Penetration Testing mailing list archives
RE: SSL MITM not on port 443
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 29 Aug 2008 20:58:29 -0500
On Thu, 2008-08-28 at 15:56 +0200, christopher.riley () r-it at wrote:
> I've confirmed that I can get this working on a normal SSL based web server (obviously by agreeing to the insecure certificate). However I still had no luck with Ettercap on this service. I'm trying now with an iptables rule to forward between port 443 on the MITM machine to the target server on a higher port. It's just getting a chance to squeeze it in amongst the other things that need doing. I'll set aside some time at the weekend to throw this on my lab system at home and get it working somehow.
Why so complicated? Intercepting SSL with the ability to serve your own certificates is easily done with SSLProxy. Older versions only proxied clear-text listener ports into an SSL connection and you needed to use OpenSSL to do the reverse. But newer versions of SSLProxy also allow you to supply a certificate and listen as an SSL endpoint connecting back to a clear-text port.

(client) --[SSL]--> (server)

To intercept, change to:

(client) --[SSL]--> (SSLProxy) --[clear-text]--> (SSLProxy) --[SSL]--> (server)

You can sniff the traffic between the SSLProxies for clear-text analysis. Further, you can configure the left-side SSLProxy with any certificate you create. That should allow you to test if your client application handles invalid certificates correctly.

I've used SSLProxy and OpenSSL in pentests almost a decade ago before ready-made SSL MITM tools like dsniff were available. They work quite nicely. You can run them both on the same machine. However, in one instance, I needed to permit a 2nd and 3rd machine to sniff the intercepted clear-text traffic, so we ran SSLProxy on one box and OpenSSL on another, and transmitted the clear-text across a hub that allowed the other machines to sniff the traffic too. A handy setup, especially when combined with ARP poisoning :)

Cheers,
Frank
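Frank's last point, that a proxy presenting its own certificate lets you check whether a client "handles invalid certificates correctly", is the defender's takeaway from this thread: the interception only works silently against a client that does not verify. The following is an added example, not code from Frank or from SSLProxy, written in Go because its standard library can mint a throwaway certificate and run both TLS ends in memory with no network. It plays the role of the left-hand SSLProxy by presenting a self-signed certificate, then checks the three behaviours a correct client must show. The hostnames `app.example.test` and `other.example.test` are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname baked into the throwaway certificate (constructed for this example).
const interceptedName = "app.example.test"

// selfSignedCert mints a short-lived self-signed certificate for dnsName. It stands
// in for the certificate an interception proxy would present; the key is generated
// on the fly and thrown away, so nothing here is real trust material.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// handshake runs one TLS handshake over an in-memory pipe: the server side presents
// cert, the client side uses clientCfg. The client's handshake error is returned,
// because that is where certificate verification surfaces.
func handshake(cert tls.Certificate, clientCfg *tls.Config) error {
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	defer srvConn.Close()
	deadline := time.Now().Add(5 * time.Second) // never hang if one side stalls
	_ = cliConn.SetDeadline(deadline)
	_ = srvConn.SetDeadline(deadline)

	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert}})
	go func() { _ = srv.Handshake() }() // the server only has to drive its half

	return tls.Client(cliConn, clientCfg).Handshake()
}

// VerificationResult records how a client behaved against the proxy-style certificate.
type VerificationResult struct {
	RejectsUnknownCA bool // default trust store: must fail with UnknownAuthorityError
	AcceptsPinned    bool // cert explicitly trusted and name matches: must succeed
	RejectsWrongName bool // cert trusted but name differs: must fail with HostnameError
}

// CheckClientVerification exercises the three behaviours a client needs for the
// interception chain in the thread to be noticed rather than silently accepted.
func CheckClientVerification() (VerificationResult, error) {
	var res VerificationResult
	cert, leaf, err := selfSignedCert(interceptedName)
	if err != nil {
		return res, err
	}

	// 1. Default trust store, correct name: the proxy's certificate is unknown, so
	//    the handshake must fail. "Agreeing to the insecure certificate" here is the bug.
	var unknownCA x509.UnknownAuthorityError
	res.RejectsUnknownCA = errors.As(handshake(cert, &tls.Config{ServerName: interceptedName}), &unknownCA)

	// 2. The same certificate explicitly trusted, as a pinned test certificate would be.
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	res.AcceptsPinned = handshake(cert, &tls.Config{ServerName: interceptedName, RootCAs: pool}) == nil

	// 3. Trusted certificate presented for a different hostname: name checking must still bite.
	var wrongName x509.HostnameError
	res.RejectsWrongName = errors.As(handshake(cert, &tls.Config{ServerName: "other.example.test", RootCAs: pool}), &wrongName)

	return res, nil
}

func main() {
	res, err := CheckClientVerification()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	fmt.Printf("rejects unknown CA: %v\naccepts pinned cert: %v\nrejects wrong name: %v\n",
		res.RejectsUnknownCA, res.AcceptsPinned, res.RejectsWrongName)
}
```

The same three checks apply to any client under test: run it against the interception point once with its normal trust store (expect a hard failure, not a prompt the user can click through), once with the test certificate deliberately trusted (expect success), and once under a mismatched name (expect failure). A client that passes only the second check is the one the setup in this thread will catch.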
Current thread:
- SSL MITM not on port 443 christopher . riley (Aug 27)
- RE: SSL MITM not on port 443 Robbie Gill (Aug 27)
- Re: SSL MITM not on port 443 James Matthews (Aug 27)
- RE: SSL MITM not on port 443 christopher . riley (Aug 28)
- Re: SSL MITM not on port 443 Roman Fulop (Aug 28)
- Re: SSL MITM not on port 443 Ahmad Taha (Aug 28)
- RE: SSL MITM not on port 443 Shenk, Jerry A (Aug 29)
- RE: SSL MITM not on port 443 christopher . riley (Aug 29)
- RE: SSL MITM not on port 443 Frank Knobbe (Aug 30)