MITM/HTTPS: Difference between revisions
From charlesreid1
m (Admin moved page MITM HTTPS to Man in the Middle/HTTPS) |
No edit summary |
||
| Line 2: | Line 2: | ||
So far, what have I tried? | So far, what have I tried? | ||
* ARP spoofing works only against HTTP sites - | * ARP spoofing with [[Bettercap]] works only against HTTP sites - works like a charm and it's easy to watch a sheep's HTTP traffic stream, but there's no tampering with HTTPS streams. | ||
* DNS spoofing | * DNS spoofing with [[Bettercap]] or [[Dnsspoof]] works only against HTTP sites - can spoof DNS requests (although it is not working correctly); they cannot spoof HTTPS requests | ||
* SSLStrip is too old of an attack to work - many sites bypass it | * [[SSLStrip]] is too old of an attack to work - many sites bypass it | ||
* SSLSniff | * [[SSLSniff]] still holds promise. It is a certificate server, so you can use it to server fake certificates. Using Moxie0's suggested null-byte and other certificate attacks did not work - against an up-to-date browser... did not check any older ones. Could load fake root certificates on sheep's machine, could find vulnerabilities in certificate-checking mechanism, could find way to legitimately self-sign certificates, could crack private key. | ||
Dead ends: | Dead ends: | ||
| Line 14: | Line 14: | ||
Promising leads: | Promising leads: | ||
* SSLSniff allows you to serve up fake certificates - there are potential attacks on how browsers check certificates. This is one where you have to try throwing everything at the wall, until something sticks, and now all your sheep are all people who use that browser. | * SSLSniff allows you to serve up fake certificates - there are potential attacks on how browsers check certificates. This is one where you have to try throwing everything at the wall, until something sticks, and now all your sheep are all people who use that browser. | ||
* CreatePEM - if RSA is weak enough, you can brute-force crack it: http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html | * CreatePEM - if RSA is weak enough, you can brute-force crack it to obtain a private key from a public key: http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html | ||
* Scapy-SSL_TLS - a Scapy utility library that describes itself as follows: | |||
"An offensive stack for SSLv2, SSLv3 (TLS), TLS, DTLS penetration testing providing easy access to packet crafting, automatic dissection, encryption, decryption, session tracking, automated handshakes, TLSSocket abstraction, cryptography containers, predefined hooks, SSL sniffing including minimalistic PCAP stream decryption (RSA_WITH_*), fuzzing and security scanning (Renegotiation, Heartbleed, Poodle, Logjam/Freak, various Buffer overflows, ...)." | |||
=Flags= | =Flags= | ||
{{MITMFlag}} | {{MITMFlag}} | ||
Revision as of 08:30, 26 August 2016
Thinking more about how MITM attacks could be implemented against HTTPS, seeing if I can test any on the sandbox network at home.
So far, what have I tried?
- ARP spoofing with Bettercap works only against HTTP sites - works like a charm and it's easy to watch a sheep's HTTP traffic stream, but there's no tampering with HTTPS streams.
- DNS spoofing with Bettercap or Dnsspoof works only against HTTP sites - can spoof DNS requests (although it is not working correctly); they cannot spoof HTTPS requests
- SSLStrip is too old of an attack to work - many sites bypass it
- SSLSniff still holds promise. It is a certificate server, so you can use it to server fake certificates. Using Moxie0's suggested null-byte and other certificate attacks did not work - against an up-to-date browser... did not check any older ones. Could load fake root certificates on sheep's machine, could find vulnerabilities in certificate-checking mechanism, could find way to legitimately self-sign certificates, could crack private key.
Dead ends:
- ARP spoofing without a way to crack https
- DNS spoofing without a way to crack https
- Stealing private keys: getting private keys was just ridiculously stupidly impossible to actually do. Probably by design, but absolutely no way to learn that way.
Promising leads:
- SSLSniff allows you to serve up fake certificates - there are potential attacks on how browsers check certificates. This is one where you have to try throwing everything at the wall, until something sticks, and now all your sheep are all people who use that browser.
- CreatePEM - if RSA is weak enough, you can brute-force crack it to obtain a private key from a public key: http://blog.stalkr.net/2010/03/codegate-decrypting-https-ssl-rsa-768.html
- Scapy-SSL_TLS - a Scapy utility library that describes itself as follows:
"An offensive stack for SSLv2, SSLv3 (TLS), TLS, DTLS penetration testing providing easy access to packet crafting, automatic dissection, encryption, decryption, session tracking, automated handshakes, TLSSocket abstraction, cryptography containers, predefined hooks, SSL sniffing including minimalistic PCAP stream decryption (RSA_WITH_*), fuzzing and security scanning (Renegotiation, Heartbleed, Poodle, Logjam/Freak, various Buffer overflows, ...)."
Flags
 |
monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired
Layer 1 and 2 MITM Attacks: Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin · MITM/Evil Twin
Layer 3 and 4 MITM Attacks:
ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS · Bettercap/Failed DNS Spoofing Attack · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS
Session Hijacking: MITM/Session Hijacking
Toolz:
SSLSniff · SSLStrip · Frankencert
MITM Labs: {{MITMLabs}}
Category:MITM · Category:Attacks · Category:Kali Attack Layers Template:MITMLabs · Template:MITMFlag Flags · Template:MITMFlag · e |