Fazli, maybe you can present the topic and do some demos related to:

- Injection (e.g. command injection)
- Key manipulation (e.g. SSH v1, IPsec, HTTPS)
- Downgrade attack (SSH v2 -> v1)
- Filtering (inserting malicious code or modifying binary files, HTTPS redirection)

It will be awesome.

On Sat, Oct 2, 2010 at 6:47 PM, Amir Haris <[email protected]> wrote:
> Dear Fazli,
>
> Correct, once in the middle, the attacker can:
>
> 1. Do injection
> 2. Key manipulation
> 3. Downgrade attack
> 4. Filtering
>
> Which can lead to:
> - ARP poisoning
> - DNS spoofing
> - STP mangling
> - Port stealing
> - ICMP redirection
> - IRDP spoofing
> - DHCP spoofing
> - Route mangling
> - Traffic tunneling
> - Access point reassociation
> - Others. :)
>
> On Sat, Oct 2, 2010 at 1:44 PM, Mohd Fazli Azran <[email protected]> wrote:
>
>> Dear members,
>>
>> I have some opinion to share: why we must look at this attack as a threat. But please don't do this at home. This is not good ethics, it will probably be misused for personal interest, and if you get caught it is your responsibility. This is for education purposes. This is just an example:
>>
>> Tool : Cain or Ettercap
>> Location : Coffee Bean / Starbucks / Old Town
>> Attack Method : Sniffing and ARP poisoning
>>
>> Many *Money Oriented Hackers* (MOH) will do this for their own interest. What they would prefer to sniff is online banking. For fun they will try to get any social media that you have.
>>
>> HTTPS/SSL: many organizations do not look into it, and sometimes it is already expired or not qualified. Many people will ignore it and just accept the cert. Why should we worry about HTTPS/SSL? It is not good protection against a sniffer if it is badly implemented by the organization. Poor implementation of SSL/TLS by many organizations, especially in Malaysia, allows many sniffers to be a MITM. If you look, some certs are self-signed and some certs may just be rogue certificates. You can check all the online banks to see whether they have a valid cert or whether it has already expired.
>>
>> You can also look at whether local banks use a CA cert or not. A CA is one of the vendors that create commercial certs. Do our local banks use this cert? If you check, many HTTPS/SSL are broken and can be directly attacked (APT) by a sniffer.
>>
>> The problem with this, I think, is not HTTPS/SSL itself but the application that uses them. The online web provided by the bank is sometimes not enough to prevent a sniffer from getting the U & P. Sometimes the hashing can be manipulated, they can get it easily, and it is not detected by the user at all.
>>
>> We must understand first what the process is from user to server. Here is an example scenario (Ahmad uses an open network and surfs):
>>
>> 1) Ahmad opens the browser and surfs to the online bank web
>> 2) The browser requests the login form from the online bank server
>> 3) The server (online bank) sends a randomly generated challenge (RGC) "c" *Server sends HTML with the above form rules*
>> 4) The RGC is attached to the form and sent to Ahmad's browser *MITM replaces the form with a simple form; u/p are not manipulated*
>> 5) Ahmad enters username "u" and password "p_user" and submits *User fills out the simple form, submits to MITM*
>> 6) Ahmad's browser calculates h_user = hash(hash(p_user), c) *MITM calculates h_user from u / p / c*
>> 7) Ahmad's browser sends "u" and "h_user" to the server *MITM sends u + h_user to the server*
>> 8) The server retrieves the password hash "h_db" for user "u" from the database
>> 9) The server performs the comparison h_user == hash(h_db, c)
>> 10) If this comparison is true, the credentials are valid and the result is sent back to Ahmad's browser
>> 11) Ahmad is now logged in to the server (online bank)
>>
>> If I missed some point here, please correct it. But you can see the red text is the process between user, MITM & server. You can do this and try whether you can get any U & P from any local online bank (Maybank, CIMB, BIMB, RHB) and overseas bank (HSBC, Citibank, Standard Chartered). You can compare whose web security is more reliable and whether they implement it.
>>
>> The best policy and the process they follow will combat any MITM getting the U/P from the server. My point is: are they doing enough to protect users from this threat? Are we?
>>
>> P/S : I'm not buyers of any bank here, just to show what the reality is.
>>
>> Mohd Fazli Azran
>>
>> _______________________________________________
>> Owasp-Malaysia mailing list
>> [email protected]
>> https://lists.owasp.org/mailman/listinfo/owasp-malaysia
>>
>> OWASP Malaysia Wiki
>> http://www.owasp.org/index.php/Malaysia
>>
>> OWASP Malaysia Wiki Facebook
>> http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
>>
>
_______________________________________________
Owasp-Malaysia mailing list
[email protected]
https://lists.owasp.org/mailman/listinfo/owasp-malaysia

OWASP Malaysia Wiki
http://www.owasp.org/index.php/Malaysia

OWASP Malaysia Wiki Facebook
http://www.facebook.com/pages/OWASP-Malaysia-Local-Chapter/295989208420
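The challenge-response login that Fazli's quoted scenario walks through (steps 3 to 9), as an added Python model that is not code from this thread or from any bank: the server stores only h_db = hash(p), issues a fresh challenge c per attempt and accepts h_user == hash(h_db, c). The model shows what the challenge does and does not buy: a captured h_user cannot be replayed against a new challenge, but anyone who holds the cleartext password computes the same h_user as the honest browser, which is why the hashing is no substitute for a properly validated TLS connection. SHA-256, the concatenation order and all function names are my assumptions.

```python
import hashlib
import hmac
import secrets


def pw_hash(password: str) -> str:
    """h_db: what the bank stores for the user (step 8 of the scenario); assumed SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def response(h_pw: str, challenge: str) -> str:
    """hash(h, c) as used by the browser in step 6 and by the server in step 9."""
    return hashlib.sha256((h_pw + challenge).encode()).hexdigest()


class BankServer:
    """Constructed toy server: one pending challenge per user, never the cleartext password."""

    def __init__(self, users: dict[str, str]):
        self.db = {u: pw_hash(p) for u, p in users.items()}
        self.pending: dict[str, str] = {}

    def login_form(self, user: str) -> str:
        # Step 3: a fresh random challenge per login attempt (never reused).
        c = secrets.token_hex(16)
        self.pending[user] = c
        return c

    def login(self, user: str, h_user: str) -> bool:
        # Steps 8-9: the challenge is consumed, so a second use of the same h_user fails.
        c = self.pending.pop(user, None)
        if c is None or user not in self.db:
            return False
        return hmac.compare_digest(h_user, response(self.db[user], c))


def browser_login(server: BankServer, user: str, password: str) -> tuple[bool, str]:
    """Honest client (steps 2, 6, 7): hashes locally and sends only u and h_user.
    Anyone else who knows the cleartext password runs exactly this code, which is
    the point: the hashing only hides p from a passive sniffer, not from an interposer."""
    c = server.login_form(user)
    h_user = response(pw_hash(password), c)
    return server.login(user, h_user), h_user


def replay_captured_response(server: BankServer, user: str, captured_h_user: str) -> bool:
    """A passive sniffer re-sends an h_user seen earlier; the new challenge makes it fail."""
    server.login_form(user)
    return server.login(user, captured_h_user)


if __name__ == "__main__":
    bank = BankServer({"ahmad": "correct horse battery staple"})  # constructed sample user
    ok, h = browser_login(bank, "ahmad", "correct horse battery staple")
    print("honest login:", ok, "| replay of captured h_user:",
          replay_captured_response(bank, "ahmad", h))
```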

