Inside the SSL tunnel the password is being sent as a "clear text string". Using WebScarab like a MITM attack, I can clearly see the user name and password.
If I use Wireshark to sniff the connection, you don't see anything since the tunnel is encrypted. I haven't tried dsniff to see if that would help any.
I was thinking of trying netcat to see what might happen.
Thanks everyone for all the help and information.
Take Care --John
-------------- Original message ----------------------
From: "Jones, David H" <Jones.David.H_at_principal.com>
> If I remember correctly, WebScarab fakes a certificate, and you are able
> to see credentials in clear text. I would try using a regular passive
> packet sniffer and see if the credentials are still being passed in
> clear text.
>
> David Jones
> Principal Financial Group
> I/S Information Security
> 711 High Street
> Des Moines, IA 50392-0257
>
> Email: jones.david.h_at_principal.com
> Phone: 515.362.2224
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
> On Behalf Of jfvanmeter_at_comcast.net
> Sent: Wednesday, May 14, 2008 5:40 AM
> To: pen-test_at_securityfocus.com
> Subject: username and Password sent as clear text strings
>
> Hello everyone, and I know this might not be the most correct place to
> post this question, but I was hoping to get some feedback on what you
> think the potential risk would be and how this could be exploited.
>
> I completed a security review of a web server that creates an SSL
> connection between the client and the server. Using WebScarab, I could
> see that the username and password are sent as clear text strings. The
> log in to the server requires an administrative account.
>
> Do you think there is a large amount of risk in sending the username
> and password as a clear text string, since the pipe is encrypted? I was
> thinking that a man-in-the-middle or some type of session hijacking
> attack could allow the account to be compromised.
>
> I'm working on completing the report for my client and was hoping to
> get some feedback from everyone so I could pose this to them correctly.
>
> Thank you in advance --John
Received on May 15 2008