RE: SSL MITM not on port 443



On Thu, 2008-08-28 at 15:56 +0200, christopher.riley@xxxxxxx wrote:
> I've confirmed that I can get this working on a normal SSL based web
> server (obviously by agreeing to the insecure certificate). However I
> still had no luck with Ettercap on this service. I'm trying now with an
> iptables rule to forward between port 443 on the MITM machine to the
> target server on a higher port. It's just getting a chance to squeeze it
> in amongst the other things that need doing. I'll set aside some time at
> the weekend to throw this on my lab system at home and get it working
> somehow.

Why so complicated? Intercepting SSL with the ability to serve your own
certificates is easily done with SSLProxy. Older versions only proxied
clear-text listener ports into an SSL connection and you needed to use
OpenSSL to do the reverse. But newer versions of SSLProxy also allow you
to supply a certificate and listen as an SSL endpoint connecting back to
a clear-text port.


(client) --[SSL]--> (server)

To intercept, change to:

(client) --[SSL]--> (SSLProxy) --[clear-text]--> (SSLProxy) --[SSL]--> (server)

You can sniff the traffic between the SSLProxies for clear-text
analysis. Further, you can configure the left-side SSLProxy with any
certificate you create. That should allow you to test if your client
application handles invalid certificates correctly.

I used SSLProxy and OpenSSL in pentests almost a decade ago before
ready-made SSL MITM tools like dsniff were available. They work quite
nicely. You can run them both on the same machine. However, in one
instance, I needed to permit a 2nd and 3rd machine to sniff the
intercepted clear-text traffic, so we ran SSLProxy on one box and
OpenSSL on another, and transmitted the clear-text across a hub that
allowed the other machines to sniff the traffic too. A handy setup,
especially when combined with ARP poisoning :)

Cheers,
Frank
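
The certificate-handling test mentioned in the message, as an added example that is not part of the original post: a local listener stands in for the client-facing SSLProxy and presents an untrusted self-signed certificate, and two Python clients are checked against it. All function names are hypothetical, and the `openssl` command is assumed to be on the PATH to create the throwaway certificate.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(dirpath):
    """Throwaway self-signed cert for 'localhost' (constructed test data)."""
    cert, key = os.path.join(dirpath, "cert.pem"), os.path.join(dirpath, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return cert, key

def serve_once(listener, server_ctx):
    """Accept one connection and attempt the TLS handshake; a client abort is expected."""
    conn, _ = listener.accept()
    try:
        with server_ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # wait for the client to close
    except (ssl.SSLError, OSError):
        pass  # client rejected the certificate or hung up

def client_accepts(client_ctx, port):
    """True if the client completes the handshake, False if it rejects the certificate."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost"):
                return True
    except ssl.SSLCertVerificationError:
        return False

def check_clients():
    """Run a strict and a deliberately lax client against the untrusted endpoint."""
    strict = ssl.create_default_context()   # verifies chain and hostname
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE         # the flaw this test is meant to expose
    results = {}
    with tempfile.TemporaryDirectory() as d:
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(*make_self_signed(d))
        for name, ctx in (("strict", strict), ("lax", lax)):
            with socket.create_server(("127.0.0.1", 0)) as listener:
                worker = threading.Thread(target=serve_once, args=(listener, server_ctx))
                worker.start()
                results[name] = client_accepts(ctx, listener.getsockname()[1])
                worker.join()
    return results

if __name__ == "__main__":
    print(check_clients())
```

A client that handles invalid certificates correctly shows up as `False` here; a `True` result means it would also complete a handshake with an intercepting proxy.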

