Posted

Hello,

This is my first post. So I’ve worked on a script for a while and I’m planning to publish it, but the problem is that it connects to an FTP server at some point, and as you probably know FTP credentials are easily captured by a MITM attack or Wireshark (not sure if Wireshark does). So I thought if I can detect data capturing in the user’s network the script would stop. Any idea?

If there’s another workaround I’m happy to hear it. 

  • Developers
Posted

Moved to the appropriate forum, as the Developer General Discussion forum very clearly states:

Quote

General development and scripting discussions. If it's super geeky and you don't know where to put it - it's probably here.


Do not create AutoIt-related topics here, use the AutoIt General Help and Support or AutoIt Technical Discussion forums.

Moderation Team

SciTE4AutoIt3 Full installer Download page   - Beta files       Read before posting     How to post scriptsource   Forum etiquette  Forum Rules 
 
Live for the present,
Dream of the future,
Learn from the past.
  :)

Posted
12 minutes ago, Jos said:

Never use a clear text protocol when the traffic can be captured. Use ftps or sftp instead.

Jos

Sorry for using the wrong forum.

I found an SFTP script in the forum but some functions didn’t actually work.

What I’m asking is: is there a workaround if I’m using FTP? I had the data capture detector idea but I couldn’t code it.

  • Developers
Posted

How would you know/detect that data is captured by somebody? 
You are talking about a user network, but I have no idea what you mean? 
Is this connection using just a LAN with a private IP space or also public Internet?

Jos


Posted

Wikipedia describes how to detect MITM. Don't think this would be easy to implement using AutoIt.
Only means to prevent MITM seems to be encryption/authentication.


Posted (edited)

I think you need to wait for quantum computing in order to figure out if somebody’s messed with something.

 

Do as advised above and use encryption.

Edited by Earthshine

My resources are limited. You must ask the right questions

 

Posted
11 hours ago, Jos said:

How would you know/detect that data is captured by somebody? 
You are talking about a user network, but I have no idea what you mean? 
Is this connection using just a LAN with a private IP space or also public Internet?

Jos

No I meant just in the private IP space.

To explain the idea of what I need: I had an idea but it doesn’t really work, but logically, I wanted to get the gateway IP and see if it’s 192.168.0.1 or 192.168.1.1, then it means that there is no MITM attack. Because some MITM tools tell the router to pass the traffic to the attacker IP, e.g. 192.168.1.107, instead of the real gateway IP, so when some user executes “ipconfig” the gateway IP would be other than the IPs above; in this case the gateway IP would be 192.168.1.107.

This idea should be similar to what I need. I don’t really need an advanced script to detect that.

Thanks.

 

  • Developers
Posted (edited)

You really lost me here....  so you are seriously worried about a MITM problem in your private LAN?
How would that work assuming you have proper control over the environment? 

Anyways, all of this is not really important: When you need to transfer sensitive data you need to use an encrypted transmission protocol!
.. all the rest of the detection options is too little, too late.

Jos  

 

Edited by Jos


Posted (edited)
2 hours ago, Jos said:

You really lost me here....  so you are seriously worried about a MITM problem in your private LAN?
How would that work assuming you have proper control over the environment? 

Anyways, all of this is not really important: When you need to transfer sensitive data you need to use an encrypted transmission protocol!
.. all the rest of the detection options is too little, too late.

Jos  

 

Let me explain a bit more what it is I want. I'm worried that if someone ran my script they could steal my FTP credentials using a MITM attack in their network. So I started this thread hoping to find a way that when my script runs, it first checks if there is a MITM attack before connecting to the FTP server, making sure it's safe to connect.

Anyway, it looks like it's a long shot. What do you think I should use as an alternative for transferring data using AutoIt?

Another thing might help to solve this. I'm using the FTP for licensing purposes. The script connects to the FTP server to check if the user's (serial number - passcode) is valid and for downloading updates. Any other idea?

Edited by Raywando
  • Developers
Posted

I fully understood what you are asking and still stand behind the comments I made. 

1 hour ago, Raywando said:

Another thing might help to solve this. I'm using the FTP for licensing purposes. The script connects to the FTP server to check if the user's (serial number - passcode) is valid and for downloading updates. Any other idea?

I would simply make a HTTPS call to a local webserver to validate the license usage and return an OK/KO. ;)

Jos


Posted (edited)
28 minutes ago, Jos said:

I fully understood what you are asking and still stand behind the comments I made. 

I would simply make a HTTPS call to a local webserver to validate the license usage and return an OK/KO. ;)

Jos

Can you please explain briefly how that works with AutoIt in steps? Sorry, I’m not really experienced in these protocols.

Edited by Raywando
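
The HTTPS license check suggested in the thread, as an added AutoIt example that is not code from any poster: the script sends only the user's own serial number and passcode over TLS and reads back OK/KO, so no shared server credential is stored in the script. The URL, the form field names and the plain-text "OK" reply are assumptions about a server-side script you would write yourself.

```autoit
; Assumed endpoint: a server-side script you write that answers "OK" or "KO".
Global Const $LICENSE_URL = "https://license.example.com/check" ; placeholder

; COM errors (DNS failure, refused connection, rejected certificate) land here
; instead of stopping the script.
Global $g_bComError = False
Global $g_oErrHandler = ObjEvent("AutoIt.Error", "_OnComError")

Func _OnComError($oError)
    $g_bComError = True
EndFunc   ;==>_OnComError

; Percent-encode a value for a form body (assumes ASCII serials and passcodes).
Func _UrlEncode($sText)
    Local $sOut = "", $sChar
    For $i = 1 To StringLen($sText)
        $sChar = StringMid($sText, $i, 1)
        If StringRegExp($sChar, "^[A-Za-z0-9._~-]$") Then
            $sOut &= $sChar
        Else
            $sOut &= "%" & Hex(Asc($sChar), 2)
        EndIf
    Next
    Return $sOut
EndFunc   ;==>_UrlEncode

; Returns True only when the server answered 200 with the body "OK".
; @error: 1 = no WinHTTP object, 2 = transport/TLS failure, 3 = HTTP status <> 200.
Func _CheckLicense($sSerial, $sPasscode)
    $g_bComError = False
    Local $oHttp = ObjCreate("WinHttp.WinHttpRequest.5.1")
    If Not IsObj($oHttp) Then Return SetError(1, 0, False)
    $oHttp.SetTimeouts(5000, 5000, 10000, 10000) ; resolve, connect, send, receive (ms)
    $oHttp.Open("POST", $LICENSE_URL, False) ; False = synchronous
    $oHttp.SetRequestHeader("Content-Type", "application/x-www-form-urlencoded")
    ; WinHTTP validates the server certificate by default; a bad one fails Send.
    $oHttp.Send("serial=" & _UrlEncode($sSerial) & "&passcode=" & _UrlEncode($sPasscode))
    If $g_bComError Then Return SetError(2, 0, False)
    If $oHttp.Status <> 200 Then Return SetError(3, $oHttp.Status, False)
    Return StringStripWS($oHttp.ResponseText, 3) == "OK"
EndFunc   ;==>_CheckLicense

; Constructed sample values; a real script would read them from the user.
If Not _CheckLicense("ABCD-1234", "example-passcode") Then
    ConsoleWrite("License rejected or check failed, @error=" & @error & @CRLF)
    Exit 1
EndIf
```

Any failure, including a certificate that does not validate, is treated as "not licensed", so an interception attempt makes the check fail rather than leak anything reusable.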
