[Owasp-Malaysia] MITM Attack : Why should we look at it?

Hazrul Hamzah hazrul at hazrulnz.net
Sun Oct 3 23:15:55 EDT 2010


Bro,

Awareness is the most important thing. Do Not USE public open facilities
like this for personal/private accounts/email transactions. MiTM is one
thing, session duplication is another. For the latter, there won't be any
popups about an expired cert on your screen. The last thing that you'll
know is that your personal account is already compromised ;)

Btw if we look at the current trend now, these kinds of attackers prefer
to perform large scale attacks via spam/phishing mails. More lucrative,
higher compromise percentage and yeah surprisingly a lot of people fall for
it :D

My piece..
p/s: Cha'ah.. you're brutal. hahaha.


On 02/10/2010 13:44, Mohd Fazli Azran wrote:
> Dear members,
>
> I have some opinion to share: why we must look at this attack as a
> threat. But please don't do this at home. This is not good ethics,
> it will probably be misused for personal interest, and if you get
> caught it is your responsibility. This is for education purposes. This is
> just an example:
>
> Tool : Cain or Ettercap 
> Location : Coffee Bean / Starbuck / Old Town
> Attack Method : Sniff and ARP poisoning 
>
> Many *Money Oriented Hackers* (MOH) will do this for their own
> interest. What they would prefer to sniff is Bank Online. For fun they
> will try to get any social media that you have.
>
> Many Organizations do not look into HTTPS/SSL, and sometimes it is already
> expired or not qualified. Many people will ignore it and just accept
> the cert. Why should we worry? HTTPS/SSL is not good protection against a
> sniffer if it is badly implemented by the organization. Poor implementation of
> SSL/TLS by many Organizations, especially in Malaysia, allows many sniffers
> to be a MITM. You will see some certs are self signed and some
> certs may just be rogue certificates. You can check all the Bank Online
> sites for whether they have a valid cert or it has already expired. You can
> also look at whether local banks use a CA cert or not. A CA is one of the
> vendors that create commercial certs. Are our local banks using such certs?
> If you check, many HTTPS/SSL are broken and can be directly attacked/APT by
> a sniffer.
>
> The problem of this, I think, is not from HTTPS/SSL but from the
> Application that uses them. The web online banking provided by Banks
> is sometimes not enough to prevent a sniffer getting the U & P. Sometimes
> the hashing can be manipulated and they can get it easily and it is not
> detected by the user at all.
>
> We must understand 1st what the process from user to server is. Here is an
> example scenario (Ahmad uses an Open Network and surfs):
>
> 1) Ahmad opens the Browser and surfs to the Online Bank Web
> 2) Browser will request the login form from the Online Bank server
> 3) Server (Online Bank) will send a randomly generated challenge (RGC)
> "c" *Server sends HTML with the above form rules*
> 4) RGC is attached to the form and sent to Ahmad's browser *MITM replaces
> the form with a simple form; u/p are not manipulated*
> 5) Ahmad will enter username "u" and Password "p_user" and
> submit *User fills out simple form, submits to MITM*
> 6) Ahmad's browser will calculate h_user=hash(hash(p_user), c) *MITM
> calculates h_user from u / p / c*
> 7) Ahmad's browser sends "u" and "h_user" to the server. *MITM sends u +
> h_user to server*
> 8) The server retrieves password hash "h_db" for user "u" from the database
> 9) Server performs the comparison h_user==hash(h_db, c)
> 10) If this comparison is true, the credentials are true and sent back
> to Ahmad's Browser
> 11) Ahmad is now logged in to the server (Bank Online)
>
> If I missed some point here please correct it. But you can see the
> red text is the process between user, MITM & server. You can do this
> and try whether you can get any U & P from any local Bank Online (Maybank,
> CIMB, BIMB, RHB) and Overseas Banks (HSBC, Citibank, Standard Chartered).
> You can compare which web security is more reliable and whether they
> implement it. The best policy and the process they do will combat any
> MITM getting the U/P from the server. My point is: are they doing enough to
> protect users from this threat. Are we?
>
> P/S : I'm not buyers any Bank here, just to show what the reality is.
>
> Mohd Fazli Azran
>
>
> _______________________________________________
> Owasp-Malaysia mailing list
> Owasp-Malaysia at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
>
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
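The challenge-response login sequence quoted above, as an added Python simulation (not code from either message): the server keeps h_db, the browser computes h_user over a random challenge, and the step 9 comparison is applied to three transcripts. It shows what the challenge does protect against (replaying a captured h_user under a later challenge) and what it does not: a submission produced by whoever served the plain form is indistinguishable to the server from the honest one, which is the point the quoted message makes. The names (USERS, issue_challenge, browser_response, server_verify), the choice of SHA-256 for the scenario's hash(), and the sample credential are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def h(*parts: str) -> str:
    """The scenario's hash(...): SHA-256 over the parts joined by '|' (assumed)."""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


# Constructed server-side record: the bank stores h_db = hash(p_user).
USERS = {"ahmad": h("correct horse battery staple")}


def issue_challenge() -> str:
    # Step 3: the server generates a fresh random challenge c per login attempt.
    return secrets.token_hex(16)


def browser_response(p_user: str, c: str) -> str:
    # Step 6: the browser computes h_user = hash(hash(p_user), c).
    return h(h(p_user), c)


def server_verify(u: str, h_user: str, c: str) -> bool:
    # Steps 8-9: look up h_db and accept only if h_user == hash(h_db, c).
    h_db = USERS.get(u)
    if h_db is None:
        return False
    return hmac.compare_digest(h_user, h(h_db, c))


def honest_login(u: str, p_user: str) -> bool:
    # The browser talks to the bank directly and computes the response itself.
    c = issue_challenge()
    return server_verify(u, browser_response(p_user, c), c)


def replay_is_rejected(u: str, p_user: str) -> bool:
    # What the challenge IS for: a response captured under challenge c1 is
    # useless against a later login that uses challenge c2.
    c1, c2 = issue_challenge(), issue_challenge()
    captured = browser_response(p_user, c1)
    return not server_verify(u, captured, c2)


def relayed_login(u: str, p_user: str) -> bool:
    # Steps 4-7 as the quoted scenario describes them: whoever served the
    # simplified form receives u and p_user unhashed, holds the genuine
    # challenge c, and produces exactly the h_user an honest browser would.
    c = issue_challenge()
    form_submission = {"u": u, "p": p_user}  # simple form, no client hashing
    h_user = browser_response(form_submission["p"], c)
    return server_verify(form_submission["u"], h_user, c)


def server_can_distinguish(u: str, p_user: str) -> bool:
    # The verifier only ever sees (u, h_user, c). Both transcripts pass the
    # step 9 comparison, so nothing on the server side tells them apart.
    return honest_login(u, p_user) != relayed_login(u, p_user)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("honest login accepted:     ", honest_login("ahmad", pw))
    print("replayed h_user rejected:  ", replay_is_rejected("ahmad", pw))
    print("relayed login accepted:    ", relayed_login("ahmad", pw))
    print("server can distinguish:    ", server_can_distinguish("ahmad", pw))
```

The design lesson is the one the thread circles around: because the step 9 check accepts the relayed transcript, the application-level hashing cannot be where the protection lives. The only thing that stops the form being swapped in transit is the channel it arrives over, which is why the validity of the bank's certificate (CA-issued, unexpired, and not blindly accepted by the user) matters more than the hashing scheme.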
