nerdexam
GIAC

GCIH · Question #363

A user is asking for an upgrade to Internet Explorer, because he constantly gets annoying windows popping up whenever he visits his online banking site from his laptop when on the corporate network. H

The correct answer is A. It is likely that someone is spoofing DNS and running a Monkey-in-the-Middle attack to spy on the. Certificate warning pop-ups that appear only on the corporate network when visiting HTTPS banking sites indicate a Man-in-the-Middle attack intercepting SSL traffic. An attacker is presenting a forged certificate, causing the browser to warn the user.

Web Application Attacks & Post-Exploitation

Question

A user is asking for an upgrade to Internet Explorer, because he constantly gets annoying windows popping up whenever he visits his online banking site from his laptop when on the corporate network. He claims that after clicking 'Yes' in the message boxes that pop up he is able to continue working. When he takes his laptop home, he does not get these same pop ups. What is a possible explanation for this, and what should the administrator do?

Options

  • AIt is likely that someone is spoofing DNS and running a Monkey-in-the-Middle attack to spy on the
  • BIt is likely that the user's browser has not been patched against the latest SSL vulnerabilities. The
  • CIt is likely that the user's machine has been compromised and is being used as an ARP spoofing
  • DIt is likely that the machine has been infected with a backdoor which has taken over control of the

How the community answered

(35 responses)
  • A
    69% (24)
  • B
    17% (6)
  • C
    9% (3)
  • D
    6% (2)

Why each option

Certificate warning pop-ups that appear only on the corporate network when visiting HTTPS banking sites indicate a Man-in-the-Middle attack intercepting SSL traffic. An attacker is presenting a forged certificate, causing the browser to warn the user.

AIt is likely that someone is spoofing DNS and running a Monkey-in-the-Middle attack to spy on theCorrect

When a user receives SSL certificate warnings exclusively on the corporate network and not at home, it strongly indicates that an attacker on that network is performing a Man-in-the-Middle attack, possibly via DNS spoofing, to intercept encrypted banking traffic. The browser warns because the certificate presented does not match the legitimate site or is not trusted. The administrator should investigate the corporate network for rogue devices or compromised infrastructure performing SSL interception and capture traffic to confirm.

BIt is likely that the user's browser has not been patched against the latest SSL vulnerabilities. The

Unpatched SSL vulnerabilities on the browser would cause issues regardless of which network the user is connected to, not exclusively on the corporate network.

CIt is likely that the user's machine has been compromised and is being used as an ARP spoofing

ARP spoofing could facilitate a MITM attack, but this choice does not explain the certificate warnings or the network-specific behavior described in the scenario.

DIt is likely that the machine has been infected with a backdoor which has taken over control of the

A backdoor infection would manifest with different symptoms and would not be limited to producing SSL certificate warnings only when the user is on the corporate network.

Concept tested: SSL Man-in-the-Middle attack via DNS spoofing

Source: https://owasp.org/www-community/attacks/Manipulator-in-the-middle_attack

Topics

#DNS spoofing#MITM attack#SSL certificate warnings#network interception

Community Discussion

No community discussion yet for this question.

Full GCIH Practice