Gregory's Server
That's not how that works.
When we talk about exchanging credentials in the clear, we're talking stuff like telnet where a MitM can just dump your password via Wireshark. An ssh connection sets up a secure tunnel between the systems, and then compares cryptographic hashes. The plain text password never is stored on disk anywhere, just the one way salted hash of the password.
@JessTheUnstill
Yup. This device is probably transmitting stuff in the clear because it’s got a web server running without encryption. The “normal” answer would be to enable TLS on your web server, but how do you do that when you’re embedded and cant just bake in CA-signed TLS certs?
The thing that interests me about this failure is that you can pass-the-hash to get in.
@tknarr @colin_mcmillen @bagder
@JessTheUnstill
Yup. This device is probably transmitting stuff in the clear because it’s got a web server running without encryption. The “normal” answer would be to enable TLS on your web server, but how do you do that when you’re embedded and cant just bake in CA-signed TLS certs?
The thing that interests me about this failure is that you can pass-the-hash to get in.