Bindi,

In a switched network, it has to be, as each switch port is its own broadcast domain, so unless a machine is a gateway, it won't see any packets that are not broadcasts or sent directly to it (I'm assuming that this network is not using a hub, hehe). And "mimic the gateway", as you put it, is what arpspoof does. It just switches the real gateway's MAC address with its own in the ARP table, so traffic supposed to go to the gateway now goes to it.

And this link from VeriSign gives a good overview of how SSL works: http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/ and the "read more" section has more in-depth documentation, so the SSL class is covered.

So far I have given proof via links (like an HTTP server dev team points out HTTP RFC clauses to prove what they have built is a valid HTTP server) that what I'm saying is not just my opinion, but proven concepts. Those links are old, yes (with one being almost a year old, and one not working on a newer kernel than the one it was tested on), but in 2000 one could reduce or increase the download rate of a file by manipulating the TCP window size of that stream, and in 2010 it still works. Unless the vulnerability a hack tool works by is removed, the tool will still work, no matter how old it is.
If you have links showing us how to stop them, it would benefit many of us if you posted them here.



On Sat, Dec 18, 2010 at 1:49 PM, Wilson Bandi <bandson67@gmail.com> wrote:
Makobu,

Your machine doesn't have to be a gateway to sniff (the above links are outdated methods for the current security infrastructures, or let's just say easy targets which require the hacker to have a lot of info about the network and can be mostly achieved by a network admin, but for now we are assuming it's an intruder); you just need to mimic a gateway, and this has a con: it has to be done for a specific machine/target at any instance.

I also don't want to give a class on the SSL architecture and where the security level begins or how it operates or how the tools get around it but... as I said, let the victim spend 98 percent to fix network security issues and the two percent to avoid phishing sites.

If I get time I will do a blog on this, so if interested remind me after 2 weeks.


Regards,

W.






On Sat, Dec 18, 2010 at 3:03 AM, Makobu <makobu.mwambiriro@gmail.com> wrote:
Apart from this tool, http://www.thoughtcrime.org/software/sslsniff/ , which requires that the sniffer machine be the gateway for the target machine (making it the gateway for every other machine in the subnet), there's not much else out there that can see inside an SSL tunnel; SSL is pretty secure, especially 128-bit like Google uses. And with exploits like these http://ezopjr654.pastebin.com/raw.php?i=CfTETnk3 pretty much anybody can become root and do the rest.
And looking at the cookies from Google on my machine, they are all either domains, URLs, numbers or gibberish, so probably cookie stealing isn't getting the cracker the password either.
Apart from this and injecting a .so into the Firefox process (or whatever) to sit juuust before the SSL layer and log all input, what other tools/techniques did you have in mind for seeing inside an SSL tunnel?



On Sat, Dec 18, 2010 at 1:06 AM, Wilson Bandi <bandson67@gmail.com> wrote:
If I want to sniff your Gmail password, in fact with username, the tools/techniques available are beyond HTTPS control... keylogging and phishing should be disqualified for this type of attack, and the victim should concentrate on the network security rather than the machine, because after all it's also a Linux machine which has pre-security measures in place.

As I said earlier, this attack can be achieved even from a distance, depending on how carelessly the network has been installed and the amount of information the hacker has acquired about it.

On the other hand, having the target be only one account also raises questions... meaning the victim is well known by the attacker.

Taking a step backward... I believe all of us know how a form passes its input to a server for authentication. We all know that as much as all the processing is done on the server, we still send packets of information generated from the user through our browsers, and this includes the password and username, so what the sniffer does is to identify the string that is posted to the server through the network... and this is where the magic happens. More information about this can be found with CEH or Ninja tutorials, which I believe will give more light to the victim.

Regards,

Wilson.




On Sat, Dec 18, 2010 at 12:37 AM, Makobu <makobu.mwambiriro@gmail.com> wrote:
Being that logging in is all SSL, the most feasible way to steal the
password is on the machine ... Is there anything 'strange' in the
account's .bashrc (or equivalent)? On second thought, it's not that
hard to have a hidden process that just logs that particular user's
keystrokes ... so only log in to any of your accounts from a personal
device (phone, laptop); see if that helps.

On 12/17/10, Casper Odicoh <codicoh@gmail.com> wrote:
> IMMHO,
>
> It's a case of key-logging or bad security policy in the LAN which may
> be defeated by possibly:
>
> - Use a totally different network to change passwords
> - Give up on the www concept
> - Delete all known enemies
>
> EoE
>
> On 12/17/10, john maina <jonmaina8715@gmail.com> wrote:
>> Webmail accounts hacked via WLAN
>> <http://www.h-online.com/security/news/item/Webmail-accounts-hacked-via-WLAN-733402.html>
>> Also recommend you read about this and hope it helps:
>> Firefox extension steals Facebook, Twitter, etc. sessions
>> <http://www.h-online.com/open/news/item/Firefox-extension-steals-Facebook-Twitter-etc-sessions-1124596.html>
>> and
>> Firesheep cookie-jacking tool triggers arms race
>> <http://www.h-online.com/security/news/item/Firesheep-cookie-jacking-tool-triggers-arms-race-1132915.html>
>>
>> On Fri, Dec 17, 2010 at 2:57 PM, Dennis Kioko <dmbuvi@gmail.com> wrote:
>>
>>> The issue may also be that her Yahoo account is compromised, hence the
>>> hacker also sees the changes in the password. Also ask her to use a
>>> unique password not used on any other service on the internet.
>>>
>>> If she is on an unsecured wireless network, she may be a victim of
>>> Firesheep
>>> (http://www.h-online.com/open/news/item/Firefox-extension-steals-Facebook-Twitter-etc-sessions-1124596.html),
>>> which can be detected with Blacksheep
>>> (http://www.h-online.com/security/news/item/Firesheep-cookie-jacking-tool-triggers-arms-race-1132915.html)
>>>
>>> _______________________________________________
>>> Skunkworks mailing list
>>> Skunkworks@lists.my.co.ke
>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>> ------------
>>> Skunkworks Rules
>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>> ------------
>>> Other services @ http://my.co.ke
>>>
>>
>>
>>
>> --
>> I don't mind the rat race but I could do with a little more cheese.
>> +254-727-427-836
>>
>
> --
> Sent from my mobile device
>

--
Sent from my mobile device
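The top of this thread explains that arpspoof works by swapping the real gateway's MAC for the attacker's own in the victims' ARP tables. The following is an added example, not code from anyone in this thread: a passive detector run over a constructed list of observed ARP replies, flagging exactly that symptom (the gateway IP suddenly answered by a different MAC) plus the companion pattern of one MAC claiming several IPs. The gateway IP and all MAC addresses are made-up values.

```python
"""Detect gateway ARP spoofing from a stream of observed ARP replies.

Constructed example: the records below are made up to mimic what a passive
ARP monitor (e.g. a packet capture on a mirror port) would see on a switched
LAN when a host starts claiming the gateway's IP with its own MAC.
"""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) from ARP "is-at" replies.
# 192.168.1.1 is assumed to be the real gateway for this example.
ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.1", "00:11:22:33:44:99"),   # new MAC claims the gateway IP
    ("192.168.1.10", "00:11:22:33:44:99"),  # same MAC now also claims the victim
]


def detect_arp_spoof(replies, gateway_ip, trusted_gateway_mac=None):
    """Return a list of alert strings produced while replaying the replies.

    Two heuristics, applied per reply:
      1. an IP answered by a MAC other than the baseline one (first seen, or
         the operator-supplied trusted MAC for the gateway); gateway -> CRITICAL
      2. a single MAC claiming more than one IP, the pattern a man-in-the-middle
         produces when it poisons both ends of a conversation
    The baseline mapping is never overwritten, so a poisoned reply cannot
    silently become the new "known good" entry.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    if trusted_gateway_mac:
        ip_to_mac[gateway_ip] = trusted_gateway_mac.lower()
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{level}: {ip} changed from {known} to {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"WARNING: {mac} claims multiple IPs {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(ARP_REPLIES, "192.168.1.1"):
        print(line)
```

A static ARP entry for the gateway on each host, or the switch's dynamic ARP inspection feature, is the corresponding preventive control; this script only detects.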