Nmap Development mailing list archives

Re: Superfish support for ssl-known-key?


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 19 Feb 2015 12:59:31 -0600

On Thu, Feb 19, 2015 at 11:27 AM, David Fifield <david () bamsoftware com>
wrote:

> There's this story about how lots of computers have a trusted root CA
> with a known private key.
>
> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
>
> It seems like the kind of thing we should detect in ssl-known-key.nse.
>
> http://nmap.org/nsedoc/scripts/ssl-known-key
>
> However, if I understand correctly, we have to change ssl-known-key a
> bit for it to work. Superfish will be the issuer certificate, not a leaf
> certificate. It means we want to check every certificate in the chain,
> not only the leaf.
>
> Robert Graham says this is the key:
>
> http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
> https://github.com/robertdavidgraham/pemcrack/blob/master/test.pem
>
> If so, then this is its fingerprint:
>
> $ openssl x509 -noout -fingerprint -in test.pem
> SHA1 Fingerprint=C8:64:48:48:69:D4:1D:2B:0D:32:31:9C:5A:62:F9:31:5A:AF:2C:BD
>
> David Fifield


But how do we report it? It's not something one would expect to find on a
server, since it's used to MITM a client. If Nmap finds certs signed with
this root cert, I can see a few possibilities:

1. Nmap's traffic is being MITM'd by Superfish on the same machine. Not
sure if this is possible, since I don't know how it's actually modifying
the traffic.

2. Nmap's traffic is being MITM'd by someone on the LAN. This is a real
attack to watch for, since the certificate and key are now public, and it
can be assumed there are hundreds or thousands of Lenovo laptops which will
trust it.

3. The server actually has a Superfish-signed cert on the service. This
seems like the least-likely scenario, but it is the most-likely way that
someone would interpret the output of ssl-known-key, since Nmap isn't
normally used for detecting MITM.

Dan
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
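The check David describes, walking every certificate in the served chain rather than only the leaf and comparing each SHA1 fingerprint against a list of known-compromised keys, as an added standalone Python example. This is not code from the thread or from ssl-known-key.nse (which is Lua); it only reproduces the `openssl x509 -fingerprint` format over the DER bytes of each PEM block. The Superfish fingerprint is the one quoted in the thread; the sample chain and the extra "constructed" known-bad entry in the usage block are made up for illustration and are not real certificates. The report also records where in the chain the match occurred, which is what Dan's three interpretations hinge on.

```python
import base64
import hashlib
import re

# SHA1 fingerprint of the Superfish root CA, as quoted in the thread above.
SUPERFISH_SHA1 = "C8:64:48:48:69:D4:1D:2B:0D:32:31:9C:5A:62:F9:31:5A:AF:2C:BD"

# Known-bad fingerprints -> human-readable note. Only the page's value is real.
KNOWN_BAD = {
    SUPERFISH_SHA1: "Superfish root CA (private key publicly extracted, Feb 2015)",
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_chain_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in served order (leaf first)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def sha1_fingerprint(der):
    """SHA1 over the DER encoding, formatted like `openssl x509 -noout -fingerprint`."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_chain(pem_text, known_bad=KNOWN_BAD):
    """Fingerprint every certificate in the chain and report any known-bad match.

    Each hit records the chain position and role, because a match on the
    leaf and a match on the issuer mean different things to the operator.
    """
    hits = []
    for position, der in enumerate(pem_chain_to_der(pem_text)):
        fp = sha1_fingerprint(der)
        if fp in known_bad:
            hits.append({
                "position": position,
                "role": "leaf" if position == 0 else "issuer/intermediate",
                "fingerprint": fp,
                "note": known_bad[fp],
            })
    return hits


# Constructed two-"certificate" chain: the PEM bodies are just base64 of the
# bytes b"leaf" and b"abc", NOT real X.509 data; enough to exercise the chain walk.
SAMPLE_CHAIN = """\
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Against the real list nothing matches, since the sample data is made up.
    print("real list:", check_chain(SAMPLE_CHAIN))
    # Constructed extra entry keyed on SHA1(b"abc") to show an issuer-position hit.
    demo_list = dict(KNOWN_BAD)
    demo_list[sha1_fingerprint(b"abc")] = "constructed test entry"
    for hit in check_chain(SAMPLE_CHAIN, demo_list):
        print("{role} at position {position}: {fingerprint} ({note})".format(**hit))
```

When wiring something like this into a scanner, keep the position in the output: a hit at position 0 is a server actually presenting the known cert, while a hit on an issuer with a leaf you have never seen before is the "someone between you and the server" case from Dan's list.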
