SecurityTube, Wireless Lan Security Megaprimer notes: part 13 (SSL Man-In-The-Middle Attacks)

Vivek’s video for this part is here.

In this part Vivek shows us how to modify the requests as they pass though the system in a man in the middle attack. This allows us to change web requests and intercept SSL connections (though this will give an error on the client, it is usually ignored by the user).

We’re going to use DNS spoofing. The tool used is called dnsspoof.

This will sniff on an interface, whenever it sees a DNS request it will reply with the attacker machines IP.

We’re carrying on from the previous part, with a bridge setup which routes all traffic via our host to the internet.

0. We can run dnsspoof on the bridge as follows:

dnsspoof -i mitm

This will trigger on all DNS traffic not originating from the attacker machine.

The external DNS will ALSO reply. However dnsspoof will respond first, and therefore will be used.

1. Try and correct to a site from your client.

You should see the DNS lookup in the dnsspoof window.

2. Now all traffic will be going to our machine, but our machine doesn’t know how to reply. So we need to run a proxy here.

We use a proxy server included with backtrack called Burp suite.

Select Backtrack->Web Application Analysis->Web (frontend)->Burp suite from the programs menu.

NOTE: I couldn’t find this on backtrack 5 R1. To run Burp suite here I did the following:

cd /pentest/web/burpsuite
sh ./suite.bat

Your ads will be inserted here by

Easy AdSense Pro.

Please go to the plugin admin page to paste your ad code.

This will start a proxy on port 8080 by default. This is no good because requests are coming in on port 80 and 443 (for ssl)

Click Proxy, options, enter 80 in “local listener port” and click add.

Enter 443 in “local listener port” and click add.

3. Try and connect to a site on your client again. It’ll screw up. This is because the client isn’t configured to use a proxy…

4. Click on the port 80 line in burp suite. Select “support invisible proxying for non-proxy aware clients”. (do the same for port 443).

5. Select the intercept tab. Load a page on the client.

You should see the web request in burp suite. Remove the intercept. And try and load a page on the client.

You should see that it loads normally. You can also see the DNS requests in dnsspoof.

6. Turn the intercept on, and search for “antivirus” on the client. Note that you see the search in the intercept.

7. You can now edit the intercepted request, change “antivirus” to “pwned”. And click “forward”. You should see that your client gets search requests for the word “pwned”.

Neat! You can automate a lot of this using burpscript to other proxy servers such as delicate.

8. Now, enter gmail.com on your client.

You will get an error saying “Can not verify server identity”. Burp proxy, is performing the signing itself, and this is causing the error.

However, must users will just hit continue though this. Beyond this point, the login will look fine. Enable intercepts again. Login on the client, and you’ll be able to see the password in the intercept window.

Vivek has other videos on this see:

here and here.