Anti-sniffing for Logon


Anti-sniffing for Logon (previous code implementation)
 
Matt
I heard from xsser that a verification code could be used to implement it, and I think it is quite feasible ..
 
No js, no technical content in the code, no flaming ..
 
Packaged for download ..
 
Http://dl.dbank.com/c0a94csv5e
 
Login.html

<!-- Status OK -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>logon</title>
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript">
// Client side: hash the password, then hash that result together with the
// one-time key from the verification code, and submit only the combined
// hash; the plaintext password never leaves the browser.
function login()
{
    var u = document.getElementById("username").value;
    var p = document.getElementById("password").value;
    var k = document.getElementById("key").value;
    var pass = hex_md5(p);
    pass = hex_md5(pass + k);
    window.open("login.php?u=" + u + "&p=" + pass);
}
</script>
</head>
<body>
<form>
Username:
<input id="username" name="username" type="text"/><br>
Password:
<input id="password" name="password" type="text"/><br>
Key:
<input id="key" name="key" type="text"/>
<br>
<button type="button" onclick="login()">Apply</button><br>
</form>
</body>
</html>

login.php
 
<?php
include('key.php');
login_check();
$u = $_GET['u'];
$p = $_GET['p'];
if ($u == 'Matt')
{
    // The server stores only md5(password) and recomputes
    // md5(md5(password) + key) with the one-time key that
    // rand_create() placed in the session.
    $pass = md5('matt123');
    $key = $_SESSION['login_check_num'];
    // Strict comparison: avoid PHP's loose == between hash strings
    if ($p === md5($pass . $key))
    {
        echo "login OK";
        // Bind the session to the client's User-Agent + IP and clear the
        // one-time key so the same response cannot be replayed.
        $keys = $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'];
        $_SESSION['login_check_num'] = "";
        $_SESSION["login"] = md5($keys);
        exit();
    }
    else
    {
        echo "login error";
        exit();
    }
}
?>

key.php
 
<?php
session_start();
error_reporting(0);

// A logged-in session is recognised by the User-Agent + IP hash together
// with an empty one-time key; such a session is not allowed to log in again.
function login_check()
{
    if ($_SESSION['login'] == md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR'])
        and $_SESSION['login_check_num'] == "")
    {
        $_SESSION['login_check_num'] = "";
        echo "you are login ..";
        exit();
    }
}

// Calling this page with ?action=verifycode generates a verification code image.
if (isset($_GET["action"]) && $_GET["action"] == "verifycode")
{
    rand_create();
}

// Verification code image generation
function rand_create()
{
    // Notify the browser that a PNG image will be output
    header("Content-type: image/PNG");
    // Seed the random number generator
    srand((double) microtime() * 1000000);
    // Prepare image parameters
    $im = imagecreate(62, 20);
    $black = imagecolorallocate($im, 0, 0, 0);       // RGB black identifier
    $white = imagecolorallocate($im, 255, 255, 255); // RGB white identifier
    $gray  = imagecolorallocate($im, 200, 200, 200); // RGB gray identifier
    // Start drawing
    imagefill($im, 0, 0, $gray);
    // Keep drawing until rand() yields a five-digit value (10000..99999)
    while (($randval = rand() % 100000) < 10000);
    // Store the code in the session; login.php uses it as the one-time key
    $_SESSION["login_check_num"] = $randval;
    // Print the five-digit verification code into the image
    imagestring($im, 5, 10, 3, $randval, $black);
    // Add interference pixels
    for ($i = 0; $i < 200; $i++) {
        $randcolor = imagecolorallocate($im, rand(0, 255), rand(0, 255), rand(0, 255));
        imagesetpixel($im, rand() % 70, rand() % 30, $randcolor);
    }
    // Output the verification image
    imagepng($im);
    // Destroy the image identifier
    imagedestroy($im);
}
?>
--------------------------------------------------------------------------------
 
KEvin1986
In the sniffing case, I know the hash and the key... what then? C <-> m <-> s: I act as m. No matter which one is used, I am a pioneer ....
 
I think this is still a problem.
 
In addition, echo "you are login"?
 
 
 
Brother cricket (<-handsome)
Logon with JS encryption. For details, refer to oschina.net.
 
It uses client-side JS encryption and SSL.
 
 
 
KEvin1986 (rm-rf/is what im diser)
 
Well, looking at it again, it seems I was filling in the gaps with my own imagination... anti-sniffing it can do. Hijacking it won't handle.
 
 
 
Matt
 
@KEvin1986 there is no way to handle hijacking, just like the previous script. Changing https to http is impossible .. It can only barely prevent sniffing ^_^
 
 
 
Matt
 
@KEvin1986 echo "you are login" is only used to check whether the IP address and User-Agent have been verified, and to prevent replay ..
 
 
 
Beastk
 
Try Flash. Last time I saw Naver use this.
 
 
 
KEvin1986 (rm-rf/is what im diser)
 
@Matt... I am, You are, (S)He/it is... allow me to throw up at the grammar ......--
 
 
 
Nuclear attacks (rule the world and target all mankind! Destroys any organic creature that dares to block !)
 
You can use the simple "challenge and response" mode for anti-sniffing.
 
To do better, you can encrypt the information sent with a random key.
 
 
 
Nuclear attacks (rule the world and target all mankind! Destroys any organic creature that dares to block !)
 
Assume that server A needs to authenticate the identity of server B:
 
1) B says to A, "I am B. Please authenticate me !"
 
2) A generates a random string and returns it to B.
 
3) B encrypts the received string with its own key and then sends it to
 
4) A encrypts the generated random string with the locally stored key of B and compares it with the string transmitted by B. If the two strings are the same, the identity of B is proved.
 
Challenge-response: an authentication process that requires calculating the correct response to an unpredictable query.
 
Because this authentication method does not transmit the password over the network, it can prevent password interception, packet replay, and other forms of impersonation attacks.
 
Feature: the original key is not transmitted over the network. Each generated key is a one-time key.
 
Effect: anti-sniffing and anti-replay; the original key cannot be obtained.
 
 
 
Nuclear attacks (rule the world and target all mankind! Destroys any organic creature that dares to block !)
 
Haha, by the way, let's take a look at the backend login verification method of Nuclear-Blog v6.0.
 
First, the login mode is based on the "challenge, response" mode, and then it was upgraded to the point of being abnormal.
 
Pasting a short piece of code ......
 
<script type="text/javascript" src="js/md5.js"></script>
<script language="javascript">
function SubmitForm() {
    // The field ids and the appended key are random strings regenerated on every page load
    var username = document.getElementById("verrgfxesigepgdx").value;
    var password = document.getElementById("ssqftwligjkczecb").value;
    // Iterate the hash 2012 times, mixing the round counter into each round
    for (var i = 1; i <= 2012; i++) {
        username = hex_md5(username + i);
        password = hex_md5(password + i);
    }
    document.getElementById("verrgfxesigepgdx").value = hex_md5(username + "gjeuipyjavvmtqm");
    document.getElementById("ssqftwligjkczecb").value = hex_md5(password + "gjeuuipyjavvmtqm");
    document.form1.submit();
}
</script>

The form field names and the key are randomly generated each time; the key is a random string of no less than 15 bytes ......
 
 
 
Matt
 
@Nuclear attacks the challenge is not suitable. If your server sends a key to the client, the client encrypts, and then the server verifies, but the encryption happens on the client here .. The client can only use encryption such as JS (not to mention browser plug-ins), so attackers can easily see the encryption method .. So.
 
 
 
Nuclear attacks (rule the world and target all mankind! Destroys any organic creature that dares to block !)
 
@Matt
 
That is meaningless. What if you can see the algorithm?
 
The md5 and sha1 algorithms are public and do not contain the original key. Can you bypass them?
 
It has no direct relationship with the encryption algorithm ......
 
 
 
Px1624
 
document.getElementById("x") is decisive. Define the function first.
 
 
 
Anthr@X
 
@Nuclear attacks: this method is the same as sending a salted hash. The challenge is to send the client a plaintext salt, and the client sends back the hash computed from the password and the salt; if the password is weak, it can still be cracked offline after sniffing.
 
In the case of a man-in-the-middle attack, the man-in-the-middle can completely replace your encryption JS, change it to plaintext, and then send it on to the other party ......
 
 
 
Matt
 
@Nuclear attacks it makes sense regarding the challenge .. I can't reply to any software ..
 
 
 
Nuclear attacks (rule the world and target all mankind! Destroys any organic creature that dares to block !)
 
Since data packets are tampered with by the man-in-the-middle, any native HTTP data submission scheme is invalid.
 
 
 
_Edevil (sexual interest is the best teacher.)
 
@Matt @Nuclear attacks the script is OK. For example, PHP API cracking is a typical example... 80vul has a PDF file. Compared with that document, it is possible to reverse the conversion from the key to the cloud ..
 
 
 
From: http://zone.wooyun.org/content/471
