SSL Mitm Attacks
Performing a Man in the Middle Attack Using a Spoofed Certificate for Purposes of Decrypting SSL Traffic
1. Introduction
SSL (Secure Sockets Layer) is the industry standard for delivering content to a web user over an encrypted channel, with very little setup required on the user's side. This paper attacks SSL as it is deployed rather than its cryptography, and examines the effects of poor security education. We will use a Man in the Middle attack to send the web user a spoofed certificate when he attempts to connect to a website via HTTPS; the attack succeeds only if the user accepts that certificate.
1.1 Purpose
The attack that will be demonstrated in this paper is to be used for an educational purpose only. This paper should be used to promote security awareness and emphasize the concern that should be placed upon secure infrastructure. The authors of this guide will not be held responsible for any misuse of the information within.
1.2 Scope
This document is broken down into eight chapters, each explaining a new phase of the process. They are organized in this manner so that the guide can also be followed as a checklist. The attack itself begins with chapter three; if you already have a copy of iWhax, Whoppix, or Auditor you may wish to skip to that section.
Chapter 2: Downloading iWhax or Whoppix. Provides links to the software and discusses its origin.
Chapter 3: Fragrouter. Explains the fragrouter program and why IP forwarding is necessary to this attack: once the victim and the gateway both send their traffic to us, we must pass it on or the victim's connections simply break.
Chapter 4: Arpspoof. Describes the process of ARP cache poisoning. This is the heart of a Man in the Middle attack; we discuss the theory behind it as well as the steps required to perform it.
Chapter 5: Dnsspoof. Builds on the ARP cache poisoning by forging replies to the victim's DNS queries, so that the hostnames it looks up resolve to our machine.
Chapter 6: Webmitm. Discusses a very important step, the forging of a certificate. Using the webmitm tool we create a false certificate and transparently relay and record the HTTP/HTTPS traffic redirected by dnsspoof; webmitm presents the false certificate whenever the victim requests a secure site.
Chapter 7: Sniffing Network Traffic with Ethereal. We have chosen Ethereal as our network sniffer because of its intuitive interface, easily filtered traffic, and excellent dump files.
Chapter 8: Testing a Connection on Your Home Network. Using a second computer on your network (the target of the attack in this demonstration), attempt to connect to a secure site.
Chapter 9: Decrypting the SSL Data with ssldump. We use the ssldump tool, together with the private key belonging to our forged certificate, to decrypt the SSLv3/TLS traffic and display the data in plaintext.
3. Fragrouter
3.1 Booting into iWhax
Since it is assumed that the user already knows how to run a Linux live CD, we will not cover the boot process in detail. Simply switch your boot device from the hard drive to the CD-ROM, and make sure that the iWhax (or Whoppix) CD is in the tray when you boot the computer. To change the screen resolution, pass the following cheat code at the boot prompt: knoppix screen=1600x1200 (adjust the resolution to what your monitor supports). It is important to change this setting during the boot process because you may not be able to change it once the operating system is loaded.
4. ARPSPOOF
4.1 Principles
An ARP Cache Poisoning attack is used to position oneself between two computers, or devices, that are communicating on a network; in our case the victim and its default gateway. This is achieved by exploiting a weakness in the Address Resolution Protocol: ARP has no authentication, and a host will update its cache from any reply it receives, whether or not it asked for one. We send a stream of forged ARP replies to the devices we wish to attack, telling the victim that the gateway's IP address belongs to our MAC address and telling the gateway that the victim's IP address belongs to our MAC address, and so convince each device that we are the other. From then on we silently sit between the two devices and can intercept every transmission in either direction. Because both ends now deliver their frames to us, we must forward them (this is why IP forwarding with fragrouter is set up in chapter three); otherwise the victim loses connectivity and is likely to notice.
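To make the mechanism concrete, here is an added example (not code from the original paper or from dsniff) that builds the ARP frames involved with only the Python standard library, parses them back, and runs a small detector over constructed traffic: first a legitimate request/reply between victim and gateway, then the two forged reply streams that `arpspoof -t victim gateway` and `arpspoof -t gateway victim` would emit. All MAC and IP addresses are made up for the example. The detector flags the two things the attack cannot hide: an IP address whose MAC suddenly changes, and a single MAC that claims more than one IP address (we have to impersonate both ends).

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826). Requests are broadcast;
    replies go unicast to the target MAC, which is also what arpspoof sends."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen 6, plen 4, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Minimal arpwatch-style monitor fed one frame at a time."""

    def __init__(self, known=None):
        self.first_seen = dict(known or {})   # ip -> MAC first learned (or statically configured)
        self.claims = {}                      # mac -> set of IPs it has claimed to own

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["sender_mac"] != p["eth_src"]:
            alerts.append(f"ARP sender {p['sender_mac']} != frame source {p['eth_src']}")
        old = self.first_seen.setdefault(p["sender_ip"], p["sender_mac"])
        if old != p["sender_mac"]:
            alerts.append(f"{p['sender_ip']} moved from {old} to {p['sender_mac']}")
        ips = self.claims.setdefault(p["sender_mac"], set())
        ips.add(p["sender_ip"])
        if len(ips) > 1:
            alerts.append(f"{p['sender_mac']} claims {sorted(ips)}")
        return alerts


def simulate_arpspoof():
    """Constructed traffic: one legitimate exchange, then the forged replies of a
    two-sided arpspoof run. Addresses are invented for this example."""
    gw_ip, gw_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim_ip, victim_mac = "192.168.1.10", "aa:bb:cc:00:00:10"
    attacker_mac = "aa:bb:cc:00:00:66"
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),   # to victim: "I am the gateway"
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gw_mac, gw_ip),       # to gateway: "I am the victim"
    ]
    watch = ArpWatch()
    alerts = []
    for frame in frames:
        alerts += watch.observe(frame)
    return alerts


if __name__ == "__main__":
    for alert in simulate_arpspoof():
        print("ALERT:", alert)
```

Running it prints three alerts: the gateway's IP moving to the attacker's MAC, the victim's IP doing the same, and the attacker's MAC claiming both addresses. Static ARP entries for the gateway, or a switch feature such as dynamic ARP inspection, are the corresponding defences.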
5. DNSSPOOF
This is the simplest step of the procedure. Open a new shell and run the command: dnsspoof (see picture on next page). Run without a hosts file (the -f option), dnsspoof forges a reply to every address query it sees on the LAN, answering with the attacking machine's own IP address, so every hostname the victim looks up resolves to us. Because of the ARP cache poisoning in the previous chapter, the victim's queries to its real DNS server pass through us on their way to the gateway, and our forged reply arrives before the genuine one.
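The following is an added example, not code from the paper or from dsniff, showing what dnsspoof does with a query it sees: it copies the transaction ID and question section, appends one A record pointing at the address we chose, and sends that back. It uses only the Python standard library; the hostname, rule patterns and the 192.168.1.66 "attacker" address are constructed for the example. The `HostsRules` class approximates dnsspoof's hosts-file matching (wildcards allowed, first match wins, or answer everything with one address when no rules are given), and `suspicious_answer` is a cheap client-side heuristic, not a real defence, that catches the obvious symptom: a public hostname resolving to an address on our own LAN.

```python
import fnmatch
import ipaddress
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Return (name, offset just past the name); follows compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid, name, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, off + 4


class HostsRules:
    """(pattern, ip) rules in the spirit of dnsspoof -f. With no rules, every
    A query is answered with default_ip, like dnsspoof run without -f."""

    def __init__(self, rules, default_ip=None):
        self.rules, self.default_ip = rules, default_ip

    def lookup(self, name):
        for pattern, ip in self.rules:
            if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                return ip
        return self.default_ip


def forge_response(query, rules, ttl=300):
    """Forge the answer the way dnsspoof does: same transaction ID, question copied
    verbatim, one A record whose owner name is a pointer back to the question."""
    txid, name, qtype, qclass, qend = parse_query(query)
    if (qtype, qclass) != (1, 1):          # only A / IN queries are spoofed
        return None
    ip = rules.lookup(name)
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # QR, RD, RA, NOERROR
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:qend] + answer


def parse_response(msg):
    txid, _flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass) == (1, 1):
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return txid, answers


def suspicious_answer(query, response, lan):
    """Heuristic only: a reply for our query whose A record lands inside our own LAN."""
    txid, answers = parse_response(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        return False
    net = ipaddress.ip_network(lan)
    return any(ipaddress.IPv4Address(ip) in net for _, ip, _ in answers)


if __name__ == "__main__":
    rules = HostsRules([("*.bank.example", "192.168.1.66")])
    q = build_query(0x1234, "www.bank.example")
    r = forge_response(q, rules)
    print(parse_response(r), "suspicious:", suspicious_answer(q, r, "192.168.1.0/24"))
```

Note what the forger does not need: it never sees the real server's reply, only the transaction ID and question, both of which are on the wire in clear. DNSSEC validation on the client, or simply not letting the attacker onto the path (chapter 4), is what actually stops this.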
6. WEBMITM
6.1 Spoofing a Certificate
This step is the heart of the attack. We create a spoofed certificate that resembles one the user would normally accept. It is self-signed rather than issued by a certificate authority the browser trusts, so the browser will warn before using it; the attack relies on the user clicking through that warning. The WEBMITM tool then sits on the network and waits for someone to attempt to access a secure (SSL) site; since dnsspoof has already answered the victim's lookup with our address, that attempt arrives at us. WEBMITM presents the user with our fake certificate, terminates the victim's SSL session itself with the matching private key, and opens its own connection to the real server to relay the requests. Assuming the user accepts the certificate, the victim is encrypting to a key we hold, which is all we need to decrypt any traffic we now intercept. If the user refuses the certificate, the browser never sends the request and the attack fails, which is exactly why security awareness matters here.
Once the user has accessed a secure site and the attack has been carried out successfully, you may save the Ethereal capture to a file. If you selected the option to update the packet list in real time, you will see a lot of HTTP, TLS, and SSL traffic as soon as the victim attempts to access a secure site; that is the cue to stop the Ethereal capture and begin decrypting the data. For the purposes of this test, continue to the next section before saving the capture.
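The decryption step that chapter 9 hands to ssldump (run with the private key of our forged certificate) rests on the derivation below, given here as an added example that is not code from the paper, from dsniff or from ssldump. With RSA key exchange the client sends the 48-byte pre-master secret encrypted to the server's public key, which in our setup is webmitm's key; whoever holds that key decrypts it, and from the pre-master secret plus the two Hello randoms recovers the master secret and every session key, exactly as the server does. The example implements the TLS 1.0/1.1 PRF (RFC 2246) and the TLS 1.2 PRF (RFC 5246) with the Python standard library and runs the master-secret and key-expansion steps; the handshake values at the bottom are constructed, and the RSA decryption itself is left to ssldump. The caveat a practitioner should take away: with DHE or ECDHE cipher suites the pre-master secret never travels under the server's key, so holding the private key alone no longer decrypts a captured session; the attacker then has to be active, as webmitm is.

```python
import hashlib
import hmac
import os


def p_hash(hash_name, secret, seed, length):
    """P_hash (RFC 2246 s.5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ... truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over
    the second half; for an odd-length secret the halves share one byte."""
    half = (len(secret) + 1) // 2
    a = p_hash("md5", secret[:half], label + seed, length)
    b = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(a, b))


def prf_tls12(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 s.5): a single P_SHA256."""
    return p_hash("sha256", secret, label + seed, length)


def master_secret(pre_master, client_random, server_random, prf=prf_tls10):
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len, key_len, iv_len, prf=prf_tls10):
    """Key expansion (RFC 2246 s.6.3). Note the seed order flips to server_random + client_random."""
    need = 2 * (mac_len + key_len + iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, need)
    parts, off = {}, 0
    for name, size in (("client_mac", mac_len), ("server_mac", mac_len),
                       ("client_key", key_len), ("server_key", key_len),
                       ("client_iv", iv_len), ("server_iv", iv_len)):
        parts[name] = kb[off:off + size]
        off += size
    return parts


def session_keys(pre_master, client_random, server_random, tls12=False):
    """What an eavesdropper holding the server's RSA key (and so pre_master) can compute
    from a capture. Sizes are those of an AES-128-CBC / HMAC-SHA1 suite."""
    prf = prf_tls12 if tls12 else prf_tls10
    ms = master_secret(pre_master, client_random, server_random, prf)
    return key_block(ms, client_random, server_random, 20, 16, 16, prf)


if __name__ == "__main__":
    # Constructed handshake values; in a real capture the randoms come from the Hello
    # messages and the pre-master secret from RSA-decrypting ClientKeyExchange.
    pms = b"\x03\x01" + os.urandom(46)       # first two bytes carry the client's offered version
    cr, sr = os.urandom(32), os.urandom(32)
    keys = session_keys(pms, cr, sr)
    print({k: v.hex() for k, v in keys.items()})
```

ssldump performs this same derivation after decrypting the ClientKeyExchange with the key from webmitm.crt, then decrypts the application-data records with the resulting keys. If the capture shows a DHE or ECDHE cipher suite instead, the private key only verified a signature on ephemeral parameters and this path yields nothing.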
This is for educational purposes only. Do not misuse this information; it is intended for prevention techniques only.