Mitm attacks against SSL

Author: szzm8767 (1
Article) date: October 11, 2011 at pm

1 man-in-the-middle attack Overview

Man-in-the-middle attack (mitm) is a long-standing network intrusion method, and still has a wide range of development space today, such as SMB session hijacking, DNS spoofing, and other attacks are typical mitm attacks. In short, the so-called mitm attack intercepts normal network communication data and conducts data tampering and sniffing, while the communication parties have no idea.


With the continuous development of computer communication network technology, mitm attacks are becoming more and more diversified. At first, attackers only need to set the network card to a hybrid mode and disguise it as a proxy server to listen for specific traffic. This is because many communication protocols are transmitted in plain text, such as HTTP, FTP, and telnet. Later, with the switch replacing the hub, simple sniffing attacks were no longer successful and ARP spoofing was required. Nowadays, more and more service providers (online banking and email login) are adopting encrypted communication. SSL (Secure Sockets Layer) is a widely used technology, HTTPS and ftps are built on them. The author will take the common Gmail mailbox login as an example to explore the two methods for implementing SSL mitm attacks.

2. Environment Construction

Network Environment:

Ingress Gateway: 192.168.18.254;

Hosts attacked: 192.168.18.102, vmwarevm;

Hosts attacked: 192.168.18.100, windows7, and ie9;


Target:

● Gmail email login (HTTPS protocol)

● Account: test0101.ssl@gmail.com

● Password: abcd7890

3. Two man-in-the-middle attacks against SSL
3.1 Cain & Abel

Cain & Abel is a network attack tool developed by oxid. It for Microsoft operating systems. It is easy to operate and powerful, especially known for ARP spoofing attacks. Cain not only implements mitm attacks against HTTP, but also attacks against HTTPS. The basic attack process is:

1) ARP spoofing allows attackers to intercept network traffic of all target hosts;

2) the attacker is not a simple relay. On the one hand, the attacker performs an SSL handshake with the browser on the server side and another SSL handshake with the target server as an SSL client;

3) by establishing two SSL connections, attackers can become a "man-in-the-middle ".


Because SSL handshakes require mutual identity authentication through certificates, attackers do not know the private key used by the target server. In this case, the attack must be successful, attackers must forge a certificate. The browser usually sends a warning to the user and determines whether to trust the certificate. The following is a detailed text description.

Normal Gmail login screen.


The attacker needs to choose whether to trust the certificate. The forged certificate information is very different from the real certificate.




After logging on to the mailbox, you can see that the certificate error prompt is still very eye-catching.


The attacker has successfully sniffed the logon username and password of the Gmail mailbox.


Through the above analysis, we can find that the user's judgment on the forgery of certificates is the key to the success of the attack, if the user has a strong security awareness and rich network knowledge, the possibility of being attacked will be greatly reduced. After all, the security tips in the browser are still very eye-catching. I believe that with the increasing popularity of network knowledge, the survival space of such attacks will be squeezed.

3.2 sslstrip

Although Cain & Abel can implement SSL attacks, the limitations of certificate forgery are still obvious. sslstrip was a method for SSL attacks proposed by moxie Marlinspike at the 09 Black Hat conference, the idea is very simple:

1) ARP spoofing allows attackers to intercept network traffic of all target hosts;

2) attackers use the user's negligence on HTTPS and HTTP in the address bar to replace all HTTPS connections with HTTP;

3) at the same time, establish a normal HTTPS connection with the target server;

4) because HTTP Communication is transmitted in plain text, attackers can perform sniffing easily.


I will use backtrack as the attack platform. Backtrack is a penetration testing toolkit based on Linux. At present, there are many tutorials on using backtrack to crack wireless wi-fi passwords in major domestic forums, in fact, it also has extremely powerful functions in other fields.

Step 1: Enable kernel packet forwarding and modify the/proc/sys/NET/IPv4/ip_forward file with the content 1;
#echo 1 > /proc/sys/net/ipv4/ip_forward


Step 2: port forwarding. 10000 is the listening port of sslstrip;
#iptables -t nat -A PREROUTING
-p tcp --destination-port 80 -j REDIRECT --to-ports 10000

Step 3: shell1, ARP spoofing;
#arpspoof -i eth0 -t 192.168.18.100
192.168.18.254


Step 4: shell2: Enable sslstrip;
#sslstrip -a -k -f


Step 5: Obtain the username and password for logging on to the Gmail mailbox through sniffing;
#ettercap -T -q -i eth0


If this method is omnipotent, let's take a look at the changes in the attacker's browser.

As you can see, there are no unsafe warnings or prompts on the webpage, but the original HTTPS connection has been replaced by the HTTP connection and is confusing, the webpage icon is changed to a silver lock pattern. However, false information is false. On the one hand, you cannot view any certificate information. In addition, if you enter https: // before the website, the web page cannot be opened. Therefore, sslstrip is not a universal attack method.

4. Summary
The purpose of this article is to tell readers that, as network security technologies are changing with each passing day, attack methods are also quietly changing. SSL-encrypted communication does not necessarily ensure the privacy and integrity of communication, for this reason, I have demonstrated two methods of intermediary SSL attacks, the former is a conventional approach, and the latter is a different approach. We hope that you will be vigilant in the future to accurately identify whether your communication is under attack, especially when completing important operations, such as online banking transactions.

Category: University blog Grand Prix