[Owasp-Malaysia] MITM Attack : Why should we look at it?

Mohd Fazli Azran mfazliazran at gmail.com
Sun Oct 3 20:52:44 EDT 2010


Wow, interesting topic. Command injection and filtering are maybe very
popular topics.

On Sat, Oct 2, 2010 at 6:51 PM, Amir Haris <amirharis at gmail.com> wrote:

> Fazli,
>
> Maybe you can present the topic and do some demos related to:
>
> - Injection (e.g. command injection)
> - Key Manipulation (e.g. SSH v1, IPsec, HTTPS)
> - Downgrade Attack (SSH v2 -> v1)
> - Filtering (insertion of malicious code or modification of binary files, HTTPS
> redirection)
>
> It will be awesome.
>
>
> On Sat, Oct 2, 2010 at 6:47 PM, Amir Haris <amirharis at gmail.com> wrote:
>
>> Dear Fazli,
>>
>> Correct, once in the middle, the attacker can:
>>
>> 1. Do Injection
>> 2. Key Manipulation
>> 3. Downgrade attack
>> 4. Filtering.
>>
>> Which can lead to:
>> - ARP poisoning
>> - DNS spoofing
>> - STP mangling
>> - Port stealing
>> - ICMP redirection
>> - IRDP spoofing
>> - DHCP Spoofing
>> - route mangling
>> - traffic tunneling
>> - Access Point Reassociation.
>> - others. :)
>>
>> On Sat, Oct 2, 2010 at 1:44 PM, Mohd Fazli Azran <mfazliazran at gmail.com>wrote:
>>
>>> Dear members,
>>>
>>> I have some opinion to share: why we must look at this attack as a
>>> threat. But please don't do this at home. This is not good ethics, and
>>> it will probably be misused for personal interest, and if you get caught it is
>>> your responsibility. This is for education purposes. This is just an example:
>>>
>>> Tool : Cain or Ettercap
>>> Location : Coffee Bean / Starbuck / Old Town
>>> Attack Method : Sniff and ARP poisoning
>>>
>>> Many *Money Oriented Hackers* (MOH) will do this for their own interest.
>>> What they would prefer to sniff is online banking. For fun they will try to get
>>> any social media accounts that you have.
>>>
>>> HTTPS/SSL: many organizations do not look into it, and sometimes the certificate is already
>>> expired or not qualified. Many people will ignore it and just accept the
>>> cert. Why should we worry about HTTPS/SSL? It is not good protection against a sniffer if
>>> it is badly implemented by the organization. Poor implementation of SSL/TLS by many
>>> organizations, especially in Malaysia, allows many sniffers to be a MITM. If you
>>> look, some certs are self-signed and some certs may just be rogue
>>> certificates. You can check all the online banks to see if they have valid certs or
>>> if they have already expired. You can also look at whether local banks use a CA cert or not. A CA
>>> is one of the vendors that create commercial certs. Do our local banks use this
>>> kind of cert? If you check, many HTTPS/SSL deployments are broken and can be directly attacked/APT
>>> by a sniffer.
>>>
>>> I think the problem here is not from HTTPS/SSL but from the applications
>>> that use them. The online web provided by the bank is sometimes not enough
>>> to prevent a sniffer from getting the U & P. Sometimes the hashing can be manipulated,
>>> and they can get it easily, and the user does not detect it at all.
>>>
>>> We must understand first what the process is from user to server. Here is an
>>> example scenario (Ahmad uses an open network and surfs):
>>>
>>> 1) Ahmad opens the browser and surfs to the online bank website
>>> 2) The browser requests the login form from the online bank server
>>> 3) The server (online bank) sends a randomly generated challenge (RGC) "c" *Server
>>> sends HTML with the above form rules*
>>> 4) The RGC is attached to the form and sent to Ahmad's browser *MITM replaces the
>>> form with a simple form; u/p are not manipulated*
>>> 5) Ahmad enters username "u" and password "p_user" and submits *User
>>> fills out simple form, submits to MITM*
>>> 6) Ahmad's browser calculates h_user = hash(hash(p_user), c) *MITM
>>> calculates h_user from u / p / c*
>>> 7) Ahmad's browser sends "u" and "h_user" to the server *MITM sends u +
>>> h_user to server*
>>> 8) The server retrieves the password hash "h_db" for user "u" from the database
>>> 9) The server performs the comparison h_user == hash(h_db, c)
>>> 10) If this comparison is true, the credentials are valid and the result is sent back to
>>> Ahmad's browser
>>> 11) Ahmad is now logged in to the server (online bank)
>>>
>>> If I missed some point here, please correct it. But you can see the red
>>> text is the process between user, MITM & server. You can do this and try if
>>> you can get any U & P from any local online bank (Maybank, CIMB, BIMB, RHB)
>>> or overseas bank (HSBC, Citibank, Standard Chartered). You can compare whose
>>> web security is more reliable and whether they implement it. The best policy
>>> and process they follow will combat any MITM getting the U/P from the server. My
>>> point is: are they doing enough to protect users from this threat? Are we?
>>>
>>> P/S: I'm not buyers of any bank here; this is just to show what the reality is.
>>>
>>> Mohd Fazli Azran
>>>
>>> _______________________________________________
>>> Owasp-Malaysia mailing list
>>> Owasp-Malaysia at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>>
>>> OWASP Malaysia Wiki
>>> http://www.owasp.org/index.php/Malaysia
>>>
>>> OWASP Malaysia Wiki Facebook
>>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>>>
>>
>>
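The challenge-response login from the quoted steps, modelled here as an added example (not code from the thread). It shows what the random challenge c actually buys the bank: a passive sniffer who captured h_user cannot replay it against a fresh challenge, but the server has no way to tell a browser's h_user from one computed by whoever received the plaintext password once the hashing form was swapped out, which is why the scheme depends on the page reaching the user over an authenticated TLS channel. The hash function, challenge size and class names are assumptions.

```python
import hashlib
import secrets


def hash_pair(a, b=""):
    # Toy stand-in for the thread's hash(): SHA-256 over a length-prefixed pair
    return hashlib.sha256(f"{len(a)}:{a}:{b}".encode()).hexdigest()


class BankServer:
    """Server side of steps 3, 8 and 9: stores h_db = hash(p_user) per user,
    issues a fresh random challenge c, and checks h_user == hash(h_db, c)."""

    def __init__(self):
        self.users = {}

    def register(self, u, p_user):
        self.users[u] = hash_pair(p_user)  # h_db

    def issue_challenge(self):
        return secrets.token_hex(16)  # randomly generated challenge c (assumed size)

    def verify(self, u, c, h_user):
        h_db = self.users.get(u)
        return h_db is not None and hash_pair(h_db, c) == h_user


def browser_response(p_user, c):
    """Step 6: the legitimate browser computes h_user = hash(hash(p_user), c)."""
    return hash_pair(hash_pair(p_user), c)


def legitimate_login(server, u, p_user):
    """Honest run of the flow; also returns (c, h_user) exactly as a passive
    sniffer would have seen them on the wire."""
    c = server.issue_challenge()
    h_user = browser_response(p_user, c)
    return server.verify(u, c, h_user), c, h_user


def replay_login(server, u, captured_h_user):
    """A passive sniffer who only saw (u, h_user) cannot reuse it: the server
    issues a new challenge, so the captured h_user no longer matches."""
    c = server.issue_challenge()
    return server.verify(u, c, captured_h_user)


def plaintext_holder_login(server, u, p_user):
    """Steps 4-7 of the thread: once the hashing form has been replaced, whoever
    received the plaintext p_user runs step 6 themselves and is
    indistinguishable from the real browser as far as the server can tell."""
    c = server.issue_challenge()
    return server.verify(u, c, browser_response(p_user, c))
```

The challenge is therefore a replay defence only; the page contents that perform the hashing must themselves be integrity-protected, which is exactly what a valid, CA-issued certificate the user does not click through provides.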