Re: Re: HTTPS proxy tool that resigns SSL certs

From: one2@onetwo.com
Date: Tue Jun 06 2006 - 20:46:50 EDT

Next message: Adam.Chesnutt: "Re: Some new SSH exploit script?"
Previous message: David M. Zendzian: "RE: Some new SSH exploit script?"
Maybe in reply to: Rogan Dawes: "Re: HTTPS proxy tool that resigns SSL certs"
Reply: Rogan Dawes: "Re: HTTPS proxy tool that resigns SSL certs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

('binary' encoding is not supported, stored as-is) Thanks to everyone who responded. Appologies for the question being a little vague - I was a little eager to gain an answer before knowing my final question.

My ultimate goal is to perform a MITM attack on an SSL connection, and be undetected by the user - ie. no security prompt by the browser - and without the victim system being previously compromised, or having access to import a certificate into the browser.

The response that came closest to what I was after was from Phil Fredrick. With a little modification to his solution, and assuming we are on the same lan as the victim, we have the following;

- Attacker purchases a valid SSL certificate for www.attacker.com
- Attacker sets up website https://www.attacker.com on the attacking machine
- Attacker performs DNS Spoofing to redirect victim https requests to www.attacker.com
- This provides a valid SSL certificate to the victim - ie. no security prompt
- Attacking machine gets and passes on (proxies) the original page requested by victim (also allowing modification to the page as necessary)

Basically you are still acting as a proxy, but using DNS spoofing and a valid SSL cert, the victim is not prompted by the browser.

The only flaw with this process is that the victim will now have https://www.attacker.com in the address bar of their browser. One solution is to try to make the SSL certificate's URL as close as possible to the site you wish to spoof (www.h0tmail.com), so that it isn't easily noticeable to the end-user. This would, however, limit the attacker to intercepting hotmail requests ... My preferable solution, would be to either to use an IE exploit that allows spoofing in the address bar (assuming IE), or simply buffering the URL so that the end user can't see www.attacker.com

Other concepts that I was looking at, and would like to hear responses on, are;

1. Using a null-cipher, allowing an attacker to present the 'SSL' pages to the user over HTTP - and therefore not causing the browser to produce a security warning. I understand that some companies do this to perform content filtering on SSL connections. Would be interested to hear if any tools implement this functionality for MITM attacks.

2. Using "certificate chaining", which may allow an attacker to sign whatever certificates they like, and will be trusted. RSA (aka "verisign") sells a certificate service seemingly specifically for this purpose - RSA Root Signing Service. More info on this below;

RSA Security - RSA Root Signing Service
http://www.rsasecurity.com/node.asp?id=1267

[...]

Getting to the Root of e-Business

Organizations using certificate management software can issue digital certificates under their privately branded root ... However, web browsers and other external applications will not recognize certificates issued by private-root certificate authorities and therefore may not trust such certificates. The RSA Root Signing Service extends the value of the certificate management software by enabling enterprises to "chain" their certificate authority to RSA Security's trusted root, thereby ensuring ubiquitously recognized and trusted client-side and server-side certificates.

[...]

So this means that using the RSA Root Signing Service I would be able to sign a certificate for www.hotmail.com and have it chained back to RSA Security's trusted root, meaning that browsers would accept the certificate as valid - and no security prompt.

Looking forward to your responses.

One2

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

Next message: Adam.Chesnutt: "Re: Some new SSH exploit script?"
Previous message: David M. Zendzian: "RE: Some new SSH exploit script?"
Maybe in reply to: Rogan Dawes: "Re: HTTPS proxy tool that resigns SSL certs"
Reply: Rogan Dawes: "Re: HTTPS proxy tool that resigns SSL certs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:03 EDT