ALPACA, a new Man-in-the-Middle attack against HTTPS

A group of researchers from several German universities recently published a new MITM attack technique against HTTPS. It allows an attacker to extract cookies carrying session IDs and other sensitive data, and to execute arbitrary JavaScript code in the context of another site.

The attack is called ALPACA and applies to TLS servers that implement different application-layer protocols (HTTPS, SFTP, SMTP, IMAP, POP3) but share the same TLS certificate.

The essence of the attack is that an attacker who controls a network gateway or a wireless access point can redirect traffic to a different network port, so that the connection is established not with the HTTP server but with an FTP or mail server that supports TLS encryption.

Because TLS is protocol-agnostic and not bound to any application-layer protocol, the encrypted connection is set up identically for all of these services. A request delivered to the wrong service can therefore only be detected after the encrypted session has been established, when the commands carried in the request are actually processed.

Accordingly, if a user's connection originally addressed to HTTPS is redirected to a mail server that uses the same certificate as the HTTPS server, the TLS connection will be established successfully, but the mail server will be unable to process the HTTP commands sent to it and will return a response with an error code. The browser will treat this response as coming from the requested site, since it arrives over a correctly established encrypted channel.

Three attack variants are proposed:

  1. "Upload" to capture a Cookie with authentication parameters: This method applies when the FTP server covered by the TLS certificate lets the attacker upload and later retrieve data. In this variant, the attacker can get parts of the user's original HTTP request stored, such as the contents of the Cookie header, for example when the FTP server interprets the request as a file to be saved or logs incoming requests in full. For the attack to succeed, the attacker then needs some way to retrieve the stored contents. The attack works against Proftpd, Microsoft IIS, vsftpd, filezilla and serv-u.
  2. "Download" for cross-site scripting (XSS): This method assumes that the attacker, through some separate means, can place data on a service that uses the shared TLS certificate, and that this data can later be returned in response to a request from the user. The attack works against all of the FTP servers listed above, as well as IMAP and POP3 servers (courier, cyrus, kerio-connect and zimbra).
  3. Reflection to run JavaScript in the context of another site: This method relies on the server echoing back to the client part of the request, which contains JavaScript code supplied by the attacker. The attack works against all of the FTP servers listed above, the cyrus, kerio-connect and zimbra IMAP servers, and the sendmail SMTP server.

For example, when a user opens a page controlled by the attacker, that page can trigger a request for a resource on a site where the user has an active account. In a MITM position, the attacker can redirect this request for the website to a mail server that shares the site's TLS certificate.

Since the mail server does not terminate the session after the first error, the HTTP headers and commands are simply processed as unknown commands.

The mail server does not understand the details of the HTTP protocol, so the HTTP headers and the data block of a POST request are handled the same way. This means that a line containing commands for the mail server can be placed in the body of the POST request.
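The countermeasure that follows from this is to bind the TLS handshake to the intended service: a server should refuse to complete the handshake unless the client names this host in SNI and offers this service's protocol in ALPN, so a browser connection redirected from HTTPS is dropped before any request is processed. The Go snippet below is an added example, not code from the ALPACA researchers or from any server mentioned above; the host name www.example.com, the throwaway self-signed certificate and the ALPN identifier passed in are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway certificate for host: constructed test material
// standing in for the certificate a site shares between its HTTPS and mail/FTP services.
func selfSignedCert(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, err }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// strictServerConfig completes the handshake only if the ClientHello names host in SNI
// and offers alpn (the protocol this service speaks, e.g. "http/1.1") in ALPN. A browser
// connection redirected to the wrong service is refused before any application data flows.
func strictServerConfig(cert tls.Certificate, host, alpn string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{alpn},
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			if hi.ServerName != host {
				return nil, fmt.Errorf("strict SNI: got %q, want %q", hi.ServerName, host)
			}
			for _, p := range hi.SupportedProtos {
				if p == alpn {
					return nil, nil // keep the base config; handshake proceeds
				}
			}
			// Rejects both "no ALPN at all" and "only other protocols offered".
			return nil, fmt.Errorf("strict ALPN: client offered %v, want %q", hi.SupportedProtos, alpn)
		},
	}
}
```

The same function serves the mail or FTP side of a shared certificate by passing that service's ALPN identifier instead of "http/1.1".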

Source: https://alpaca-attack.com/
