Embed Size (px)
Citation preview
Hands-On Ethical Hands-On Ethical Hacking and Network Hacking and Network
DefenseDefenseLecture 15Lecture 15
Man in the Middle Attack to get Passwords from Man in the Middle Attack to get Passwords from HTTPS SessionsHTTPS Sessions
How HTTPS WorksHow HTTPS Works
HTTP v. HTTPSHTTP v. HTTPS
HTTP doesn't encrypt data at allHTTP doesn't encrypt data at all You can sniff traffic with Wireshark, ettercap, You can sniff traffic with Wireshark, ettercap,
etc.etc. Completely insecureCompletely insecure
HTTPS uses public-key encryption to HTTPS uses public-key encryption to secure datasecure data Much safer, but it can still be cracked to some Much safer, but it can still be cracked to some
extent by a man-in-the-middle attackextent by a man-in-the-middle attack
Components of HTTPSComponents of HTTPS
When you use a secure session (HTTPS), When you use a secure session (HTTPS), these protocols work together:these protocols work together: Address Resolution Protocol (ARP)Address Resolution Protocol (ARP) Domain Name System (DNS)Domain Name System (DNS) Secure Sockets Layers (SSL)Secure Sockets Layers (SSL)
ARP Request and ReplyARP Request and Reply
Client wants to find GatewayClient wants to find Gateway ARP Request: Who has 192.168.2.1?ARP Request: Who has 192.168.2.1? ARP Reply:ARP Reply:
MAC: 00-30-bd-02-ed-7b has 192.168.2.1
Client Gateway Gmail.com
ARP Request
ARP Reply
DemonstrationDemonstrationSniffing ARP with WiresharkSniffing ARP with Wireshark
Start Wireshark capturing packetsStart Wireshark capturing packets Clear the ARP cacheClear the ARP cache
arp –d *arp –d * Ping the default gatewayPing the default gateway
DNS Query and ResponseDNS Query and Response
Client wants to find Gmail.comClient wants to find Gmail.com DNS Query: Where is Gmail.com?DNS Query: Where is Gmail.com? DNS Response:DNS Response:
Gmail.com is at 64.233.171.83
Client Gateway Gmail.com
DNS Query
DNS Response
DemonstrationDemonstrationSniffing DNS with WiresharkSniffing DNS with Wireshark
Start Wireshark capturing packetsStart Wireshark capturing packets Clear the DNS cacheClear the DNS cache
ipconfig /flushdnsipconfig /flushdns Ping Gmail.comPing Gmail.com
SSL HandshakeSSL Handshake
SSL handshake has three stages:SSL handshake has three stages: Hellos Certificate, Key Exchange, and Authentication "Change cipher spec" – handshake finished
The Gateway just forwards all this traffic to the Web server
Client Gateway Gmail.com
Hellos
Cert, Key Exch & Auth
Chg Ciph Spec
DemonstrationDemonstrationSniffing SSL Handshake with Sniffing SSL Handshake with
WiresharkWireshark
Start Wireshark capturing packetsStart Wireshark capturing packets Open a browser and go to yahoo.comOpen a browser and go to yahoo.com Click the My Mail buttonClick the My Mail button
Open a Socket to Port 443Open a Socket to Port 443
This is the usual SYN, SYN/ACK, SYN This is the usual SYN, SYN/ACK, SYN TCP handshakeTCP handshake
Port 443 is used for HTTPSPort 443 is used for HTTPS
HellosHellos Client HelloClient Hello Server sends HelloServer sends Hello
This exchange is used to agree on a protocol version This exchange is used to agree on a protocol version and encryption methodand encryption method
Certificate, Key Exchange, and Authentication
Server sends CertificateServer sends Certificate Client sends Public KeyClient sends Public Key Client Authenticates Certificate with Client Authenticates Certificate with
Certificate Authority (not visible)Certificate Authority (not visible)
Change Cipher Spec
Server sends "Change Cipher Spec"Server sends "Change Cipher Spec" Client sends "Change Cipher Spec"Client sends "Change Cipher Spec" SSL Handshake is done, now client can SSL Handshake is done, now client can
send encrypted Application Datasend encrypted Application Data
Summary of HTTPS ProcessSummary of HTTPS Process
SSL handshake has three stages:SSL handshake has three stages: Hellos Certificate, Key Exchange, and Authentication "Change cipher spec" – handshake finished
Client Gateway Gmail.com
ARP
DNS
SSL/TLS
Man-in-the-Middle Man-in-the-Middle AttackAttack
Summary of AttackSummary of Attack
Hacker intercepts traffic
Must defeat ARP, DNS, and SSL
Client Gateway Gmail.com
AR
P Forwarded
DN
S
SS
H
Hacker
ARP Cache PoisoningARP Cache Poisoning
The Linux utility 'arpspoof' sends a The Linux utility 'arpspoof' sends a constant series of ARP REPLIESconstant series of ARP REPLIES
This diverts Ethernet traffic to the hackerThis diverts Ethernet traffic to the hacker Part of the 'dsniff' packagePart of the 'dsniff' package
DNS SpoofingDNS Spoofing
The Linux utility 'dnspoof' listens for DNS The Linux utility 'dnspoof' listens for DNS queriesqueries
Sends DNS responses sending Web Sends DNS responses sending Web server data to the hackerserver data to the hacker Part of the 'dsniff' packagePart of the 'dsniff' package
IP RoutingIP Routing
'fragrouter' can forward packets to their 'fragrouter' can forward packets to their correct destinationcorrect destination
That allows normal Web surfing (HTTP)That allows normal Web surfing (HTTP) Part of the 'dsniff' packagePart of the 'dsniff' package This could also be done with 'iptables'This could also be done with 'iptables'
SSL SpoofingSSL Spoofing
'webmitm' 'webmitm' creates a creates a Certificate and Certificate and intercepts SSL intercepts SSL handshakeshandshakes Part of the Part of the
'dsniff' 'dsniff' packagepackage
Limitations of the AttackLimitations of the Attack
The SSL spoofing is not perfectThe SSL spoofing is not perfect You can't actually log in and read emailYou can't actually log in and read email
Internet Explorer sends your password to the Internet Explorer sends your password to the hacker before giving up on the connectionhacker before giving up on the connection
Firefox doesn't send your password to the Firefox doesn't send your password to the hackerhacker
Sources Sources
Hacking videos from link l_15bHacking videos from link l_15b How to decrypt SSL encrypted traffic using a How to decrypt SSL encrypted traffic using a
man in the middle attack (Auditor).swfman in the middle attack (Auditor).swf MITM Hijacking.wmvMITM Hijacking.wmv
SSL Handshake information from l_15a SSL Handshake information from l_15a (cs.bham.ac.uk)(cs.bham.ac.uk)
