Wednesday, January 7, 2015

Password Sniffing Insecure Protocols is Too Easy

I suggested previously that we should just bite the bullet and kill insecure protocols like HTTP. Sometimes it's difficult to take a statement like that seriously unless you see what the malicious actors can do first hand. Thus for demonstration purposes only I'm going to show you a simple little tool that anybody (both good guys & bad guys) can get for free.

Please keep in mind my intent of this post is to hammer home the point that we should kill HTTP and other insecure protocols like FTP, etc. So, let's say I have a legit reason to look for passwords on my system. Perhaps I forgot my password, but you know some application on my system is using the password, then I can recover it with this tool. Keep in mind, it's not a far stretch at all for a malicious user to perform very similar tasks with illegitimate intentions.

The tool we're taking 2 minutes to look at is SniffPass – Simple Password Sniffer. You could start by reading darknet's article and downloading SniffPass. Please note if you're running an Anti-Virus like McAfee it may detect SniffPass.exe and delete the downloaded file as Tool-PassView, or PUP (potentially unwanted program)

Once downloaded and extracted, double-click on SniffPass.exe to open it up.

Next, click the green start arrow. Then select any of the options you have (RawSockets, WinPCap, etc.). For this demonstration they all work.

Something of interest, notice there is a Promiscious Mode checkbox you could utilize. Wow, I wonder if that might come in handy for somebody? :-P

After you hit ok, you're basically done. Your final step is to activate the application using the insecure protocol (perhaps you have filezilla running already with your saved password, perhaps you goto an FTP site in your browser, perhaps a website that requires basic windows authentication, etc.) Run the application or type in your username & password that you thought was perhaps secure. Find out immediately per the screenshot below that you're not.

The sad part? This was too simple. It took me literally 2 minutes from download to successful usage with a tool I had never in my life used before. Is it time to get rid of those insecure protocols yet? I think so.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment