Penetration Testing mailing list archives

Re: Re: HTTPS proxy tool that resigns SSL certs


From: one2 () onetwo com
Date: 7 Jun 2006 00:46:50 -0000

Thanks to everyone who responded. Apologies for the question being a little vague - I was a little eager to gain an 
answer before knowing my final question.

My ultimate goal is to perform a MITM attack on an SSL connection, and be undetected by the user - i.e. no security 
prompt by the browser - and without the victim system being previously compromised, or having access to import a 
certificate into the browser.

The response that came closest to what I was after was from Phil Fredrick. With a little modification to his solution, 
and assuming we are on the same LAN as the victim, we have the following:

- Attacker purchases a valid SSL certificate for www.attacker.com
- Attacker sets up website https://www.attacker.com on the attacking machine
- Attacker performs DNS Spoofing to redirect victim https requests to www.attacker.com
- This provides a valid SSL certificate to the victim - i.e. no security prompt
- Attacking machine gets and passes on (proxies) the original page requested by victim (also allowing modification to 
the page as necessary)

Basically you are still acting as a proxy, but using DNS spoofing and a valid SSL cert, the victim is not prompted by 
the browser.

The only flaw with this process is that the victim will now have https://www.attacker.com in the address bar of their 
browser. One solution is to try to make the SSL certificate's URL as close as possible to the site you wish to spoof 
(www.h0tmail.com), so that it isn't easily noticeable to the end-user. This would, however, limit the attacker to 
intercepting hotmail requests ... My preferred solution would be either to use an IE exploit that allows spoofing 
in the address bar (assuming IE), or simply to buffer the URL so that the end user can't see www.attacker.com.



Other concepts that I was looking at, and would like to hear responses on, are:

1. Using a null-cipher, allowing an attacker to present the 'SSL' pages to the user over HTTP - and therefore not 
causing the browser to produce a security warning. I understand that some companies do this to perform content 
filtering on SSL connections. Would be interested to hear if any tools implement this functionality for MITM attacks.

2. Using "certificate chaining", which may allow an attacker to sign whatever certificates they like, and will be 
trusted. RSA (aka "verisign") sells a certificate service seemingly specifically for this purpose - RSA Root Signing 
Service. More info on this below:

  RSA Security - RSA Root Signing Service
  http://www.rsasecurity.com/node.asp?id=1267

  [...]

  Getting to the Root of e-Business

Organizations using certificate management software can issue digital certificates under their privately branded root 
... However, web browsers and other external applications will not recognize certificates issued by private-root 
certificate authorities and therefore may not trust such certificates. The RSA Root Signing Service extends the value 
of the certificate management software by enabling enterprises to "chain" their certificate authority to RSA Security's 
trusted root, thereby ensuring ubiquitously recognized and trusted client-side and server-side certificates.

  [...]


So this means that using the RSA Root Signing Service I would be able to sign a certificate for www.hotmail.com and 
have it chained back to RSA Security's trusted root, meaning that browsers would accept the certificate as valid - and 
no security prompt.

Looking forward to your responses.

One2
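Added example, not part of the original post or any reply in the thread: the scenarios above all hinge on what the client-side certificate check does and does not compare. The first scenario passes because the presented certificate genuinely matches the name in the address bar (www.attacker.com, or a lookalike such as www.h0tmail.com), and the chaining scenario passes because the browser only asks whether the chain ends in a trusted root, not whether the issuer is the one that normally issues for that site. The code below shows the three checks a defender can run on a presented certificate: strict hostname matching against the name the user actually asked for, a pinned-issuer check per protected site, and a confusable-character check that flags lookalike names. The certificate dictionaries are constructed to mimic the shape Python's ssl getpeercert() returns; the issuer names and the pinned mapping are assumptions for the illustration, not real CA names.

```python
"""Client-side certificate checks: hostname match, pinned issuer, lookalike names.

Constructed example. The cert dicts below imitate the structure returned by
ssl.SSLSocket.getpeercert() (subjectAltName tuples, issuer RDN tuples); they
are not real certificates and the issuer names are made up for illustration.
"""

# Constructed certificate as an attacker-controlled but *valid* cert for
# www.attacker.com would look after parsing.
CERT_FOR_ATTACKER = {
    "subject": ((("commonName", "www.attacker.com"),),),
    "subjectAltName": (("DNS", "www.attacker.com"),),
    "issuer": ((("commonName", "Example Public CA"),),),  # assumed name
}

# Constructed certificate for the real site name, issued from a sub-CA that is
# chained to a trusted root but is NOT the issuer the site normally uses.
CERT_CHAINED_HOTMAIL = {
    "subject": ((("commonName", "www.hotmail.com"),),),
    "subjectAltName": (("DNS", "www.hotmail.com"),),
    "issuer": ((("commonName", "Example Chained Sub-CA"),),),  # assumed name
}

# Assumed pin table: the issuer commonName a defender expects for each site.
PINNED_ISSUERS = {"www.hotmail.com": "Example Hotmail Issuer"}

# Characters commonly substituted to build lookalike host names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _labels(name: str) -> list:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(expected_host: str, cert: dict) -> bool:
    """True only if a dNSName SAN entry covers expected_host.

    Wildcards follow the RFC 6125 rules a browser applies: a lone '*' may
    replace only the entire left-most label and must leave at least two labels.
    """
    host_labels = _labels(expected_host)
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        labels = _labels(value)
        if len(labels) != len(host_labels):
            continue
        if any("*" in lab for lab in labels[1:]):
            continue  # wildcard is never allowed past the first label
        if "*" in labels[0] and (labels[0] != "*" or len(labels) < 3):
            continue  # no partial wildcards ('w*'), no '*.com'
        if all(p == "*" or p == h for p, h in zip(labels, host_labels)):
            return True
    return False


def issuer_common_name(cert: dict):
    """Return the issuer commonName from a getpeercert()-shaped dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def lookalike_of(name: str, protected: list) -> list:
    """Protected names that `name` turns into after folding confusable characters."""
    folded = name.lower().translate(CONFUSABLES)
    return [p for p in protected if folded == p.lower() and name.lower() != p.lower()]


def check_peer(expected_host: str, cert: dict, pinned_issuers: dict) -> list:
    """Run all three checks; an empty list means the certificate is acceptable.

    A cert that a browser would accept can still fail here: the pinned-issuer
    check catches a correctly named cert from an unexpected (chained) issuer,
    and the lookalike check catches a validly issued confusable name.
    """
    problems = []
    if not hostname_matches(expected_host, cert):
        problems.append("hostname-mismatch")
    expected_issuer = pinned_issuers.get(expected_host)
    if expected_issuer is not None and issuer_common_name(cert) != expected_issuer:
        problems.append("unexpected-issuer")
    if lookalike_of(expected_host, list(pinned_issuers)):
        problems.append("lookalike-hostname")
    return problems


if __name__ == "__main__":
    print(check_peer("www.hotmail.com", CERT_FOR_ATTACKER, PINNED_ISSUERS))
    print(check_peer("www.hotmail.com", CERT_CHAINED_HOTMAIL, PINNED_ISSUERS))
    print(check_peer("www.h0tmail.com", CERT_FOR_ATTACKER, PINNED_ISSUERS))
```

In use, the cert dict comes from getpeercert() on an established TLS socket and the pin table is maintained per protected site; the hostname check alone reproduces what the browser does and so accepts the chained certificate, which is exactly why the issuer pin is the check that matters for scenario 2.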
