[Owasp-Malaysia] MITM Attack : Why should we look at it?
Eng Hui Tan
enghui at comstor.my
Sun Oct 3 23:39:37 EDT 2010
Please help to change the email to jehtan44 at hotmail instead of my
company email. Thanks.
On Oct 2, 2010, at 1:44 PM, Mohd Fazli Azran wrote:
> Dear members,
> I have some opinion to share: why we must look at this attack as a
> threat. But please don't do this at home. This is not good ethics,
> and it will probably be misused for personal interest, and if you get
> caught it is your responsibility. This is for education purposes. This
> is just an example:
> Tool : Cain or Ettercap
> Location : Coffee Bean / Starbucks / Old Town
> Attack Method : Sniff and ARP poisoning
> Many Money Oriented Hackers (MOH) will do this for their own
> interest. What they would prefer to sniff is online banking. For fun
> they will try to get any social media that you have.
> HTTPS/SSL: many organizations do not look into it, and sometimes it is
> already expired or not qualified. Many people will ignore it and
> just accept the cert. Why should we worry about HTTPS/SSL? It is not good
> protection against a sniffer if it is badly implemented by the organization. Poor
> implementation of SSL/TLS by many organizations, especially in
> Malaysia, allows many sniffers to be a MITM. If you look, some certs are
> self-signed and some certs may just be rogue certificates.
> You can check all the online banks to see if they have a valid cert or if it has
> already expired. You can also look at whether local banks use a CA cert or not.
> A CA is one of the vendors that create commercial certs. Do our local banks use
> such certs? If you check, many HTTPS/SSL are broken and can be directly
> attacked/APT by a sniffer.
> The problem with this, I think, is not from HTTPS/SSL but from the
> application that uses them. The web online provided by banks is
> sometimes not enough to prevent a sniffer getting the U & P. Sometimes
> the hashing can be manipulated and they can get it easily and the user does
> not detect it at all.
> We must understand first what the process is from user to server. Here is
> an example scenario (Ahmad uses an open network and surfs). The parts in
> brackets were the red text in the original:
> 1) Ahmad opens the browser and surfs to the online bank website
> 2) The browser will request the login form from the online bank server
> 3) The server (online bank) will send a randomly generated challenge
> (RGC) "c" [Server sends HTML with the above form rules]
> 4) The RGC is attached to the form and sent to Ahmad's browser [MITM replaces
> the form with a simple form; u/p are not manipulated]
> 5) Ahmad will enter username "u" and password "p_user" and submit
> [User fills out the simple form, submits to MITM]
> 6) Ahmad's browser will calculate h_user=hash(hash(p_user), c) [MITM
> calculates h_user from u / p / c]
> 7) Ahmad's browser sends "u" and "h_user" to the server [MITM sends u +
> h_user to server]
> 8) The server retrieves the password hash "h_db" for user "u" from the database
> 9) The server performs the comparison h_user==hash(h_db, c)
> 10) If this comparison is true, the credentials are true and this is sent back
> to Ahmad's browser
> 11) Ahmad is now logged in to the server (online bank)
> If I missed out some point here, please correct it. But you can see the
> text in brackets (red in the original) is the process between user, MITM & server. You can do
> this and try if you can get any U & P from any local online bank
> (Maybank, CIMB, BIMB, RHB) and overseas banks (HSBC, Citibank,
> Standard Chartered). You can compare which web security is more
> reliable and whether they implement it. The best policy and the process
> they follow will combat any MITM getting the U/P from the server. My point is:
> are they doing enough to protect users from this threat? Are we?
> P/S : I'm not buying any bank here, just to show what the reality is.
> Mohd Fazli Azran
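The challenge-response login that the quoted post walks through in steps 3 to 10 is easy to misread as protection against an on-path attacker, so here is a working model of the honest exchange. This is an added illustration written for this archive page, not code from the post or from any bank: the class and function names, SHA-256 as the hash, and a per-session single-use challenge store are all assumptions. It shows what the scheme does give you (the plaintext password never crosses the wire, and a captured h_user cannot be replayed against a fresh challenge) and, by construction, what it does not: the server accepts any correctly computed h_user, so nothing in its check distinguishes Ahmad's browser from the proxy in step 4 that received p_user from a stripped form. That is why the post's underlying point stands: the real defense is a valid, CA-issued TLS certificate that users do not click through.

```python
import hashlib
import hmac
import secrets

# Constructed model of the post's login flow:
#   client sends  u, h_user = hash(hash(p_user), c)
#   server checks h_user == hash(h_db, c)  where h_db = hash(p_user)
# Names, SHA-256 and the session-keyed challenge store are assumptions.


def H(*parts: bytes) -> bytes:
    """hash(a, b, ...) as SHA-256 over the concatenated inputs."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return h.digest()


class BankServer:
    def __init__(self) -> None:
        self.users: dict[str, bytes] = {}       # u -> h_db = H(p_user)
        self.challenges: dict[str, bytes] = {}  # session -> outstanding c

    def register(self, u: str, p_user: str) -> None:
        # The database stores only h_db, never p_user (step 8 of the post).
        self.users[u] = H(p_user.encode())

    def login_form(self, session: str) -> bytes:
        # Step 3: random generated challenge "c", bound to the session and
        # valid for exactly one submission.
        c = secrets.token_bytes(16)
        self.challenges[session] = c
        return c

    def verify(self, session: str, u: str, h_user: bytes) -> bool:
        # Step 9: consume the challenge first so a replayed h_user fails
        # even if the attacker got it from a passive sniff.
        c = self.challenges.pop(session, None)
        h_db = self.users.get(u)
        if c is None or h_db is None:
            return False
        expected = H(h_db, c)
        # Constant-time comparison avoids leaking a match prefix via timing.
        return hmac.compare_digest(expected, h_user)


def browser_compute(p_user: str, c: bytes) -> bytes:
    # Step 6: the browser sends H(H(p_user), c), never p_user itself.
    return H(H(p_user.encode()), c)


def honest_login(server: BankServer, session: str, u: str, p_user: str) -> bool:
    c = server.login_form(session)
    return server.verify(session, u, browser_compute(p_user, c))


def demo() -> dict:
    """Run the honest flow, a wrong password, and a replay of a valid h_user."""
    server = BankServer()
    server.register("ahmad", "correct horse battery")      # constructed user
    ok = honest_login(server, "s1", "ahmad", "correct horse battery")
    wrong = honest_login(server, "s2", "ahmad", "not the password")
    c = server.login_form("s3")
    h_user = browser_compute("correct horse battery", c)
    first = server.verify("s3", "ahmad", h_user)
    replay = server.verify("s3", "ahmad", h_user)   # challenge already consumed
    return {"ok": ok, "wrong": wrong, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `ok` and `first` as True and `wrong` and `replay` as False. The replay result is the only thing the challenge buys; an active MITM that serves its own form never needs to replay, because it computes a fresh h_user itself.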