Attack Methods | How does an attacker exploit this vulnerability using a tool such as dsniff? The attacker will use webmitm and sshmitm tools from the dsniff package for attacking HTTPS or SSH. |
Attackers position themselves between two systems and actively participate in the connection to gather data. The attacker may also run the dnsspoof program configured to send false DNS information so that a DNS query for a given website will resolve to the attacker's IP address. Then the attacker will activate webmitm program such that it will transparently proxy all HTTP and HTTPS traffic it receives.
The DNS spoof program detects DNS request for www.website.com and redirects the client to attacker's machine. The ARP table convinces the victim's machine that it is indeed talking to the intended web server. The victim's browser starts to establish a secure connection.
All messages for establishing SSL connection are sent to webmitm running on the attacker's machine. webmitm acts as a SSL proxy, establishing two SSL connections - one from victim to the attacker's machine and the other from attacker's machine to the actual web server. When establishing the SSL session between the victim machine and the attacker machine, webmitm will send the attacker's own certificate.
The victim's browser will notice that the certificate is not signed by a trusted Certificate Authority and show a message to the user asking the user whether to accept this un-trusted certificate or not. The normal tendency is to accept it, thinking it is some error message.
No comments:
Post a Comment