Monday, July 11, 2011

SSL Hijacking


This article discusses the weakness in the SSL certificate signing process that is exploited to obtain fake certificates. Finally, it shows how to run the SSLStrip tool on Windows and hijack an SSL session successfully.

What is SSLStrip
SSLStrip works by watching HTTP traffic and then acting as a proxy when a user attempts to initiate an HTTPS session. While the user believes a secure session has been established, and SSLStrip has itself connected to the secure server over HTTPS, all traffic between the user and SSLStrip is plain HTTP. SSLStrip replaces every https:// link in the page with http://. The warnings the browser would normally display do not appear, and the session looks normal to the end user. Login details can then be harvested. The tool's author, Moxie Marlinspike, says: "This tool provides a demonstration of the HTTPS stripping attacks that were presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, and then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial." An HTTPS padlock logo can be spoofed in the URL bar to further lull the user into a false sense of security. While SSL is generally accepted as secure, security researchers have claimed that SSL communications can be intercepted. Researcher Mike Perry said he had been in discussions with Google regarding an exploit he planned to release, which would allow a hacker to intercept a user's communications with supposedly secure websites over an unsecured Wi-Fi network.

Weakness of SSL in practice
The main weakness with conventional SSL certificates is that there are no standards for their issuance, nor any rules for what the fields in them are supposed to mean and which of them are required for authentication.
Marlinspike's SSLStrip attack demonstrated the combination of several attack techniques to exploit the above weaknesses and fool users and client applications into thinking they were using a trusted site or server, when in fact they were using a fake version of it. He combined a number of techniques, including man-in-the-middle, fake leaf-node certificates and the null-character attack.
SSL relies heavily on the X.509 certificate structure to prove authenticity. For SSL it is the Common Name field of the X.509 certificate that identifies an authentic server. For example, PayPal uses www.paypal.com in the Common Name field. The signing process relies heavily on this convention: the Certificate Authority will sign www.paypal.com, and does not care whether you are requesting anything.paypal.com or something.anything.paypal.com, as long as you prove that you are paypal.com. X.509 certificates are commonly encoded using ASN.1 notation. ASN.1 supports many string types, but all of them are represented as variations of Pascal strings, which carry an explicit length. In a Pascal string a NULL character is treated as a normal character with no special meaning, so NULL characters can be included in the Common Name field of an X.509 certificate. A signing request for www.paypal.com\0.fakeorganization.com will therefore be treated as valid: the Certificate Authority ignores the prefix and validates the root domain, fakeorganization.com. The problem is that most contemporary SSL/TLS implementations treat the fields in X.509 as C strings, and in C the '\0' (NULL) character marks the end of the string, so www.paypal.com\0.fakeorganization.com and www.paypal.com are treated as identical. Thus the owner of the certificate for www.paypal.com\0.fakeorganization.com can successfully present it to connections intended for the original www.paypal.com. This is how the MITM happens on SSL.
You can also sign your own certificates using a valid certificate obtained from a Certificate Authority. There is a field in X.509 certificates that needs to be set to FALSE in order to stop a domain owner from acting as a Certificate Authority. Most CAs did not explicitly set basicConstraints: CA=FALSE, and a lot of web browsers and other SSL implementations did not bother to check whether the field was there or not. Anyone with a valid leaf-node certificate could therefore create and sign a leaf-node certificate for any other domain: the owner of blueanarchy.org could create a valid certificate for paypal.com and use it.
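To make the two certificate-handling flaws above concrete, here is an added Python example (not code from the article, from sslstrip, or from any TLS library). It shows why a NUL byte inside a Common Name survives length-prefixed ASN.1 decoding but disappears under C-string comparison, how a length-aware check rejects it, and how a chain check that insists on basicConstraints CA=TRUE for every issuer stops a leaf certificate from signing another leaf. The DER wrapper is a minimal PrintableString encoding for illustration only, and the certificate records are constructed dictionaries with an assumed `basic_constraints_ca` key, not parsed real certificates.

```python
# Added example: NUL-prefix common names and basicConstraints checks.
# The DER helpers below handle only short-form lengths (< 128 bytes), which
# is enough to show the point; real parsers must handle long-form lengths.

# Constructed sample CN in the shape the article describes.
NUL_PREFIX_CN = b"www.paypal.com\x00.fakeorganization.com"


def der_string(value):
    """Wrap value as a minimal DER string: tag 0x13 (PrintableString), a
    one-byte length, then the bytes. ASN.1 carries an explicit length, so a
    NUL inside value is just another byte (the 'Pascal string' behaviour)."""
    if len(value) > 127:
        raise ValueError("short-form length only in this example")
    return bytes([0x13, len(value)]) + value


def decode_der_string(der):
    """Length-aware decode: returns exactly `length` bytes, NUL included."""
    if len(der) < 2:
        raise ValueError("truncated DER string")
    length = der[1]
    if length > 127 or len(der) != 2 + length:
        raise ValueError("bad DER length")
    return der[2:2 + length]


def as_c_string(value):
    """What strlen()/strcmp()-style code sees: everything before the first NUL."""
    i = value.find(b"\x00")
    return value if i < 0 else value[:i]


def vulnerable_cn_matches(cn, host):
    """Pre-fix behaviour: the decoded CN is copied into a char* and compared
    as a C string, so the NUL-prefix CN collapses to 'www.paypal.com'."""
    return as_c_string(cn) == host.encode()


def hardened_cn_matches(cn, host):
    """Length-aware comparison: an embedded NUL is rejected outright and the
    full decoded value must match, so the NUL-prefix certificate fails."""
    if b"\x00" in cn:
        return False
    return cn.lower() == host.encode().lower()


def issuer_may_sign(issuer):
    """An issuer may sign only if basicConstraints is present with CA=TRUE.
    Treating an absent extension as 'not a CA' is the check the article says
    many implementations skipped. `basic_constraints_ca` is an assumed key:
    True, False, or None when the extension is missing."""
    return issuer.get("basic_constraints_ca") is True


def chain_is_valid(chain):
    """chain[0] is the leaf, chain[-1] the trusted root. Every certificate
    above the leaf must be permitted to act as a CA."""
    return len(chain) >= 2 and all(issuer_may_sign(c) for c in chain[1:])


if __name__ == "__main__":
    cn = decode_der_string(der_string(NUL_PREFIX_CN))
    print("vulnerable match:", vulnerable_cn_matches(cn, "www.paypal.com"))
    print("hardened match:  ", hardened_cn_matches(cn, "www.paypal.com"))
    # Constructed chain: a leaf signed by another leaf (no basicConstraints),
    # which in turn was issued by a real root.
    leaf_signed_leaf = [
        {"cn": "paypal.com", "basic_constraints_ca": None},
        {"cn": "blueanarchy.org", "basic_constraints_ca": None},
        {"cn": "Example Root CA", "basic_constraints_ca": True},
    ]
    print("leaf-signed chain accepted:", chain_is_valid(leaf_signed_leaf))
```

The two fixes are independent: rejecting NUL in names closes the prefix attack even if the CA issued the certificate, and requiring CA=TRUE on every issuer closes the leaf-signs-leaf attack even if the browser never looked at the name.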

How SSLStrip works
• It does an MITM (Man-In-The-Middle) on the HTTP connection.
• It replaces all the HTTPS links with HTTP ones but remembers the links which were changed.
• Communicates with the victim client on an HTTP connection for any secure link.
• Communicates with the legitimate server over HTTPS for the same secure link.
• Communication is transparently proxied between the victim client and the legitimate server.
• Images such as the favicon are replaced by images of the familiar secure lock icon, to build trust.

As the MITM is taking place, all passwords, credentials and so on are stolen without the client knowing.
Performing the Hijack on Windows
The process of using SSLStrip on a Windows machine is almost the same as on a Linux machine. Linux has the firewall management tool iptables for enabling port forwarding. A port forwarding utility accepts traffic on one port of the machine and redirects it to another port on the same machine. Windows does not have any built-in mechanism for this kind of port forwarding. There are four main steps to the experiment:
• Turn your machine into IP forwarding mode.
• Set up iptables (or an equivalent port forwarder) to redirect HTTP traffic to sslstrip.
• Run sslstrip.
• Run arpspoof to convince the network that it should send its traffic via your machine.
Prerequisite: Install Python, as SSLStrip is a Python-based tool. You need two machines running Windows on the same LAN, one for the attacker and another for the victim. The attacker's machine is where SSLStrip runs. It is also the machine where you will run the arpspoof command to redirect the traffic from the victim machine, and where the port forwarding utility runs.
Step 1:
Enable IP forwarding on the attacker's machine
Get the attacker's machine acting as a router, as it needs to forward all the traffic coming to it out to the internet.
• Start Registry Editor (Regedit.exe).
• In Registry Editor, locate the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• Set the following registry value:
  Value Name: IPEnableRouter
  Value type: REG_DWORD
  Value Data: 1
• A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.
• Quit Registry Editor and restart the PC.
Step 2:
Set a firewall rule that forwards HTTP traffic from the victim to the hacker's machine for modification
This was the most challenging and time-consuming part of the experiment, as I was unable to find a single command, tool or utility to do that. On Unix, one iptables command would do it:
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
It tells the kernel to redirect all HTTP traffic from the victim, arriving on port 80 of the hacker's machine, to port 10000 on the same machine. Port 10000 is the port SSLStrip uses by default. Tired of not finding any equivalent firewall utility for Windows to implement the above rule, I fortunately stumbled upon the blog of Kenneth Xu (http://kennethxu.blogspot.com) and finally found the following Java-based TCP/IP port forwarding utility (download at http://code.google.com/p/portforward/downloads/list):
C:\>java -classpath commons-logging.jar;portforward.jar org.enterprisepower.net.portforward.Forwarder 80 localhost:10000
This command forwards all HTTP traffic received on port 80 of the hacker's machine to port 10000 of the same machine. SSLStrip runs on port 10000 by default.
Step 3:
ARP spoof the target traffic to redirect it to the hacker's machine
Suppose the victim machine's IP is 192.168.1.10 and the IP of the gateway is 192.168.1.1. arpspoof poisons the victim machine's (192.168.1.10) ARP table so that, instead of sending traffic to the gateway (192.168.1.1), it sends it to the hacker's machine, falsely assuming that it is the real gateway. Run the following command on the attacker's machine:
arpspoof -t 192.168.1.10 192.168.1.1
It will update the ARP table on the victim's machine so that the gateway's IP address now maps to the attacker machine's MAC address.
Step 4:
Run SSLStrip on the hacker's machine
Run the following command on the hacker's machine:
python sslstrip.py -f lock.ico
You can see the logged credentials in the log file in the SSLStrip installation folder. SSLStrip will log all the traffic coming from the victim's machine and strip all the SSL links (https://) down to http:// between the victim and the hacker. Thus the traffic between the victim and the hacker is transparent and in clear text. The various options available with SSLStrip:
Options:
• -w <filename>, --write=<filename> Specify file to log to (optional)
• -p, --post Log only SSL POSTs (default)
• -s, --ssl Log all SSL traffic to and from server
• -a, --all Log all SSL and HTTP traffic to and from server
• -l <port>, --listen=<port> Port to listen on (default 10000)
• -f, --favicon Substitute a lock favicon
• -k, --killsessions Kill sessions in progress
• -h Print this help message
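Every step above leaves a trace on the victim's side, and the ARP poisoning in Step 3 is the easiest to spot: the gateway's IP suddenly resolves to the attacker's MAC, so two IPs now share one physical address and the gateway's MAC no longer matches what it was before. The following added Python script (not part of the article, sslstrip or arpspoof) parses the output of the Windows `arp -a` command and reports both symptoms. The sample table, the gateway address and the baseline MAC are constructed values; on a real host you would record the gateway's MAC from a known-clean state and compare against it.

```python
import re
import subprocess
import sys

# Added example: detect ARP-cache poisoning from Windows `arp -a` output.
# Two symptoms are checked:
#   1. one physical address claimed by more than one IP address, and
#   2. the gateway's physical address differing from a known-good baseline.

# Constructed sample of `arp -a` output: 192.168.1.1 is the real gateway and
# 192.168.1.20 is the attacker's machine; both now show the attacker's MAC.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1f-2e-3d-4c-5b     dynamic
  192.168.1.20          00-1f-2e-3d-4c-5b     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed baseline: the gateway's MAC as recorded on a clean network.
GATEWAY_IP = "192.168.1.1"
BASELINE_GATEWAY_MAC = "00-aa-bb-cc-dd-ee"

# One `arp -a` entry: IPv4 address, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)"
)


def parse_arp_table(text):
    """Map IP -> lower-cased MAC for every entry in Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def _is_broadcast_or_multicast(mac):
    """Addresses that legitimately map to many IPs and must not be flagged."""
    return mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-")


def shared_macs(table):
    """Return {mac: [ip, ...]} for MACs that appear under more than one IP."""
    by_mac = {}
    for ip, mac in table.items():
        if not _is_broadcast_or_multicast(mac):
            by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_mac_changed(table, gateway_ip, baseline_mac):
    """True if the gateway's current MAC differs from the recorded baseline."""
    current = table.get(gateway_ip)
    return current is not None and current != baseline_mac.lower()


def check_arp(text, gateway_ip, baseline_mac):
    """Run both checks and return a list of human-readable findings."""
    table = parse_arp_table(text)
    findings = []
    for mac, ips in shared_macs(table).items():
        findings.append(f"MAC {mac} claimed by {len(ips)} IPs: {', '.join(ips)}")
    if gateway_mac_changed(table, gateway_ip, baseline_mac):
        findings.append(
            f"gateway {gateway_ip} now at {table[gateway_ip]}, "
            f"baseline was {baseline_mac.lower()}"
        )
    return findings


if __name__ == "__main__":
    # With --sample, analyse the constructed output above; otherwise run the
    # live `arp -a` on this host (the parser expects the Windows format).
    if "--sample" in sys.argv:
        output = SAMPLE_ARP_OUTPUT
    else:
        output = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    for finding in check_arp(output, GATEWAY_IP, BASELINE_GATEWAY_MAC) or ["no ARP anomalies found"]:
        print(finding)
```

Run it as `python arp_check.py --sample` to see both findings on the constructed table; scheduled against the live cache it turns the Step 3 poisoning into an alert rather than a silent redirect. Static ARP entries for the gateway on client machines are the corresponding hardening.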

Real life examples
The following page appears over https:// in a normal situation, but here it is served as http://. Viewing the page source also reveals that the links are stripped of SSL. [Screenshots on the original page: Gmail loaded over http:, and an example of an SSLStrip log file.]

Mitigation
User education: Users should be educated to always use https:// explicitly when requesting any sensitive page. A user who types only domain.com and relies on the redirect to https://domain.com may be vulnerable to SSLStrip, because that redirect itself travels over plain HTTP and can be stripped.
EV SSL certificates: There is no reliable information to back up the authentication of the domain name. To address this critical problem, certificate authorities and software companies joined to form the CA/Browser Forum and promulgated a new standard called EV SSL, for Extended Validation SSL. For instance, they must validate that the organization exists as a legal entity, that any organization names are legal names for that organization, and that the applicant is authorized to apply for the certificate.
SSLStrip tool:

http://www.thoughtcrime.org/software/sslstrip/

NULL Prefix attack on SSL Certificates:

http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf

Black Hat presentation:

http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

(Topic is same as read in Hacking magazine June 2010 issue)
