
"sniffing"

Posted: Mon Mar 20, 2006 1:06 am
by s.dot
How worried should I be about what I read as "network sniffing" to gather passwords that are POSTed in plain text?

Posted: Mon Mar 20, 2006 1:20 am
by feyd
I'd think that'd swing off of how dangerous the sniffed password could be.. but generally, you should be fairly paranoid.

Posted: Mon Mar 20, 2006 1:29 am
by s.dot
So I guess I need to read that challenge/response topic :P

Re: "sniffing"

Posted: Mon Mar 20, 2006 5:21 am
by Roja
scrotaye wrote: How worried should I be about what I read as "network sniffing" to gather passwords that are POSTed in plain text?
Let's list common situations in which sniffing can occur with minimal effort:

- Using the internet over wireless (Starbucks, Airport, Colleges, etc)
- Using the internet at work
- Using the internet from a cable modem or DSL (depending on their setup)

All three can be (and often are) a shared network configuration, making sniffing trivially easy. Then there are all the configurations that with minor effort can allow an attacker to do the same, making it a really large scope.

When you tie all of that together with the *huge* number of botnets that are active today, and the number of people that use the same password across multiple websites (including their bank!!!), and it's a recipe for disaster.

Posted: Mon Mar 20, 2006 6:03 am
by timvw
If you have a test lab where you can sniff your own data (don't try this on a public network because it's probably illegal) you could simply install something like tcpdump/windump and filter http-post messages that include password and username.. You'd be surprised how easy it is ;)

Posted: Mon Mar 20, 2006 7:32 am
by Maugrim_The_Reaper
Nothing like opening a dumped file with a few hours' worth of network traffic...;) It's not only possible, but ludicrously easy once you see it done. SSL is the obvious solution but C/R can offer a non-SSL weak alternative in certain cases. Just bear in mind it's not an SSL replacement for anything.
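
The challenge/response (C/R) idea mentioned in the last post, as an added example that is not part of the original thread: it compares what a plain-text login POST and a C/R login POST carry on the wire, and shows that a captured C/R body cannot be replayed. The `Server` class, the function names, the PBKDF2/HMAC-SHA256 construction and the sample credentials are all assumptions made for illustration.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode, parse_qs

def derive_key(password, salt):
    # Password-equivalent verifier: whoever steals it can answer challenges.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)

def respond(key, nonce):
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()

class Server:
    """Hypothetical login backend: stores verifiers, issues one-time nonces."""
    def __init__(self):
        self.verifiers, self.pending = {}, {}  # user -> (salt, key); user -> open nonce

    def register(self, user, password):
        salt = secrets.token_hex(16)
        self.verifiers[user] = (salt, derive_key(password, salt))

    def challenge(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.verifiers[user][0], self.pending[user]

    def verify(self, body):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        nonce = self.pending.pop(form.get("user"), None)  # consumed: one try per nonce
        if nonce is None:
            return False
        expected = respond(self.verifiers[form["user"]][1], nonce)
        return hmac.compare_digest(expected.encode(), form.get("response", "").encode())

def client_login_body(user, password, salt, nonce):
    return urlencode({"user": user, "response": respond(derive_key(password, salt), nonce)})

def demo():
    user, password = "alice", "constructed-sample-pw"  # constructed sample values
    server = Server()
    server.register(user, password)
    plain_body = urlencode({"user": user, "password": password})  # plain-text POST
    salt, nonce = server.challenge(user)
    cr_body = client_login_body(user, password, salt, nonce)
    return {
        "password_in_plain_post": password in plain_body,
        "password_in_cr_post": password in cr_body,
        "first_submit": server.verify(cr_body),
        "replayed_capture": server.verify(cr_body),  # same bytes, nonce already used
    }

if __name__ == "__main__":
    print(demo())
```

The salt, nonce and response still cross the network in the clear, so a weak password remains open to offline guessing, and nothing here authenticates the server or protects the rest of the session. That is why C/R is only a weak alternative and not a replacement for SSL.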