Admins eHow SysAdmin Tips & Tricks

September 14, 2011

An analysis of recent security breach to DigiNotar and Man-In-The-Middle attack to Iranian users

Filed under: General,Security — Tags: , , , , , , , — admin @ 9:23 am

As I have received several requests from Iranian readers of my blog, I have done some analysis on recent DigiNotar security breach and MITM attack to Iranian users.
This analysis is based on Fox-IT interim report of breach. You can download the complete report in PDF Format from the following link :
http://www.adminsehow.com/wp-content/uploads/2011/09/rapport-fox-it-operation-black-tulip-v1-0.pdf

What is MITM attack and how to prevent it ?
MITM stands for Man-In-The-Middle. it simply means someone stands between you and destination and intercepts or modifies your communication. it is quite easy when communication is not encrypted.
SSL protocol is originally invented to address this issue. The idea is that a trusted Authority (CA) authenticates the identity of destination and by using some cryptography protocols your connection to authentic destination becomes encrypted and impossible to intercept or modify.
It has been shown that the cryptography methods like AES or RC4 which are employed to encrypt the data are quite effective and very hard to crack. so the easier solution is to attack the base of trust model, the trusted authorities (CA). In this kind of attacks, hackers break into CA systems and forge valid certificates for themselves so they can impersonate themselves as authentic destinations and intercept the data. this kind of attack is used in both recent incidents, Commodo and DigiNotar.
Although the protocol is almost safe itself, unfortunately many of these CAs are vulnerable themselves making the whole process vulnerable.
The FOX-IT report indicates the DigiNotar systems were using Windows (Which is vulnerable in nature) and passwords has been crackable through brute-force attack. (More on this later)

To understand it better, I have created a diagram of recent MITM attack to Iranian users with the goal of intercepting communications between them and Google. the attackers have been able to gain access to Google accounts of users through this attack :

This diagram is self-explanatory. The attacker in middle impersonates itself as Google and establishes a secure connection to the user which is signed by DigiNotar CA. Although the connection is still secure, but users have a secure connection to the attacker, not real Google. so attacker has access to all information sent by user, including username, passwords, cookies and etc.
(more…)

March 31, 2010

Check e-mail on a pop3 server using telnet

Filed under: General — Tags: , , , , , , , , , — admin @ 9:44 am

These steps show how to check your e-mail on a pop3 server using a telnet client.

Telnet to the pop3 server.

telnet pop3.somedomain.com 110

You should recieve a reply to this effect.

Trying A.B.C.D...
Connected to pop3.somedomain.com.
Escape character is '^]'.
+OK (rwcrpxc13) POP3 server

if you want to connect to a pop3 SSL server use the following command on a linux shell :

openssl s_client -connect FQDN:PORT

for instance for gmail it is :

openssl s_client -connect pop.gmail.com:995

You will get a response like this :

CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDWjCCAsOgAwIBAgIKYgy3qQADAAAJ5zANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0wOTA3MTcxNzE2NTVaFw0xMDA3MTcxNzI2NTVa
MGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRYwFAYDVQQDEw1wb3Au
Z21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTHqjJfnRXdpmZ
4iP/WNCpvzX4N97bEZ3rvS4aDYey/DJetKZqp9DK1Ie4/C5j8M1aakwiTNA/eHS/
wNWVgQx8+HxproYKUeeYj3shYKEkHGfrRYBcyCxc7Gd6NSGaaYru3Z7nJ+STIPUJ
E1N35JAwcjjdITVI2O4LckAL4b7GkwIDAQABo4IBLDCCASgwHQYDVR0OBBYEFIln
0T5I8Mw6cqhtUS4pyMGYRxOTMB8GA1UdIwQYMBaAFL/AMOv1QxE+Z7qekfv8atrj
axIkMFsGA1UdHwRUMFIwUKBOoEyGSmh0dHA6Ly93d3cuZ3N0YXRpYy5jb20vR29v
Z2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkuY3Js
MGYGCCsGAQUFBwEBBFowWDBWBggrBgEFBQcwAoZKaHR0cDovL3d3dy5nc3RhdGlj
LmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhv
cml0eS5jcnQwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUAcgB2AGUAcjANBgkq
hkiG9w0BAQUFAAOBgQCEGIebkDpktdjtzMiTTmEiN7e4vc73hEI4K0jYKyY0Wn5N
dc44AXTfIWOzsikwb886PCUSevGs9rcw2/kaHdPaBSuGrzSCf8ODQqTC3odry3lo
PtZGr6nf/81F5UW71+bE1iWOQlJ5/olWOr2SlqYla1iOmosEctD/GyoFnDh+BA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1703 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: AF09D6024039D1F70D7A6518034EF3B2E1B949C15A71ED3D0E85BC89F7D4ADC2
    Session-ID-ctx:
    Master-Key: 58D4202B16256CA5715C45B2CDDDFDDC16ABCAEF2A0993D23F3817193AE3F4A4E5531EF13CA970BADD1F8EA273FD6871
    Key-Arg   : None
    Start Time: 1270025037
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from a.b.c.d q9pf826547gve.29

Enter your username for the pop3 e-mail account using the “user” command.

user username_here

You should recieve the following reply.

+OK

Enter your password for the pop3 e-mail account using the “pass” command.

pass password_here

You should recieve the following reply.

+OK Maildrop ready

Stat your mailbox using “stat” command.

stat

You will get response showing the number of messages on the server and total size of them.

+OK 2 9141

List the mail on the pop3 e-mail account using the “list” command.

list

You will see the list of messages on the server.

+OK scan listing follows
1 1489
2 7652
.

To see one of the messages issue the retrieve command “retr” and the message id.

retr 1

You will see the whole e-mail headers and all.

+OK 1489 octets
Return-path:
Received: from blah (blah.somedomain.net [a.b.c.d])
by blah2.somedomain.net
(iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003))
with ESMTP id <0HHF00C6KK6NXJ@blah2.somedomain.net> for
me@here.net; Wed, 02 Jul 2003 23:54:23 -0400 (EDT)
Date: Wed, 02 Jul 2003 23:52:59 -0400
From: Me
Subject: test
To: you@there.net
Reply-to: me@here.net
Message-id: <200307022352.59679.me@here.net>
Organization: Pantz.org
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Content-disposition: inline
User-Agent: KMail/1.5.1
Original-recipient: rfc822;me@here.net

test

If you would like to delete the message issue the dele command with the message id.

dele 1

You will then see a delete confirmation.

+OK message deleted

To finish issue the quit command.

quit

Response :

+OK
Connection closed by foreign host.

Powered by WordPress