RE: Cain a& Abel Question

From: Christopher Harrington (charrington@syseng.com)
Date: Thu May 22 2003 - 13:16:09 EDT


That's an interesting vector. You would have some notification of the Root
Cert being added on the client workstation though. There is no way to turn
off the MS CAPI warning that pops up when you add a certificate to the
root container. The user would have to accept the bogus cert.

--Chris

-----Original Message-----
From: Eliot Mansfield [mailto:Eliotm@eurodatasystems.com]
Sent: Thursday, May 22, 2003 4:41 AM
To: pen-test@securityfocus.com
Subject: RE: Cain a& Abel Question

Persumably a cunning attack vector would be to compromise a private
network, generate a self signed certificate and use windows 2000 group
policy to deliver your untrusted root ca as a trusted ca into everyones
browser. Then C&A and Doug Songs tools would work without warning??

Eliot Mansfield

-----Original Message-----
From: Cushing, David [mailto:David.Cushing@hitachisoftware.com]
Sent: 21 May 2003 19:15
To: pjacob@ftmc.com; pen-test@securityfocus.com
Subject: RE: Cain a& Abel Question

Pete,

What you are seeing is the result of a "man in the middle" style attack
rather than a decoding of your SSL connection to the bank.

C&A is intercepting and forwarding your traffic due to the ARP poisoning.
Your browser negotiates an SSL connection with C&A. C&A negotiates
another SSL connection to the bank. Then C&A is able to see all traffic
in plaintext as it passes it along.

Browser <--ssl--> C&A (plaintext) <--ssl--> Bank

The program is not able to generate a proper certificate to hand your
browser, though. It is self signed and will not be trusted by your
browser. An alert should have popped up when you opened the page. Did
it?

Cain info: http://www.oxid.it/cain_faq.html
MiM info: http://www.sans.org/rr/threats/man_in_the_middle.php

--
David
> -----Original Message-----
> I was reading thru the list and decided to give Cain & Abel a try...
> it is a really powerful tool, I do have a question, I was running it
> using the ARP poisoning from one of my test machines to my internet
> gateway.. (Cisco 3600 series) I logged into my On-line banking
> account, which is an SSL connection, and Cain & Abel picked up my
> username and passsword as "Clear text"... I guess I am confused about
> this... when I goto the site, it is an SSL site,it appears that the
> entire session is SSL, and Cain & Abel is not doing any sort of
> "Cracking" and
> if the software "Cain & Abel" is doing
> some sort of sniffing, wouldn't it be encrypted via SSL?
--------------------------------------------------------------------------
-
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.
To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-pen-test
--------------------------------------------------------------------------
--
--------------------------------------------------------------------------
-
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown
enterprise WLANs.
To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-pen-test
--------------------------------------------------------------------------
--




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:33 EDT