
Thread: Playing back wireless traffic

  1. #41
    Junior Member
    Join Date
    Mar 2007
    Posts
    5

    STFU

    Quote Originally Posted by marsbarz
    not mitm, not SSL problem, and not cookie replay......

    so what is it then....not not not, but what? you are saying that you can walk into any coffee shop (unencrypted) and gain the ability to send and receive out of any web mail account....this is definitely something new, if it's real.

    "Program" name please?
    Farmikolt : I asked you like two weeks ago for the name of this supposed Windows program. Are you insane or something. Either you are dragging this along because no Windows program exists or you are crazy........I don't think what you are saying could be, and I think that this is all just a waste of time. You cannot play back wireless traffic and gain send/receive mail access to these kinds of accounts (hotmail/yahoo/et al), no way, no how, not possible, end of story.

    EITHER PROVIDE THE NAME OF THE WINDOWS PROGRAM OR SHUT THE F UP ALREADY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  2. #42
    Junior Member
    Join Date
    Mar 2007
    Posts
    20

    dontstealmysecrets

    Quote Originally Posted by sandcraft
    You're NOT breaking SSL at all with that procedure, I can't stop lol'ing long enough to explain where the "fundamental" problem is here, and that too would result in some roflol'ing.

    The name of the Windows program is dontstealmysecrets, the website is http://www.dontsteal.net.

    I didn't post this earlier because it enables any Windows user (with a Backtrack CD and a compatible card) to take over any hotmail or yahoo mail account. I did not want to post the name of this program, because I consider it dangerous if not used for its intended purpose, but apparently one or more of you figured it out and have started threads elsewhere, and have named it there.

    I did not claim that this decrypts SSL, just that it appears to circumvent the authentication process, which occurs over SSL. I don't see why anyone should bother presenting the hash via SSL if the authentication can be circumvented this (apparently) easily, and I do continue to believe that there is a fundamental problem here.

  3. #43
    Junior Member
    Join Date
    Mar 2007
    Posts
    20

    nice

    Quote Originally Posted by marsbarz
    Farmikolt : I asked you like two weeks ago for the name of this supposed Windows program.........I don't think what you are saying could be, and I think that this is all just a waste of time. You cannot play back wireless traffic and gain send/receive mail access to these kinds of accounts (hotmail/yahoo/et al), no way, no how, not possible, end of story.

    EITHER PROVIDE THE NAME OF THE WINDOWS PROGRAM OR SHUT THE F UP ALREADY!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Very nice.

    Marsbarz:

    1) denial
    2) "product X does that already"
    3) "well, we could write that"
    4) acceptance

    You are currently at #1. I wonder how long it will take you to get to #4.

  4. #44
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Farmikol0t

    We do believe in "full disclosure" within reason. What you are referring to is a commercially available product, or rather, the "problem" that this product is supposed to solve.

    That, I would say is quite acceptable. The information is in the public domain, so if anyone is to blame for its misuse it is the people who put it there?

    You say:
    take over any hotmail or yahoo mail account

    Is this strictly true? I am making a distinction between accessing and using an account, and taking control............as in being able to change the password etc.?

  5. #45
    Junior Member
    Join Date
    Mar 2007
    Posts
    20

    nihil

    I have no idea. Given the extensive description previously provided, "take over" in this context means "take over the use of".

  6. #46
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm, just curious................I have a suspicion that you cannot take "full control"?

    If that is the case I think that the "explanation" might be fairly simple.......... if your e-mail provider doesn't close your session on exit it will stay there until they do?

    That would mean that the session cookie from the previous session would remain valid?

    I guess that SSL is only used on initial login............after that, it isn't?

    So the system asks something along the lines of:

    1. Is that one of mine?
    2. Yes?..................OK, is it still open?

    I would be curious to know if this works for serious pay for systems?

    Somehow I doubt it, but it is a good question nevertheless

  7. #47
    Junior Member
    Join Date
    Mar 2007
    Posts
    20

    SSL is a waste of time on these providers

    Works even after the logout occurs, which is seriously troubling.

    Appears to work for many (but not all) providers. Does not work for gmail, but I suspect this is intentional. Works for a large number of other providers.

    Why bother with SSL at all, if playback will log you into the account?

    The SSL authentication is essentially pointless.

    We aren't talking about rinky-dink systems here either.

  8. #48
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Well, let's look at this then?

    works even after the logout occurs, which is seriously troubling.

    Only if you are a cheapskate who expects a professional service without paying for it.

    Why bother with SSL at all, if playback will log you into the account?

    Ask the e-mail providers themselves? They are the ones who are not using the system properly............but IT IS NOT AN SSL ISSUE as you have been told several times. It is actually a session management issue.

    The SSL authentication is essentially pointless.

    Only to those who do not know how to use it.

    We aren't talking about rinky-dink systems here either.

    Oh yes you are!.....................unless you would care to name a commercial (paid for) e-mail system that suffers from this?

  9. #49
    Junior Member
    Join Date
    Mar 2007
    Posts
    20

    nihil - ?

    Thank you for your response and all of the colors.

    Below are the answers to your questions:

    I said: "works even after the logout occurs, which is seriously troubling"
    you answered: "Only if you are a cheapskate who expects a professional service without paying for it"
    my response: this includes pay services, see below.

    I said: Why bother with SSL at all, if playback will log you into the account?
    you answered: Ask the e-mail providers themselves? they are the ones who are not using the system properly............
    my response: I guess by "not using the system properly" you mean somehow not setting up SSL or the authentication process properly. I believe that the world's largest webmail providers know how to set up authentication.

    I said: The SSL authentication is essentially pointless.
    you answered: Only to those who do not know how to use it
    my response: I believe that the providers know how to set up SSL and authentication. If you are referring to users, it wouldn't really matter what they do, the existing systems are always insecure.

    I said: We aren't talking about rinky-dink systems here either.
    you answered: Oh yes you are!.....................unless you would care to name a commercial (paid for) e-mail system that suffers from this?
    my response: Several were named in a prior post. They have in excess of one hundred million accounts each.



    In thinking about it, I suppose SSL authentication does provide something under the systems under discussion. SSL authentication under these systems is not providing any security for the accounts, but it does preclude someone from logging in at a later date. That's not much, but it's better than nothing.

  10. #50
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    Let's pretend you're talking about gmail. Yes, it is very possible and easy to hijack a session post-login. The login is the only transaction that is over SSL. Just because the login process occurs over SSL does not mean that all of the traffic afterwards is. Everything afterwards is plaintext, and cookies/session variables are ripe for the taking. Replaying the traffic afterwards would give you access to the account. However, once it is logged out, you won't have access again.

    I'm almost positive that this is where you are confused.
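The mechanism nihil sketches in #46, the "works even after the logout" observation in #47 and d34dl0k1's description in #50 all come down to how the provider handles the session cookie once the SSL login is over. The model below is an added example, not code from this thread or from any webmail provider; the SessionStore class, the cookie name SID and the sample user are constructed. It shows why a cookie captured on an open wireless network keeps working unless the server drops the session on logout, and how the cookie's Secure attribute keeps it off plaintext requests in the first place.

```python
import hmac
import secrets

# Added example, not the forum's or any provider's code; all names constructed.

class SessionStore:
    """Server-side session table keyed by an opaque random token."""
    def __init__(self) -> None:
        self.sessions: dict[str, str] = {}  # token -> user

    def login(self, user: str) -> str:
        # The cookie carries only this random token, never anything derived
        # from the password, so a captured cookie reveals no credential.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def lookup(self, token: str):
        """Return the user owning a presented cookie, or None if unknown."""
        for stored, user in self.sessions.items():
            if hmac.compare_digest(stored, token):  # constant-time compare
                return user
        return None

    def logout(self, token: str) -> None:
        # Server-side invalidation; a logout that only clears the browser's
        # cookie leaves a sniffed copy of the token valid indefinitely.
        self.sessions.pop(token, None)

def set_cookie_header(token: str, secure: bool) -> str:
    """Set-Cookie line. 'Secure' stops browsers sending the cookie over plain
    HTTP, so 'SSL only at login' no longer leaks it on every later request."""
    attrs = ["SID=" + token, "Path=/", "HttpOnly"] + (["Secure"] if secure else [])
    return "Set-Cookie: " + "; ".join(attrs)

def browser_sends_cookie(set_cookie: str, scheme: str) -> bool:
    """Would a conforming browser attach this cookie to a request over scheme?"""
    flags = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return scheme == "https" or "secure" not in flags

def replay_after_logout(server_invalidates: bool) -> bool:
    """Thread scenario: cookie captured on open wireless, user logs out,
    attacker replays it. True means the replay still grants access."""
    store = SessionStore()
    cookie = store.login("victim@example.invalid")  # observed in the clear
    if server_invalidates:
        store.logout(cookie)
    return store.lookup(cookie) is not None
```

Serving the cookie with Secure (and keeping the whole session on HTTPS) addresses the capture; invalidating server-side on logout and on idle timeout addresses the replay, which is the session-management point nihil makes.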
