On Thu, Dec 13, 2001 at 12:23:21PM -0500, Evan D. Hoffman wrote:
> I was recently pointed to the app ettercap
> (http://ettercap.sourceforge.net/), which claims (among other things):
> 
> "HTTPS support : you can sniff http SSL secured data... and even if the
> connection is made through a PROXY"

Yes, it's true, but you can sniff only SSL v2.0 traffic. Version 3.0 is 
not affected by the man-in-the-middle attack, because it uses 
certificates to authenticate the server. Version 2.0 is obsolete and
insecure.

> Google yielded this info:
> http://lists.debian.org/debian-security/2001/debian-security-200109/msg00060.html
> but I'm still not clear on what exactly is going on.  From what I
> gather, the ettercap box will serve as a go-between for all traffic between
> server and client, and the client will get some kind of an error about the
> key changing, and if the user chooses to continue the transaction, there's
> nothing more that can be done.  Does anyone know anything more about this

That's wrong. The client doesn't get any kind of error (I'm talking 
about the SSL v2.0 protocol).
The key exchange is completely transparent to the peers, because the 
ettercap box acts as a proxy: it intercepts the legitimate keys that 
are passed back and forth during the SSL handshake, substitutes its own, 
and makes it appear to the client that it is the server, and to the 
server that it is the client. It decrypts all traffic from the client with 
the session keys established with the client, reads and/or modifies the data, 
then encrypts and sends all data to the server. In the other direction,
server to client, it does the same.
You can do this with ARP poisoning, also on switched LANs.

Possible solutions to prevent the MITM attack:
- use certificates digitally signed by a third party (SSL v3.0)
- use static ARP table entries 
                (on Windows 2000/NT, the static ARP table is not properly 
                static. There's a hole in the implementation of the ARP 
                protocol on MS systems. I don't know if it was fixed in the
                latest SP)

If you can't use static entries in your ARP table, to discover a MITM 
attack you can monitor your ARP cache table and look for two different
hosts with the same MAC.

Check the documentation which comes with ettercap; it is very useful.

my 2 cents (euro)

ciao
                        -- blitzkrieg
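The detection blitzkrieg suggests (two different hosts showing the same MAC in the ARP cache) as an added example, not code from the thread or from ettercap: it parses `arp -an` style output and flags any MAC that answers for more than one IP. The sample table is constructed; the Linux/BSD line format and the 192.168.1.x addresses are assumptions.

```python
import re
from collections import defaultdict

# One line of `arp -an` output on Linux/BSD (format assumed for this example):
#   ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def parse_arp_table(text):
    """Map each MAC address to the set of IPs currently claiming it.
    Lines that do not match (e.g. '<incomplete>' entries) are skipped."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            by_mac[m.group("mac").lower()].add(m.group("ip"))
    return dict(by_mac)

def find_duplicate_macs(text):
    """Return {mac: sorted IPs} for every MAC that answers for more than one
    IP: the symptom described in the post when one box has poisoned the
    cache to impersonate both the gateway and another host."""
    return {mac: sorted(ips)
            for mac, ips in parse_arp_table(text).items() if len(ips) > 1}

# Constructed sample, not captured from a real system: the gateway
# (192.168.1.1) and 192.168.1.20 both resolve to the MAC of 192.168.1.50.
SAMPLE_ARP_OUTPUT = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.50) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:dd:ee:ff [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

if __name__ == "__main__":
    for mac, ips in find_duplicate_macs(SAMPLE_ARP_OUTPUT).items():
        print(f"possible ARP poisoning: {mac} is claimed by {', '.join(ips)}")
```

Feed it the live output of `arp -an` from a cron job and alert on any non-empty result; a MAC shared by a host and the default gateway is the case worth paging on.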