[Owasp-Malaysia] MITM Attack : Why should we look at it?

Gan Kee Lim (DHL MY) KeeLim.Gan at dhl.com
Sun Oct 3 21:41:50 EDT 2010

Hi Fazli,

Thank you for including me in the mailing list, I was just about to subscribe to it. Can you please change my email address to klgan2000 at yahoo.com<mailto:klgan2000 at yahoo.com>? I tend to keep my office mail for official stuff only.

Thanks & sorry for the trouble.


From: owasp-malaysia-bounces at lists.owasp.org [mailto:owasp-malaysia-bounces at lists.owasp.org] On Behalf Of Mohd Fazli Azran
Sent: Saturday, October 02, 2010 1:45 PM
To: owasp-malaysia
Subject: [Owasp-Malaysia] MITM Attack : Why should we look at it?

Dear members,

I have some opinion to share. Why we must look at this attack as a threat. But please dont doing this at home. This is not a good ethic and probably it will miss use for personal interest and if you get caught it your responsibility. This is for education purpose. This is just example:

Tool : Cain or Ettercap
Location : Coffee Bean / Starbuck / Old Town
Attack Method : Sniff and ARP poisoning

Many Money Oriented Hacker (MOH) will do this for their own interest. What would they prefer to sniff is Bank Online.For fun they will try to get any Social media that you have.

HTTPS/ SSL many Organization not look into it and sometime it already expired or not qualified. Many people will ignore it and just accept the cert. Why we should worried HTTPS/SSL it not good protection for sniffer if the bad implement by organization. Poor implementation for SSL/TLS by many Organization especially in Malaysia allow many sniffer to be a MITM. If you see some cert are create by self signed and some cert maybe just rouge certificate. You can check all the Bank online if they have valid cert or they already expired. You also can look if Local bank use CA cert or not. CA was one of vendor  create commercial cert. Are our local bank use this cert?. If you check many HTTPS/SSL are broken and can be direct attack/APT by sniffer.

The problem of this i think it not from HTTPS/SSL but it from Application that use from them. The web online  provided by Bank sometime  it not enough to prevent sniffer get the U & P. Some time the hashing can be manipulated and they can get easily and user are not detected at all.

We must understand 1st what the process from user to server. Here the example scenario (Ahmad use Open Network and surf):

1) Ahmad open Browser and surf Online Bank Web
2) Browser will request login form from the server Online Bank
3) Server (Online Bank) will sent random generate challenge (RGC )"c" Server sends HTML with above form rules
4)  RGC attach to the form and sent to Ahmad browser MITM replaces the form with a simple form u/p are not manipulated
4) Ahmad will enter username "u" and Password "p_user" and submit User fills out simple form, submits to MITM
5) Ahmad browser will calculate h_user=hash((hash(p_user), c) MITM calculates h_user from u / p / c
6) Ahmad browser sent "u" and "h_user" to the server. MITM sends u + h_user to server
7) The server retrieve password hash "h_db" for user "u" from database
8) Server perform comparison which h_user==hash(h_db, c)
9) If this comparison it true, the credential are true and sent back to Ahmad Browser
10) Ahmad now login to server (Bank Online)

If i miss out some point here please correct it. But you can see the red text are the process between user, MITM & server. You can do this and try if you can get any U & P from any local Bank Online (Maybank, CIMB, BIMB, RHB) and Oversea Bank (HSBC, Citibank, Standard Chartered) You can compare which web security are more reliable and are they implement it. The best policy and the process they do will combat any MITM to get the U/P from server. My point is are they doing enough to protect user from this threat. Are we?

P/S : I`m not buyers any Bank here just to show what the reality are.

Mohd Fazli Azran
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20101004/ec2415f9/attachment-0001.html 

More information about the Owasp-Malaysia mailing list