Penetration Testing mailing list archives

RE: SSL MITM not on port 443

From: "Robbie Gill" <rgill () arubanetworks com>
Date: Wed, 27 Aug 2008 10:24:18 -0700


Try pointing the application to a MITM proxy like Paros
(http://www.parosproxy.org/index.shtml) or WebScarab
(http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project). Such
a proxy sits in the middle of the client application and the server and
presents its own certificate to both sides so it can MITM the connection
between the client and the server. You should be able to see all
communication clear text in the proxy. A security savvy client
application will throw a warning to indicate that it is being presented
with a ssl cert, it doesn't trust or recognize. 

If the application accepts the MITM ssl cert presented by the proxy
without any warnings etc., it is vulnerable. 


-Robbie  


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of christopher.riley () r-it at
Sent: Wednesday, August 27, 2008 4:33 AM
To: pen-test () securityfocus com
Subject: SSL MITM not on port 443

I've come across a problem in a pentest that I'm working on right now
that 
I thought the members of the list might be able to assist me with.

I'm working with a propriatary software (written in C++) that
communicates 
on a high port number using HTTPS. I'm trying to test to see if the 
software can be fooled into accepting a false certificate and then
traffic 
decoded into clear text.

So far I've tried Ettercap, webmitm and CAIN without much luck. The 
closest I can get is Ettercap capturing the communication, however it 
doesn't offer a forged certificate and all captured traffic is still 
encrypted using the normal server certificate. Not  much of a MITM
attack. 
I've confirmed that Ettercap works as advertised against a couple of
sites 
in Internet Explorer and all seems to work normally.

Does anybody know of a way to force Ettercap to perform an SSL mitm even

though the port isn't associated with HTTPS ? or maybe you can suggest a

better tool for the job ? I can control where the application looks for 
the server, so I can divert it through some kind of forwarding proxy if 
needed ?

Thanks,

Chris Riley

----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien,
DVR 0486809, UID ATU 16351908

Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail
dient ausschliesslich Informationszwecken. Rechtsgeschaeftliche
Erklaerungen duerfen ueber dieses Medium nicht ausgetauscht werden. 
Correspondence with above mentioned sender via e-mail is only for
information purposes. This medium may not be used for exchange of
legally-binding communications.
----------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

Current thread:

SSL MITM not on port 443 christopher . riley (Aug 27)
- RE: SSL MITM not on port 443 Robbie Gill (Aug 27)
  - Re: SSL MITM not on port 443 James Matthews (Aug 27)
  - RE: SSL MITM not on port 443 christopher . riley (Aug 28)
    - Re: SSL MITM not on port 443 Roman Fulop (Aug 28)
    - Re: SSL MITM not on port 443 Ahmad Taha (Aug 28)
    - RE: SSL MITM not on port 443 Shenk, Jerry A (Aug 29)
    - RE: SSL MITM not on port 443 christopher . riley (Aug 29)
    - RE: SSL MITM not on port 443 Frank Knobbe (Aug 30)