
Thread: SSL on the fly MITM

  1. #1
    Member imported_onryo's Avatar
    Join Date
    Apr 2009
    Posts
    109

    SSL on the fly MITM

    Anybody know of a program/plugin that can copy a real SSL cert and inject a fake copy on the fly? Using ettercap as MITM on a rogue AP. Yeah, I know there will be a warning. Would be really cool to get this working with remote_browser.

    All the best
    onryo
    Let me explain officer, I am not a hacker. I am a security tester of sorts!

  2. #2
    Good friend of the forums
    Join Date
    Feb 2009
    Posts
    356


    ettercap does this with a self-signed cert. "Real" would mean you have access to a trusted cert for the same domain..?

  3. #3
    Senior Member BigMac's Avatar
    Join Date
    Jan 2008
    Posts
    213

  4. #4
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84


    I'm not 100% sure, but I believe that SSLstrip may be able to do this.

  5. #5
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425


    What the rest said above is probably what you're after.
    This was an old SSL exploit, won't work, but the theory might be good to look at..


    Mozilla Firefox Certificate Spoofing

    #########################################
    Application: Mozilla Firefox
    Vendors: http://www.mozilla.com
    Version: 0.9.1 / 0.9.2
    Platforms: Windows
    Bug: Certificate Spoofing (Phishing)
    Risk: High
    Exploitation: Remote with browser
    Date: 25 July 2004
    Author: Emmanouel Kellinis
    e-mail: me@cipher(dot)org(dot)uk
    web: http://www.cipher.org.uk
    List : BugTraq(SecurityFocus)/ Full-Disclosure
    #########################################


    =======
    Product
    =======
    A popular Web browser, a good alternative to IE and
    "the web browser" for Linux machines,
    used to view pages on the World Wide Web.

    ===
    Bug
    ===

    Firefox has a caching problem; as a result of that, someone can
    spoof the certificate of any website and use it as his/her own.
    The problem is exploited using onunload inside <body> and
    redirection using the HTTP-EQUIV Refresh meta tag, document.write()
    and document.close().

    First you point the redirection meta tag to the website
    whose certificate you want to spoof, then inside
    the <body> tag you add an onunload script so you can control
    the output inside the webpage with the spoofed certificate.

    After that you tell Firefox, as soon as you unload this page,
    to close the stream; apparently the stream you close is
    the redirection website. You do that with
    document.close().

    Now you can write anything you want; you do that
    using document.write(). After writing the content of your choice
    you close the stream again. Usually Firefox won't display your content,
    although if you check the source code you see it, so the last thing
    is to refresh the new page (do that using window.location.reload());
    after that you have your domain name in the URL field, your content
    in the browser and the magic yellow lock in the bottom left corner.
    If you pass your mouse over it you will see displayed the name of
    the website whose certificate you spoofed; if you double click on it you
    will see the full information of the certificate without any warning!

    You don't need to have SSL on your website! It will work with
    http.

    Additionally, using this bug malicious websites can bypass content
    filtering based on SSL properties.


    =====================
    Proof Of Concept Code
    =====================

    <HTML>
    <HEAD>
    <TITLE>Spoofer</TITLE>
    <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
    </HEAD>
    <BODY
    onunload="
    document.close();
    document.writeln('<body onload=document.close();break;><h3>It is Great to Use example\'s Cert!');
    document.close();
    window.location.reload();
    ">
    </BODY>
    </HTML>


    =========================================================
    *PK:http://www.cipher.org.uk/files/pgp/c...public.key.txt
    =========================================================

  6. #6
    Member imported_onryo's Avatar
    Join Date
    Apr 2009
    Posts
    109

    SSL cert on the fly

    Thx guys, (never seen a chick hang out here)
    I have had SSLstrip working in the past and even posted some mail that Moxie sent me here on the forums. In short, SSLstrip is really cool but MUCH too slow. I have also made dumps that I later decrypted after giving the "vic" a fake cert.

    The thing is that I have like 30+ ppl hanging on a karma-like airbase rogue AP. Got -P -C working etc. Since ettercap is doing all the ARP work I often hit the remote_browser plugin to see what is going on.

    It would be really cool if there was a way to auto copy all the issuer info on the cert and send a self-signed one. Yeah, the "vic" will get the browser warning from hell. In short, this is what I need.

    1) auto copies the info on the real cert, injects a fake self-signed one.
    2) does this on the fly. No dumps.

    All the best
    onryo
    Let me explain officer, I am not a hacker. I am a security tester of sorts!

  7. #7
    Just burned his ISO Wummi's Avatar
    Join Date
    May 2009
    Posts
    17


    Quote Originally Posted by onryo View Post
    Thx guys, (never seen a chick hang out here)
    I have had SSLstrip working in the past and even posted some mail that Moxie sent me here on the forums. In short, SSLstrip is really cool but MUCH too slow. I have also made dumps that I later decrypted after giving the "vic" a fake cert.

    The thing is that I have like 30+ ppl hanging on a karma-like airbase rogue AP. Got -P -C working etc. Since ettercap is doing all the ARP work I often hit the remote_browser plugin to see what is going on.

    It would be really cool if there was a way to auto copy all the issuer info on the cert and send a self-signed one. Yeah, the "vic" will get the browser warning from hell. In short, this is what I need.

    1) auto copies the info on the real cert, injects a fake self-signed one.
    2) does this on the fly. No dumps.

    All the best
    onryo
    uhm, ettercap does exactly that with its SSL dissector...

    EDIT: look into etter.conf, check that the redir command is set right:

    redir_command_on
    You have to provide a valid command (or script) to enable tcp redirection at kernel level in order to be able to use SSL dissection. Your script should be able to get 3 parameters:

    %iface
    The network interface on which the rule must be set

    %port
    The source port of the packets to be redirected (443 for HTTPS, 993 for imaps, etc).

    %rport
    The internally bound port to which ettercap listens for connections.

    NOTE: this script is executed with an execve(), so you can't use pipes or output redirection as if you were in a shell. We suggest you to make a script if you need those commands.

    redir_command_off
    This script is used to remove the redirect rules applied by 'redir_command_on'. You should note that this script is called atexit() and thus it has not high privileges. You should provide a setuid program or set ec_uid to 0 in order to be sure that the script is executed successfully.

  8. #8
    Member imported_onryo's Avatar
    Join Date
    Apr 2009
    Posts
    109


    Wummi, are you sure that will copy the real cert? A few years back it just injected a premade cert and made a dump. The old way (if self-installed) was something like uncommenting 2 lines after filling in the needed port info etc. in the etter.conf? If this does copy the real cert I am going to shit egg rolls of joy!! Of course it will be self-signed. I just assumed it worked like before. I am on a Winho machine for the next few hours. Can't wait to try this out.

    BTW, read your first posts. Love to see new ppl here have something to contribute. Thx and welcome.

    All the best
    onryo
    Let me explain officer, I am not a hacker. I am a security tester of sorts!

  9. #9
    Just burned his ISO Wummi's Avatar
    Join Date
    May 2009
    Posts
    17


    Quote Originally Posted by onryo View Post
    Wummi, are you sure that will copy the real cert? A few years back it just injected a premade cert and made a dump. The old way (if self-installed) was something like uncommenting 2 lines after filling in the needed port info etc. in the etter.conf? If this does copy the real cert I am going to shit egg rolls of joy!! Of course it will be self-signed. I just assumed it worked like before. I am on a Winho machine for the next few hours. Can't wait to try this out.

    BTW, read your first posts. Love to see new ppl here have something to contribute. Thx and welcome.

    All the best
    onryo

    thx for the welcome! ettercap works how you need it.

    here's the real cert in Firefox 2:

    hxxp://666kb.com/i/b9bb3mu6e1w97nnrw.jpg

    here's the one ettercap sends:

    hxxp://666kb.com/i/b9bb3yitblc3cay3g.jpg


    sorry it's German, but you should understand enough

    PS: meh, can't post URLs for now...


    EDIT: in bt4 you just need to uncomment the lines for iptables in etter.conf
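As an added example (not code from this thread, from ettercap or from the screenshots above): what the thread describes is a self-signed certificate that carries the real site's subject fields, and the two checks below are what a client can run on a presented certificate to tell such a clone from a legitimately issued leaf. The root, leaf and clone are constructed inline with assumed names so the code runs offline; the self-signed test is "issuer equals subject and the signature verifies under the certificate's own key", the trust test is normal chain validation against the supplied root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Verdict: SelfSigned = issuer == subject and signature verifies under own key; Trusted = chains to a root for host.
type Verdict struct{ SelfSigned, Trusted bool }

func Inspect(cert *x509.Certificate, roots *x509.CertPool, host string) Verdict {
	self := string(cert.RawIssuer) == string(cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return Verdict{SelfSigned: self, Trusted: err == nil}
}

// issue signs tmpl with parentKey; a nil parent makes the certificate self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds a constructed root, a leaf it issued for www.example.com (assumed host) and a
// self-signed clone of that leaf (same subject and SAN), and inspects both leaves.
func Demo() (genuine, clone Verdict) {
	const host = "www.example.com"
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root, rootKey := issue(rootTmpl, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	leaf, _ := issue(leafTmpl, root, rootKey) // issued by the trusted root
	cloneCert, _ := issue(leafTmpl, nil, nil) // identical fields, signed with its own key
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return Inspect(leaf, roots, host), Inspect(cloneCert, roots, host)
}
```

The genuine leaf comes back as not self-signed and trusted; the clone, despite matching subject and SAN, is self-signed and untrusted, which is exactly the state behind the browser warning the thread mentions.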
