Security Basics mailing list archives

RE: OWA, basic authentication, and Windows NT Challenge and Response NTLM


From: "Matt Toczek" <MattT () netforcement com>
Date: Tue, 21 Mar 2006 13:34:04 -0500

Bret,

Yes, this is certainly possible.  The scenario you're describing is a
good example of a MITM (Man In The Middle) attack.
NT Challenge/Response isn't going to be of much help in this case.  Since
the Man in the middle (paros or some other such program) is going to
intercept the user's credentials and the CR's, the server can
challenge/response as many times as it likes, and the attacker is going
to grab it all.

Ideally the OWA cert would be signed by a well-known and widely-trusted
CA.  In this case, the user's browser would likely trust it implicitly,
thus limiting the user discretion required; this will help protect them
against MITM attacks.

Installing a self-signed cert on the OWA box is a good way to open up
the transmissions to MITM attacks.


Sincerely,

Matthew Toczek, Security+, MCP, Security Operative       
www.netforcement.com
610.260.9989 Office                           
PGP KeyID:0x50AD708C 7D59 0A05 D108 F526 E4AE 3FA7 EB8B 731A 50AD 708C
  
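The point in the reply above, that challenge/response authentication completes normally when a proxy sits between the browser and OWA and simply relays each message, as an added toy model (this is example code, not anything from the thread or from Microsoft's NTLM). The HMAC-based "response" is a constructed stand-in for the real NTLM computation, and the certificate fingerprints, password and server object are all constructed. The model also goes one step beyond the thread: it shows how binding the response to the TLS certificate the client actually saw (channel binding, as later implemented by Extended Protection for Authentication) makes the relayed response fail when the proxy presents its own certificate.

```python
"""Toy model: challenge/response authentication relayed through a MITM proxy.

Added example, not from the original thread. Every key, password and
certificate fingerprint below is constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional


def password_key(password: str) -> bytes:
    # Constructed stand-in for a password-derived key (not NTLM's real hash).
    return hashlib.sha256(password.encode()).digest()


def client_response(key: bytes, challenge: bytes, cert_fp: Optional[bytes] = None) -> bytes:
    # Response = HMAC(key, challenge || fingerprint of the TLS cert the client saw).
    # Without channel binding the fingerprint is simply absent.
    msg = challenge + (cert_fp or b"")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    """The real OWA server: knows the user's key and its own certificate."""

    def __init__(self, key: bytes, cert_fp: bytes, channel_binding: bool):
        self.key = key
        self.cert_fp = cert_fp
        self.channel_binding = channel_binding

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # With channel binding the server expects the response to have been
        # computed over ITS certificate, the one a direct client would see.
        fp = self.cert_fp if self.channel_binding else None
        expected = client_response(self.key, challenge, fp)
        return hmac.compare_digest(expected, response)


def authenticate(server: Server, user_key: bytes, cert_seen_by_client: bytes) -> bool:
    """One login where the client's browser saw `cert_seen_by_client`.

    When a proxy is in the path, that is the proxy's certificate (the user
    clicked through the warning). The proxy opens its own session to the real
    server, hands the real challenge to the client, and relays the response.
    Returns whether the real server accepts the relayed response."""
    chal = server.challenge()
    fp = cert_seen_by_client if server.channel_binding else None
    resp = client_response(user_key, chal, fp)
    return server.verify(chal, resp)


if __name__ == "__main__":
    key = password_key("correct horse battery")  # constructed
    real_fp = hashlib.sha256(b"constructed OWA certificate").digest()
    proxy_fp = hashlib.sha256(b"constructed proxy certificate").digest()

    plain = Server(key, real_fp, channel_binding=False)
    print("relay, no channel binding  ->", authenticate(plain, key, proxy_fp))   # True

    bound = Server(key, real_fp, channel_binding=True)
    print("relay, channel binding     ->", authenticate(bound, key, proxy_fp))   # False
    print("direct, channel binding    ->", authenticate(bound, key, real_fp))    # True
```

The first case is the scenario from the thread: the server issues as many challenges as it likes, the proxy forwards each one, and the login succeeds for the proxy's connection. The defence the model illustrates is the same one the reply gives in other words: the client must end up talking to the certificate the server actually holds, which is why a certificate the browser trusts without user discretion matters more than the choice of authentication scheme.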
-----Original Message-----
From: bret.lugo () gmail com [mailto:bret.lugo () gmail com] 
Sent: Wednesday, March 15, 2006 8:22 PM
To: security-basics () securityfocus com
Subject: OWA, basic authentication, and Windows NT Challenge and
Response NTLM

If a user uses Outlook Web Access over https on an untrusted network such
as a wifi hotspot or an airport and does not check the certificate to
make sure it's valid, would it be possible for someone to use a program
proxy such as paros to see their user name and password if basic
authentication is used on the OWA server?

Would using Windows NT Challenge and Response NTLM not allow this to
happen?

Also what would be the best defense against this sort of attack if your
users do not check for valid certificates when using untrusted networks?

Maybe make them IPsec VPN in before they can access OWA?

Thanks for the help


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------