Domain: oxid.it
Stories and comments across the archive that link to oxid.it.
Comments · 18
-
Re:Isn't this old news?
The token generation algorithm uses essentially two parameters: the key fob serial number and a token activation key; each of them are usually provided by the vendor in *.XML files.
From here.
Basically, they also need the seed, which is the problem being tackled here.
-
The real threat is in sniffing mobile 3G data
I work for a web design Brisbane company called Kintek. Interesting, however it still uses WinPcap, which means it's actually sniffing the LAN packets or ARP poisoning to see other users' insecure data, correct? Most websites don't re-direct you to https before asking you to log in, which basically means your login details are sent insecurely over the LAN before they get to the internet.
There's a cool tool which lets you see all this already called Cain and Abel: http://www.oxid.it/cain.html
Using ARP poisoning you can actually man in the middle anyone on a LAN unless they use https or anti ARP poisoning tools.
The real security threat will probably come down to sniffing mobile phone 3G data. And I wonder what's possible in that realm. If you can send it you can receive it, and I doubt it's encrypted well enough to prevent reading, especially when the Police want the ability to pick messages out of the air à la The Wire.
:)
-
Wire Shark
Disabling Error Reporting helps. Firing up Wireshark shows up huge results checking in to Microsoft: http://www.wireshark.org/ (formerly known as Ethereal). I have no need to tell Nix users about Snort and Acid (http://www.snort.org/) or how Microsoft has an epileptic fit if you run Cain and Abel (http://www.oxid.it/). Most hackers are not 31337 but idiots. My old friends at the old place pulltheplug, but now http://www.overthewire.org/, had root in less than 1 minute in a memorable war game. I really do not know what to say apart from do your own research; it is your own responsibility to protect yourself online, but sadly some people are just not that smart. Be brave /.ers. I am not a hacker from Cult of the Cow.... Meow! :)
-
Re:Slashvertisment if EVER I saw one.
Or even Cain
-
Re:Better to disconnect
Then why did he say:
It may also look suspicious to sysadmins that you keep sessions alive for so long.
Is it possible for a Windows admin to poke around your desktop, remotely, without your knowledge?
Of course, the answer is yes.
Also, if you yourself use the Remote Desktop protocol, in some scenarios it is not as secure as SSH.
Remote Desktop connections are encrypted, of course, but there are two problems:
- In the default configuration, the RSA private key used to sign the terminal server public key used is hard coded into a DLL, and well-known.
- Most people don't know or don't bother to configure RDP properly for TLS security
- The Windows password is trivially intercepted as it is being typed
In other words, if you use RDP, and have not gone to substantial lengths to secure against MiTM attack, then if you yourself use RDP, it will be much less secure than the typical SSH setup (where each server has its own host key, and the client has memorized or been populated with the correct ones).
-
Open Source Competitors
When the submitter referenced "open source alternatives that go by similar names", he was referring to ophcrack. Similar features are also available from Cain and Abel, and John the Ripper.
I maintain a list of top password crackers and sniffers as part of my SecTools.Org site.
While the submitter is correct that they have much more competition now, I still wish to congratulate the former L0pht guys on the new release!
-
Because MITM tools are easy to get
I think what you are missing here is the fact that man-in-the-middle tools are easy to obtain and use, for example: http://www.oxid.it/
Because of this, unauthenticated certificates are utterly worthless as a security measure.
It's like you're asking "Why doesn't Mozilla support ROT13 as a stream cipher? I mean, surely ROT13 is safer than no encryption at all, right? Do they have some corrupt deal with the AES guys?"
Now, I agree there is a place for self-signed certificates. However, the correct approach is to create your own certificate authority, and add it to your browser's trust store.
-
Re:Always.
http://www.oxid.it/cain.html
This makes MITM so easy anyone can do it. They don't even have to be your upstream provider - they just have to be sharing the same wireless connection, or be on the same wired network. No, a switch won't help, because it can use ARP poisoning to become your gateway to the Internet.
So yes, eliminating just one attack vector does improve security significantly if it is an easy to exploit vector.
As a point of interest, I was once in a CEH (Certified Ethical Hacker) class for work and fired this baby up. An entire classroom full of "security experts" of various levels of skill. Even though a few noticed that the CA signed certs for their favorite sites were now popping up a browser warning ("hey, why is this popping up?"), to a one, they all accepted the new cert anyway and checked their email/bank account/Paypal.
So, while it's good to eliminate one potential avenue of exploit, the larger avenue remains one of proper education, even for "experts".
-
Re:Securing against Cain and Abel
Script kiddies already have access to Cain and Abel. It's a very widely available tool. Here it is.
-
How about Cain & Abel?
I wonder if this will make Cain & Abel illegal in Germany...? This software is an extremely useful "multi-tool" for any network/server administrator, and I've been using it for years to recover lost passwords, evaluate security, etc. but I imagine it is used constantly to assist with people's [sic?] questionable hacking activities.
Of course, being in Canada, these blanket-like laws won't have any jurisdiction here, but I still wonder about what kind of effect this is going to have on sysadmins in Germany. Pretty messed up. We've all heard the horror stories of technically-challenged judges not understanding the key concepts behind potentially grey-area situations (using someone's open WiFi network, for example).
-
Cain and Abel
http://www.oxid.it/cain.html
Here's what we used in Security Class. Creates a ton of network traffic, but very good at tracking down every password on a network.
-
Cain-n-Able
Download an easy to use packet analyzer like Cain-n-Able and go to a place with wireless access and connect to the AP. Hotels are the best if you are staying there, but there is no reason you can't just sit in the parking lot. Let CnA run for any amount of time and look at how many email, web page, news or whatever passwords you receive. Then realize that someone could be doing this to you!
-
getting biblical on the neighbours
When my neighbour mooched my wireless I had a little fun with Cain & Abel. I got some good recipes from their private documents. Romano cheese really is better than parmesan on spaghetti!
You can have a lot of phun with this all-in-one cracker suite. Hell, if my neighbours had a MS-SQL server or Cisco switch I could have 0wned those too!
-
Re:Encryption?
I recently tried to find software tools to record my own VOIP calls. I found Cain & Abel: http://www.oxid.it./ It is a freeware product that provides a lot of network monitoring function. The site claims that "there are no illegal applications here!". I'm not a lawyer, so that might be correct. I naively installed the software thinking it would allow me to monitor my own traffic. It did so... and much more. I was shocked at all the login passwords and network traffic that it easily processed and made available for me to investigate. Like VOIP packets were stuck together and available to listen to with a single click. I use a cable provider for Internet access and I saw hundreds of machines that it started to monitor for me. Not only did I find many of my own passwords pop up in plain text, but I believe I saw many others. I don't advise you to install this software, unless you really know what the implications are. I don't... I removed it! But I was definitely shocked and awed.
Note the NSA apparently uses it: http://www.washingtonpost.com/wp-srv/photo/postphotos/orb/asection/2006-01-27/4.htm. However, I cannot verify the authenticity of this photo.
My advice: don't install Cain & Abel. It probably does way more than you're looking for and doesn't cost anything.
-
willing and abel
I'm going to assume you used abel as a tongue in cheek reference to cain and abel, right? RIGHT??
-
Re:this reminds me...
and this wonderful little program called cain does this wonderful little thing called arp poisoning, and it can even hijack HTTPS traffic with no issues at all.
One huge issue: The person you're sniffing gets a warning that the site certificate's authenticity could not be verified. Unless they are very stupid, this is usually a big red flag.
From the Cain FAQ:
Q: When I use HTTPS sniffer the client's browser popups a dialog telling him that the certificate comes from an untrusted certification authority, why ?
A: Because that server certificate is not the real one signed by a Trusted Root Certification Authority. It has been generated, self signed and injected by Cain to the client's browser.
-
Re:Absolutely hysterical
"Make sure that the Web site uses Secure Sockets Layer/Transport Layer Security (SSL/TLS) and check the name of the server before you type any sensitive information. [....] By checking the name on the digital certificate user for SSL/TLS, you can verify the name of the server that provides the page that you are viewing. [...] double-click the lock icon, and then check the name that appears next to Issued to. If the Web site does not use SSL/TLS, do not send any personal or sensitive information to the site. If the name that appears next to Issued to is different from the name of the site that you thought provides the page that you are viewing, close the browser to leave the site"
What they are not addressing is the "man in the middle" spoofs that are able to intercept SSL traffic. Most users would click through the "warnings" that the browsers give. Don't believe me? Look at what the latest version of Cain can do.
-
Incorrect Information In The Article
The article makes a statement that I think is untrue:
While an attacker would need administrator rights to a system to grab the file that contains the password hashes, the file is still valuable, said David Dittrich, a senior security researcher at University of Washington.
Using a tool like Cain & Abel, it is possible to get access to this information without having administrative rights.
You can also dump the hashes using Cain & Abel's password cracking tool. It is really quite trivial to do.
By the way, you can easily acquire the passwords of the last five users who logged into an NT system. They are stored in LSA "secrets", an area of memory which is easy to dump. Cain & Abel does this for you.
Have fun.