Dear Fazli,

Correct, once in the middle, the attacker can:

1. Do Injection
2. Key Manipulation
3. Downgrade attack
4. Filtering.

Which can lead to:

- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing
- ICMP redirection
- IRDP spoofing
- DHCP Spoofing
- route mangling
- traffic tunneling
- Access Point Reassociation.
- others.

:)

On Sat, Oct 2, 2010 at 1:44 PM, Mohd Fazli Azran <[email protected]> wrote:

> Dear members,
>
> I have some opinion to share. Why we must look at this attack as a threat.
> But please don't do this at home. This is not a good ethic and probably it
> will be misused for personal interest, and if you get caught it is
> your responsibility. This is for education purposes. This is just an example:
>
> Tool : Cain or Ettercap
> Location : Coffee Bean / Starbuck / Old Town
> Attack Method : Sniff and ARP poisoning
>
> Many *Money Oriented Hacker* (MOH) will do this for their own interest.
> What they would prefer to sniff is Bank Online. For fun they will try to get
> any social media that you have.
>
> HTTPS/SSL: many organizations do not look into it and sometimes it is already
> expired or not qualified. Many people will ignore it and just accept the
> cert. Why should we worry? HTTPS/SSL is not good protection against a sniffer if
> it is badly implemented by the organization. Poor implementation of SSL/TLS by many
> organizations, especially in Malaysia, allows many sniffers to be a MITM. You can
> see some certs are self-signed and some certs are maybe just rogue
> certificates. You can check all the Bank Online sites to see if they have a valid cert or
> if it has already expired. You can also look at whether a local bank uses a CA cert or not. CA
> was one of vendor create commercial cert. Do our local banks use this
> cert? If you check, many HTTPS/SSL are broken and can be directly attacked/APT
> by a sniffer.
>
> The problem, I think, is not from HTTPS/SSL but from the application
> that uses them. The web online provided by the bank is sometimes not enough
> to prevent a sniffer from getting the U & P. Sometimes the hashing can be manipulated
> and they can get it easily, and the user does not detect it at all.
>
> We must first understand the process from user to server. Here is the
> example scenario (Ahmad uses an open network and surfs):
>
> 1) Ahmad opens the browser and surfs to the Online Bank web
> 2) Browser will request the login form from the Online Bank server
> 3) Server (Online Bank) will send a randomly generated challenge (RGC) "c" *Server
> sends HTML with above form rules*
> 4) RGC is attached to the form and sent to Ahmad's browser *MITM replaces the
> form with a simple form u/p** are not manipulated*
> 4) Ahmad will enter username "u" and password "p_user" and submit *User
> fills out simple form, submits to MITM*
> 5) Ahmad's browser will calculate h_user=hash(hash(p_user), c) *MITM
> calculates h_user from u / p / c*
> 6) Ahmad's browser sends "u" and "h_user" to the server. *MITM sends u +
> h_user to server*
> 7) The server retrieves the password hash "h_db" for user "u" from the database
> 8) Server performs the comparison h_user==hash(h_db, c)
> 9) If this comparison is true, the credentials are true and this is sent back to
> Ahmad's browser
> 10) Ahmad is now logged in to the server (Bank Online)
>
> If I missed some point here please correct it. But you can see the red
> text is the process between user, MITM & server. You can do this and try if
> you can get any U & P from any local Bank Online (Maybank, CIMB, BIMB, RHB)
> and overseas bank (HSBC, Citibank, Standard Chartered). You can compare which
> web security is more reliable and whether they implement it. The best policy
> and the process they do will combat any MITM getting the U/P from the server. My
> point is: are they doing enough to protect the user from this threat? Are we?
>
> P/S : I`m not buyers any Bank here just to show what the reality are.
>
> Mohd Fazli Azran
>
> _______________________________________________
> Owasp-Malaysia mailing list
> [email protected]
> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>
> OWASP Malaysia Wiki
> http://www.owasp.org/index.php/Malaysia
>
> OWASP Malaysia Wiki Facebook
> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
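The server-side half of the challenge-response login in the quoted steps 3 and 5 to 9, as an added example that is not part of either message. It shows what the check does and does not establish: a captured response cannot be replayed, but the server accepts a response from any party that holds "p_user" and "c". SHA-256, the length-prefixed concatenation, single-use challenges, and the names `BankServer`, `client_response` and `demo` are assumptions; the thread only says "hash".

```python
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    """hash(a, b, ...): SHA-256 over length-prefixed parts (assumed construction)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class BankServer:
    def __init__(self):
        self.h_db = {}        # u -> hash(p_user), as stored in step 7
        self.pending = set()  # challenges issued and not yet consumed

    def register(self, u: str, p_user: str) -> None:
        self.h_db[u] = H(p_user.encode())

    def issue_challenge(self) -> bytes:  # step 3: random challenge "c"
        c = secrets.token_bytes(16)
        self.pending.add(c)
        return c

    def verify(self, u: str, h_user: bytes, c: bytes) -> bool:  # steps 7-9
        if c not in self.pending:        # unknown or already used challenge
            return False
        self.pending.discard(c)          # single use: blocks replay
        h_db = self.h_db.get(u)
        if h_db is None:
            return False
        return hmac.compare_digest(h_user, H(h_db, c))  # constant-time compare


def client_response(p_user: str, c: bytes) -> bytes:  # step 5
    return H(H(p_user.encode()), c)


def demo():
    server = BankServer()
    server.register("ahmad", "constructed-password")  # constructed sample data
    c1 = server.issue_challenge()
    r1 = client_response("constructed-password", c1)
    first = server.verify("ahmad", r1, c1)        # legitimate login
    replay_same = server.verify("ahmad", r1, c1)  # same (u, h_user, c) again
    replay_new = server.verify("ahmad", r1, server.issue_challenge())
    # The check only proves knowledge of p_user: whoever received the
    # plaintext from a replaced form can answer a fresh challenge.
    c3 = server.issue_challenge()
    from_plain = server.verify("ahmad", client_response("constructed-password", c3), c3)
    return first, replay_same, replay_new, from_plain
```

The hashing protects a response on the wire, not the form that collects the password, so it depends on the login page itself arriving over TLS with a certificate the user does not click through.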

