How to stop a sniffer - w/out breaking his nose


logicalconfusion

Recommended Posts

I didn't expect to see rhetoric. Who's to say the person on the other end isn't being held at gunpoint? If you mean to say that major corporations such as Chase, Goldman Sachs, NASA, etc. use SSL knowing that a call center rep in the Philippines happened to read your post and undermine security, you've been online too long. SSL is a standard on secure systems. Please show proof that it's trivial to hack.


Very hard to detect a sniffer in promiscuous or monitor mode. The only way to stop a sniffer is local encryption. If a MITM is happening then latency can be used to detect it (think mtr). ARP spoofing is easy to detect since it's noisy as fuck.

Encrypt using:

Darknet

VPN

SSH to remote VPS (poor man's VPN)

SSL end to end (kinda screwed thanks to Moxie's sslstrip and similar tech)

We can wait for DNSSEC to be fully implemented, which will help prevent DNS cache poisoning, but I'm not sure this will help with securing SSL. If companies like Comodo keep getting away with being compromised then SSL isn't worth the bits it's made from.

If you are serious about securing your data then no free VPNs and no untrusted proxies! Tor is fine, but remember a certain % of your data goes to the NSA.

My solution is SSL and SSH for privacy. Tor for anonymity. Mix and match depending on what you're doing.


There is a difference between negating SSL with something like SSL strip and actually cracking SSL. There are known issues with SSL when weak key lengths are used (< 56 bits) which could allow an attacker with enough processing power to decrypt the communications.


Okay, again we're back to where we started. You keep referring to local data! What if it's not local? MITM attacks are only possible if the network admin is dumb enough not to monitor who's in the middle. Libraries, cafés, etc. pay people (legal, non-H1 visa workers) to monitor their networks just so fat guys with software can't sit around and sniff/compromise security in hopes of finding the cure for cancer. So, it comes down to a question of SSL security and what you think is security. I don't think they hire people to choose the word "password" as a scheme for protection (256-bit). It all boils down to what people want sniffers to see. Please refer with examples on how SSL encryption was cracked. I don't think it's occurred to Darren Kitchen and Shannon Morse that the government might be using their techniques to lead hak101 fans right into a camera.

Edited by logicalconfusion

I'm going to put my 2 cents in on this. I just implemented a system to get around a restrictive DNS server that was being hosted on the default gateway, and simply setting a new DNS server in my internet options did not work. I think it can be used to help in this situation.

If I'm not mistaken, packet sniffers like Wireshark can pick up DNS requests that go over the network. While you may have your traffic encrypted and proxied through an SSH tunnel/SOCKS proxy, someone with a sniffer out would still be able to pick up on DNS requests. What I was able to learn through asking on this site was that Firefox has a great setting in its "about:config" where you can tell it to put DNS requests through the proxy, allowing for those requests to be encrypted and handled by your remote server. (This is done by setting the value network.proxy.socks_remote_dns to "true".) While this will not stop someone from stripping SSL, it will still deny someone with just a sniffer that piece of information. This may be common knowledge, and I didn't know that. If it is, my bad. Either way, that's my 2 cents, take it for what it's worth.

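To make the DNS leak in the post above concrete, here is an added example (not code from the thread or from Firefox) that simulates a SOCKS5 client both ways. With remote DNS off the client first sends a cleartext UDP/53 query on the LAN and then a CONNECT carrying the resolved IPv4 (ATYP 0x01); with remote DNS on, nothing leaves on UDP/53 and the hostname rides inside the CONNECT (ATYP 0x03), which goes to the local ssh -D listener and therefore into the encrypted tunnel. The resolver table is constructed so the script runs offline; the DNS and SOCKS5 byte layouts follow RFC 1035 and RFC 1928.

```python
"""Why network.proxy.socks_remote_dns matters: a simulated SOCKS5 client.

Added example, not from the thread. The 'resolver' is a constructed table
so the script runs offline; the SOCKS5 bytes follow RFC 1928 and the DNS
query RFC 1035, so they are what a real client would emit.
"""
import socket
import struct

FAKE_DNS = {"forums.hak5.org": "203.0.113.10"}   # constructed answer (TEST-NET-3)


def build_dns_query(hostname, txid=0x1234):
    """Minimal A-record query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(dns_packet):
    """Recover the queried name from a DNS query (what a LAN sniffer reads off UDP/53)."""
    labels, i = [], 12
    while dns_packet[i] != 0:
        n = dns_packet[i]
        labels.append(dns_packet[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)


def build_socks5_connect(dst, port, remote_dns):
    """SOCKS5 CONNECT: VER=5 CMD=1 RSV=0 then ATYP+address+port.
    ATYP 0x03 hands the hostname to the proxy; ATYP 0x01 carries an IPv4
    the client already resolved on its own."""
    if remote_dns:
        host = dst.encode()
        addr = b"\x03" + bytes([len(host)]) + host
    else:
        addr = b"\x01" + socket.inet_aton(dst)
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)


def parse_socks5_dst(req):
    """Decode the destination field of a SOCKS5 CONNECT request."""
    atyp = req[3]
    if atyp == 0x01:
        return "ipv4", socket.inet_ntoa(req[4:8])
    if atyp == 0x03:
        return "domain", req[5:5 + req[4]].decode()
    raise ValueError("unsupported ATYP")


def connect_via_socks(hostname, port, remote_dns, resolver=FAKE_DNS.__getitem__):
    """Simulate what the browser does before sending the CONNECT.

    Returns (lan_datagrams, socks_request): the cleartext packets that leave
    the machine on the local network, and the bytes handed to the local
    SOCKS listener (e.g. ssh -D), which travel inside the encrypted tunnel.
    """
    lan = []
    if remote_dns:
        req = build_socks5_connect(hostname, port, True)
    else:
        lan.append(("udp/53", build_dns_query(hostname)))   # visible to the sniffer
        req = build_socks5_connect(resolver(hostname), port, False)
    return lan, req


if __name__ == "__main__":
    for flag in (False, True):
        lan, req = connect_via_socks("forums.hak5.org", 80, remote_dns=flag)
        seen = [parse_qname(p) for _, p in lan]
        print(f"socks_remote_dns={flag}: sniffer sees DNS for {seen}, "
              f"proxy gets {parse_socks5_dst(req)}")
```

The same distinction exists outside Firefox: curl's --socks5 resolves locally while --socks5-hostname sends the name to the proxy, so a tunnel setup should be checked with a sniffer on the client side once, looking for any UDP/53 traffic that is not going through the tunnel.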

> It all boils down to what people want sniffers to see. Please refer with examples on how SSL encryption was cracked.

Search for BEAST and CRIME attacks, both are attacks against SSL/TLS.

Also look at downgrade attacks where, by injecting traffic during negotiations, certain configurations of web server can be told to downgrade HTTPS to use a cipher with a 0 byte key, i.e. no encryption, or weak ciphers, i.e. less than 56 bit.

Not breaking SSL, but another related attack is an SSL/TLS renegotiation denial of service.

Having given three examples of how it is broken I would still prefer to use it over nothing as most people are not technically competent enough to perform the first two attacks (and they can be mitigated fairly easily) and as a user, the server being DoS'd isn't really my problem unless I really need the service.

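Added example, not from the thread, showing the mechanism behind CRIME (and its HTTP-body cousin BREACH): when attacker-controlled input and a secret share one compression context, the compressed size leaks whether a guess matches the secret. To keep the result deterministic the compressor here is a simplified greedy LZ77 cost model rather than zlib; DEFLATE has the same "a longer back-reference makes the output smaller" property, which is all the attack relies on. The cookie value is constructed. The compress=False path shows the mitigation the post alludes to (turn TLS/HTTP compression off): every guess then costs the same and the recovery gives up.

```python
"""CRIME-style compression side channel, as an added worked example.

Not from the thread. The 'compressor' is a simplified LZ77 cost model
(greedy longest match, literal = 1 unit, back-reference = 2 units) standing
in for DEFLATE. The attacker controls the request path and can observe the
compressed size of each request; the victim's cookie rides in every request.
"""
import string

SECRET_COOKIE = "sessionid=7f3a9c"   # constructed secret carried in every request
MIN_MATCH = 3                        # shortest back-reference worth emitting


def lz77_cost(data, compress=True):
    """Size of `data` in token units after greedy LZ77 compression.
    With compress=False the size is simply len(data)."""
    if not compress:
        return len(data)
    cost, i = 0, 0
    while i < len(data):
        best = 0
        for j in range(i):                       # longest match starting anywhere earlier
            n = 0
            while i + n < len(data) and data[j + n] == data[i + n]:
                n += 1
            best = max(best, n)
        if best >= MIN_MATCH:
            cost += 2                            # one (distance, length) token
            i += best
        else:
            cost += 1                            # one literal
            i += 1
    return cost


def oracle(attacker_path, compress=True):
    """What the attacker observes: the compressed size of a request that
    carries both the attacker-chosen path and the victim's cookie."""
    request = (f"GET /{attacker_path} HTTP/1.1\r\n"
               f"Host: example.com\r\n"
               f"Cookie: {SECRET_COOKIE}\r\n\r\n")
    return lz77_cost(request, compress)


def recover_secret(prefix="sessionid=", alphabet=string.hexdigits[:16],
                   length=6, compress=True):
    """Extend `prefix` one character at a time, keeping the guess that
    compresses best. Returns None as soon as no guess stands out, which is
    what happens once compression is disabled."""
    known = prefix
    for _ in range(length):
        sizes = {c: oracle(known + c, compress) for c in alphabet}
        smallest = min(sizes.values())
        winners = [c for c, s in sizes.items() if s == smallest]
        if len(winners) != 1:
            return None
        known += winners[0]
    return known


if __name__ == "__main__":
    print("with compression:   ", recover_secret())
    print("without compression:", recover_secret(compress=False))
```

The correct guess always wins by exactly one literal here because the matcher finds a back-reference one byte longer; with real DEFLATE the difference is a few bits and only shows up in the byte length some of the time, which is why practical CRIME/BREACH tooling pads requests to a byte boundary and repeats measurements. The fix is the same in both cases: do not compress data that mixes secrets with attacker input.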

> Also look at downgrade attacks where, by injecting traffic during negotiations, certain configurations of web server can be told to downgrade HTTPS to use a cipher with a 0 byte key, i.e. no encryption, or weak ciphers, i.e. less than 56 bit.

I'll look into how BEAST and CRIME attacks are executed. I bet there's a lot more to cracking SSL encryption than checking the software on the server and then shaping packets to modify its default configuration. I mean, HTTPS Everywhere is endorsed by the EFF! sslstrip and the other techniques mentioned seem applicable when hacking archaic sites that were never properly configured in the first place. Why isn't there a list in place for researchers like GRC, listing sites that can be easily compromised? Now here's one for the hak5 team. Why doesn't hak5 implement encryption? They're pretty security focused. Please don't reply with "IF you sleep with itchy butt u wake up w/ smelly finga" responses like they do on the BackTrack forums.


I imagine the reason Hak5 don't use SSL is a mixture of processor overhead and cost of the certificate.

As for the SSL stuff, there is no need to break SSL if you can subvert it. I haven't seen an SSL 256-bit key broken, but then I don't work in IT. I'm, shall we say... a hobbyist :)


  • 2 weeks later...

For a fun way to use the "poor man's VPN" as it was described earlier, sshuttle is a random tool I found that does a fairly good job of setting up a VPN over SSH without requiring root on the remote machine. I don't develop the tool, but it's nice to use.


Thanks for the awesome suggestions on how to deter sniffers and ISP intrusion. We have to figure out why the entire web isn't on SSL! I don't think it has much to do with cost. Hak5 isn't using SSL. They're not taking proactive measures to protect your security or anonymity as security "professionals." Mr. Goatee Kitchen likes to refer to himself as a L33t H4XoR. Hak5.org is sponsored by the likes of GoDaddy, Citrix, jackthreads (hobo threads). Do a reverse DNS on the domain and you'll see all the other possible affiliates paying for Shannon's pineapples.

I really doubt that M$N, Yahoo, Dogpile, etc. are unaware of HTTPS like their competitor Google (they've all got enough capital to invest in HTTPS; ask the guy who owns Facebook). My friends and I are re-researching just how secure SSL actually is and why certificate authorities such as Verisign Inc. deliberately keep government agencies and security researchers from enforcing standards. ISPs ought to publicly announce known network infrastructure weaknesses along with their marketing policies, IMHO. We're not living in a third world communist/fascist emirate of Mars..... just my two cents.... Stay tuned....

Edited by logicalconfusion

> I imagine the reason Hak5 don't use SSL is a mixture of processor overhead and cost of the certificate.
>
> As for the SSL stuff, there is no need to break SSL if you can subvert it. I haven't seen an SSL 256-bit key broken, but then I don't work in IT. I'm, shall we say... a hobbyist :)

At one time, the forums were SSL based. All the forums now are hosted by Invision Power Board, so I imagine that's just up to them and whether they charge extra for it, or he forgot to add it back. Either way, you're on a hacker forum; SSL should be the least of your worries when coming here. I use a throwaway password for the forums that's not tied to any other sites, so if anyone ever did get my password, it won't do them much good other than posting spam as me on the forums, and it's not like we haven't been popped a few times over the years.

Safe web practices, securing your own traffic, and connecting from safe locations or even VPN'ing all your traffic to here, would be just as effective as having SSL on the site if you take measures to encrypt your traffic on your own. Connecting from the local coffee shop, SSL or not, is not safe anyway, and sslstrip and several other tools could be used to intercept your session, so tunnels and/or VPNs, and layers of your own security, are in the hands of the user.

> Thanks for the awesome suggestions on how to deter sniffers and ISP intrusion. We have to figure out why the entire web isn't on SSL! I don't think it has much to do with cost. Hak5 isn't using SSL. They're not taking proactive measures to protect your security or anonymity as security "professionals." Mr. Goatee Kitchen likes to refer to himself as a L33t H4XoR. Hak5.org is sponsored by the likes of GoDaddy, Citrix, jackthreads (hobo threads). Do a reverse DNS on the domain and you'll see all the other possible affiliates paying for Shannon's pineapples.
>
> I really doubt that M$N, Yahoo, Dogpile, etc. are unaware of HTTPS like their competitor Google (they've all got enough capital to invest in HTTPS; ask the guy who owns Facebook). My friends and I are re-researching just how secure SSL actually is and why certificate authorities such as Verisign Inc. deliberately keep government agencies and security researchers from enforcing standards. ISPs ought to publicly announce known network infrastructure weaknesses along with their marketing policies, IMHO. We're not living in a third world communist/fascist emirate of Mars..... just my two cents.... Stay tuned....

@logicalconfusion if I didn't know any better, I'd say there was some pent up frustration and even a bit of a swipe at the cast there. Quite a troll of a remark in reference to a certain someone too, which I think was just downright shitty. Hak5 provides a free and open forum for everyone, with a free show of entertainment and instructional videos on a number of topics, and you pay for what? When you run your own site and show and forums, lest you be judged, try not to bite the hands that spoon feed you.

Edited by digip

That's true. It is possible to undermine SSL security at insecure locations such as cafés using utilities such as sslstrip. Let's forget about SSL security for a second. The person sitting next to you can easily stick you up for your password in a café. Your neighbor can break into your house and rip off the little post-it under your keyboard while you're AFK, shopping for groceries. It happens all the time. Anything is possible.

> @logicalconfusion if I didn't know any better, I'd say there was some pent up frustration and even a bit of a swipe at the cast there. Quite a troll of a remark in reference to a certain someone too, which I think was just downright shitty.

I think his goatee needs a trim... just like the guy holding the "FAIL" sign in your pic, nothing personal, just a joke. Hak5 is awesome.... at least they're trying. I enjoy the show. If you compare hak5 with a non-"hacker" site such as gnu.org or even the Ubuntu forums you'll see they're using SSL, security which, again, can be compromised. Now we all know that SSL was designed to prevent eavesdropping a long time ago.

LogMeIn Hamachi and sshuttle (freeware) are meant for tunneling into secure locations, but the data is ultimately going through ISP servers on the other side, unencrypted. I'm looking for a solution to shield us from the ISP and the blackhat's antenna. I guess I'll have to dig around for detailed info. VPNs are an option....


I think making a suggestion to staff that we go back to SSL for forum logins is fine, I don't see it as a big deal though, since we're not an e-commerce site or making payment transactions on the forums in general. Everything posted is in the clear on the forums to begin with, and if at a cafe, you should be using an SSH tunnel or VPN to encrypt all your traffic anyway. I use one from home as it is.

The swipe was twofold though, joking aside. Having met Darren, Shannon and Paul, they are some of the nicest people, but also much smarter than you might think. Darren could probably run circles around half the people here whether anyone believes that or not and deserves much respect. He gave up duties of web hosting and controlling all of this side of things a long time ago when they went to rev3 so he could wear one hat, and that was of show host, so much of this is not even his area of work any more, whereas back in the day he had a regular day job, ran the show, site, hosting, etc., you name it, with the help of the cast.

Getting back to the swipe, one was at Darren for the leet haxor remark, not so much the goatee thing; the other was at Shannon, where some might look at the pineapple remark as a reference to her anatomy, which even if that was clearly not intended, could be read that way. Some back history I don't want to drudge up, but let's just say there were some nasty attacks against her in the past, and reading your remarks, having been here as long as I have, seemed almost too close to reference something from long ago that does not bear repeating, but seemed quite like it was a definite hit on the sentiment of said subject.

Still, SSL might be nice for logins, but again, we're not selling or taking credit cards, and everything you put on these forums is public anyway. The most it would do is safeguard your login, and that could be done with an SSH tunnel or VPN, whether from home or anywhere on the road.
