2

I'm trying to research and patch a TLS renegotiation exploit which makes a website vulnerable to Man-in-the-Middle attacks. However, I don't understand how the attack occurs exactly and feel like a simple working example would help.

How does an attacker append data to a client's request? Why doesn't the server receive it as two requests? Do both the attacker and victim need to be on the same network for this to occur?

Can someone provide a bare-minimum working example that demonstrates a Man-in-the-Middle exploit? Wget, curl, scripts, whatever.

Thanks for your help.

2
  • How do you expect to patch for a MIM attack without knowing how one works? Commented Jun 21, 2011 at 19:38
  • 2
    You're exactly right, that is the entire purpose of my question. Commented Jun 21, 2011 at 19:40

2 Answers

2

Since you specified TLS renegotiation, I assume you are referring to CVE-2009-3555. Proof of Concept code was published by RedTeam Pentesting and is available from their site: http://www.redteam-pentesting.de/en/publications/tls-renegotiation/-tls-renegotiation-vulnerability-proof-of-concept-code

Additionally, there are YouTube videos demonstrating its use.

1
  • Correct about CVE-2009-3555. This is exactly what I was looking for, many thanks. Commented Jun 21, 2011 at 22:23
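The fix for CVE-2009-3555 is the renegotiation indication extension of RFC 5746, and the quickest way to see whether a server has it is the "Secure Renegotiation IS supported" line that `openssl s_client` prints after the handshake. The following is an added example (not part of the answer above or of the RedTeam code it links) that parses that output and classifies the server; the sample outputs are constructed, and the `check_server` helper is an assumption about how you would wire it to a live `openssl s_client` run.

```python
import re
import subprocess

# Constructed samples of the tail of `openssl s_client -connect host:443` output.
SAMPLE_OUTPUT_VULNERABLE = """\
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
"""

SAMPLE_OUTPUT_PATCHED = """\
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
"""

# TLS 1.3 removed renegotiation entirely, so OpenSSL reports "IS NOT supported"
# for a 1.3 session even though CVE-2009-3555 cannot apply to it.
SAMPLE_OUTPUT_TLS13 = """\
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
"""

_PROTO_RE = re.compile(r"^New, ([^,]+),", re.MULTILINE)
_RENEG_RE = re.compile(r"^Secure Renegotiation IS (NOT )?supported", re.MULTILINE)


def parse_protocol(s_client_output):
    """Return the negotiated protocol string from the 'New, ...' line, or None."""
    m = _PROTO_RE.search(s_client_output)
    return m.group(1) if m else None


def parse_secure_renegotiation(s_client_output):
    """True if the server advertised RFC 5746, False if not, None if the line is absent."""
    m = _RENEG_RE.search(s_client_output)
    if m is None:
        return None
    return m.group(1) is None


def assess(s_client_output):
    """Classify an s_client transcript as 'secure', 'insecure', 'not-applicable' or 'unknown'.

    A TLS 1.3 session is 'not-applicable': re-run with `-tls1_2` to see the
    posture a TLS 1.2 client would get, since that is where renegotiation lives.
    """
    if parse_protocol(s_client_output) == "TLSv1.3":
        return "not-applicable"
    supported = parse_secure_renegotiation(s_client_output)
    if supported is None:
        return "unknown"
    return "secure" if supported else "insecure"


def check_server(host, port=443, timeout=15):
    """Hypothetical live wrapper: runs openssl s_client (needs network) and classifies it."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout, check=False,
    )
    return assess(proc.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    for name, sample in [("vulnerable", SAMPLE_OUTPUT_VULNERABLE),
                         ("patched", SAMPLE_OUTPUT_PATCHED),
                         ("tls13", SAMPLE_OUTPUT_TLS13)]:
        print(f"{name}: {assess(sample)}")
```

"insecure" here means the server does not advertise RFC 5746, so a client cannot tell a legitimate renegotiation from one spliced in by a third party; the practical mitigations are upgrading the TLS library or disabling client-initiated renegotiation on the server.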
2

A Man in the Middle attack is just what it sounds like. A third party sits between the sender and receiver and manipulates the data before passing it on. For example, if Server A is sending a packet to Server B, the MitM client will receive the packet first, and using some clever filtering tools, will modify specific data within the packet, and then pass it on to Server B.

For example, as a prank for April Fools one day, we made rules to look for our co-worker's name, "John Doe", or "John" or "Doe" and we replaced it with "Rick Astley", "Rick", and "Astley". We then found the URL for his Facebook profile picture and wrote a rule that said when a packet appears with THIS address, replace it with THIS, which was the URL for a picture of Rick Astley. Every time he logged in to Facebook, it would display the Rick Astley picture instead of his and replace his name with Rick Astley's name. The only way we could do this was on our Gateway, because our Gateway can see everyone's Internet traffic (it won't work on a switched network without some trickery, like ARP poisoning).

At any rate, a really easy tool to use is called Ettercap. Just google for Ettercap tutorials and you can find some easy-to-follow examples.

2
  • I know what a man-in-the-middle attack is at a higher level, as I think most IT professionals and programmers do. It's the lack of working examples or demos to get a better low-level understanding that I find surprising. Thanks for the lead on Ettercap. Commented Jun 21, 2011 at 20:15
  • +1. Ettercap makes this so easy to do it borders on trivial. Commented Jun 21, 2011 at 21:24
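The answer above notes that on a switched network the interception needs ARP poisoning, i.e. the attacker's MAC answering for the gateway's IP. The symptom on a victim host is one MAC address mapped to several IPs in the neighbour table, or the gateway's MAC differing from what it was yesterday. The following is an added example, not from the answer or from Ettercap, that parses `ip neigh show` output and reports those two signals; the sample table is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` on a Linux host. The last entry has no
# lladdr (resolution failed) and is skipped by the parser.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.21 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.99 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.30 dev eth0  FAILED
"""

_LINE_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_ip_neigh(text):
    """Map IP -> lowercase MAC for every resolved entry in `ip neigh show` output."""
    entries = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            entries[m.group("ip")] = m.group("mac").lower()
    return entries


def macs_with_multiple_ips(entries):
    """Return {mac: [ips]} for MACs that claim more than one IP.

    This is a signal, not proof: a router with secondary addresses or a host
    with IP aliases legitimately shows the same MAC twice, so review the list.
    """
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_mismatch(entries, gateway_ip, expected_mac):
    """True if the gateway's MAC differs from a pinned, known-good value.

    Returns None when the gateway is not in the table at all.
    """
    seen = entries.get(gateway_ip)
    if seen is None:
        return None
    return seen != expected_mac.lower()


if __name__ == "__main__":
    table = parse_ip_neigh(SAMPLE_IP_NEIGH)
    print("shared MACs:", macs_with_multiple_ips(table))
    # The pinned gateway MAC would normally come from a config file or a
    # baseline capture taken on a trusted network; this one is constructed.
    print("gateway changed:", gateway_mac_mismatch(table, "192.168.1.1", "00:11:22:33:44:55"))
```

Running this periodically and alerting on a changed gateway MAC is a cheap host-side detection; the structural fix on the network side is switch features such as Dynamic ARP Inspection, or static ARP entries for the gateway on hosts that matter.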
