Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: Tunnel VPN over 443 and evading IDS

  1. #11
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    I'm not a cryptologist either, more of an amateur at it. I also can't verify any of the claims of the inventor or his company. But they did claim the device would decrypt SSL on the fly in a MITM configuration.
    Thorn
    Stop the TSA now! Boycott the airlines.

  2. #12
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by compaq View Post
    There's an openssl program that, if you sniff the handshake, will allow you to decode the connection; I think it's this ssldump, on SourceForge.
    The handshake shouldn't be enough because only the public keys are exchanged. You'll need the private keys if you want to decrypt anything. (Or am I missing something?).

    Is there any program that will let you set up an SSL MITM server on your own machine? For instance, let's say the victim wants to check internet banking over SSL; you arp-poison him so that all the traffic goes through your machine. You spoof the foreign server's public key so that you can decrypt everything, and you re-encrypt with the correct public key for forwarding it on. Has this been done already?
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  3. #13
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    The handshake shouldn't be enough because only the public keys are exchanged. You'll need the private keys if you want to decrypt anything. (Or am I missing something?).

    Is there any program that will let you set up an SSL MITM server on your own machine? For instance, let's say the victim wants to check internet banking over SSL; you arp-poison him so that all the traffic goes through your machine. You spoof the foreign server's public key so that you can decrypt everything, and you re-encrypt with the correct public key for forwarding it on. Has this been done already?
    I thought the thread was about how an IDS can know that it is legit SSL traffic, and as ettercap forwards the traffic on, or it won't decode, then finding out how to block it with the firewall would be difficult even if you piped it to a file that got grepped (just hope the IDS and firewall aren't on the same machine).
    And I never liked ettercap.

  4. #14
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by compaq View Post
    I thought the thread was about how can a ids know that it is legit ssl traffic
    We're talking about the IDS device decrypting the SSL traffic to see if it actually contains the HTTP protocol. If it doesn't contain the HTTP protocol, the traffic will be blocked (e.g. this is a way of stopping people accessing a VPN).

    I have two questions:
    1) What does IDS stand for?
    2) What software is available for doing MITM on SSL traffic?
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  5. #15
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Default

    Quote Originally Posted by theberries View Post
    The following outlines the real possibility of MITM on SSLVPN and explains the key exchanges:

    http://www.networkworld.com/community/node/31124
    I do my internet banking over SSL without any kind of authentication certificate... One day I'll log in to find my entire balance transferred to Ahasamabooboo Imyrianketago.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  6. #16
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Quote Originally Posted by Virchanza View Post
    I have two questions:
    1) What does IDS stand for?
    Intrusion Detection System
    Quote Originally Posted by Virchanza View Post
    2) What software is available for doing MITM on SSL traffic?
    For example Ettercap.
    Quote Originally Posted by Virchanza View Post
    I do my internet banking over SSL without any kind of authentication certificate... One day I'll log in to find my entire balance transferred to Ahasamabooboo Imyrianketago.
    Is that even possible, I mean doesn't SSL by default mean that an authentication certificate will need to be in place? If it is properly signed or even valid anymore is of course another question entirely.
    -Monkeys are like nature's humans.

  7. #17
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Default

    Quote Originally Posted by =Tron= View Post
    Is that even possible, I mean doesn't SSL by default mean that an authentication certificate will need to be in place? If it is properly signed or even valid anymore is of course another question entirely.
    Tron, from what I know of the subject, a client sends a ClientHello message stating the strongest protocol version it supports.
    The server then chooses the best supported method of cryptology and sends its ServerCertificate message to the client; in this the server requests a certificate from the client, so that the connection can be authenticated. After the client sends the certificate, that's the hello done.
    Now it's time for the key: the client sends a ClientKeyExchange message, which contains the PreMasterSecret, which is encrypted using the public key of the server certificate. Now the client sends a CertificateVerify message, which is a signature using the client's certificate's private key. This is how the server knows that the client knows the private key of the certificate and therefore must own the certificate. Now with all these numbers and keys the master secret is made; all key data in this session from now on descends from this unique master secret. The client then sends a ChangeCipherSpec record; this tells the server all data from now on is encrypted, "SSL FIRE UP" "I THINK".
    Lastly the client sends an encrypted Finished message; this contains a new hash and MAC over the previous handshake messages. If the server can decrypt the client's Finished message and verify the hash and MAC, then everything ran smoothly and the session will continue; if the decryption fails, the connection will be torn down. The server then sends a ChangeCipherSpec and its encrypted Finished message, to which the client responds to make sure the protocol is working properly. Or it's something very similar to that.
    Sometimes I try to fit a 16-character string into an 8-byte space, on purpose.
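    To make the handshake sequence described above concrete from the inspecting side, here is an added Python example; it is not code from this thread or from any tool named in it. It parses a TLS record header and, for a Handshake record, the handshake header and the ClientHello body (client version, session ID, offered cipher suites), then classifies the first bytes a client sent on port 443 as a TLS ClientHello, plaintext HTTP, or something else. That initial classification is the step an IDS has to get right before it can say anything about what is inside the tunnel. The ClientHello bytes, the HTTP request and the non-TLS blob are constructed sample input, and all function names are this example's own.

```python
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# Handshake message types (RFC 5246 section 7.4), including the ones named in the post above
HANDSHAKE_TYPES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}


def parse_client_hello(body: bytes) -> dict:
    """Extract client_version, session_id and offered cipher suites from a ClientHello body."""
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 2 + 32                       # skip the 32-byte Random field
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    if len(body) < pos + 2:
        raise ValueError("truncated cipher_suites length")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    if cs_len % 2 or len(body) < pos + cs_len:
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"client_version": client_version, "session_id": session_id.hex(), "cipher_suites": suites}


def parse_tls_record(data: bytes) -> dict:
    """Parse one TLS record header plus, for Handshake records, the handshake header.

    Raises ValueError when the bytes do not form a plausible, complete TLS record."""
    if len(data) < 5:
        raise ValueError("too short for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type not in CONTENT_TYPES or major != 3 or minor > 4:
        raise ValueError("not a TLS record header")
    if len(data) < 5 + length:
        raise ValueError("truncated record")
    rec = {"content_type": CONTENT_TYPES[content_type], "record_version": (major, minor), "length": length}
    if content_type == 22:
        body = data[5:5 + length]
        if len(body) < 4:
            raise ValueError("truncated handshake header")
        hs_type = body[0]
        hs_len = int.from_bytes(body[1:4], "big")
        rec["handshake_type"] = HANDSHAKE_TYPES.get(hs_type, f"unknown({hs_type})")
        rec["handshake_length"] = hs_len
        if hs_type == 1:
            rec.update(parse_client_hello(body[4:4 + hs_len]))
    return rec


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")


def classify_port443_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on 443: TLS ClientHello, other TLS, plaintext HTTP, or not TLS."""
    try:
        rec = parse_tls_record(data)
        if rec["content_type"] == "Handshake" and rec.get("handshake_type") == "ClientHello":
            return "tls-client-hello"
        return "tls-other"
    except ValueError:
        pass
    if any(data.startswith(m) for m in HTTP_METHODS):
        return "plaintext-http"
    return "not-tls"


# Constructed sample input (hypothetical, not captured traffic):
# a minimal TLS 1.2 ClientHello offering two cipher suites and no extensions.
CLIENT_HELLO = bytes.fromhex(
    "16 0301 0031"        # record: Handshake, record version 3.1, length 49
    "01 00002d"           # handshake: ClientHello, length 45
    "0303"                # client_version: TLS 1.2
) + bytes(32) + bytes.fromhex(  # Random: 32 constructed zero bytes
    "00"                  # session_id length 0
    "0004 1301 c02f"      # cipher_suites: 0x1301, 0xC02F
    "01 00"               # compression_methods: null only
    "0000"                # extensions length 0
)
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed plaintext request
NON_TLS = bytes([0x00, 0x2A, 0x38, 0x6F, 0x7D, 0x11, 0x90, 0x03])  # constructed arbitrary non-TLS bytes

if __name__ == "__main__":
    for label, sample in (("client hello", CLIENT_HELLO), ("http", HTTP_REQUEST), ("other", NON_TLS)):
        print(f"{label:12s} -> {classify_port443_bytes(sample)}")
    print(parse_tls_record(CLIENT_HELLO))
```

    Run it as a script to see the three classifications and the parsed ClientHello fields; the parser checks every length field before indexing so that a truncated or non-TLS stream raises ValueError instead of throwing an IndexError, which is the behaviour a protocol classifier in an inspection path needs.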

  8. #18

    Default

    Quote Originally Posted by Virchanza View Post
    2) What software is available for doing MITM on SSL traffic?
    In addition to what has been mentioned, I have successfully done SSL MiTM (in a lab and class environment) using a combination of:

    fragrouter
    dnsspoof
    webmitm
    arpspoof
    wireshark

    Success of this depends on the user not reviewing the presented certificate too closely.

  9. #19
    Member
    Join Date
    Jan 2008
    Posts
    194

    Default

    Quote Originally Posted by compaq View Post
    I thought the thread was about how can a ids know that it is legit ssl traffic, and as ettercap forwards the traffic on, or it won't decode, then finding out to block it with the firewall would be difficult even if you piped it to a file that got grep(just hope the ids and firewall arn't on the same machine).
    And I never liked ettercap.
    The thread has some good information on doing a MITM on SSL traffic. However, the original question was how to spoof the SSLVPN traffic and make it look like HTTPS traffic. The reason for that is some IDSs can look at the initialization packets and ascertain that the traffic is indeed VPN traffic. From there on out, however, it's not able to decode the traffic and thus see its contents.

    My question is not how to do a MITM on SSL traffic, rather it's how to mask the SSL traffic so that an IDS will not block it.

    MITM on HTTPS is trivial. MITM on VPN is another beast and can be accomplished but that isn't the original point to the thread.

    I'll be capturing some VPN initialization packets so I'll share those once that's done.

  10. #20

    Default

    Quote Originally Posted by theberries View Post
    You have a VPN server setup on port 443 with the intention of getting the vpn tunnel through the firewall. However, an IDS is in place that is analyzing packets for valid https traffic (POST/GET).

    To the question: Do you know of any code/patch for OpenVPN that can impersonate valid HTTPS traffic? Can you think of any other methods for which this can be accomplished?

    Thanks!
    Have you tried to send your OpenVPN traffic through stunnel? I think stunnel will work with get/post type traffic (although it has been years since I used it and I don't have any captures around from it to look at)

