Full Disclosure mailing list archives
Re: HTTP AUTH BASIC monowall.
From: Simon Smith <simon () snosoft com>
Date: Wed, 15 Mar 2006 13:46:53 -0500
At last! Someone that understands! I realize that the network would be pretty much in a hole at this stage of the game, no contest there. I'm just thinking about how to better protect critical devices from this type of internal attack (assuming the admin doesn't notice the cert changes and all that good stuff). So far, I've received a lot of flak for asking this question but nothing useful (short of what you just wrote). I understand the benefits of SSL, but I also understand (as most people here don't seem to) that wrapping something insecure in something secure doesn't make it secure, it just makes it more difficult to get at. I want to protect the authentication information better than it is currently being protected. I like the idea of encrypting the authentication traffic within the SSL session...

bkfsec wrote:
> Simon Smith wrote:
>> Ok, As suspected... so I am correct; and it is a security threat. I can compromise a network, arp poison it, MiTM, access the firewall, distributed metastasis, presto... owned...
>
> Yes and no... as others have pointed out, you already have much larger problems at that point, such as the fact that your network has been totally and completely compromised from the inside in order to do the MitM in the first place... I can see some reasons why one would want to do that, but really, if you can execute a good MitM attack, there really isn't anything you can't do... once you've broken the encryption you can intercept all kinds of auth traffic and replay it.
>
> OK - at that point, maybe you can tunnel under the SSL using another form of encryption as a wrapper for the authentication infrastructure... aside from that, there really isn't much to do... certs, shared keys, etc... these can all be grabbed from the air if the SSL traffic is MitM'ed.
>
> Essentially, we're talking very significant owning of a network in order to simply get the firewall password. At that point, I'd think there'd be even worse things that can be done.
>
> -bkfsec
-- 
Regards,
Adriel T. Desautels
Harvard Security Group
http://www.harvardsecuritygroup.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
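The exchange above turns on two claims: that HTTP Basic auth inside a MitM'ed SSL session hands the attacker the firewall password outright, and that once the encryption is stripped, auth traffic can be captured and replayed. The following is an added example, not part of the thread or of m0n0wall's own code. It decodes a constructed Basic request as a MitM proxy would see it after TLS is removed, then contrasts it with HTTP Digest (RFC 2617, qop=auth), a standard challenge-response scheme the thread itself does not name, to show what a passive capture yields in each case and how a server can refuse a straight replay. The request headers, the `192.168.1.1` host, the `m0n0wall webGUI` realm and the `admin:monowall-secret` credentials are all invented for the example.

```python
"""Added example, not part of the mailing-list thread or of m0n0wall's code.

Shows what an attacker who has MitM'ed the TLS session to a firewall's web GUI
obtains from HTTP Basic authentication, and contrasts it with HTTP Digest
(RFC 2617, qop=auth), a challenge-response scheme the thread does not name.
All headers, the realm and the credentials below are constructed."""

import base64
import hashlib
import hmac
import re
import secrets

# Constructed sample: the request as it appears once the MitM proxy has
# stripped the TLS wrapper.  Host and credentials are hypothetical.
CAPTURED_BASIC_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Authorization: Basic YWRtaW46bW9ub3dhbGwtc2VjcmV0\r\n"
    "\r\n"
)


def recover_basic_credentials(raw_request: str):
    """Basic auth is base64, not encryption: the password falls out directly."""
    m = re.search(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$",
                  raw_request, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode("utf-8").partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side of RFC 2617 Digest with qop=auth (MD5, as the RFC specifies)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestServer:
    """Minimal verifier: stores HA1 instead of passwords, issues fresh nonces,
    and remembers (nonce, nc) pairs so a captured response cannot be replayed."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()
        self.used = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response) -> bool:
        if user not in self.ha1 or nonce not in self.live_nonces:
            return False
        if (nonce, nc) in self.used:
            return False  # same nonce/nc already accepted: a replayed capture
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        self.used.add((nonce, nc))
        return True


def rfc2617_vector_ok() -> bool:
    """Check the Digest code against the worked example in RFC 2617 section 3.5."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                           "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b") == "6629fae49393a05397450978507c4ef1"


def demo() -> dict:
    """Run both scenarios against the same constructed credentials."""
    user, password = recover_basic_credentials(CAPTURED_BASIC_REQUEST)

    realm = "m0n0wall webGUI"  # hypothetical realm string
    server = DigestServer(realm, {user: password})
    nonce = server.challenge()
    cnonce = secrets.token_hex(4)
    resp = digest_response(user, realm, password, "GET", "/index.php", nonce, "00000001", cnonce)
    # A MitM sees exactly these fields; the response is a hash, not the password.
    first = server.verify(user, "GET", "/index.php", nonce, "00000001", cnonce, resp)
    replay = server.verify(user, "GET", "/index.php", nonce, "00000001", cnonce, resp)
    return {
        "basic_password_recovered": password,
        "password_visible_in_digest": password in resp,
        "digest_first_use_accepted": first,
        "digest_replay_accepted": replay,
    }


if __name__ == "__main__":
    print(demo())
```

The contrast is deliberately narrow. Digest keeps the password itself off the wire and lets the server reject a second use of a captured response, but an active MitM who drops the original request can still forward the capture once, and the MD5 response is open to offline guessing against the captured nonce values. It changes what the attacker gets from the session, not the fact that, as bkfsec says, the network is already owned by the time the session can be read.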
Current thread:
- Re: HTTP AUTH BASIC monowall., (continued)
- Re: HTTP AUTH BASIC monowall. Mark Coleman (Mar 16)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Michael Holstein (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Nick FitzGerald (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. bkfsec (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 15)
- Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 15)
- Re: HTTP AUTH BASIC monowall. Dave Korn (Mar 15)
- Re: Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 15)
- Re: Re: HTTP AUTH BASIC monowall. greybrimstone (Mar 15)
- Re: Re: HTTP AUTH BASIC monowall. Dave Korn (Mar 16)
- Re: Re: Re: HTTP AUTH BASIC monowall. Simon Smith (Mar 16)
- Re: HTTP AUTH BASIC monowall. Steffen Kluge (Mar 13)
- Re: HTTP AUTH BASIC monowall. Tim (Mar 13)