" to the server. *MITM sends u +
> h_user to server*
> 7) The server retrieves the password hash "h_db" for user "u" from the database
> 8) The server performs the comparison h_user==hash(h_db, c)
> 9) If this comparison is true, the credentials are true and the result is sent
> back to Ahmad's browser
> 10) Ahmad is now logged in to the server (Bank Online)
>
> If I missed some point here please correct it. But you can see the red
> text is the process between user, MITM & server. You can do this and try if
> you can get any U & P from any local Bank Online (Maybank, CIMB, BIMB, RHB)
> and overseas bank (HSBC, Citibank, Standard Chartered). You can compare which
> web security is more reliable and whether they implement it. The best policy
> and the process they use will combat any MITM getting the U/P from the server.
> My point is: are they doing enough to protect users from this threat? Are we?
>
> P/S : I'm not buyers any Bank here just to show what the reality is.
>
> Mohd Fazli Azran
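The login exchange from the quoted message, modelled offline as an added example (not code from either poster): the server-side check in step 8 passes identically whether h_user was computed by the browser's form or by a party relaying a replaced form, so the challenge stops replay of a captured h_user but cannot show that the login form arrived unmodified. That part depends on the transport, which is why the certificate validity raised in the thread matters. SHA-256, the class and function names, and the sample account are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def h(*parts: bytes) -> bytes:
    # hash(a, b) from the thread; SHA-256 over length-prefixed parts is an assumption
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

class Server:
    def __init__(self, users: dict):
        self.h_db = {u: h(p.encode()) for u, p in users.items()}  # step 7 storage
        self.pending = set()

    def login_form(self) -> bytes:
        c = secrets.token_bytes(16)  # step 3: random challenge "c"
        self.pending.add(c)
        return c

    def verify(self, u: str, h_user: bytes, c: bytes) -> bool:
        if c not in self.pending:
            return False
        self.pending.discard(c)  # each challenge is accepted once
        h_db = self.h_db.get(u)
        return h_db is not None and hmac.compare_digest(h_user, h(h_db, c))  # step 8

def browser_login(server, u, p):
    """Unstarred steps: the real form hashes p, so only u and h_user leave the browser."""
    c = server.login_form()
    first_hop = {"u": u, "h_user": h(h(p.encode()), c)}
    return server.verify(u, first_hop["h_user"], c), first_hop

def relayed_login(server, u, p):
    """Starred steps: the form was swapped for a plain one, so p leaves the browser."""
    c = server.login_form()                    # challenge as seen by the relay
    first_hop = {"u": u, "p": p}               # what the plain form submits
    h_user = h(h(first_hop["p"].encode()), c)  # computed by the relay, not the browser
    return server.verify(u, h_user, c), first_hop

def demo():
    s = Server({"ahmad": "constructed-password"})  # constructed sample account
    ok_direct, hop_direct = browser_login(s, "ahmad", "constructed-password")
    ok_relay, hop_relay = relayed_login(s, "ahmad", "constructed-password")
    # Replaying a captured h_user against a fresh challenge must fail.
    replay_ok = s.verify("ahmad", hop_direct["h_user"], s.login_form())
    return ok_direct, ok_relay, "p" in hop_direct, "p" in hop_relay, replay_ok

if __name__ == "__main__":
    print(demo())
```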