[Owasp-Malaysia] MITM Attack : Why should we look at it?

Eng Hui Tan enghui at comstor.my
Sun Oct 3 23:39:37 EDT 2010


Please help to change the email to jehtan44 at hotmail instead of my  
company email. Thanks.


On Oct 2, 2010, at 1:44 PM, Mohd Fazli Azran wrote:

> Dear members,
> I have some opinion to share. Why we must look at this attack as a  
> threat. But please dont doing this at home. This is not a good ethic  
> and probably it will miss use for personal interest and if you get  
> caught it your responsibility. This is for education purpose. This  
> is just example:
> Tool : Cain or Ettercap
> Location : Coffee Bean / Starbuck / Old Town
> Attack Method : Sniff and ARP poisoning
> Many Money Oriented Hacker (MOH) will do this for their own  
> interest. What would they prefer to sniff is Bank Online.For fun  
> they will try to get any Social media that you have.
> HTTPS/ SSL many Organization not look into it and sometime it  
> already expired or not qualified. Many people will ignore it and  
> just accept the cert. Why we should worried HTTPS/SSL it not good  
> protection for sniffer if the bad implement by organization. Poor  
> implementation for SSL/TLS by many Organization especially in  
> Malaysia allow many sniffer to be a MITM. If you see some cert are  
> create by self signed and some cert maybe just rouge certificate.  
> You can check all the Bank online if they have valid cert or they  
> already expired. You also can look if Local bank use CA cert or not.  
> CA was one of vendor  create commercial cert. Are our local bank use  
> this cert?. If you check many HTTPS/SSL are broken and can be direct  
> attack/APT by sniffer.
> The problem of this i think it not from HTTPS/SSL but it from  
> Application that use from them. The web online  provided by Bank  
> sometime  it not enough to prevent sniffer get the U & P. Some time  
> the hashing can be manipulated and they can get easily and user are  
> not detected at all.
> We must understand 1st what the process from user to server. Here  
> the example scenario (Ahmad use Open Network and surf):
> 1) Ahmad open Browser and surf Online Bank Web
> 2) Browser will request login form from the server Online Bank
> 3) Server (Online Bank) will sent random generate challenge  
> (RGC )"c" Server sends HTML with above form rules
> 4)  RGC attach to the form and sent to Ahmad browser MITM replaces  
> the form with a simple form u/p are not manipulated
> 4) Ahmad will enter username "u" and Password "p_user" and submit  
> User fills out simple form, submits to MITM
> 5) Ahmad browser will calculate h_user=hash((hash(p_user), c) MITM  
> calculates h_user from u / p / c
> 6) Ahmad browser sent "u" and "h_user" to the server. MITM sends u +  
> h_user to server
> 7) The server retrieve password hash "h_db" for user "u" from database
> 8) Server perform comparison which h_user==hash(h_db, c)
> 9) If this comparison it true, the credential are true and sent back  
> to Ahmad Browser
> 10) Ahmad now login to server (Bank Online)
> If i miss out some point here please correct it. But you can see the  
> red text are the process between user, MITM & server. You can do  
> this and try if you can get any U & P from any local Bank Online  
> (Maybank, CIMB, BIMB, RHB) and Oversea Bank (HSBC, Citibank,  
> Standard Chartered) You can compare which web security are more  
> reliable and are they implement it. The best policy and the process  
> they do will combat any MITM to get the U/P from server. My point is  
> are they doing enough to protect user from this threat. Are we?
> P/S : I`m not buyers any Bank here just to show what the reality are.
> Mohd Fazli Azran
> _______________________________________________
> Owasp-Malaysia mailing list
> Owasp-Malaysia at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/ 
> 295989208420

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-malaysia/attachments/20101004/4c73faa2/attachment-0001.html 

More information about the Owasp-Malaysia mailing list