[Owasp-Malaysia] MITM Attack : Why should we look at it?

Amir Haris amirharis at gmail.com
Sat Oct 2 06:51:49 EDT 2010


Fazli,

Maybe you can present the topic and do some demos related to:

- Injection (e.g: Command injection)
- Key Manipulation (e.g: SSH v1, IPSEC, HTTPS)
- Downgrade Attack (SSH v2 -> v1)
- Filtering (insert malicious code or modification of binary files, https
redirection)

It will be awesome.

On Sat, Oct 2, 2010 at 6:47 PM, Amir Haris <amirharis at gmail.com> wrote:

> Dear Fazli,
>
> Correct, once in the middle, the attacker can:
>
> 1. Do Injection
> 2. Key Manipulation
> 3. Downgrade attack
> 4. Filtering.
>
> Which can lead to:
> - ARP poisoning
> - DNS spoofing
> - STP mangling
> - Port stealing
> - ICMP redirection
> - IRDP spoofing
> - DHCP Spoofing
> - route mangling
> - traffic tunneling
> - Access Point Reassociation.
> - others. :)
>
> On Sat, Oct 2, 2010 at 1:44 PM, Mohd Fazli Azran <mfazliazran at gmail.com> wrote:
>
>> Dear members,
>>
>> I have some opinion to share: why we must look at this attack as a threat.
>> But please don't do this at home. This is not good ethics, it will probably
>> be misused for personal interest, and if you get caught it is
>> your responsibility. This is for education purposes. This is just an example:
>>
>> Tool : Cain or Ettercap
>> Location : Coffee Bean / Starbuck / Old Town
>> Attack Method : Sniff and ARP poisoning
>>
>> Many *Money Oriented Hackers* (MOH) will do this for their own interest.
>> What they would prefer to sniff is online banking. For fun they will try to get
>> any social media that you have.
>>
>> HTTPS/SSL: many organizations do not look into it, and sometimes it is already
>> expired or not qualified. Many people will ignore it and just accept the
>> cert. Why should we worry about HTTPS/SSL? It is not good protection against a sniffer if
>> it is badly implemented by the organization. Poor implementation of SSL/TLS by many
>> organizations, especially in Malaysia, allows many sniffers to be a MITM. You will
>> see that some certs are self-signed and some certs may just be rogue
>> certificates. You can check all the online banks for whether they have a valid cert or
>> it has already expired. You can also look at whether the local banks use a CA cert or not. A CA
>> is one of the vendors that create commercial certs. Do our local banks use these
>> certs? If you check, many HTTPS/SSL deployments are broken and can be directly attacked/APT
>> by a sniffer.
>>
>> The problem of this, I think, is not HTTPS/SSL itself but the application
>> that uses them. The online web service provided by the bank sometimes is not enough
>> to prevent a sniffer from getting the U & P. Sometimes the hashing can be manipulated,
>> they can get it easily, and the user does not detect it at all.
>>
>> We must understand first what the process is from user to server. Here is an
>> example scenario (Ahmad uses an open network and surfs):
>>
>> 1) Ahmad opens the browser and surfs to the online bank web site
>> 2) The browser requests the login form from the online bank server
>> 3) The server (online bank) sends a randomly generated challenge (RGC) "c" *Server
>> sends HTML with the above form rules*
>> 4) The RGC is attached to the form and sent to Ahmad's browser *MITM replaces the
>> form with a simple u/p form; u/p are not manipulated*
>> 5) Ahmad enters username "u" and password "p_user" and submits *User
>> fills out the simple form, submits to MITM*
>> 6) Ahmad's browser calculates h_user=hash(hash(p_user), c) *MITM
>> calculates h_user from u / p / c*
>> 7) Ahmad's browser sends "u" and "h_user" to the server *MITM sends u +
>> h_user to server*
>> 8) The server retrieves the password hash "h_db" for user "u" from the database
>> 9) The server performs the comparison h_user==hash(h_db, c)
>> 10) If this comparison is true, the credentials are valid and a response is sent back to
>> Ahmad's browser
>> 11) Ahmad is now logged in to the server (online bank)
>>
>> If I missed some point here please correct it. But you can see the red
>> text is the process between user, MITM & server. You can do this and try whether
>> you can get any U & P from any local online bank (Maybank, CIMB, BIMB, RHB)
>> and overseas bank (HSBC, Citibank, Standard Chartered). You can compare whose
>> web security is more reliable and whether they implement it. The best policy
>> and process they follow will stop any MITM from getting the U/P from the server. My
>> point is: are they doing enough to protect users from this threat? Are we?
>>
>> P/S: I'm not a buyer of any bank here, just showing what the reality is.
>>
>> Mohd Fazli Azran
>>
>> _______________________________________________
>> Owasp-Malaysia mailing list
>> Owasp-Malaysia at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>
>> OWASP Malaysia Wiki
>> http://www.owasp.org/index.php/Malaysia
>>
>> OWASP Malaysia Wiki Facebook
>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>>
>
>
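The challenge-response flow Fazli lays out in steps 3 to 11 is worth seeing in working code, because it shows exactly which attacker the scheme stops and which it does not. The script below is an added example written for this thread, not code from the original post or from any bank: SHA-256 stands in for the unspecified hash(), the user record and challenges are constructed, and the function names are mine. It runs the honest flow, a passive sniffer that replays a recorded h_user under a fresh challenge, and the active MITM path in which the attacker serves a plain u/p form and does the browser's hashing itself.

```python
import hashlib
import hmac
import secrets

# Added example simulating the challenge-response login described in the thread.
# SHA-256 is an assumed stand-in for hash(); the user database is constructed.


def h(*parts: bytes) -> bytes:
    """hash(a, b, ...) = SHA-256 over the concatenated parts (assumed stand-in for hash())."""
    d = hashlib.sha256()
    for part in parts:
        d.update(part)
    return d.digest()


# Constructed sample database: the server stores h_db = hash(p_user) per user (step 8).
USER_DB = {"ahmad": h(b"correct horse battery staple")}


def server_new_challenge() -> bytes:
    """Step 3: the server generates a random challenge c."""
    return secrets.token_bytes(16)


def client_response(p_user: str, c: bytes) -> bytes:
    """Step 6: the browser computes h_user = hash(hash(p_user), c)."""
    return h(h(p_user.encode()), c)


def server_verify(u: str, h_user: bytes, c: bytes) -> bool:
    """Step 9: the server checks h_user == hash(h_db, c), using a constant-time compare."""
    h_db = USER_DB.get(u)
    if h_db is None:
        return False
    return hmac.compare_digest(h_user, h(h_db, c))


def honest_login(u: str, p_user: str, c: bytes) -> bool:
    """The undisturbed flow: the browser answers the server's challenge directly."""
    return server_verify(u, client_response(p_user, c), c)


def replayed_login(u: str, p_user: str, c_recorded: bytes, c_fresh: bytes) -> bool:
    """A passive sniffer that only recorded (u, h_user) from an earlier session and
    replays it in a new session with a fresh challenge. This is what the scheme stops:
    it succeeds only if the server happens to reuse the same challenge."""
    recorded_h_user = client_response(p_user, c_recorded)
    return server_verify(u, recorded_h_user, c_fresh)


def active_mitm_login(u: str, p_user: str, c: bytes) -> bool:
    """Steps 4 to 7 as the message describes: the MITM replaces the form with a plain
    u/p form, receives the plaintext password, computes h_user itself and forwards it.
    The server sees exactly what an honest browser would have sent, so it accepts."""
    submitted_u, submitted_p = u, p_user                # plain form posted to the MITM
    h_user_from_mitm = client_response(submitted_p, c)  # MITM does the browser's hashing
    return server_verify(submitted_u, h_user_from_mitm, c)


if __name__ == "__main__":
    c1, c2 = server_new_challenge(), server_new_challenge()
    pw = "correct horse battery staple"
    print("honest login:      ", honest_login("ahmad", pw, c1))          # True
    print("replayed h_user:   ", replayed_login("ahmad", pw, c1, c2))    # False
    print("active MITM login: ", active_mitm_login("ahmad", pw, c1))     # True
```

The point a defender should take from this: the challenge hash only defeats a passive sniffer who records traffic, because every secret-dependent computation runs on the untrusted side and an active MITM simply performs it in the browser's place. Protection against the active case has to come from the channel, which is Fazli's argument about certificates: a TLS certificate that is valid, issued by a CA the browser trusts, and never clicked through when it fails validation.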