Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: HTTP AUTH BASIC monowall.

From: Simon Smith <simon () snosoft com>
Date: Wed, 15 Mar 2006 13:46:53 -0500
At last!
    Someone that understands! I realize that the network would be pretty
much in a hole at this stage of the game, no contest there. I'm just
thinking about how to better protect critical devices from this type of
internal attack (assuming the admin doesn't notice the cert changes and
all that good stuff.). So far, I've received a lot of flack for asking
this question but nothing useful (short of what you just wrote). I
understand the benefits of SSL, but I also understand (as most people
here don't seem to) that wrapping something insecure in something secure
doesn't make it secure, it just makes it more difficult to get at.

I want to protect the authentication information better than it is
currently being protected.

I like the idea of encrypting the authentication traffic within the SSL
session...

bkfsec wrote:

Simon Smith wrote:


Ok,
   As suspected... so I am correct; and it is a security threat. I can
compromise a network, arp poison it, MiTM, access the firewall,
distributed metastasis, presto... owned...


 


Yes and no... as others have pointed out, you already have much larger
problems at that point, such as the fact that your network has been
totally and completely compromised from the inside in order to do the
MitM in the first place... I can see some reasons why one would want
to do that, but really, if you can execute a good MitM attack, there
really isn't anything you can't do... once you've broken the
encryption you can intercept all kinds of auth traffic and replay it.
OK - at that point, maybe you can tunnel under the SSL using another
form of encryption as a wrapper for the authentication
infrastructure... aside from that, there really isn't much to do...
certs, shared keys, etc... these can all be grabbed from the air if
the SSL traffic is MitM'ed.
Essentially, we're talking very significant owning of a network in
order to simply get the firewall password.  At that point, I'd think
there'd be even worse things that can be done.

         -bkfsec






-- 


Regards, 
        Adriel T. Desautels
        Harvard Security Group
        http://www.harvardsecuritygroup.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: