Challenge Response Tutorial
Posted: Thu Mar 02, 2006 11:59 am
by AGISB
I rethought my concerns against the javascript as it really does no harm to use it. So I worked it into my login system and I think I might have caught a little hole in it.
At the end, when the user is authenticated or denied, the challenge_response is not deleted from the database. This might give an attacker a 5 minute window to use the response again if he listens to the traffic, and that's what we are presuming to use it for in the first place.
I think that was just forgotten in the tutorial but it might be a good idea to add it.
Posted: Thu Mar 02, 2006 1:38 pm
by neophyte
Stupid question:
Just how does someone 'listen' in anyway?
How often does it happen?
How hard is it to do?
Posted: Thu Mar 02, 2006 2:12 pm
by josh
The easiest way to listen in would be a packet sniffer. Using ARP poisoning, an attacker can route all traffic behind his node on a network through him (called a middle man attack) and log all traffic. Obviously the risk is greater on a wireless network because no ARP poisoning is needed. Just FYI, someone could "feasibly" listen in on a level all the way up to the ISP, but it'd be damn near impossible unless they had access to the physical switches at the ISP.
Posted: Thu Mar 02, 2006 2:44 pm
by Roja
neophyte wrote: Just how does someone 'listen' in anyway?
Find a *nix box with a connection between the server, and the target. Get a shell on that box. Then:
# tcpdump -i eth0
(Or whichever interface you need to listen to).
That's it. Unfiltered, raw text will spew upon the screen, including packets containing passwords, usernames, and more.
Of course, that is the "Matrix" view, which isn't at all simple to parse. There are about a hundred different apps that can do that for you, turning it from packet stew to a sexy gui allowing you to watch the progress of a session.
neophyte wrote: How often does it happen?
Extremely often.
neophyte wrote: How hard is it to do?
Depends on the knowledge of the attacker. Considering that you can buy 1,000 machine botnets for $20 online these days, each of which can be a listening post... not hard.
Posted: Thu Mar 02, 2006 2:45 pm
by neophyte
Thanks jshpro, I did some reading about ARP and I have a little better understanding of how this sort of thing happens. Every day is an education.
Posted: Thu Mar 02, 2006 2:59 pm
by neophyte
Roja, thanks for the post. Now I understand even better than before exactly what to do to protect myself and how easy it is for someone to obtain access to clear text transmissions.
Posted: Fri Mar 03, 2006 5:25 am
by Maugrim_The_Reaper
I checked the tutorial and, surprise, surprise, you're quite right. Each check should allow only a single usage of the challenge. Essentially it must delete the challenge the moment it is used, as a precaution against any potential misuse.
And they say peer review is worthless...oh the fools
I have amended the tutorial php code to delete the challenge after it is fetched from the database. Thanks for letting me know!
Posted: Fri Mar 03, 2006 5:29 am
by matthijs
And they say peer review is worthless...oh the fools
Indeed. I think this is the strength of these forums. It's great to see so much collaborative effort and what it results in. Thanks all of you. I'll check out the amended code now.
Posted: Fri Mar 03, 2006 6:12 am
by Maugrim_The_Reaper
Made a few updated comments and organised the workflow better in the tutorial. The changes ensure the challenge is deleted from the database after it is pulled into the PHP script as is supposed to happen.
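The single-use rule agreed on in this thread (fetch the challenge and delete it in the same step, so a sniffed response cannot be replayed inside the expiry window), written out as an added example that is not the tutorial's own PHP code. It assumes a SQLite table per user, SHA-256 over challenge plus stored password hash as the client-side response, and a 5 minute lifetime; those details are assumptions, not taken from the tutorial.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

CHALLENGE_TTL = 300  # seconds; the 5-minute window mentioned in the thread

def open_db():
    # autocommit mode, so the fetch-and-delete below can be one explicit transaction
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    db.execute("CREATE TABLE challenges (username TEXT PRIMARY KEY, challenge TEXT, issued INTEGER)")
    return db

def make_pwhash(password):
    # assumed scheme: server stores a hash, the JS client hashes the typed password the same way
    return hashlib.sha256(password.encode()).hexdigest()

def add_user(db, username, password):
    db.execute("INSERT INTO users VALUES (?, ?)", (username, make_pwhash(password)))

def issue_challenge(db, username, now=None):
    now = int(time.time()) if now is None else now
    challenge = secrets.token_hex(16)  # fresh random nonce per login attempt
    # one outstanding challenge per user; a new one replaces any older one
    db.execute("INSERT OR REPLACE INTO challenges VALUES (?, ?, ?)", (username, challenge, now))
    return challenge

def client_response(pwhash, challenge):
    # assumed client-side computation: SHA-256 over challenge || password hash
    return hashlib.sha256((challenge + pwhash).encode()).hexdigest()

def consume_challenge(db, username, now):
    """Fetch and delete in one transaction, so a challenge can be checked at most once."""
    db.execute("BEGIN IMMEDIATE")
    row = db.execute("SELECT challenge, issued FROM challenges WHERE username = ?", (username,)).fetchone()
    db.execute("DELETE FROM challenges WHERE username = ?", (username,))
    db.execute("COMMIT")
    if row is None or now - row[1] > CHALLENGE_TTL:
        return None  # missing, already used, or expired
    return row[0]

def verify_login(db, username, response, now=None):
    now = int(time.time()) if now is None else now
    challenge = consume_challenge(db, username, now)  # gone from the DB from here on, pass or fail
    user = db.execute("SELECT pwhash FROM users WHERE username = ?", (username,)).fetchone()
    if challenge is None or user is None:
        return False
    return hmac.compare_digest(client_response(user[0], challenge), response)
```

Because the delete happens before the comparison, a replayed response, a response to an older challenge, and an expired challenge all fail, and a failed attempt also burns the challenge rather than leaving it for a second try.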