Blackhats Italia 2003

Man in the middle attacks

- What they are
- How to achieve them
- How to use them
- How to prevent them

Alberto Ornaghi <[email protected]>
Marco Valleri <[email protected]>

Table of contents

Different attacks in different scenarios:

LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling

FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- route mangling

REMOTE:
- DNS poisoning
- traffic tunneling
- route mangling

Once in the middle...

Sniffing
- It is the easiest attack to launch since all the packets transit through the attacker.
- All the “plain text” protocols are compromised (the attacker can sniff the usernames and passwords of many widely used protocols such as telnet, ftp, http)

Hijacking
- Easy to launch
- It isn’t blind (the attacker knows exactly the sequence numbers of the TCP connection)

Injecting
- Possibility to add packets to an already established connection (only possible in full-duplex mitm)
- The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.
- If the mitm attack is a “proxy attack” it is even easier to inject (there are two distinct connections)

Filtering
- The attacker can modify the payload of the packets by recalculating the checksum
- He/she can create filters on the fly
- The length of the payload can also be changed but only in full-duplex (in this case the seq has to be adjusted)

Attacks examples

Attacks examples (1) - Command injection
- Useful in scenarios where a one time authentication is used (e.g. RSA token). In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical
- Injection of commands to the server
- Emulation of fake replies to the client

Attacks examples (2) - Malicious code injection
- Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc.)
- Modification on the fly of binary files during the download phase (virus, backdoor, etc.)

Attacks examples (3) - Key exchanging
- Modification of the public key exchanged by server and client (e.g. SSH1)
[Diagram: Server, MITM, Client; messages shown: start, KEY(rsa), Ekey[S-Key], S-KEY, M, Eskey(M), D(E(M))]

Attacks examples (4) - Parameters and banners substitution
- Parameters exchanged by server and client can be substituted in the beginning of a connection (algorithms to be used later)
- Example: the attacker can force the client to initialize an SSH1 connection instead of SSH2.
  – The server replies in this way:
      SSH-1.99 -- the server supports ssh1 and ssh2
      SSH-1.51 -- the server supports ONLY ssh1
  – The attacker makes a filter to replace “1.99” with “1.51”
- Possibility to circumvent known_hosts
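
A client-side check for the banner substitution described above, as an added example that is not part of the original slides. It assumes a hypothetical pin store keyed by host and key type; the host name, software version string and fingerprints are constructed, and "rsa1" is the label this sketch uses for an SSH1 host key.

```python
import re

# SSH identification string: "SSH-<protoversion>-<softwareversion>[ <comments>]"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")

def parse_banner(line):
    """Return the protocol version from an identification string, or None if malformed."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    return m.group(1) if m else None

def offers_ssh2(proto):
    # 1.99: the server supports ssh1 and ssh2; 2.0: ssh2 only; anything else: ssh1 only
    return proto in ("1.99", "2.0")

class HostPolicy:
    """Decision taken by the client before it trusts any key exchange."""

    def __init__(self, pins):
        # pins: host -> {key type: fingerprint} (hypothetical known_hosts-style store)
        self.pins = pins

    def evaluate(self, host, banner, key_type, fingerprint):
        proto = parse_banner(banner)
        if proto is None:
            return "reject-malformed-banner"
        known = self.pins.get(host, {})
        if not offers_ssh2(proto):
            # An SSH1-only banner from a host we already hold an SSH2 key for
            # is what the "1.99" -> "1.51" filter looks like from the client.
            if any(t != "rsa1" for t in known):
                return "alert-downgrade"
            return "reject-ssh1-only"
        pinned = known.get(key_type)
        if pinned is None:
            # Known host, but no pin for this key type: not an ordinary
            # first contact, so do not fall back to a plain "accept key?" prompt.
            return "alert-unpinned-key-type" if known else "prompt-first-contact"
        return "accept" if pinned == fingerprint else "alert-key-changed"

# Constructed sample data.
PINS = {"server.example": {"ssh-rsa": "fp-ssh2-placeholder"}}
POLICY = HostPolicy(PINS)
```

The point of the second branch is that a lookup by key type alone misses the downgrade: the client has no SSH1 key stored for the host, so without the cross-check it would only see an unknown key.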

Attacks examples (5) - IPSEC Failure
- Block the key material exchanged on port 500 UDP
- End points think that the other cannot start an IPSEC connection
- If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text

Attacks examples (6) - PPTP (1) - description
- Uses GRE as transport layer (no encryption, no authentication)
- Uses the same negotiation scheme as PPP (req, ack, nak, rej)
- Negotiation phases are not authenticated
- MS-CHAPv2 mutual authentication can’t prevent this kind of mitm

Attacks examples (6) - PPTP (2) - attacks
- During negotiation phase
  – Force PAP authentication (almost fails)
  – Force MS-CHAPv1 from MS-CHAPv2 (easier to crack)
  – Force no encryption
- Force re-negotiation (clear text terminate-ack)
  – Retrieve passwords from existing tunnels
  – Perform previous attacks
- Force “password change” to obtain password hashes
  – Hashes can be used directly by a modified SMB or PPTP client
  – MS-CHAPv2 hashes are not useful (you can force v1)

Attacks examples (6) - PPTP (3) - attack example
[Diagram: Server, MITM, Client. Message sequences shown after "start":
  req | auth | chap,  nak | auth | pap,  req | auth | pap,  ack | auth | pap
  req | auth | fake,  nak | auth | chap,  req | auth | pap,  ack | auth | pap]
- Force PAP from CHAP
- We don’t have to mess with GRE sequences...

Attacks examples (6) - PPTP (4) - L2TP rollback
- L2TP can use IPSec ESP as transport layer (stronger than PPTP)
- By default L2TP is tried before PPTP
- Blocking ISAKMP packets results in an IPSec failure
- Client starts a request for a PPTP tunnel (rollback)
- Now you can perform the previous PPTP attacks
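
A detection heuristic for the rollback described here and on the IPSEC Failure slide, as an added example that is not part of the original slides: flag a PPTP control connection that follows ISAKMP requests which never received a reply. The flow record schema, the 30 second window and the addresses are assumptions of this sketch; TCP port 1723 is the PPTP control port.

```python
from collections import namedtuple

# One record per observed packet or connection attempt (constructed schema).
Flow = namedtuple("Flow", "ts src dst proto dport")

ISAKMP_PORT = 500    # UDP, key material exchange
PPTP_PORT = 1723     # TCP, PPTP control connection

def find_rollbacks(flows, window=30.0):
    """Return (client, server, ts) for each PPTP connection opened within
    `window` seconds of an ISAKMP request that was never answered."""
    pending = {}   # (initiator, responder) -> ts of the latest unanswered ISAKMP packet
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto == "udp" and f.dport == ISAKMP_PORT:
            if (f.dst, f.src) in pending:
                # The responder answered: the negotiation is alive, not blocked.
                del pending[(f.dst, f.src)]
            else:
                pending[(f.src, f.dst)] = f.ts
        elif f.proto == "tcp" and f.dport == PPTP_PORT:
            t0 = pending.pop((f.src, f.dst), None)
            if t0 is not None and f.ts - t0 <= window:
                alerts.append((f.src, f.dst, f.ts))
    return alerts

# Constructed sample traffic (documentation addresses).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"

# ISAKMP retransmitted three times with no reply, then the client falls back to PPTP.
BLOCKED = [
    Flow(0.0, CLIENT, SERVER, "udp", 500),
    Flow(1.0, CLIENT, SERVER, "udp", 500),
    Flow(3.0, CLIENT, SERVER, "udp", 500),
    Flow(8.0, CLIENT, SERVER, "tcp", 1723),
]

# ISAKMP answered by the server; a later PPTP connection is not a rollback.
ANSWERED = [
    Flow(0.0, CLIENT, SERVER, "udp", 500),
    Flow(0.1, SERVER, CLIENT, "udp", 500),
    Flow(2.0, CLIENT, SERVER, "tcp", 1723),
]
```

On the client side the corresponding fix is configuration: a VPN profile that must use L2TP over IPSec should not be allowed to fall back to PPTP at all.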

Attacks examples (6) - PPTP (5) - tools
- Ettercap (http://ettercap.sf.net)
  – Hydra plugins suite
- Anger (http://packetstormsecurity.org/sniffers/anger.tar.gz)

Attack techniques - LOCAL SCENARIO

Local Attacks (1) - ARP poisoning
- ARP is stateless (we all know how it works and what the problems are)
- Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g. Solaris)
- The attacker can forge spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply
- Request attack against linux (IDS evasion)
- Useful to sniff on switched LANs
- The switch works at layer 2 and it is not aware of the poisoning in the hosts’ ARP cache (unless some ARP inspection is in place)

Local Attacks (1) - ARP poisoning - tools
- Ettercap (http://ettercap.sf.net)
  – Poisoning
  – Sniffing
  – Hijacking
  – Filtering
  – SSH sniffing (transparent attack)
- Dsniff (http://www.monkey.org/~dugsong/dsniff)
  – Poisoning
  – Sniffing
  – SSH sniffing (proxy attack)

Local Attacks (1) - ARP poison - countermeasures
- YES - passive monitoring (arpwatch)
- YES - active monitoring (ettercap)
- YES - IDS (detect but not avoid)
- YES - Static ARP entries (avoid it)
- YES - Secure-ARP (public key auth)
- NO - Port security on the switch
- NO - anticap, antidote, middleware approach
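
The passive monitoring countermeasure listed above, sketched as an added example that is not part of the original slides and is not arpwatch's own code. It parses raw Ethernet/ARP frames, pins the first binding seen for each IP (or a supplied static one) and reports later conflicts; the three frames and all addresses are constructed.

```python
import struct

def parse_arp(frame):
    """Return (opcode, eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:
        return None
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, eth_src, sha, spa

def mac_str(b):
    return ":".join("%02x" % x for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

class ArpWatch:
    def __init__(self, static=None):
        # ip -> mac; static entries pin critical hosts such as the gateway
        self.table = dict(static or {})

    def observe(self, frame):
        """Return a list of alert tuples for one captured frame."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _, eth_src, sha, spa = parsed
        ip, mac = ip_str(spa), mac_str(sha)
        alerts = []
        if eth_src != sha:
            # Sender address inside the ARP payload differs from the frame's source.
            alerts.append(("ethernet-source-mismatch", ip, mac_str(eth_src), mac))
        known = self.table.setdefault(ip, mac)   # first binding seen is kept
        if known != mac:
            alerts.append(("binding-changed", ip, known, mac))
        return alerts

# Constructed frames: dst, src, ethertype, then the 28-byte ARP reply.
GOOD = bytes.fromhex(
    "00aabbccddee 001122334455 0806 0001 0800 06 04 0002 "
    "001122334455 c0000201 00aabbccddee c0000232")
CONFLICT = bytes.fromhex(      # 192.0.2.1 now claimed by a different MAC
    "00aabbccddee 020000000099 0806 0001 0800 06 04 0002 "
    "020000000099 c0000201 00aabbccddee c0000232")
MISMATCH = bytes.fromhex(      # payload says 00:11:.., frame came from 02:..:99
    "00aabbccddee 020000000099 0806 0001 0800 06 04 0002 "
    "001122334455 c0000201 00aabbccddee c0000232")
```

As the slide says of IDS, this detects but does not avoid: the alert fires after the conflicting reply is already on the wire, so critical bindings still belong in static ARP entries.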

Local Attacks (2) - DNS spoofing
- If the attacker is able to sniff the ID of the DNS request, he/she can reply before the real DNS server
[Diagram: HOST, DNS, MITM; labels: serverX.localdomain.it, 10.1.1.50, 10.1.1.1]

Local Attacks (2) - DNS spoofing - tools
- Ettercap (http://ettercap.sf.net)
  – Phantom plugin
- Dsniff (http://www.monkey.org/~dugsong/dsniff)
  – Dnsspoof
- Zodiac (http://www.packetfactory.com/Projects/zodiac)

Local Attacks (2) - DNS spoofing - countermeasures
- YES - detect multiple replies (IDS)
- YES - use lmhosts or hosts file for static resolution of critical hosts
- YES - DNSSEC
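
The "detect multiple replies" countermeasure, sketched as an added example that is not part of the original slides. It parses DNS responses from UDP payloads and alerts when two responses to the same query (same server, client, port, transaction ID and name) carry different A records. The sample replies are constructed; they reuse the name and the two addresses from the slide's diagram without assuming which one is genuine, and the server and client addresses are placeholders.

```python
import struct

def read_name(msg, off):
    """Decode the DNS name at `off`; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels).lower(), (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n

def parse_response(msg):
    """Return (txid, qname, frozenset of A addresses) for a response, else None."""
    if len(msg) < 12:
        return None
    txid, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qd != 1:             # QR bit clear: this is a query
        return None
    qname, off = read_name(msg, 12)
    off += 4                                      # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated record")
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname, frozenset(addrs)

class ReplyWatcher:
    def __init__(self):
        self.seen = {}   # query key -> first answer set (expire entries in real use)

    def observe(self, server, client, port, payload):
        """Return an alert dict if this response conflicts with an earlier one."""
        try:
            parsed = parse_response(payload)
        except (IndexError, struct.error, ValueError):
            return None
        if parsed is None:
            return None
        txid, qname, addrs = parsed
        first = self.seen.setdefault((server, client, port, txid, qname), addrs)
        if first == addrs:
            return None                           # first reply or a retransmission
        return {"qname": qname, "txid": txid,
                "first": sorted(first), "later": sorted(addrs)}

# Constructed sample replies for the name on the slide.
QUESTION = b"\x07serverX\x0blocaldomain\x02it\x00" + struct.pack("!HH", 1, 1)

def sample_reply(txid, addr):
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(addr)
    return header + QUESTION + answer
```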

Local Attacks (3) - STP mangling
- It is not a real MITM attack since the attacker is able to receive only “unmanaged” traffic
- The attacker can forge BPDU with high priority pretending to be the new root of the spanning tree

Local Attacks (3) - STP mangling - tools
- Ettercap (http://ettercap.sf.net)
  – Lamia plugin

Local Attacks (3) - STP mangling - countermeasures
- YES - Disable STP on VLAN without loops
- YES - Root Guard, BPDU Guard.

Attack techniques - FROM LOCAL TO REMOTE

Local to remote attacks (1) - DHCP spoofing
- DHCP requests are made in broadcast.
- If the attacker replies before the real DHCP server it can manipulate:
  – IP address of the victim
  – GW address assigned to the victim
  – DNS address

Local to remote attacks (1) - DHCP spoofing - countermeasures
- YES - detection of multiple DHCP replies

Local to remote attacks (2) - ICMP redirect
- The attacker can forge ICMP redirect packets in order to redirect traffic to himself
[Diagram: LAN with G1, AT, H and T; label: ICMP redirect to AT]

Local to remote attacks (2) - ICMP redirect - tools
- IRPAS icmp_redirect (Phenoelit) (http://www.phenoelit.de/irpas/)
- icmp_redir (Yuri Volobuev)

Local to remote attacks (2) - ICMP redirect - countermeasures
- YES - Disable the ICMP REDIRECT
- NO - Linux has the “secure redirect” options but it seems to be ineffective against this attack

Local to remote attacks (3) - IRDP spoofing
- The attacker can forge some advertisement packets pretending to be the router for the LAN. He/she can set the “preference level” and the “lifetime” at high values to be sure the hosts will choose it as the preferred router.
- The attack can be improved by sending some spoofed ICMP Host Unreachable messages pretending to be the real router

Local to remote attacks (3) - IRDP spoofing - tools
- IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)

Local to remote attacks (3) - IRDP spoofing - countermeasures
- YES - Disable IRDP on hosts if the operating system permits it.

Local to remote attacks (4) - ROUTE mangling
- The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet
- The netmask should be big enough to win against other routes
[Diagram: INTERNET, GW, AT, H]
- Now the problem for the attacker is to send packets to the real destination. He/she cannot send them through GW since it is convinced that the best route is AT.
[Diagram: INTERNET, GW, AT, H, D, AT2; label: Tunnel]

Local to remote attacks (4) - ROUTE mangling - tools
- IRPAS (Phenoelit) (http://www.phenoelit.de/irpas/)
- Nemesis (http://www.packetfactory.net/Projects/nemesis/)

Local to remote attacks (4) - ROUTE mangling - countermeasures
- YES - Disable dynamic routing protocols in this type of scenario
- YES - Enable some ACL to block unexpected updates
- YES - Enable authentication on the protocols that support it

Attacks techniques - REMOTE SCENARIOS

Remote attacks (1) - DNS poisoning
- Type 1 attack
  – The attacker sends a request to the victim DNS asking for one host
  – The attacker spoofs the reply which is expected to come from the real DNS
  – The spoofed reply must contain the correct ID (brute force or semi-blind guessing)
- Type 2 attack
  – The attacker can send a “dynamic update” to the victim DNS
  – If the DNS processes it, it is even worse because it will be authoritative for those entries

Remote attacks (1) - DNS poisoning - tools
- ADMIdPack
- Zodiac (http://www.packetfactory.com/Projects/zodiac)

Remote attacks (1) - DNS poisoning - countermeasures
- YES - Use DNS with random transaction ID (Bind v9)
- YES - DNSSec (Bind v9) allows the digital signature of the replies.
- NO - restrict the dynamic update to a range of IP (they can be spoofed)

Remote attacks (2) - Traffic Tunneling
[Diagram: Router 1, Gateway, INTERNET, Server, Client, Fake host, Attacker; label: Tunnel GRE]

Remote attacks (2) - Traffic Tunneling - tools
- Ettercap (http://ettercap.sf.net)
  – Zaratan plugin
- TunnelX (http://www.phrack.com)

Remote attacks (2) - Traffic Tunneling - countermeasure
- YES - Strong passwords and community on routers

Remote attacks (3) - ROUTE mangling
- The attacker aims to hijack the traffic between the two victims A and B
- The attack will collect sensitive information through:
  – traceroute
  – portscanning
  – protoscanning
- Quite impossible against link state protocols

Scenario 1 a (IGRP inside the AS)
[Diagram: A, B, R1, R2; caption: The attacker pretends to be the GW]

Scenario 1 b (IGRP inside the AS)
[Diagram: A, B, R1, R2, R3]

Scenario 2 a (the traffic does not pass thru the AS)
[Diagram: AS 1, AS 2, AS 3, BG 1, BG 2, BG 3; labels: BGP, RIP]

Remote attacks (3) - ROUTE mangling
- IRPAS by Phenoelit (http://www.phenoelit.de/irpas/)
- Nemesis (http://www.packetfactory.net/Projects/nemesis/)

Remote attacks (3) - ROUTE mangling - countermeasure
- YES - Use routing protocol authentications

Conclusions
- The security of a connection relies on:
  – a proper configuration of the client (avoiding ICMP Redirect, ARP Poisoning etc.)
  – the other endpoint infrastructure (e.g. DNS dynamic update),
  – the strength of third party appliances to which we don’t have access (e.g. Tunnelling and Route Mangling).
- The best way to protect a communication is the correct and conscious use of cryptographic suites
  – both client and server side
  – at the network layer (i.e. IPSec)
  – at transport layer (i.e. SSLv3)
  – at application layer (i.e. PGP).

– Marco Valleri <[email protected]>
– Alberto Ornaghi <[email protected]>