
Thread: sslsniff 0.6

  1. #11
    Just burned his ISO
    Join Date
    May 2009
    Posts
    11

    Default

    OK, awaiting... does this work only on IE 6?

  2. #12
    Nick_the_Greek (Senior Member)
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181

    Default

    Quote Originally Posted by Jimmy Kane View Post
    OK awaiting .... does this work only on IE 6?
    Unfortunately yes, and only sometimes. Sometimes I get the "assio read error 2" or "got SSL exception" that we already know. I tried out the *\x00 certs with Firefox 3.0.11 with no luck. I don't know yet why this happened, since FF was only fixed after 3.0.13.

    Security Advisories for Firefox 3.0

    and Security Advisory MFSA 2009-42: Compromise of SSL-protected communication

    I also tried the leaf cert with IE 7, but my wife's habit is to install every security patch for everything. I will set up a VM with XP and an unpatched IE 7 to test with.

    If you want, PM me and I will send you instructions on how to install it, since you are obsessed with it. For now I don't want to post any wrong instructions and get people into trouble. I prefer to test first.

    Nick.
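The "*\x00" certificates Nick mentions exploit the bug described in MFSA 2009-42: the Common Name was handed to C code that treats it as a NUL-terminated string, so "www.example.com\x00.attacker.example" compared equal to "www.example.com". The following is an added example (not code from the thread or from sslsniff) contrasting that flawed comparison with a length-aware matcher that also enforces the narrow wildcard rules modern clients use; the host names are constructed placeholders.

```python
"""Added example: NUL-prefix certificate names versus a strict hostname matcher.

Not part of the original thread or of sslsniff. Host names are constructed.
"""


def naive_c_string_match(cert_cn: str, hostname: str) -> bool:
    """Emulate the 2009-era defect (MFSA 2009-42).

    The CN is passed to C code as a NUL-terminated string, so everything
    after the first NUL byte is silently ignored during the comparison.
    """
    truncated = cert_cn.split("\x00", 1)[0]
    return truncated.lower() == hostname.lower()


def strict_hostname_match(cert_cn: str, hostname: str) -> bool:
    """Length-aware matching with restricted wildcards.

    Rules (modelled on RFC 6125 and current browser behaviour):
      * a NUL byte anywhere in the name is rejected outright;
      * comparison is case-insensitive over the full string;
      * "*" may only be the entire leftmost label, never a bare "*" and
        never "*.tld", and it matches exactly one label.
    """
    if "\x00" in cert_cn:
        return False  # NUL is never legal in a DNS name
    cn = cert_cn.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in cn:
        return cn == host
    labels = cn.split(".")
    # Wildcard only as the whole leftmost label, and only with >= 3 labels
    # (so "*" and "*.com" are refused, as Win32 clients already did).
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    hlabels = host.split(".")
    return len(hlabels) == len(labels) and hlabels[1:] == labels[1:]


def compare_matchers(cert_cn: str, hostname: str) -> dict:
    """Return both verdicts for one (certificate name, requested host) pair."""
    return {
        "cn": cert_cn,
        "host": hostname,
        "naive_accepts": naive_c_string_match(cert_cn, hostname),
        "strict_accepts": strict_hostname_match(cert_cn, hostname),
    }


if __name__ == "__main__":
    # Constructed cases: a NUL-prefix name, a bare wildcard and a normal wildcard.
    for cn, host in [
        ("www.example.com\x00.attacker.example", "www.example.com"),
        ("*", "www.example.com"),
        ("*.example.com", "www.example.com"),
    ]:
        print(compare_matchers(cn, host))
```

The NUL-prefix case is where the two matchers diverge: the naive comparison accepts a certificate issued for the attacker's own domain as valid for www.example.com, the strict one refuses it, and the bare "*" certificate from the thread is refused by the strict matcher for the same reason the Win32 API refused it.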

  3. #13
    Just burned his ISO
    Join Date
    May 2009
    Posts
    11

    Default

    I am OK with the install... but when I have sslsniff running in targeted mode with the wildcard cert,
    most of the time it won't sniff, and when it does sniff I get the known cert warning, then I press accept (testing) and the connection won't continue.
    In the sslsniff log I see an error with SSL... I don't know why... even Moxie Marlinspike doesn't... lol
    Anyway, if you want targeted mode then you must have one CA cert, e.g. PayPal. I have tried that...
    No certificate warning, but no pass/key sniffing, and the connection goes on with SSL...

    I don't know what to do...

    PS: if you want to ask Moxie anything, I could mail him (he should respond)...

  4. #14
    Nick_the_Greek (Senior Member)
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181

    Default

    Hi Jimmy,
    I believe we're starting to find a solution here. I said "we're starting" because after all we're talking about SSL, and SSL is a tough subject. I am not expecting to compile sslsniff, find one or two certificates and... voila. It requires a lot of reading, experimentation and time.

    Anyway, I have never had success with targeted mode. I got the same results as you: certificate warning from the client's browser, accept on the client, SSL exception in sslsniff's log.

    BTW, what browser are your clients using, and which version?
    I am asking because AFAIK wildcard certs are not accepted by IE.

    https://www.noisebridge.net/pipermai...er/008400.html

    "It won't work for exploiting the bug for software written with the WIN32 api, they don't accept (for good reason) *"
    Did you try to deny OCSP requests from clients? (-d option)
    The following is how I get to sniff SSL sessions from clients (IE6 only):
    Code:
    sslsniff -a -d -s 10000 -c /sslsniff-0.6/leafcert.pem -w /sslsniff.log
    and a screen shot:
    http://uploadingit.com/file/kqjkpo7p...ng_expired.JPG

    As you can see, I only get a warning that the cert has expired. The date was not changed.

    Quote Originally Posted by Jimmy Kane View Post
    No certificate warning but no pass/key sniffing and the connection goes on with SSL...
    What do you mean by that? Your sslsniff session is bypassed and your clients get a "real" SSL connection? (It has happened to me many times.)

    Also, when I tried to do client fingerprinting (using airbase for the fake WLAN, with sslsniff running on 192.168.2.129:10000)
    Code:
    iptables -t nat -A PREROUTING -i at0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.129:10000
    I got a connection timeout. The same result came up when I did the browser-specific attack.

    Code:
    sslsniff -a -d -s 10000 -f ie -h 80 -c /sslsniff-0.6/leafcert.pem -w /sslsniff.log
    Quote Originally Posted by Jimmy Kane View Post
    PS: if you want to ask Moxie anything, I could mail him (he should respond)...
    Maybe I will. Thank you for offering. At least he understands what I am asking for. I will do some testing no sooner than this weekend. It's a busy week for me.

    Keep in touch Jimmy.

    Nick.

    PS: Try the authority mode attack in IE6 with the expired leafcert.pem. At least you should see this God damn thing work.
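Nick's setup above hinges on one NAT rule: every TCP connection to port 80 arriving on the fake WLAN interface is DNATed to the sslsniff listener. From the defender's side, that rule is also the most visible artefact of such a gateway, so an audit of `iptables-save` output is a cheap check. The following is an added example (not code from the thread, sslsniff or iptables) that parses constructed `iptables-save` text and flags PREROUTING rules that divert web ports to another destination; the sample rules are modelled on the one in this post.

```python
"""Added example: flag PREROUTING rules that divert HTTP/HTTPS traffic.

Not part of the original thread. The rule text below is constructed to
resemble `iptables-save` output and mirrors the DNAT rule quoted in the post.
"""
import re
from typing import Dict, List

# Constructed sample, not captured from a real host.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i at0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.129:10000
-A PREROUTING -i at0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10000
-A PREROUTING -i at0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.2.129:5353
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Matches a PREROUTING rule with a destination port and a DNAT/REDIRECT target.
RULE_RE = re.compile(
    r"^-A PREROUTING .*?--dport (\d+) .*?-j (DNAT|REDIRECT) "
    r"--to-(?:destination|ports) (\S+)"
)

# Ports whose diversion indicates a transparent web/TLS proxy in the path.
WATCHED_PORTS = {80, 443}


def find_web_redirects(iptables_save: str) -> List[Dict[str, str]]:
    """Return every PREROUTING rule that diverts a watched port.

    Each finding records the original port, the target (DNAT/REDIRECT),
    where the traffic is sent, and the raw rule for the report.
    """
    findings: List[Dict[str, str]] = []
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        dport, target, dest = m.groups()
        if int(dport) in WATCHED_PORTS:
            findings.append(
                {"dport": dport, "target": target, "to": dest, "rule": line.strip()}
            )
    return findings


def summarize(findings: List[Dict[str, str]]) -> str:
    """One-line verdict suitable for a monitoring alert."""
    if not findings:
        return "no web-port diversion in nat PREROUTING"
    ports = ", ".join(sorted({f["dport"] for f in findings}))
    return f"{len(findings)} rule(s) divert port(s) {ports} away from their destination"


if __name__ == "__main__":
    for f in find_web_redirects(SAMPLE_IPTABLES_SAVE):
        print(f"port {f['dport']} -> {f['target']} {f['to']}: {f['rule']}")
    print(summarize(find_web_redirects(SAMPLE_IPTABLES_SAVE)))
```

On a real gateway the text would come from running `iptables-save -t nat`; the check deliberately ignores the port 53 rule so that only HTTP/HTTPS diversion is reported, and the raw rule is kept in each finding so an operator can see the interface and destination without re-running the command.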

  5. #15
    Just burned his ISO
    Join Date
    Nov 2009
    Posts
    1

    Default

    Hi Guys,

    Just wondering how you are getting on with SSLSniff. I played around with it yesterday on 8.10 and had a little success, however I'm at a loss with the whole wildcard cert, both the one that comes with SSLSniff and the one posted over at Noisebridge too.

    If I can help in any way, let me know.

    Finux

    Just to let you guys know, I tested Firefox version 3.0 and it picked up the cert straight away, saying it was revoked. I was running with the -d option and downloaded Firefox from oldapps.com/firefox.php.

    However, 2.0.0.20 had no problems.

    I used pretty much the standard stuff I found in the SSLSniff package, and I think the PayPal cert I pulled off here.

  6. #16
    Just burned his ISO
    Join Date
    May 2009
    Posts
    11

    Default y?

    Any progress made, Nick?
    For me none. I had no luck at all, and from now on it is a waste of time...
    I prefer ettercap filters... ;-)

  7. #17
    Nick_the_Greek (Senior Member)
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181

    Default

    Quote Originally Posted by Jimmy Kane View Post
    Any progress made Nick?
    For me none. I had no luck at all and from now on it is a waste of time....
    I prefer ettercap filters.... ;-)
    From time to time I am reading about certificates, what SSL is, etc. I am not the kind of person who gives up so easily. I am trying different things, but in the end I have made no significant progress. If I make some, I will let you know.

    Nick.

    Quote Originally Posted by finux View Post
    ....i played around with it yesterday on 8.10....
    It would be nicer if you were running BT.

  8. #18
    Just burned his ISO
    Join Date
    May 2009
    Posts
    11

    Default yes

    I have also been playing for a long time now with TLS connections. One of my favourites is sslstrip, but it only works for HTTP... this is its weak point...
    Anyway, I am now studying more about TLS and SSL and maybe it will help...
    Recently I read an exploit on Packet Storm about renegotiating TLS; it was a pretty good one... I recommend it to many people (those who do a little reading before practising attacks).
    I will keep you informed of any progress I make... and Nick, please keep us informed too...
    In most of the forums I read there are few people who like to "tamper" with SSL...

    Be good, dudes
    "Everything that is communication comes from ... quartz crystals..."

  9. #19
    Nick_the_Greek (Senior Member)
    Join Date
    Jan 2010
    Location
    Greece
    Posts
    181

    Default

    Quote Originally Posted by Jimmy Kane View Post
    ... and Nick, please keep us informed too...
    Don't worry, Jimmy.

    When you get your own kids (if you haven't yet), the word "own" will disappear at that moment. "Own" will be replaced with "take" and "share".

    What I am trying to say (maybe unsuccessfully) is that I am a sharing guy.

    If I get something important or new, I will let you know.

    Nick

  10. #20
    Gitsnik (Very good friend of the forum)
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default

    Quote Originally Posted by Nick_the_Greek View Post
    When you get your own kids (if you haven't yet), the word "own" will disappear at that moment. "Own" will be replaced with "take" and "share".
    Kids? What about "wife"?!

    I swear I've written something similar to this before somewhere, but I can't find it. Anyway, an idea to prod some people along with: when you use iptables to redirect to a socket, that socket (that program) can do a lookup and request where you were going. So if I redirect to 192.168.1.3:8888 and have my program do a lookup, it can see that the connection was actually going to 92.23.220.121*. If that connection is found to have an SSL certificate on it, there is no reason one couldn't write a quick bit of code to generate a fresh certificate, sign it with a valid domain root cert, and pass it along.

    Getting the valid domain root cert is difficult, as is making all this happen fast enough for the user, but there it is: SSL sniffing by breaking the single chain into two, the same way sslsniff does it I imagine, but working on anything you care to build it for.

    There are limitations, I leave them up to the reader to discover and discuss.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
