Security Basics
mailing list archives
RE: Windows Remote Desktop
From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Fri, 13 Feb 2004 09:47:47 -0800
Prasad S. Athawale [mailto:athawale () cse Buffalo EDU]
...Although step 4 is not technically part of the SSL protocol, it
provides the only protection against a form of security attack known
as a Man-in-the-Middle Attack. Clients must perform this step and must
refuse to authenticate the server or establish a connection if the
domain names don't match. If the server's actual domain name matches
the domain name in the server certificate, the client goes on to Step
5."
There are ways around that, as with anything. Using our current situation,
with MyDoom A's open port and file-transfer acceptance we can upload a hosts
file to a target's system, thus bypassing this client-side check. Let's
play out a situation:
We have our mark, who's a frequent E-Trade user and a multimillion-dollar day
trader. We have already determined that Mr. Smith always connects directly
to the E-Trade member site and not through the www main page link. A quick
nmap scan of his system reveals that port 1327 is open (MyDoom A), and we
craft the correct packet using Scrappy (or whatever) and transfer an exe
package for the virus to run, which modifies his hosts file to point E-Trade
to our hax0r server, which is just a proxy that captures all traffic
transmitted from E-Trade and from Mr. Smith. Now, because we are l33t hax0rs,
we already got access to the E-Trade server's SSL cert; don't ask me how,
I have no clue. Social engineering?
Another way: most SOHOs use Linksys/Netgear etc. NAT routers, which use DHCP.
You could set the router to point to your hax0r DNS server and it would push
that to the clients; then you would have control of their forward and reverse
DNS lookups, seeing as the protocol implementation is most likely an rDNS
against the IP to confirm the server's common name (www.watever.com).
I'm not saying ANY of this is easy; what I'm saying is that SSL is TRANSPORT
security with M-T-M protection as kind of an afterthought. The original
argument was that SSL prevented M-T-M attacks, but it doesn't; it only
mitigates the risk down to an acceptable level. None of us should EVER think
that we are completely devoid of risk, because we're not; there is always a
way to defeat a system and no system is completely secure.
Any additions, anyone?
Save me, anyone? The users are at the door, it won't hold much longer!
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
(800) 325-1199 x338
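The name check the quoted passage calls step 4, together with the hosts-file and DHCP/DNS redirections the message describes, modelled as an added Python example (this is not code from the original post; the host names, the RFC 5737 test addresses and the certificates are all constructed for the example). A redirected name does resolve to the attacker's proxy, but the client compares the certificate against the name the user asked for, so the proxy is accepted only when it can present a certificate valid for that name, which is why the scenario in the message also needs the server's own certificate:

```python
"""Simulation of the SSL 'step 4' host-name check and of the two redirection
routes described in the message (a poisoned hosts file, a rogue DNS server
pushed by DHCP). Added example: every name, address and certificate below is
constructed for illustration, not taken from a real system."""


class Certificate:
    """Only the parts of a server certificate that matter for the name check."""

    def __init__(self, common_name, san_dns_names=()):
        self.common_name = common_name
        self.san_dns_names = tuple(san_dns_names)

    def names(self):
        # Clients prefer subjectAltName entries; the CN is the legacy fallback.
        return self.san_dns_names or (self.common_name,)


def hostname_matches(requested, pattern):
    """Case-insensitive DNS name match. A '*' is honoured only as the whole
    leftmost label and never spans a dot: '*.example.com' matches
    'member.example.com' but not 'example.com' or 'a.b.example.com'."""
    requested = requested.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return requested == pattern
    p_labels, r_labels = pattern.split("."), requested.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def resolve(name, hosts_file, dns):
    """Resolve like a typical client: the hosts file wins, then DNS. Both are
    the attacker-controllable inputs in the scenarios the message describes."""
    if name in hosts_file:
        return hosts_file[name]
    return dns.get(name)


def client_connect(url_host, hosts_file, dns, servers):
    """Simulate the client: resolve url_host, take the certificate presented by
    whatever server answers at that IP, and check it against the host name the
    user typed (not the IP). Returns (accepted, resolved_ip, reason)."""
    ip = resolve(url_host, hosts_file, dns)
    if ip is None:
        return False, None, "no address for %s" % url_host
    cert = servers.get(ip)
    if cert is None:
        return False, ip, "no server answering at %s" % ip
    if any(hostname_matches(url_host, n) for n in cert.names()):
        return True, ip, "certificate name matches requested host"
    return False, ip, "certificate name mismatch: %s" % ", ".join(cert.names())


def run_scenarios():
    """Run the honest case and the two redirection routes, each with and
    without a copy of the real server's certificate on the proxy."""
    victim_host = "member.example.com"                    # constructed name
    real_ip, proxy_ip = "203.0.113.10", "198.51.100.5"    # RFC 5737 test ranges
    real_cert = Certificate("member.example.com",
                            ("member.example.com", "www.example.com"))
    proxy_cert = Certificate("proxy.attacker.test")       # attacker's own cert
    honest_dns = {victim_host: real_ip}
    rogue_dns = {victim_host: proxy_ip}                   # pushed via DHCP
    poisoned_hosts = {victim_host: proxy_ip}              # dropped by the worm
    both = {real_ip: real_cert, proxy_ip: proxy_cert}
    stolen = {real_ip: real_cert, proxy_ip: real_cert}

    results = {}
    # 1. Nothing tampered with: the name check passes against the real server.
    results["clean"] = client_connect(victim_host, {}, honest_dns, {real_ip: real_cert})
    # 2. Hosts file sends the name to the proxy, which presents its own cert:
    #    the name check fails and the client must refuse to continue.
    results["hosts_own_cert"] = client_connect(victim_host, poisoned_hosts, honest_dns, both)
    # 3. Same redirect, but the proxy holds the real certificate (and, implicitly,
    #    its private key): the check passes and the man-in-the-middle succeeds.
    results["hosts_stolen_cert"] = client_connect(victim_host, poisoned_hosts, honest_dns, stolen)
    # 4. A rogue DNS server reached via the DHCP-configured router gives the
    #    same two outcomes; only the resolution path differs.
    results["dns_own_cert"] = client_connect(victim_host, {}, rogue_dns, both)
    results["dns_stolen_cert"] = client_connect(victim_host, {}, rogue_dns, stolen)
    return results


if __name__ == "__main__":
    for label, (accepted, ip, reason) in run_scenarios().items():
        print("%-18s -> %s  ip=%s  %s" % (label, "ACCEPT" if accepted else "REFUSE", ip, reason))
```

The two redirection routes end in the same place: redirecting the name alone produces a name mismatch that a conforming client refuses, and the attack in the message only goes through once the proxy can present a certificate (and key) valid for the name the victim requested.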