Page 1 of 3, results 1 to 10 of 21

Thread: Some websites are invulnerable to ARP MITM

  1. #1
Member imported_anubis2k7
    Join Date
    Jun 2006
    Posts
    115

Some websites are invulnerable to ARP MITM

    Hi,

    I have been doing research/testing of ARP man in the middle attacks using ettercap as illustrated in this posting:

    [forums.remote-exploit.org/showthread.php?t=99]

    as well as Cain and Abel (C&A). I have observed that there are many “secure” websites such as gmail, yahoo mail, myspace, etc. whose passwords can be sniffed using either ettercap or C&A.

    However, I have also noticed that there are quite a few for which this attack will not work. For example, this attack will not work against these three banking sites:

    [wellsfargo.com]

    [chaseonline.chase.com/online/home/sso_co_home.jsp]

    [bankofamerica.com/index.jsp]

    I am using IE6, so when I navigate to these webpages, I get the invalid certificate warning as usual, but when I enter my username/password, nothing shows up in either ettercap or C&A.

    How are these websites secured? I assume that it has something to do with either the type of certificates used or something to do with the SSL handshake, but not much beyond that.

    Thanks.

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


    Quote Originally Posted by anubis2k7 View Post
    Hi,

    I have been doing research/testing of ARP man in the middle attacks using ettercap as illustrated in this posting:

    [forums.remote-exploit.org/showthread.php?t=99]

    as well as Cain and Abel (C&A). I have observed that there are many “secure” websites such as gmail, yahoo mail, myspace, etc. whose passwords can be sniffed using either ettercap or C&A.

    However, I have also noticed that there are quite a few for which this attack will not work. For example, this attack will not work against these three banking sites:

    [wellsfargo.com]

    [chaseonline.chase.com/online/home/sso_co_home.jsp]

    [bankofamerica.com/index.jsp]

    I am using IE6, so when I navigate to these webpages, I get the invalid certificate warning as usual, but when I enter my username/password, nothing shows up in either ettercap or C&A.

    How are these websites secured? I assume that it has something to do with either the type of certificates used or something to do with the SSL handshake, but not much beyond that.

    Thanks.
I'm not trying to be a nervous ninny, but I would be really careful in this area. Most sites use a secure SSL connection, I believe, but banks, I have no idea what they use. Unless I have permission to test one, I'm gonna stay away from any talk in this area. I just want to emphasize to all our junior members that sites like this are MOST definitely logged and watched by all the major cyber crime organizations.

  3. #3
Junior Member delusr
    Join Date
    Jul 2007
    Posts
    31

Purehate

    You forgot to mention that what he's doing is a crime and he is a criminal.

He said "However, I have also noticed", which means that he has tried these attacks, and if he is "research/testing" then he is not doing this as an employee but experimenting.

    2 full witted people and a half witted person equals 1 full witted person

  4. #4
Member imported_anubis2k7
    Join Date
    Jun 2006
    Posts
    115


You are free to think whatever you want, but the reason I asked this was to understand countermeasures to ARP MITM attacks. I actually oversaw the implementation of port security on our switches after I discovered this vulnerability on our network, but I also understand some switches are older and port sec implementation would be a pain.

Also, you have to consider the fact that when you publish a website (like gmail), you have to assume that people will view your website on ARP poisonable switched networks. Therefore, from a website implementation standpoint, you will want, at the very least, to understand how to make your site ARP MITM proof.

  5. #5
    Developer
    Join Date
    Mar 2007
    Posts
    6,126


I didn't call you a criminal, by the way, because what I understood from your post was this: you were sniffing with ettercap and logged onto your bank with your proper credentials and just wanted to test the output of ettercap. I wasn't sure of the legality of this, so I issued a simple word of caution. Hopefully someone of greater legal knowledge can shed some light on it. Me, I want nothing to do with sniffer and bank in the same sentence. I apologize if I seemed rude.

  6. #6
Member imported_anubis2k7
    Join Date
    Jun 2006
    Posts
    115


    I thank you for your honesty and maturity purehate. Perhaps I should have explained myself a little bit better.

As is well known, a web app can't tell it's being improperly redirected via ARP poisoning, since ARP is a layer 2 protocol. In this case, I really don't care where packets to/from my app are coming from or going to. What I do care about is certificate injection, which is the means by which usernames/passwords are being sniffed.

Just for the record, I actually don't have online accounts with these companies. I consider online banking a security nightmare. The way I am testing these sites is that when an ARP MITM/SSL injection attack is performed, regardless of whether the login is valid or not, the password will be sniffed. So I am simply going to these websites, typing in dummy usernames and passwords, and seeing if they come up.

    I simply used banking sites as an example, since they are the only ones I have found that are resistant to faulty SSL certificate injection.

    For others to assume and ascribe motives to me asking this question shows their own foolishness. If I were to ask a question such as “hey, my friend told me it’s possible to hack into gmail, how can it be done?” then yes, you could call me a hacker/idiot.

What I AM asking for is a method to defend against this attack; obviously port security is the answer. However, as I stated in my previous post, as a web dev, you must assume that your website will traverse switched networks that are vulnerable to an ARP/SSL injection attack. In other words, port security will only take you so far. Consider open wireless hotspots... a security nightmare. Therefore, the only real method to stop this attack is to make your website SSL injection proof, as these banking sites have done.

So let me rephrase my question: how are these websites preventing faulty SSL certificate injection, and is it feasible for a small to medium business to implement such standards?
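The post above makes the point that a web application sees nothing of an ARP poisoning attack, so detection has to happen on the network segment itself. The following is an added example (not code from anyone in this thread) of what such a monitor does: it watches the IP/MAC pairs carried in ARP replies and raises an alert when a pinned address such as the gateway is claimed by a different MAC, when any address flips to a new MAC, or when one MAC claims several addresses at once. All addresses and the reply sequence are constructed for illustration.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added example. The records below are constructed; they mimic the
"<ip> is-at <mac>" pairs a sniffer on the segment would observe.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address given in the reply


# Known-good bindings for hosts that must never move (gateway, servers).
# Constructed values, not taken from any real network.
STATIC_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}

# Constructed capture: a poisoner (00:de:ad:be:ef:99) starts claiming the
# gateway address at t=10 and then also claims a workstation at t=13.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(1.0, "192.168.1.20", "00:11:22:33:44:20"),
    ArpReply(10.0, "192.168.1.1", "00:de:ad:be:ef:99"),
    ArpReply(12.0, "192.168.1.1", "00:de:ad:be:ef:99"),
    ArpReply(13.0, "192.168.1.20", "00:de:ad:be:ef:99"),
]


def analyze(replies, static_bindings):
    """Return a list of alert strings for the given ARP replies.

    Three checks: (1) a pinned address answered by an unexpected MAC,
    (2) any address whose MAC differs from the first one seen, and
    (3) one MAC claiming several addresses, which is what a host
    poisoning both ends of a conversation looks like.
    """
    first_seen = {}                 # ip -> first MAC observed for it
    macs_per_ip = defaultdict(set)  # ip -> every MAC that claimed it
    alerts = []

    for r in replies:
        mac = r.sender_mac.lower()
        expected = static_bindings.get(r.sender_ip)
        if expected and mac != expected.lower():
            alerts.append(
                f"t={r.ts:.0f}s static binding violated: {r.sender_ip} "
                f"claimed by {mac}, expected {expected.lower()}"
            )
        prev = first_seen.setdefault(r.sender_ip, mac)
        # Pinned addresses are already covered by the check above.
        # Legitimate DHCP reassignments also trigger this, so it is a
        # review item rather than proof of an attack on its own.
        if prev != mac and not expected:
            alerts.append(
                f"t={r.ts:.0f}s flip: {r.sender_ip} moved from {prev} to {mac}"
            )
        macs_per_ip[r.sender_ip].add(mac)

    ips_per_mac = defaultdict(set)
    for ip, macs in macs_per_ip.items():
        for m in macs:
            ips_per_mac[m].add(ip)
    for m, ips in sorted(ips_per_mac.items()):
        # A router with several addresses is a benign cause; whitelist it.
        if len(ips) > 1:
            alerts.append(f"{m} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in analyze(SAMPLE_REPLIES, STATIC_BINDINGS):
        print(line)
```

Run on the constructed capture it produces four alerts: two for the gateway binding, one flip for the workstation, and one for the single MAC that ends up owning both addresses. In practice the same logic runs over live traffic (arpwatch does exactly this), and the static bindings table is what switch port security enforces at the port instead of merely reporting.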

  7. #7
Junior Member delusr
    Join Date
    Jul 2007
    Posts
    31


I called him a criminal and that is what he is. He says it himself:
    Code:
    So I am simply going to these websites, typing in dummy usernames and passwords, and seeing if they come up.
This is a crime in the USA and within Australia, my home country, and if I was the owner of this site I would not want a URL to a bank on the same page as someone talking about hacking it. And yes, even though you are only typing in dummy usernames and passwords, this is called a bruteforce attack.

You should read the policies and the terms and conditions notices on these sites and you would know this.

    2 full witted people and a half witted person equals 1 full witted person

  8. #8
thorin (My life is this forum)
    Join Date
    Jan 2010
    Posts
    2,629


    You've left out 2 minor details.

1) Were you testing gmail, yahoo etc. via HTTPS (SSL), or just their regular login pages?
2) Did you receive the cert warning when working with those sites? (You said you did for the banks, but did you for the few you found vulnerable?)

  9. #9
Member imported_anubis2k7
    Join Date
    Jun 2006
    Posts
    115


    When I was testing hotmail, gmail, I was indeed using their SSL (https) site. Ettercap was able to sniff the passwords from these sites in spite of the use of SSL.

When I tried the same thing against the sites listed above, I would see an invalid certificate warning as with the other sites; however, I could not detect/see any usernames or passwords.

    I carefully examined the certificate for wellsfargo (which is invulnerable) and compared it to another website that is vulnerable (website A). Both have identical certificates; they are both using SSLv3, RSA1024 encryption, a signature algorithm of SHA1RSA etc.

    Since both certificates are virtually identical, does the vulnerability have something to do with algorithm negotiation?
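The comparison in the post above looks at protocol version, key size and signature algorithm, but those are not the fields a client decides trust on, and they are exactly the fields an interposed certificate can copy from the real one. What the browser's "invalid certificate" warning reports is the trust chain, the validity period and the name match. The following added example (not code from this thread or from any browser) runs that decision over two constructed certificate records that are identical in key size and signature algorithm and differ only in who signed them; the issuer names, hostnames and dates are made up.

```python
"""Why matching key size and signature algorithm says nothing about a MITM.

Added example. The certificates are constructed dicts standing in for the
fields a client actually decides on: issuer, names and validity. Key size
and signature algorithm are the same on both records and the check never
consults them.
"""
from datetime import datetime, timezone

# Constructed trust store: issuers the client is willing to accept.
TRUSTED_ISSUERS = {"Example Public CA"}


def hostname_matches(pattern, host):
    """RFC 6125-style DNS name matching.

    Case-insensitive; a wildcard is allowed only as the entire left-most
    label, matches exactly one label, and must leave at least two fixed
    labels (so "*.test" never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def evaluate_cert(cert, host, now, trusted_issuers=TRUSTED_ISSUERS):
    """Return the reasons this certificate must be rejected for `host`.

    An empty list means the certificate is acceptable. Each reason
    corresponds to one thing a browser warning dialog would show.
    """
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append(f"issuer not trusted: {cert['issuer']!r}")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity period")
    # Subject Alternative Names take precedence; CN is only a fallback.
    names = cert.get("san_dns") or [cert["subject_cn"]]
    if not any(hostname_matches(n, host) for n in names):
        problems.append(f"no certificate name matches {host!r}: {names}")
    return problems


NOW = datetime(2007, 8, 1, tzinfo=timezone.utc)  # constructed "today"

# Constructed legitimate certificate for a fictitious site.
LEGIT = {
    "subject_cn": "www.example-bank.test",
    "san_dns": ["www.example-bank.test", "online.example-bank.test"],
    "issuer": "Example Public CA",
    "not_before": datetime(2007, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2008, 1, 1, tzinfo=timezone.utc),
    "key_bits": 1024,                       # same as the real one
    "sig_alg": "sha1WithRSAEncryption",     # same as the real one
}

# Constructed interposed certificate: every field copied, except that it
# is signed by an issuer no trust store contains.
FORGED = dict(LEGIT, issuer="Untrusted Interposing CA (constructed)")


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT), ("forged", FORGED)):
        print(label, evaluate_cert(cert, "www.example-bank.test", NOW) or "OK")
```

The forged record fails on exactly one line, the issuer check, while the fields compared in the post are equal on both. That single line is what the IE6 warning in this thread stands for, and clicking through it is what turns a negotiated SSL session into one the interposer can read; the site's choice of key size or signature algorithm does not enter into it.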

  10. #10
Senior Member shamanvirtuel
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988


Test it under BED (BruteForce Exploit Detector); the 0.5 version is available now.

Just choose the POP or SMTP proto.
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006
