Penetration Testing: RE: username and Password sent as clear text strings

RE: username and Password sent as clear text strings

From: <jfvanmeter_at_comcast.net>
Date: Fri, 16 May 2008 14:52:00 +0000

Hello uglyhunk, I agree that the SSL tunnel is encrypted, and that makes it harder for someone to eavesdrop on the session...

I used the proxy software to simulate a Man in the Middle attack.

For this reason I think that the password should be hashed/encrypted.

I found the following links interesting

http://isc.sans.org/diary.html?storyid=4420
http://www.sans.org/reading_room/whitepapers/threats/480.php
http://forums.remote-exploit.org/showthread.php?t=9011

There are a lot of tools for SSL MITM attacks; dsniff is only one.

Just my two shiny centavos --John

 -------------- Original message ----------------------
From: "uglyhunK" <uglyhunK_at_hippiecluB.org>
>
> Hey John,
>
> Firstly, SSL encrypts the entire traffic not just username/password.
>
> Coming to you being able to see username/password, that is because you are
> using proxy software.
> If you really want to confirm the actual traffic that goes through the wire,
> sniff it using
> wireshark or tcpdump which should show you some junk if the traffic is ssl.
>
> So, there is nothing to worry about.
>
> -uglyhunK
>
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com
> [mailto:listbounce_at_securityfocus.com]On Behalf Of jfvanmeter_at_comcast.net
> Sent: Thursday, May 15, 2008 1:41 PM
> To: Todd Haverkos
> Cc: pen-test_at_securityfocus.com
> Subject: Re: username and Password sent as clear text strings
>
>
> Good Morning Everyone and thank you all for your input.
>
> I don't believe a certificate was ever presented to the browser, I'll
> double check that when I get on the client site this morning.
>
> I guess part of the problem I'm having with this, is the web app is owned by
> a very large company, and I just thought they would take the extra measure
> of hashing or encrypting the password.
>
> Take Care and Have Fun --John
>
> -------------- Original message ----------------------
> From: Todd Haverkos <fsbo_at_haverkos.com>
> > jfvanmeter_at_comcast.net writes:
> >
> > > Hello everyone, and I know this might not be the most correct place to post
> > > this question, but I was hoping to get some feedback on what you think the
> > > potential risk would be and how this could be exploited.
> > >
> > > I completed a security review of a web server that creates an SSL connection
> > > between the client and the server. Using WebScarab, I could see that the
> > > username and password are sent as clear text strings. The log in to the server
> > > requires an administrative account.
> > >
> > > Do you think there is a large amount of risk in sending the username and
> > > password as a clear text string, since the pipe is encrypted? I was thinking
> > > that a man-in-the-middle or some type of session hijacking attack could allow
> > > the account to be compromised.
> > >
> > > I'm working on completing the report for my client and was hoping to get some
> > > feedback from everyone so I could pose this to them correctly.
> > >
> > > Thank you in advance --John
> >
> > Hi John,
> >
> > Webscarab, like all intercepting web proxy programs I've used on
> > https:// sites generally work by performing an intentional "man in the
> > middle" between your web browser and the server in order to be able to
> > show you what's being submitted to the server. Unless your browser is
> > broken or badly configured, you should have gotten a certificate
> > mismatch warning when first connecting to the site, and examination of
> > the certificate that was presented to the browser will have Webscarab
> > written all over.
> >
> > With that in mind are you _sure_ things are being passed in clear
> > text, or are you just saying "hey I can read these form submission
> > values just fine in webscarab!" If the latter, I don't think there's
> > necessarily a concern, because by the nature of the tool you're using
> > and you're okay'ing the certificate warning, you're letting the tool
> > see these values.
> >
> > Best Regards,
> > --
> > Todd Haverkos
> > http://www.linkedin.com/in/toddhaverkos
> >
> >
> >
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes
> in Securing Web Applications
> Find out now! Get Webinar Recording and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ------------------------------------------------------------------------
>
>

Received on May 16 2008
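
An added example, not part of the original thread: it compares what a TLS-terminating proxy like the one discussed above would record under three login schemes, and whether each recorded value is accepted when resubmitted later. The `Server` class, the sample password and the scheme names are hypothetical.

```python
import hashlib
import hmac
import secrets

PASSWORD = "S3cret-admin-pass"  # constructed sample credential


class Server:
    """Hypothetical login endpoint offering three credential schemes."""

    def __init__(self, password):
        self._password = password
        self._static = hashlib.sha256(password.encode()).hexdigest()
        self._nonces = set()

    def login_plain(self, pw):
        return hmac.compare_digest(pw, self._password)

    def login_static_hash(self, digest):
        return hmac.compare_digest(digest, self._static)

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def login_challenge(self, nonce, response):
        if nonce not in self._nonces:
            return False
        self._nonces.discard(nonce)  # each challenge is single use
        return hmac.compare_digest(response, respond(self._password, nonce))


def respond(password, nonce):
    """Client side of the challenge: HMAC-SHA256 of the nonce, keyed by the password."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def replay_results():
    server = Server(PASSWORD)
    # Values visible where TLS is terminated during one legitimate login.
    seen_plain = PASSWORD
    seen_hash = hashlib.sha256(PASSWORD.encode()).hexdigest()
    nonce = server.new_nonce()
    seen_response = respond(PASSWORD, nonce)
    assert server.login_challenge(nonce, seen_response)  # the legitimate login
    # A later session resubmits the recorded values; the server issues a fresh nonce.
    return {
        "plaintext": server.login_plain(seen_plain),
        "static_hash": server.login_static_hash(seen_hash),
        "challenge_response": server.login_challenge(server.new_nonce(), seen_response),
    }


if __name__ == "__main__":
    print(replay_results())
```

The recorded static hash is accepted exactly like the recorded password; only the response bound to a single-use nonce is rejected when resubmitted.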
