MITM/HTTPS: Difference between revisions

From charlesreid1

(Created page with "Thinking more about how MITM attacks could be implemented against HTTPS, seeing if I can test any on the sandbox network at home. So far, what have I tried? * ARP spoofing wo...")
 
No edit summary
Line 15: Line 15:
* SSLSniff allows you to serve up fake certificates - there are potential attacks on how browsers check certificates. This is one where you have to try throwing everything at the wall, until something sticks, and now all your sheep are all people who use that browser.
* SSLSniff allows you to serve up fake certificates - there are potential attacks on how browsers check certificates. This is one where you have to try throwing everything at the wall, until something sticks, and now all your sheep are all people who use that browser.
* CreatePEM - if RSA is weak enough, you can brute-force crack it: http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html
* CreatePEM - if RSA is weak enough, you can brute-force crack it: http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html
*
 
=Flags=
 
{{MITMFlag}}

Revision as of 08:21, 26 August 2016

Thinking more about how MITM attacks could be implemented against HTTPS, seeing if I can test any on the sandbox network at home.

So far, what have I tried?

  • ARP spoofing works only against HTTP sites - using Bettercap works like a charm and it's easy to watch a sheep's HTTP traffic stream, but there's no tampering with HTTPS streams.
  • DNS spoofing works only against HTTP sites - using Bettercap or Dnsspoof can spoof DNS requests (although it is not working correctly); they cannot spoof HTTPS requests
  • SSLStrip is too old of an attack to work - many sites bypass it
  • SSLSniff using Moxie0's suggested null-byte and other certificate attacks did not work - against an up-to-date browser... did not check any older ones.

Dead ends:

  • ARP spoofing without a way to crack https
  • DNS spoofing without a way to crack https
  • Stealing private keys: getting private keys was just ridiculously stupidly impossible to actually do. Probably by design, but absolutely no way to learn that way.

Promising leads:

  • SSLSniff allows you to serve up fake certificates - there are potential attacks on how browsers check certificates. This is one where you have to try throwing everything at the wall, until something sticks, and now all your sheep are all people who use that browser.
  • CreatePEM - if RSA is weak enough, you can brute-force crack it: http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html

Flags


Defcon.png
monkey in the middle attacks
in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.

MITM

Wireless Attacks: MITM/Wireless

Wired Attacks: MITM/Wired


Layer 1 and 2 MITM Attacks:

MITM/Layer 1 and 2

Network Tap: MITM/Wired/Network Tap

Evil Twin Attack: Evil Twin  · MITM/Evil Twin


Layer 3 and 4 MITM Attacks:

MITM/Layer 3 and 4

Traffic Sniffing: MITM/Sniffing

ARP Poisoning: MITM/ARP Poisoning

Traffic Injection/Modification: MITM/Traffic Injection

DNS Attacks: MITM/DNS  · Bettercap/Failed DNS Spoofing Attack  · Bettercap/Failed DNS Spoofing Attack 2

DHCP Attacks: MITM/DHCP

WPAD MITM Attack: MITM/WPAD

Port Stealing: MITM/Port Stealing

Rushing Attack: MITM/Rushing Attack

Attacking HTTPS: MITM/HTTPS


Layer 5 MITM Attacks:

Session Hijacking: MITM/Session Hijacking


Toolz:

Ettercap  · Bettercap  · MITMf  · EvilFOCA

Wireshark  · Aircrack

Dsniff  · Arpspoof  · Dnsspoof

SSLSniff  · SSLStrip  · Frankencert

Driftnet  · Karma


MITM Labs: {{MITMLabs}}


Category:MITM  · Category:Attacks  · Category:Kali Attack Layers

Template:MITMLabs  · Template:MITMFlag

Flags  · Template:MITMFlag  · e




Retrieved from "https://charlesreid1.com/w/index.php?title=MITM/HTTPS&oldid=13351"