Re: iis 6 ssl redirect initial login encrypted?



Sniffing traffic is not the same as being able to impersonate someone.

Sniffing traffic lets you intercept data. Impersonating someone gives you the ability to then take actions as the user.

Cheers
Ken

"DaveMo" <david.mowers@xxxxxxxxx> wrote in message news:736890d9-79a7-4293-8004-e2288f0d2967@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On Mar 19, 6:51 pm, "Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx>
wrote:
"DaveMo" <david.mow...@xxxxxxxxx> wrote in message

news:cd3523c7-69fc-45ed-9508-1fe2e4be2160@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> On Mar 9, 2:45 am, "Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx>
> wrote:
>> > Ken,

>> > Right, but to capture the hash you have to successfully attack the
>> > challenge/response which means brute-forcing or dictionary attack
>> > against the password and/or hash. This danger is reduced by simply
>> > turning on strong password enforcement.

>> Um - no - you can just sniff the network, or be a man-in-the-middle. No
>> need to brute force anything.

>> Cheers
>> Ken

> Ken,

> This is not true. The hash is never available by simply intercepting
> network traffic. In NTLM the challenge presented by the server is
> encrypted using the hash of the password. The server (actually the DC
> in domain auth scenarios) can validate that the client has possession
> of the hash by decrypting the encrypted challenge. The hash is not
> presented directly during the authN sequence. My point above stands.

So there is no need to actually brute force anything. If I am a
man-in-the-middle I'm presented with the challenge/nonce from IIS. I give
that to the end user to encrypt, and I then return it to the IIS server.

Cheers
Ken


Yes, there is a man-in-the-middle attack on a specific auth sequence,
but what does that give an attacker? If an attacker has the ability to
intercede in the auth sequence then they had the ability to sniff any
traffic they wanted to see anyway. My advice in general is that if
some data is important enough to require authentication then you
probably need SSL to provide confidentiality. Of course it would be
great if you could apply NTLM/Kerb encryption to HTTP traffic, but
we'll have to wait until 2020 for that to happen I guess.

There's a baseline assumption inherent in the original question that
there was not a concern about loss of confidential data because
someone has a sniffer on the wire. My point was that if that's not
your concern, then you don't need to be concerned that enabling
authentication will somehow result in the exposure of credentials.
This would be a much greater threat than simply exposing some data.
And of course we are assuming that Basic authentication is not being
used.

Dave
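The exchange the two posters are arguing about, as an added example that is not part of this thread and is not NTLM itself: a toy keyed challenge/response in Python. It shows that a passive sniffer sees only the challenge and the keyed response (never the password hash), that an active man-in-the-middle can nevertheless forward a fresh server challenge to the real user and relay the answer back without guessing anything, and that tying the response to the specific TLS connection (the channel-binding idea that Windows later shipped as Extended Protection for Authentication) makes the relayed response fail at the server. The key derivation, the channel-id construction and the password are constructed for this illustration.

```python
"""Toy challenge/response model (added example, not the real NTLM/EPA formats).

Three points from the thread are modelled:
  * a passive sniffer records only the challenge and the response;
  * an active man-in-the-middle relays a fresh challenge to the user and
    forwards the user's response, with no brute force involved;
  * a response bound to the TLS channel it was computed over is rejected
    when it is replayed over a different channel.
"""
import hashlib
import hmac
import os

USER_PASSWORD = "correct horse battery staple"  # constructed sample value


def password_key(password: str) -> bytes:
    """Toy stand-in for the stored password hash (constructed, not NT hash)."""
    return hashlib.sha256(b"toy-key:" + password.encode()).digest()


def channel_id(client_endpoint: str, server_endpoint: str) -> bytes:
    """Toy channel-binding token naming one specific TLS connection.

    Real EPA derives this from the TLS session (tls-server-end-point or
    tls-unique); here it is simply a hash of the endpoint pair (assumption).
    """
    return hashlib.sha256(f"tls:{client_endpoint}->{server_endpoint}".encode()).digest()


def compute_response(key: bytes, challenge: bytes, binding: bytes = b"") -> bytes:
    """Client side: keyed MAC over the server nonce (plus channel binding, if any)."""
    return hmac.new(key, challenge + binding, hashlib.sha256).digest()


def verify(key: bytes, challenge: bytes, response: bytes, binding: bytes = b"") -> bool:
    """Server/DC side: recompute with the stored key and compare in constant time."""
    expected = compute_response(key, challenge, binding)
    return hmac.compare_digest(expected, response)


def wire_contains_key() -> bool:
    """Passive sniffer: capture one legitimate exchange and look for the key in it."""
    key = password_key(USER_PASSWORD)
    challenge = os.urandom(16)
    response = compute_response(key, challenge)
    captured = challenge + response  # everything that crossed the wire
    return key in captured           # False: only nonce and MAC are visible


def legitimate_login(use_channel_binding: bool) -> bool:
    """User talks directly to the server over one TLS connection."""
    key = password_key(USER_PASSWORD)
    challenge = os.urandom(16)
    binding = channel_id("user", "iis") if use_channel_binding else b""
    response = compute_response(key, challenge, binding)
    return verify(key, challenge, response, binding)


def relay_attempt(use_channel_binding: bool) -> bool:
    """Active man-in-the-middle, as described in the thread.

    The attacker holds one connection to the real server and a second one to
    the user, who believes the attacker is the server. The server's challenge
    is passed to the user unchanged and the user's response is forwarded back.
    Returns True if the server accepts that forwarded response.
    """
    key = password_key(USER_PASSWORD)
    server_challenge = os.urandom(16)  # issued on the attacker<->server connection
    cb_attacker_server = channel_id("attacker", "iis") if use_channel_binding else b""
    cb_user_attacker = channel_id("user", "attacker") if use_channel_binding else b""
    # The user computes over the challenge it received and over *its* channel.
    user_response = compute_response(key, server_challenge, cb_user_attacker)
    # The server verifies against the channel the response actually arrived on.
    return verify(key, server_challenge, user_response, cb_attacker_server)


if __name__ == "__main__":
    print("key visible to sniffer:      ", wire_contains_key())
    print("legitimate login, no binding:", legitimate_login(False))
    print("legitimate login, binding:   ", legitimate_login(True))
    print("relay accepted, no binding:  ", relay_attempt(False))
    print("relay accepted, binding:     ", relay_attempt(True))
```

Without channel binding both the legitimate login and the relayed one verify, which is Ken's point: the server cannot tell whose connection the correct answer arrived on. With binding, the user's response is computed over the user-to-attacker channel id and the server checks it against the attacker-to-server one, so the relay is rejected while the direct login still succeeds. That is the property SSL alone does not give you and that Dave's "you need SSL for confidentiality" advice does not address; confidentiality and relay resistance are separate controls.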
