Use SSLsplit to sniff TLS/SSL connections

2015-05-12T00:00:00
ID MYHACK58:62201562290
Type myhack58
Reporter Anonymous
Modified 2015-05-12T00:00:00

Description

I recently demonstrated how to use mitmproxy to perform a MITM attack on HTTP(S) connections. Because mitmproxy only supports HTTP-based communication, it does not understand other TLS/SSL-based traffic such as FTPS, SMTP over SSL, IMAP over SSL, or any other protocol wrapped in TLS/SSL.

SSLsplit is a generic TLS/SSL proxy for performing man-in-the-middle attacks against any secure communication protocol. SSLsplit can be used to intercept and save SSL-based traffic: it listens for any secure connection.

1. How it works

SSLsplit works much like other SSL proxy tools: it sits between the client and the server as an intermediary. Once traffic is redirected to the machine running SSLsplit (by changing the default gateway, ARP spoofing, or other means), SSLsplit accepts the client's SSL connection and pretends to be the server the client wanted to reach. To do this, it dynamically forges a certificate and signs it with the private key of a CA certificate that the client trusts.

For example, if a client wants to send e-mail through Gmail's SMTP server, smtp.gmail.com on port 465, SSLsplit creates a certificate for that name and impersonates the Gmail mail server towards the client. In the upstream direction, SSLsplit connects to the real Gmail server like a normal client and forwards everything the actual client writes.

If you are interested in the details, see the "how it works" section of the blog post on HTTP interception with mitmproxy. The basic concept is the same and is relatively easy to understand.
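The mechanism described above, a forged leaf certificate signed by a CA the client trusts, passes ordinary chain validation by design, so chain validation alone cannot detect it. The following Python script is an added example, not part of the original article or of the SSLsplit project: it implements the client-side check that does catch it, comparing the SHA-256 fingerprint of the certificate actually presented with a pinned value obtained earlier over a known-clean path. `SAMPLE_DER` is constructed placeholder bytes, not a real certificate; `check_peer` is the part you would run against a live host such as smtp.gmail.com on port 465 and is the only function that needs network access.

```python
import hashlib
import socket
import ssl

# Constructed placeholder standing in for a DER-encoded server certificate.
# It is NOT a real certificate; it only exercises the fingerprint logic offline.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-placeholder-certificate"


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated uppercase hex
    (the format openssl x509 -fingerprint -sha256 and most browsers print)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    """Accept pins written with or without colons and in either case."""
    return fp.replace(":", "").lower()


def is_pinned(der_cert: bytes, pins: set) -> bool:
    """True if the certificate's fingerprint is one of the pinned values."""
    observed = _normalize(fingerprint_sha256(der_cert))
    return observed in {_normalize(p) for p in pins}


def check_peer(host: str, port: int, pins: set, timeout: float = 5.0) -> dict:
    """Open a TLS connection (implicit TLS, e.g. SMTPS on 465) and compare the
    leaf certificate against the pins. Chain validation by the default context
    still runs, but an interception CA installed on this machine would pass it;
    the pin comparison is what exposes a substituted certificate.
    Requires network access; not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    fp = fingerprint_sha256(der)
    return {"host": host, "fingerprint": fp, "pinned": is_pinned(der, pins)}


if __name__ == "__main__":
    # Offline self-check on the constructed bytes.
    pin = fingerprint_sha256(SAMPLE_DER)
    print("sample fingerprint:", pin)
    print("matches own pin:", is_pinned(SAMPLE_DER, {pin}))
    print("tampered bytes match:", is_pinned(SAMPLE_DER + b"\x00", {pin}))
```

To use this against a live service, record the fingerprint once from a network you trust (or from the operator's published value), store it as the pin, and alert whenever `check_peer` reports `pinned: False`; a mismatch means the certificate the client sees is not the one the server presents, which is exactly the symptom of the proxy described above. Pins must be rotated when the server legitimately renews its certificate, so pin the expected issuer or a backup key as well if the service rotates often.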

2. Installing and running SSLsplit

This section covers how to intercept SSL and non-SSL traffic.

2.1 Traffic redirection

2.1.1 Use ARP spoofing: advertise a false mapping of the standard gateway's IP address to the attacker's MAC address so that the victim's traffic is redirected. This does not require physical access to the victim. See the arpspoof tool.

2.1.2 Modify the victim's default gateway.

2.1.3 The easiest way is to have access to the victim's device.

2.1.4 Poison DNS so that the DNS server's entries for the target domains point back to the attacker's IP address. See a DNS spoofing tutorial.

2.1.5 Redirect each domain by modifying the /etc/hosts file.

As mentioned above, the simplest method is to change the victim's default gateway address to the attacker's IP, which ensures that the traffic passes through your machine. Because we later need to install the CA certificate, we need physical access to the victim's machine anyway.
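Each of the redirection methods above leaves a trace on the victim side, and ARP spoofing in particular is visible in the local ARP cache: the gateway's IP ends up mapped to the same MAC address as another host on the segment. The Python script below is an added example, not part of the original article: it parses `arp -a` output in the Linux format, reports MAC addresses claimed by more than one IP, and flags a gateway whose MAC is shared or differs from a known-good value. `SAMPLE_ARP_OUTPUT` is constructed sample data, not a capture from a real host; `read_live_arp_table` runs the real `arp -a` command and is the only part that touches the system.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample in the Linux `arp -a` format (not captured from a real host).
# 192.168.1.1 is the gateway; 192.168.1.23 shares its MAC, the classic
# spoofing indicator, while 192.168.1.40 is an unrelated host.
SAMPLE_ARP_OUTPUT = """\
_gateway (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.23) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.40) at de:ad:be:ef:00:40 [ether] on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_table(text: str) -> dict:
    """Map IP -> lowercase MAC from `arp -a` output; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_duplicate_macs(table: dict) -> dict:
    """Return MAC -> sorted IPs for every MAC that more than one IP resolves to."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_is_suspect(table: dict, gateway_ip: str, expected_mac: str = None) -> bool:
    """True if the gateway's cached MAC differs from a known-good value or is
    shared with another IP. An absent gateway entry is not treated as suspect."""
    mac = table.get(gateway_ip)
    if mac is None:
        return False
    if expected_mac is not None and mac != expected_mac.lower():
        return True
    return mac in find_duplicate_macs(table)


def read_live_arp_table() -> dict:
    """Parse the ARP cache of the machine this runs on (needs the `arp` command)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return parse_arp_table(out)


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    print("duplicate MACs:", find_duplicate_macs(table))
    print("gateway suspect:", gateway_is_suspect(table, "192.168.1.1"))
```

A shared MAC is an indicator, not proof: a router that answers for several addresses, proxy ARP, or a NAT hypervisor can legitimately produce one, so pass the gateway's known-good MAC as `expected_mac` where you have it and treat the duplicate check as an alert to investigate. Static ARP entries for the gateway on sensitive hosts and Dynamic ARP Inspection on managed switches remove the attack surface rather than merely detecting it.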

2.2 Installation

Download and compile SSLsplit:

```shell
wget http://mirror.roe.ch/rel/sslsplit/sslsplit-0.4.7.tar.bz2
bunzip2 sslsplit-0.4.7.tar.bz2
tar xvf sslsplit-0.4.7.tar
cd sslsplit-0.4.7
# build dependencies on Debian/Ubuntu
apt-get install libssl-dev libevent-dev
make
# working directory for logs and generated certificates
mkdir /tmp/sslsplit
```
