Slashdot Mirror
WikiLeaks Reveals A CIA LAN-Attacking Tool From 'Vault 7' (betanews.com)
An anonymous reader quotes BetaNews:
WikiLeaks continues to release revealing documents from its Vault 7 cache. This time around the organization introduces us to a CIA tool called Archimedes -- previously known as Fulcrum. As before, there is little to confirm whether or not the tool is still in active use -- or, indeed, if it has actually ever been used -- but the documentation shows how it can be installed on a LAN to perform a man-in-the-middle attack.
The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."
HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."
The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target's computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target's web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."
HotHardware notes that WikiLeaks "also provided the full documentation for Fulcrum, which goes into much greater detail about how the man-in-the-middle operation is conducted" -- including this instruction in the guide's "Management" section. "If you are reading this then you have successfully delivered the Fulcrum packages and provided the binaries with code execution. Hoorah! At this stage, there is not much to do other than sit back and wait."
W00h00, they reinvented ettercap: /192.168.111.1/ /192.168.111.2/
# ettercap -i eth0 -T -M arp
You put far too much faith in HTTPS.
The default settings of SSL/TLS libraries on most operating systems make man-in-the-middle attacks trivial. When an SSL/TLS session is negotiated only the following things are validated:
So, why would I say that the host name check is a useless check with 0% value? Because TLS has been neutered since SNI was introduced (RFC 3546 Transport Layer Security Extensions # Server Name Indication). Before then SSL/TLS was "reasonably secure" but since then it is virtually worthless. Under SNI the connecting client tells the origin server which host name it is connecting to and, thanks to that gaping hole, the origin server (or any man-in-the-middle appliance) has enough information to either generate a fake certificate or pull one out of its cache.