Re: demoing sslv2 vulns



Here is a demonstration for SSL Strip Attack:
http://securitytube.net/SSLstrip-Tutorial-video.aspx

On Thu, Jul 22, 2010 at 8:14 AM, chintan dave <davechintan@xxxxxxxxx> wrote:
Yeah Richard you are correct this will be for Null prefix attack.

I thought you were talking about SSL in general and not specifically
weak cipher.

I don't think you can demonstrate weak cipher attacks via a POC coz
cracking the cipher suite itself is computationally very expensive
(unless you have a cluster of really powerful boxes).

On Thu, Jul 22, 2010 at 4:36 AM, Richard Miles
<richard.k.miles@xxxxxxxxxxxxxx> wrote:
Hi chintan,

But SSL Strip is another attack, it's not because of the weak cipher
used. There is any POC against the SSL weak ciphers + web server?

Thanks

On Wed, Jul 21, 2010 at 4:24 AM, chintan dave <davechintan@xxxxxxxxx> wrote:
Hi Richard,

You can use SSL Strip to demonstrate the exploitation of
vulnerabilities like Null Prefix Attack.

This might not be a stand alone attack, however for a POC you can use
it in conjunction with other attacks like ARP Spoofing to show that
you have legitimately intercepted the traffic.

The tool works just fine for linux, however it might require some
level of tweaking for getting it to work with windows.

Hope this helps.

Thanks,
Chintan

On Tue, Jul 20, 2010 at 1:34 AM, Richard Miles
<richard.k.miles@xxxxxxxxxxxxxx> wrote:
modify the hello packet is easy with ettercap. But how to break the
captured data?

On Mon, Jul 12, 2010 at 9:08 PM, Yered Céspedes <yered@xxxxxxxxxxxxx> wrote:
You could give it a try with an ettercap filter to perform the MITM

On Tue, Jul 6, 2010 at 1:01 AM, Cor Rosielle <cor@xxxxxxxxxxxxx> wrote:

Robin,

I am not a cryptanalyst, so here is for what it's worth.

When an sslv2 connection is set up, a session key must be negotiated. This
negotiation is not encrypted (because there is no key yet). During this
negotiation the client sends a "client hello" packet, which contains a list
with the cipher suites the client knows. A man in the middle can intercept
and modify this list and remove strong cipher suites. The server can now
only pick a weak cipher and thus the encryption is much weaker as one would
expect. Servers often allow keys of 40 bits and sometimes even NULL ciphers.
In 2004 a typical home computer could break 40 bits keys in little under two
weeks (http://en.wikipedia.org/wiki/40-bit_encryption). A 2010 typical home
computer must be able to break it within a day.

The man in the middle can record the traffic and then break the weak
encryption later. This will still take quite some time, but it's feasible.
He can view the confidential data within a day.

sslv3 is not vulnerable for such a cipher degradation attack, because the
"client hello" packet has an integrity control.

Because sslv2 lacks the integrity control and a cipher degradation attack is
possible it can be weak, but not necessarily is weak. If a server supports
sslv2 with strong ciphers only (128 bits or more), I think the risk is low,
because a cipher degradation can not result in real weak ciphers (however,
this is an risk decision and not a fact).

I don't know about existing tools to perform the cipher degradation attack,
but they might exist. And after that you still need to decipher the
encrypted packets, which requires other software.

So for a successful attack one must be able to do all of the below:
- to do a man in the middle attack and sniff traffic
- intercept the client hello and execute a cipher degradation attack
- cipher suite negotiation must result in a weak cipher suite
- record all traffic
- decrypt it later

But again, I am not a cryptanalyst so perhaps this explanation is not
accurate.

Apart from the attack there is a solution which is fast and easy to
implement in Microsoft IIS as in Apache. It will take you a lot more time to
do a risk analysis to decide to skip this fix than it takes to actually do
it.

Cor


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Robin Wood
Sent: zondag 4 juli 2010 13:53
To: rapper crazy
Cc: pen-test list
Subject: Re: demoing sslv2 vulns

On 4 July 2010 12:47, rapper crazy <rappercrazzy@xxxxxxxxx> wrote:
Hello Robin,

The exploitation of these vulnerabilities require industrial / govt
level
infra support. The only way to attack these vulnerabilities are with
cryptanalytic attack.
Breaking these might not be possible for lone attacker but
considering
corporate espionage, dumping the network (ssl-encrypted) traffic,
these
dumps can later be brute force to recover the session key and then
the whole
communication.

Thanks
JT


So basically I tell them that for most situations they currently
aren't really a threat but as cryptanalysis only gets better, never
worse it is only a matter of time before they become a problem so it
is better to get protected now before it is a problem rather than rush
to upgrade once it does become a problem.

Sound about right?

Robin

-----------------------------------------------------------------------
-
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
-----------------------------------------------------------------------
-



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




--
Yered Céspedes, Security+, ITIL, CEH
Mobile +506 8892-8652
yered@xxxxxxxxxxxxx

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------





--
Regards,
Chintan Dave,

LinkedIn: http://in.linkedin.com/in/chintandave
Blog:http://www.chintandave.com





--
Regards,
Chintan Dave,

LinkedIn: http://in.linkedin.com/in/chintandave
Blog:http://www.chintandave.com

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------





--
Saleh Alsanad
http://www.google.com/profiles/q8mosfet

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------



Relevant Pages

  • Re: demoing sslv2 vulns
    ... I don't think you can demonstrate weak cipher attacks via a POC coz ... But SSL Strip is another attack, it's not because of the weak cipher ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • Re: demoing sslv2 vulns
    ... This might not be a stand alone attack, however for a POC you can use ... and modify this list and remove strong cipher suites. ... only pick a weak cipher and thus the encryption is much weaker as one would ... Information Assurance Certification Review Board ...
    (Pen-Test)
  • Re: Countering chosen-plaintext attacks
    ... >> attack on your cipher as proof that the cipher is safe from anyone ... > So we have a disagreement as you said. ... This is why it is called a chosen plaintext attack. ...
    (sci.crypt)
  • =?windows-1252?Q?Re=3A_Counteracting_Different_Attacks_by_Selective_Mea?= =?windows-1252?Q?n
    ...  The cipher that I have invented ... remaining attack i.e. ciphertext-only attack. ... Making my main keyet (the set of change-or-origin vectors random ... I have said just now that there are other keys also. ...
    (sci.crypt)
  • Re: demoing sslv2 vulns
    ... But SSL Strip is another attack, it's not because of the weak cipher ... Information Assurance Certification Review Board ...
    (Pen-Test)