Re: iis 6 ssl redirect initial login encrypted?



On Mar 27, 2:03 am, "Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx>
wrote:
Sniffing traffic is not the same as being able to impersonate someone.

Sniffing traffic lets you intercept data. Impersonating someone gives you
the ability to then take actions as the user.

Cheers
Ken

"DaveMo" <david.mow...@xxxxxxxxx> wrote in message

news:736890d9-79a7-4293-8004-e2288f0d2967@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



On Mar 19, 6:51 pm, "Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx>
wrote:
"DaveMo" <david.mow...@xxxxxxxxx> wrote in message

news:cd3523c7-69fc-45ed-9508-1fe2e4be2160@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Mar 9, 2:45 am, "Ken Schaefer" <kenREM...@xxxxxxxxxxxxxxxxxxxx>
wrote:
Ken,

Right, but to capture the hash you have to successfully attack the
challenge/response which means brute-forcing or dictionary attack
against the password and/or hash. This danger is reduced by simply
turning on strong password enforcement.

Um - no - you can just sniff the network, or be a man-in-the-middle. No
need to brute force anything.

Cheers
Ken

Ken,

This is not true. The hash is never available by simply intercepting
network traffic. In NTLM the challenge presented by the server is
encrypted using the hash of the password. The server (actually the DC
in domain auth scenarios) can validate that the client has possession
of the hash by decrypting the encrypted challenge. The hash is not
presented directly during the authN sequence. My point above stands.

So there is no need to actually brute force anything. If I am a
man-in-the-middle I'm presented with the challenge/nonce from IIS. I give
that to the end user to encrypt, and I then return it to the IIS server.

Cheers
Ken

Yes, there is a man-in-the-middle attack on a specific auth sequence,
but what does that give an attacker? If an attacker has the ability to
intercede in the auth sequence then they had the ability to sniff any
traffic they wanted to see anyway. My advice in general is that if
some data is important enough to require authentication then you
probably need SSL to provide confidentiality. Of course it would be
great if you could apply NTLM/Kerb encryption to HTTP traffic, but
we'll have to wait until 2020 for that to happen I guess.

There's a baseline assumption inherent in the original question that
there was not a concern about loss of confidential data because
someone has a sniffer on the wire. My point was that if that's not
your concern, then you don't need to be concerned that enabling
authentication will somehow result in the exposure of credentials.
This would be a much greater threat than simply exposing some data.
And of course we are assuming that Basic authentication is not being
used.

Dave

I'm sorry, but I don't understand your point. If you can sniff an
authenticated but non-encrypted HTTP transaction then you can also
modify that conversation in any way that you like. So if you are
sniffing traffic between an application and the client that allows the
withdrawal of money from a bank account then there is nothing that
prevents a sniffer from changing $10 to $10,000,000 or the bank
account number from 12 to 13. You don't need to execute a MITM attack
to do this. I believe my assertion is still valid that doing the MITM
attack that you describe doesn't get you very far. It does *not* get
you access to the client's credentials (either hash or cleartext
password) which is what the original question was about. It might
allow you to do bad things in the context of a particular application,
but most - if not all - of those things you can do if you have the
ability to intercept and modify network traffic anyway.
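The two positions in this thread are both visible in a small model of the challenge/response exchange. This is an added illustration, not code from either poster and not NTLM's real cryptography (real NTLM derives DES or HMAC-MD5 responses from an MD4 hash; here the hash keys an HMAC-SHA256 over the nonce so the structure is readable). The user name, password and certificate fingerprints are constructed, and the channel-binding variant is a simplified stand-in for Extended Protection for Authentication.

```python
import hashlib
import hmac
import os

# Constructed credential store; the stored value stands in for the NT hash.
def pw_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()

USERS = {"dave": pw_hash("correct horse battery staple")}   # constructed

def response(secret: bytes, challenge: bytes, binding: bytes = b"") -> bytes:
    # The client proves possession of the hash without sending it: the hash
    # keys a MAC over the server's nonce (plus an optional channel binding).
    return hmac.new(secret, challenge + binding, hashlib.sha256).digest()

def server_verify(user: str, challenge: bytes, resp: bytes, binding: bytes = b"") -> bool:
    expected = response(USERS[user], challenge, binding)
    return hmac.compare_digest(expected, resp)

def login(client_binding: bytes = b"", server_binding: bytes = b""):
    """One exchange; returns (accepted, bytes that crossed the wire)."""
    challenge = os.urandom(8)                            # server nonce
    resp = response(USERS["dave"], challenge, client_binding)
    wire = challenge + resp                              # all a sniffer sees
    return server_verify("dave", challenge, resp, server_binding), wire

def hash_visible_on_wire() -> bool:
    # Dave's point: intercepting the exchange yields nonce + MAC, never the hash.
    _, wire = login()
    return USERS["dave"] in wire

def relay_accepted() -> bool:
    # Ken's point: an intermediary that forwards the genuine server's nonce to
    # the genuine client and the client's answer back is indistinguishable
    # from a direct login, so the server accepts it. No brute force involved.
    accepted, _ = login()
    return accepted

def relay_accepted_with_channel_binding() -> bool:
    # Mitigation: each side mixes in a fingerprint of the TLS channel it is
    # actually on. When an intermediary terminates TLS, the client's and the
    # server's fingerprints differ, so the forwarded answer fails to verify.
    client_sees = hashlib.sha256(b"intermediary-cert").digest()   # constructed
    server_has = hashlib.sha256(b"real-server-cert").digest()     # constructed
    accepted, _ = login(client_binding=client_sees, server_binding=server_has)
    return accepted
```

The model supports both posters: the hash itself never crosses the wire, yet a relayed exchange is accepted unless the response is bound to the channel, which is why the thread's "use SSL" advice only closes the gap when the TLS endpoint is the real server.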
