Monday, 28 April 2014

Sniffing encrypted SSL credentials with SSLStrip

I lot of people will tell you that there site is secure because they are using SSL. I see it pasted all over companies websites ensuring customers they are following the strictest security practises because they are using SSL. Aside from all of those people having recently been smacked in the face with an elephant size spanner courtesy of the recent SSL heartbleed vulnerability, all SSL really does is encrypt traffic to and from the site. This does nothing to protect the rest of the website. That is another subject all together though.

How can we sniff encrypted traffic?
If SSL encrypts the users traffic then how can we still sniff out the credentials? We will not actually be sniffing encrypted traffic. Due to the way SSL has been built it is possible for us to retrieve any connections destined for SSL and simply strip away the SSL layer.Building a secure protocol on top of an insecure protocol was not a good idea. When a user goes to an SSL enabled site they do not know it is SSL enabled. The browser sends the request via port 80. When the server sees the request it re-directs the user to port 443. Our job as the attacker is to sit in the middle and catch any requests that go to port 80 and come back as 443. When we capture the SSL packet on its way back from the server we strip out the SSL layer and send the normal http traffic to the victim. As they enter credentials and send them to the server we simply put the SSL layer back on and send it back to the server. So we are not actually sniffing "encrypted" traffic, but simple passing the packet inbetween us and server and alternating the data to be clear text to and from the victim.

Getting started
The tools I will be using for this attack are:
SSLStrip
ARPSpoof
IPTables
Ettercap

All of these tools come pre-loaded with Kali and Backtrack.

SSLStrip is where all of the core SSL magic happens. SSLStrip was created by Moxie Marlinspike and first demonstrated at Black Hat 2009. His original talk can be found at:
ARPSpoof is used to create the man in the middle attack by poisoning the victims arp-cache
IPTables are used to redirect any web traffic to port 8080. (SSLStrip will be running on port 8080)
Ettercap will be used to log any user credentials as they pass through. 

The Attack
First thing we need to do is enable routing on our PC. Without this our arp-poison will not work as incoming traffic cannot be routed back out to the internet and vice versa. Enable routing with the command:
sysctl -w net.ipv4.ip_forward=1

Next we need to position ourself in between the victim and the gateway. Do this with the command:
sudo arpspoof -i eth0 -t 192.168.1.7 192.168.1.254
Replace eth0 with your interface and the target and gateway IP with your victim and gateway.


Start SSLStrip listening on port 8080:
sudo sslstrip -k -l 8080


Now we need to listen for any traffic destined for port 80 and redirect it to SSLStrip running on port 8080. Use the command:
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

Everything should be routing and forwarding as expected. The last thing we need to do to make life easier is run Ettercap to automatically extract any credentials that pass through:
ettercap -T -q -i eth0



The Results

CHROME
Interesting to note is that the first few connections to facebook with chrome seemed to work fine and then google figures out that there is some trickery going on and blocks the connection:




FireFox
Firefox also worked flawless the first couple of time and the figured out something was not right and would not let me continue:


Internet explorer
No real suprises here. IE didnt seem to care at all and just gave us a small warning that the ssl cert may be invalid. Nice how they also include two green ticks stating the certificate is valid. I could click past and sign into facebook.




Ettercap caught this login and displayed it clear text for us:




This tool takes some setting up and may not work correctly without some playing around which might compromise a pentest and alert the victim. To increase your hit rate you should probably get it setup and working correctly before the victim logs into the network. 



1 comment: