Raywando

Script to detect data capture e.g.( Wire shark & MITM attack ) - (Moved)

Recommended Posts

Hello,

This is my first post. So I’ve worked on a script for a while and I’m planning to publish it, but the problem is that it connects to an FTP server at some point, and as you probably know FTP credentials are easily captured by a MITM attack or Wireshark (not sure if Wireshark does). So I thought that if I could detect data capturing in the user’s network, the script would stop. Any idea?

If there’s another workaround I’m happy to hear it. 


Moved to the appropriate forum, as the Developer General Discussion forum very clearly states:


General development and scripting discussions. If it's super geeky and you don't know where to put it - it's probably here.


Do not create AutoIt-related topics here, use the AutoIt General Help and Support or AutoIt Technical Discussion forums.

Moderation Team


SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource        Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

12 minutes ago, Jos said:

Never use a clear text protocol when the traffic can be captured. Use ftps or sftp instead.

Jos

Sorry for using the wrong forum.

I found an SFTP script in the forum but some functions didn’t actually work.

What I’m asking is: is there a workaround if I’m using FTP? I had the data capture detector idea but I couldn’t code it.
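As an added example of the advice Jos gives in the quote above (FTPS instead of clear-text FTP), and not code from the thread or from any poster, this Python snippet uses the standard library's ftplib to open an explicit-FTPS session: TLS is negotiated on the control channel before USER/PASS is sent, the server certificate and hostname are verified, and the data channel is protected as well. The host, user and password are placeholders; `credentials_would_be_exposed` is an added helper that tells you whether a session's control socket is still clear text.

```python
import ssl
from ftplib import FTP_TLS


def make_ftps_context() -> ssl.SSLContext:
    """TLS context that verifies the server certificate and hostname.

    Without verification an active MITM could present its own certificate
    and still read the credentials, so these checks are the point of FTPS.
    """
    ctx = ssl.create_default_context()  # loads the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def new_ftps_client() -> FTP_TLS:
    """Unconnected FTP_TLS client bound to the strict context."""
    return FTP_TLS(context=make_ftps_context())


def credentials_would_be_exposed(ftp_like) -> bool:
    """True when the control socket is not TLS-wrapped, i.e. USER/PASS
    would travel in clear text. An unconnected client counts as exposed."""
    sock = getattr(ftp_like, "sock", None)
    return not isinstance(sock, ssl.SSLSocket)


def ftps_login(host: str, user: str, password: str, port: int = 21) -> FTP_TLS:
    """Explicit FTPS: AUTH TLS first, then login, then PROT P for data."""
    ftp = new_ftps_client()
    ftp.connect(host, port, timeout=30)
    ftp.auth()                      # upgrade the control channel to TLS
    if credentials_would_be_exposed(ftp):
        ftp.close()
        raise RuntimeError("control channel is not encrypted; refusing to log in")
    ftp.login(user, password)       # credentials now travel inside TLS
    ftp.prot_p()                    # encrypt directory listings and file transfers
    return ftp


# Usage (placeholder values, not a real server):
#   ftp = ftps_login("ftp.example.invalid", "licence-user", "placeholder-password")
#   ftp.retrlines("LIST")
#   ftp.quit()
```

The server must offer TLS for this to work; if it only speaks plain FTP the `auth()` call fails rather than silently falling back, which is the behaviour you want when the whole concern is credential capture on the wire.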


How would you know /detect that data is captured by somebody? 
You are talking about a user network, but I have no idea what you mean? 
Is this connection using just a LAN with a private IP space or also public Internet?

Jos




Wikipedia describes how to detect MITM. I don't think this would be easy to implement using AutoIt.
The only means to prevent MITM seems to be encryption/authentication.


My UDFs and Tutorials:


UDFs:
Active Directory (2018-12-03 - Version 1.4.11.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2019-03-02 - Version 1.3.5.0) - Download - General Help & Support - Example Scripts - Wiki
Outlook Tools (2019-01-22 - Version 0.1.0.0) - Download - General Help & Support
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
PowerPoint (2017-06-06 - Version 0.0.5.0) - Download - General Help & Support
Excel - Example Scripts - Wiki
Word - Wiki
 
Tutorials:

ADO - Wiki

 

11 hours ago, Jos said:

How would you know /detect that data is captured by somebody? 
You are talking about a user network, but I have no idea what you mean? 
Is this connection using just a LAN with a private IP space or also public Internet?

Jos

No I meant just in the private IP space.

To explain what I need: I had an idea, but it doesn’t really work. Logically, I wanted to get the gateway IP and see if it’s 192.168.0.1 or 192.168.1.1; then it means that there is no MITM attack. Because some MITM tools tell the router to pass the traffic to the attacker IP, e.g. 192.168.1.107, instead of the real gateway IP, so when some user executes “ipconfig” the gateway IP would be other than the IPs above; in this case the gateway IP would be 192.168.1.107.

This idea should be similar to what I need. I don’t really need an advanced script to detect that.

Thanks.
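The gateway check described in this post, written out as an added example (not the poster's script, and not something the thread itself contains): it parses Windows `ipconfig` output for the "Default Gateway" field of each adapter and flags any gateway outside the allowlist of 192.168.0.1 / 192.168.1.1 given above. The `ipconfig` text is a constructed sample. It is worth being clear about what the heuristic can and cannot do: it only notices when the host's configured default gateway has been changed, so it says nothing about passive capture, which, as a later reply in this thread notes, is not detectable from the host at all.

```python
import ipaddress
import re

# Constructed sample of Windows "ipconfig" output: one adapter whose
# gateway is on the allowlist, one disconnected adapter with no gateway.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Default Gateway . . . . . . . . . :
"""

# The poster's allowlist of "real" gateway addresses.
EXPECTED_GATEWAYS = {"192.168.0.1", "192.168.1.1"}

# Matches the label, the dotted padding ipconfig prints, the colon and the value.
_GW_RE = re.compile(r"^\s*Default Gateway[ .]*:\s*(\S*)\s*$", re.MULTILINE)


def parse_default_gateways(ipconfig_text: str) -> list[str]:
    """Return every IPv4 default gateway listed in ipconfig output.

    Adapters with an empty gateway field are skipped, as are IPv6 gateways
    (ipconfig prints those on the same label); the heuristic is IPv4 only.
    """
    found = []
    for match in _GW_RE.finditer(ipconfig_text):
        value = match.group(1)
        if not value:
            continue  # disconnected adapter
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            continue  # IPv6 address or junk on the line
        found.append(value)
    return found


def gateway_check(ipconfig_text: str, expected=EXPECTED_GATEWAYS) -> dict:
    """Flag any configured default gateway that is not on the allowlist.

    This only catches a tool that rewrote the host's gateway setting; a
    redirection that leaves the configured address alone, or plain passive
    sniffing, produces no signal here.
    """
    gateways = parse_default_gateways(ipconfig_text)
    unexpected = [gw for gw in gateways if gw not in expected]
    return {"gateways": gateways, "unexpected": unexpected,
            "suspicious": bool(unexpected)}


if __name__ == "__main__":
    # On a live Windows host you would feed in the output of "ipconfig";
    # here the constructed sample is used so the script runs anywhere.
    print(gateway_check(SAMPLE_IPCONFIG))
```

The allowlist is the weak part: any network whose router legitimately sits at another address (192.168.2.1, 10.0.0.1) trips the check, while a network whose router really is at 192.168.1.1 gives a clean result regardless of what else is happening on the LAN. That is the practical reason the thread steers towards encrypting the connection instead.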

 


You really lost me here... So you are seriously worried about a MITM problem in your private LAN?
How would that work, assuming you have proper control over the environment?

Anyways, all of this is not really important: when you need to transfer sensitive data you need to use an encrypted transmission protocol!
... all the rest of the detection options are too little, too late.

Jos  

 

Edited by Jos



And re. Wireshark et al., any form of passive packet sniffing is by definition undetectable.

2 hours ago, Jos said:

You really lost me here... So you are seriously worried about a MITM problem in your private LAN?
How would that work, assuming you have proper control over the environment?

Anyways, all of this is not really important: when you need to transfer sensitive data you need to use an encrypted transmission protocol!
... all the rest of the detection options are too little, too late.

Jos  

 

Let me explain a bit more what it is I want. I'm worried that if someone runs my script, they can steal my FTP credentials using a MITM attack in their network. So I started this thread hoping to find a way that when my script runs, it first checks if there is a MITM attack before connecting to the FTP server, making sure it's safe to connect.

Anyway, it looks like it's a long shot. What do you think I should use as an alternative for transferring data using AutoIt?

Another thing might help to solve this. I'm using the FTP for licensing purposes. The script connects to the FTP server to check if the user's (serial number - passcode) is valid and for downloading updates. Any other idea?

Edited by Raywando


I fully understood what you are asking and still stand behind the comments I made. 

1 hour ago, Raywando said:

Another thing might help to solve this. I'm using the FTP for licensing purposes. The script connects to the FTP server to check if the user's (serial number - passcode) is valid and for downloading updates. Any other idea?

I would simply make an HTTPS call to a local webserver to validate the license usage and return an OK/KO. ;)

Jos



28 minutes ago, Jos said:

I fully understood what you are asking and still stand behind the comments I made. 

I would simply make an HTTPS call to a local webserver to validate the license usage and return an OK/KO. ;)

Jos

Can you please explain briefly, in steps, how that works with AutoIt? Sorry, I’m not really experienced in these protocols.

Edited by Raywando


The AutoIt3 part is easy, but you would have to code a website that takes the information from the GET, checks the data and returns OK or KO.

Jos
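An added example of the server side Jos describes (not Jos's code and not anything posted in the thread): a small HTTPS endpoint, written with Python's standard library, that reads `serial` and `passcode` from the GET query string, checks them against a store and answers `OK` or `KO`. The license entries, the `/check` path and the parameter names are assumptions chosen for the example; `server.crt` / `server.key` are placeholders for whatever certificate the client is able to verify. The store keeps SHA-256 hashes rather than passcodes, and the comparison is constant-time, so a leaked store or response timing does not hand out working passcodes. On the AutoIt side, a single `InetRead` of the `https://…/check?serial=…&passcode=…` URL is the whole client.

```python
import hashlib
import hmac
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed license store: serial -> SHA-256 of the passcode (hex).
LICENSES = {
    "SN-0001": hashlib.sha256(b"correct-horse").hexdigest(),
    "SN-0002": hashlib.sha256(b"battery-staple").hexdigest(),
}


def validate_license(query_string: str) -> str:
    """Return 'OK' when serial/passcode match the store, else 'KO'.

    A missing field, an unknown serial and a wrong passcode all yield the
    same 'KO' so the answer does not reveal which part was wrong.
    """
    params = parse_qs(query_string, keep_blank_values=False)
    serial = params.get("serial", [""])[0]
    passcode = params.get("passcode", [""])[0]
    expected = LICENSES.get(serial)
    if expected is None or not passcode:
        return "KO"
    given = hashlib.sha256(passcode.encode()).hexdigest()
    # constant-time compare: timing must not depend on how much matched
    return "OK" if hmac.compare_digest(given, expected) else "KO"


class LicenseHandler(BaseHTTPRequestHandler):
    """GET /check?serial=...&passcode=...  ->  text/plain 'OK' or 'KO'."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/check":
            self.send_error(404)
            return
        body = validate_license(url.query).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        # Default logging would write the full query string, passcode
        # included, to the console; keep it out of the logs.
        pass


def serve(certfile: str = "server.crt", keyfile: str = "server.key",
          port: int = 8443) -> HTTPServer:
    """Start the endpoint over HTTPS in a background thread.

    The TLS wrap is what keeps the serial and passcode away from anyone
    capturing traffic on the client's network; certfile/keyfile are
    placeholders for a certificate the client can verify.
    """
    httpd = HTTPServer(("0.0.0.0", port), LicenseHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


# Usage (needs a real certificate and key at the placeholder paths):
#   httpd = serve("server.crt", "server.key")
#   ... client does GET https://<host>:8443/check?serial=SN-0001&passcode=correct-horse
#   httpd.shutdown()
```

Two caveats a practitioner would add: query-string parameters end up in proxy and web-server access logs, so a POST body is the better carrier for the passcode once the basic flow works; and the client must actually verify the server certificate, otherwise an active MITM could impersonate the endpoint and the HTTPS step buys nothing.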




