Raywando

Script to detect data capture, e.g. Wireshark & MITM attack - (Moved)


Hello,

This is my first post. So I’ve worked on a script for a while and I’m planning to publish it, but the problem is that it connects to an FTP server at some point, and as you probably know FTP credentials are easily captured by a MITM attack or Wireshark (not sure if Wireshark does). So I thought if I can detect data capturing in the user’s network the script would stop. Any idea?

If there’s another workaround I’m happy to hear it. 


Never use a clear text protocol when the traffic can be captured. Use ftps or sftp instead.

Jos


Moved to the appropriate forum, as the Developer General Discussion forum very clearly states:


General development and scripting discussions. If it's super geeky and you don't know where to put it - it's probably here.


Do not create AutoIt-related topics here, use the AutoIt General Help and Support or AutoIt Technical Discussion forums.

Moderation Team

12 minutes ago, Jos said:

Never use a clear text protocol when the traffic can be captured. Use ftps or sftp instead.

Jos

Sorry for using the wrong forum.

I found an SFTP script in the forum but some functions didn’t actually work.

What I’m asking is: is there a workaround if I’m using FTP? I had the data capture detector idea but I couldn’t code it.


How would you know/detect that data is captured by somebody?
You are talking about a user network, but I have no idea what you mean? 
Is this connection using just a LAN with a private IP space or also public Internet?

Jos


Wikipedia describes how to detect MITM. Don't think this would be easy to implement using AutoIt.
The only means to prevent MITM seems to be encryption/authentication.


11 hours ago, Jos said:

How would you know/detect that data is captured by somebody?
You are talking about a user network, but I have no idea what you mean? 
Is this connection using just a LAN with a private IP space or also public Internet?

Jos

No I meant just in the private IP space.

To explain what I need: I had an idea, but it doesn’t really work. Logically, I wanted to get the gateway IP and see if it’s 192.168.0.1 or 192.168.1.1; then it means that there is no MITM attack. Because some MITM tools tell the router to pass the traffic to the attacker IP, e.g. 192.168.1.107, instead of the real gateway IP, so when some user executes “ipconfig” the gateway IP would be other than the IPs above; in this case the gateway IP would be 192.168.1.107.

This idea should be similar to what I need. I don’t really need an advanced script to detect that.

Thanks.

 


You really lost me here.... so you are seriously worried about a MITM problem in your private LAN?
How would that work, assuming you have proper control over the environment?

Anyway, all of this is not really important: when you need to transfer sensitive data you need to use an encrypted transmission protocol!
.. all the rest of the detection options are too little, too late.

Jos  

 

Edited by Jos


And re. Wireshark et al., any form of passive packet sniffing is by definition undetectable.

2 hours ago, Jos said:

You really lost me here.... so you are seriously worried about a MITM problem in your private LAN?
How would that work, assuming you have proper control over the environment?

Anyway, all of this is not really important: when you need to transfer sensitive data you need to use an encrypted transmission protocol!
.. all the rest of the detection options are too little, too late.

Jos  

 

Let me explain a bit more what it is I want. I'm worried that if someone runs my script they can steal my FTP credentials using a MITM attack in their network. So I started this thread hoping to find a way that when my script runs, it first checks if there is a MITM attack before connecting to the FTP server, making sure it's safe to connect.

Anyway, it looks like it's a long shot. What do you think I should use as an alternative for transferring data using AutoIt?

Another thing that might help to solve this: I'm using the FTP for licensing purposes. The script connects to the FTP server to check if the user's (serial number - passcode) is valid and for downloading updates. Any other idea?

Edited by Raywando


I fully understood what you are asking and still stand behind the comments I made. 

1 hour ago, Raywando said:

Another thing that might help to solve this: I'm using the FTP for licensing purposes. The script connects to the FTP server to check if the user's (serial number - passcode) is valid and for downloading updates. Any other idea?

I would simply make a HTTPS call to a local webserver to validate the license usage and return an OK/KO. ;)

Jos

28 minutes ago, Jos said:

I fully understood what you are asking and still stand behind the comments I made. 

I would simply make a HTTPS call to a local webserver to validate the license usage and return an OK/KO. ;)

Jos

Can you please explain briefly, in steps, how that works with AutoIt? Sorry, I’m not really experienced in these protocols.

Edited by Raywando


The AutoIt3 part is easy, but you would have to code a website that takes the information from the GET, checks the data and returns OK or KO.

Jos

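The license check Jos describes, worked through as an added example that is not code from this thread or from AutoIt: the "website" side is a small Python endpoint that reads the serial and passcode from the GET, checks them and answers OK or KO, and the client side is one HTTP request that reads that answer. The `/license` path, the `serial`/`passcode` parameter names and the license store are assumptions made for the example. It goes slightly beyond the post in two places a server author would want anyway: the store holds hashes of the passcodes rather than the passcodes themselves, and the comparison is constant-time.

```python
"""Added example (not from the thread): HTTPS-style license validation,
server and client, in Python. Paths, parameter names and the license
store are assumptions made for illustration."""
import hashlib
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

# Constructed license store: serial -> SHA-256 hex digest of its passcode.
# Storing digests means a leaked copy of the store yields no usable passcodes.
LICENSES = {
    "SN-1001": hashlib.sha256(b"correct-horse").hexdigest(),
    "SN-1002": hashlib.sha256(b"battery-staple").hexdigest(),
}

# A dummy digest compared against when the serial is unknown, so that unknown
# and known serials take the same time to reject.
_DUMMY_DIGEST = "0" * 64


def validate_license(serial, passcode):
    """Server-side rule: 'OK' when serial and passcode match the store, else 'KO'."""
    given = hashlib.sha256(passcode.encode("utf-8")).hexdigest()
    expected = LICENSES.get(serial, _DUMMY_DIGEST)
    return "OK" if hmac.compare_digest(given, expected) else "KO"


class LicenseHandler(BaseHTTPRequestHandler):
    """The 'website' Jos mentions: GET /license?serial=...&passcode=... -> OK/KO."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/license":
            self.send_error(404)
            return
        params = parse_qs(url.query)
        serial = params.get("serial", [""])[0]
        passcode = params.get("passcode", [""])[0]
        body = validate_license(serial, passcode).encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Silence per-request logging; a real server would log without the passcode.
        pass


def start_server(host="127.0.0.1", port=0):
    """Run the validation endpoint in a background thread; returns (server, base_url)."""
    server = HTTPServer((host, port), LicenseHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://%s:%d" % (host, server.server_address[1])


def check_license(base_url, serial, passcode, timeout=5):
    """Client side: one GET, the answer is the body 'OK' or 'KO'.
    With an https:// base_url, urlopen verifies the server certificate and the
    query string travels inside TLS; plain http is used here only so the
    example runs offline without a certificate."""
    query = urlencode({"serial": serial, "passcode": passcode})
    with urlopen("%s/license?%s" % (base_url, query), timeout=timeout) as resp:
        return resp.read().decode("ascii").strip()


if __name__ == "__main__":
    server, base = start_server()
    try:
        print(check_license(base, "SN-1001", "correct-horse"))  # OK
        print(check_license(base, "SN-1001", "wrong-passcode"))  # KO
    finally:
        server.shutdown()
```

Two points follow from the design. First, the client no longer carries a shared FTP login at all; it only sends the user's own serial and passcode, so a captured request exposes that one license rather than the credentials of the author's server. Second, Jos's OK/KO answer is what the script acts on, so in deployment the check must run over HTTPS with certificate verification left on; over plain HTTP the answer itself could be altered on the wire. Sending the passcode in a GET query string also leaves it in web-server access logs, so a POST body is the better choice once the mechanism works.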
