home Tips Interception of data from an SSL connection (we read the mail of local users via https). Ettercap instructions: man-in-the-middle attack (MitM), password interception, HSTS bypass, data substitution on the fly, use of custom filters and plugins, hooking on

Interception of data from an SSL connection (we read the mail of local users via https). Ettercap instructions: man-in-the-middle attack (MitM), password interception, HSTS bypass, data substitution on the fly, use of custom filters and plugins, hooking on

Ways to hack and protect the session from theft

Most sites on the Internet are open to external influences from hackers. Even large-scale expensive Internet projects are hacked: they leave traces or take away the database. As a result, the owner of the resource suffers, as well as visitors.

To avoid hacking problems, a number of measures are required during development. Some preventive actions need to be carried out during the operation of the site.

In past articles, I showed how servers are performed, as well as servers. Today we will talk about interception and protection of sessions by hackers.

Site session

PHP is probably the most common server-side programming language for websites. In php, a website session is started using the session_start() command. Before starting, you can specify Extra options. The session usually stores important personal information about the user: login, name, password, ..

Session Hijacking

There are 2 ways to store the session ID: in cookies and in address bar. The first option is more secure than the second, but both are hackable to varying degrees. This type The hack is called session hijacking.

Let the identifier be stored in the site url. A logged-in visitor, walking through the pages of your site, decides with someone. When publishing a link, he gives the link with his session ID. If the site does not have any additional protection methods, then by clicking on such a link, a new visitor will already be logged in as the first user, if the session has not yet ended. Then do what you want on the site within the limits allowed by the rules.

Things are more complicated with cookies, but everything is also quite easily intercepted. Many sites do not filter browser scripts when users publish information. A potential hacker places such a script on a page. A logged in visitor visits a page... The script reads the cookie value or address bar and passes the session ID to another site. The other site belongs to the hacker. Further, everything is simple. A cookie is forged or the address of a site page with the desired session ID is entered.

Session Hacking

When a session starts, session files are created in the temporary directory. These files store information. If used, then, usually, the temporary folder for storing sessions is shared by all sites on the server. Further, in a certain way, the session data is read by its own script. To do this, the attacker must have an account on the same server. As a result, if a password from a site or a credit card number with a cvv code is stored in the session, then all this useful information fall into the hands of an attacker.

Session data hack protection

Store the session in cookies. Harder to take.
Bind the session to the ip address of the computer. When entering from another ip, a new session is created depending on the script settings.
Bind the session to the browser's user agent. When you log in from another browser, the session is reset to zero.
Encrypt parameters passed to the session. If an attacker gets the session file, he will not be able to read it. Although if you have certain skills, it is also possible to decrypt the session.
Store session IDs in a separate folder. In php, there is a session_save_path($path_to_dir) command for this. The same setting can be written in the php.ini file. The parameter is called session.save_path.
Use session_set_save_handler() in php to override how the session is stored. And since PHP 5.4, you can pass an object of type SessionHandlerInterface to session_set_save_handler().

Many users do not even realize that by filling in the login and password when registering or authorizing on a closed Internet resource and pressing ENTER, this data can easily be intercepted. Very often they are transmitted over the network in an unsecured form. Therefore, if the site on which you are trying to log in uses the HTTP protocol, then it is very easy to capture this traffic, analyze it using Wireshark, and then use special filters and programs to find and decrypt the password.

The best place to intercept passwords is the core of the network, where the traffic of all users goes to closed resources (for example, mail) or in front of the router to access the Internet when registering on external resources. We set up a mirror and we are ready to feel like a hacker.

Step 1. Install and run Wireshark to capture traffic

Sometimes for this it is enough to select only the interface through which we plan to capture traffic, and click the Start button. In our case, we capture wirelessly.

Traffic capture has begun.

Step 2. Filtering captured POST traffic

We open the browser and try to log in to any resource using the username and password. Upon completion of the authorization process and the opening of the site, we stop capturing traffic in Wireshark. Next, open the protocol analyzer and see a large number of packets. This is the stage where most IT professionals give up because they don't know what to do next. But we know and we are interested in specific packets that contain POST data that is generated on our local machine when filling out a form on the screen and sent to remote server when you click the "Login" or "Authorization" button in the browser.

Enter a special filter in the window to display captured packets: http.request.method == "POST"

And instead of a thousand packages, we see only one with the data we are looking for.

Step 3. Find the username and password

Quick click right button mouse and select from the menu Follow TCPSteam

After that, text will appear in a new window, which in the code restores the page content. Let's find the "password" and "user" fields, which correspond to the password and username. In some cases, both fields will be easy to read and not even encrypted, but if we are trying to capture traffic when accessing very well-known resources such as: Mail.ru, Facebook, Vkontakte, etc., then the password will be encoded:

HTTP/1.1 302 Found

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"

Set-Cookie:password= ; expires=Thu, 07-Nov-2024 23:52:21 GMT; path=/

Location: loggedin.php

Content Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

So in our case:

Username: networkguru

Password:

Step 4Determine the type of encoding to decrypt the password

We go, for example, to the site http://www.onlinehashcrack.com/hash-identification.php#res and enter our password in the identification window. I was given a list of encoding protocols in order of priority:

Step 5: Decrypt User Password

At this stage, we can use the hashcat utility:

~# hashcat -m 0 -a 0 /root/wireshark-hash.lf /root/rockyou.txt

At the output, we received a decrypted password: simplepassword

Thus, with the help of Wireshark, we can not only solve problems in the operation of applications and services, but also try ourselves as a hacker by intercepting passwords that users enter in web forms. You can also find out passwords for mailboxes users using simple filters to display:

The POP protocol and filter looks like this: pop.request.command == "USER" || pop.request.command == "PASS"
The IMAP protocol and filter will be: imap.request contains "login"
SMTP protocol and you will need to enter the following filter: smtp.req.command == "AUTH"

and more serious utilities for decrypting the encoding protocol.

Step 6. What if the traffic is encrypted and using HTTPS?

There are several options for answering this question.

Option 1. Connect to the disconnect between the user and the server and capture the traffic at the moment the connection is established (SSL Handshake). At the time of connection establishment, the session key can be intercepted.

Option 2: You can decrypt HTTPS traffic using a session key log file written by Firefox or Chrome. To do this, the browser must be configured to write these encryption keys to a log file (FireFox-based example) and you must receive this log file. Essentially, you need to steal the session key file with hard drive another user (which is illegal). Well, then capture the traffic and apply the received key to decrypt it.

Clarification. We're talking about the web browser of a person whose password is being stolen. If we mean decrypting our own HTTPS traffic and want to practice, then this strategy will work. If you're trying to decrypt other users' HTTPS traffic without access to their computers, it won't work - that's what encryption and privacy are for.

After receiving the keys according to option 1 or 2, you need to register them in WireShark:

Go to the menu Edit - Preferences - Protocols - SSL.
Set the flag "Reassemble SSL records spanning multiple TCP segments".
"RSA keys list" and click Edit.
Enter data in all fields and write the path in the file with the key

AT last years there is a change in the trend in the strategy of attacks by special services on the most important security protocol for the Internet TLS/SSL. From now on, a direct cryptographic attack and hacking is no longer only extreme, but often unnecessary within the framework of modern world a measure where money and financial gain become the main driving force.

Due to the importance of this issue, as part of a series of publications, the site offers an overview of the security of the TLS / SSL protocol stack, while considering consistent and systematic strategies for weakening these protocols by intelligence agencies.

A third of the secure traffic in the world is generated cryptographic means with a deliberately weakened PRNG?

Removed from the channel

As a seed, let's turn to the Russian example - the latest court hearing in the case of the former owner payment system Chronopay Pavel Vrublevsky, accused of a DDoS attack against Aeroflot.

The essence of the key plot boiled down to the fact that the court requested internal correspondence between the participants in this criminal process, which they conducted through personal accounts on Facebook. Despite the fact that it contained the most important incriminating information, the insidious American social network did not heed the request of Russian justice and denied access to the private correspondence of citizens of the Russian Federation. And then the very dramatic turning point in this story takes place - the FSB, in executing the court decision, independently “extracts” the correspondence of these citizens.

“The Central Information Bureau of the FSB, in accordance with the Law “On Operative-Investigative Activities”, carried out an independent retrieval of information from the communication channels of these persons and recorded it on a DVD.”

Indeed, later the defense side was able to verify that the necessary personal correspondence was “removed from the network in full and to the extent” against the will of Facebook. At the same time, the defendants themselves in this case denied providing the investigation with their passwords and self-incriminating correspondence. You can find flashy news headlines like “The Russian FSB Hacked Facebook Servers” on RuNet, but you shouldn’t jump so far with conclusions.

Firstly, all communication sessions with Facebook are carried out exclusively over the secure HTTPS communication protocol. Secondly, since the last contacts of the defendants and this decision court (and, consequently, the investigative actions of the FSB to enforce this decision) a lot of time has passed. From what kind of “channel” could these “data from the past” be “removed” if the defendants themselves have not gone online since then, being under investigation?

They ignored these direct questions put to the representatives of the FSB during the trial. The most obvious version of the answer suggested itself: the HTTPS traffic with this correspondence was sniffed / stored by the FSB in advance and somehow subsequently hacked.

It is interesting that almost a similar case was recorded earlier in the materials of the same case. The FSB CIB, citing the protocol of the investigation, “by saving and analyzing the Internet connection traffic of one of the accused, recovered the login and password from the botnet control panel” (physically located on a server in the United States), after which it seized remote control over this botnet. So, access to the same web panel was carried out by the defendants, again, exclusively via an encrypted HTTPS connection in compliance with security measures (for example, without saving passwords on their local computer).

Thus, we state the existence of problems with the security of HTTPS, citing amazing cases of overcoming the "protection" of TLS/SSL by the Russian special services.

modus operandi

To crack an encrypted HTTPS session, you need to solve two main tasks: to be able to listen (intercept) traffic, and also to be able to decrypt the data encapsulated in such a secure packet.

We will not dwell on the first point, since special services have physical access to almost any channel. Those who follow the latest news from SORMomostroeniya are already aware that, in accordance with the new law, from July 1, 2014, all Russian providers are required to install special equipment on their networks to record and store their transit Internet traffic in full for a period at least 12 hours. Moreover, the security forces will have direct access to all stored and transit data arrays.

Gmail tells me: "Your account or computer may have been affected by hackers supported by certain countries"
— Roman Dobrokhotov (@Dobrokhotov) September 9, 2014

If we talk about listening to HTTPS sessions, then we immediately note important point- the need for "active mode" listening in some cases, because the saved traffic can not always be hacked later. We are talking about the so-called progressive secrecy mode (forward secrecy, FS) for the HTTPS protocol, which prevents the possibility of recovering data after the end of the communication session (even if an attacker can later obtain valid site keys). The presence of such a mode obliges the attacker to "forge the iron while it is hot" - that is, to crack data in real time, which in the vast majority of cases is hardly technically possible.

The bad news is that Facebook, like most other major Internet portals, does not use forward secrecy mode because it creates an additional serious burden on an already overloaded social machine. In addition, the use of such advanced DH algorithms may adversely affect compatibility with some popular browsers. Now it's easy to see why, according to Netcraft statistics as of summer 2013, approximately 70-99% of the SSL connections observed in this monitoring were not using FS at all.

That is, in the vast majority of cases, an attacker can safely store your HTTPS traffic for later picking and hacking (for example, when the private server key becomes known).

Above is a performance drop measurement on a 6-core web server processor with DHE enabled and disabled, respectively. DHE is chosen as the most popular and exemplary implementation of Perfect Forward Secrecy. For example, Google, whose services support almost all crypto-innovations and means of protecting its users (this is a striking exception to the general Internet practice), implements short-lived (“ephemeral”) PFS session keys based on ECDHE_RSA. And it's very, very expensive, believe me!

Given this remark, we will assume that everything is more or less clear with traffic interception. Now let's consider what to do next with the saved encrypted stream.

It seems that the general algorithm in this case will look something like this: when intercepting the traffic of interest, the HTTPS session is intercepted by hypothetical special services Information system receives a search request for the corresponding server key to its database. If such a key is not found, it is queued for further calculation (cracking). Taking into account the remark about the actual unavailability of the FS option, it always makes sense to silently accumulate (write) the traffic of interest without waiting for the system to respond about the readiness / availability of the key for decryption in real time.

With regard to the mentioned database from server keys, then back in the summer of 2013, Cnet published information and an example document of an NSA request to a large Internet company that wished to remain anonymous. According to this source, it became known that other major Internet sites (Google, Microsoft, Apple, Yahoo, AOL, Verizon, AT&T, etc.) received the same requests. Cnet has officially contacted these organizations for comment. similar request, but in the vast majority of cases, the companies refused to either confirm or deny such interactions with the NSA.

“Once again I wipe my feet on the myth that open source is the path to reliability. This bug in Debian OpenSSL was almost two years old."

Indeed, it was possible to close this vulnerability only after the uproar in the press. The Debian project itself called the situation with a long-standing bug in its OpenSSL repository "a rather strange story."

If we talk about the notorious hardware "bookmarks", then recently they have blossomed in a violent color already in the most unexpected places: from irons to coffee machines. So according to Spiegel, a special department of the NSA "Special Access Operations" (Tailored Access Operations, TAO) for a long time carried out a mass interception of the purchased most different companies and countries of computer (and not only) equipment on the way from the supplier to the addressee. At the same time, the intercepted equipment, shipped to the customer of interest to the NSA, quickly passed through the secret TAO “factory”, where modified software or “bugs” were introduced into it. Such intervention in the supply chain for its own purposes, denoted by the special term "interdiction", was rated by the NSA itself as one of the "most effective types of modern operations."

NSA plans to infect potentially millions of computers with malware as part of its Tailored Access Operations

When enabled All traffic (encrypted and unencrypted) or Encrypted only the agent uses SSL certificate spoofing technology to intercept data transmitted in secure web sessions. When establishing a secure connection with a server, the agent replaces the original server certificate with a certificate with the same name, but issued by the agent's root certificate. The system allows you to use both a pre-installed certificate and a manually created certificate with signing authority as a root.

The system allows you to manually install certain certificates for substitution when intercepting sessions of the corresponding servers (websites, programs) by linking the certificate to the server.

In some cases, the use of a non-original certificate may make it impossible to establish an encrypted connection to the server. In this case, it is necessary to exclude the corresponding servers from interception, i.e. prohibit the substitution of SSL certificates when connecting to such servers. This will restore the functionality of such sites or programs, but they will not intercept encrypted traffic.

To configure the interception of SSL traffic:

In the tab window Agent settings profilein the profile editing area select tab Network traffic control.
Click the button SSL Interception Options and follow the recommendations of the current paragraph.

Selecting the SSL certificate spoofing mode

In the settings window, select an acceptable interception mode:

For automatic generation agent SSL root certificate during installation to the user's computer, select the option Auto mode . The generated root certificate will be placed in the trusted certificate issuers database and automatically used by the agent to issue child certificates signed by default with the issuer name Falcongaze SecureTower .

To change the name of the certificate issuer, which will be indicated in the connection security information, specify the desired name in the field Name in SSL certificate .

To use a custom SSL certificate as a root certificate when intercepting encrypted traffic, select an option User mode. The user certificate must be pre-generated and added to the system database. To specify a certificate from the system database, select its name in the drop-down listUser Certificateor click the buttonUser certificates foradding certificate and private key files to the system database.

In the window that opens, click the button Add Certificate and specify the certificate and key files in one of the following ways:

To generate a new certificate, click the button Generate Certificate. In the window that opens, enter the name of the new certificate, its validity period, and specify the paths where the newly created certificate (*.cer) and private key (*.pvk) files will be stored. Click the Generate button.

If you want to add a certificate that was previously generated in PFX format, click the button Convert from certificate in PFX format. Specify the path and password to the certificate file in PFX format, as well as the path to the certificate (*.cer) and private key (*.pvk) files to which you want to convert original file. Click the Convert button to complete the conversion.

Click Next on the window Adding User Certificatesto continue the procedure additions . In the window that opens, enter a unique name with which the added certificate will be signed, and a comment (optional).

Click Done to complete the process. The certificate will be added to the user certificate database of the SecureTower system. Click OK to complete the addition.Added custom the certificate will be automatically placed by the agent in the database of trusted creators (if this has not been done previously by the network administrator) and will then be used to issue child certificates.

Note.

When using user mode, it is recommended that the network administrator distribute the user certificate to all computers on the network using group policies or manually. This will ensure successful certificate authentication. Otherwise, the certificate will be automatically added by the agent to the trusted certificate store.

Binding an SSL certificate to a server

To determine the "server-certificate" match, click the button Certificate bindingsand follow the guidelines below:

To bind to a specific root certificate server on the tab Root Certificates, press the button Add a site certificate. Enter hostname ( Domain name) to which child certificates will be issued and to which the root certificate will be bound in the Host name (IP address) field. Select one of the pre-installed root certificates from the field drop-down list Root Certificate or click the button User certificates to add and specify the certificate and private key files on the user's computer.
To bind an already existing certificate to a specific server, select the tab User certificates. The agent will not generate new child certificates for the servers specified in this tab, but will use certificates specified by the user for the substitution procedures. In the window that opens, in the Host name (IP address) field, enter the host name (domain name) to which the certificate will be bound. Select one of the certificates in the drop-down list of the Certificate : field (if certificates have already been added before) or click the button User certificates to select user certificates from a list, or to add and specify certificate and private key files on the user's computer.

Note.

To fill in the field Hostname (IP address) the use of the IP address of the host is allowed, but only in cases where the host name was not determined during the connection and only the IP address is known.

Excluding servers from intercepting encrypted traffic

To work with exceptions from the certificate spoofing process, click the buttonSSL Server Exceptions.

The exclusion manager window displays a list of servers (hosts) excluded from the replacement process by default. To add a new exclusion, click the button Add an exception.

In the input field of the dialog box that opens, enter the server (host) name (for example, accounts.google.com), case-sensitive, and click the Add button. The system allows you to use the introduction of names by mask (are the characters ? and * allowed, for example, using *.microsoft.* will avoid duplicate Microsoft resources in the exclusion list) to exclude resources of the same family. The entered name will appear in the exclusion list.

Next, you need to select the exclusion mode: Spoof certificates only for the SSL servers listed above, or Substitute SSL - certificates for all servers, except for those mentioned above. In the first case, the system will spoof certificates only for servers listed in the exclusion list (and, therefore, will be able to intercept the corresponding traffic). For all others, the certificates will not be spoofed, and the interception of the corresponding encrypted traffic will be impossible. In the second case, the system will replace certificates for all servers, except for those specified in the list of exceptions.

To perform other operations with exceptions, follow the relevant recommendations in paragraph

I will show and tell you how to use the sslstrip utility to intercept data that is transmitted over a secure SSL connection.
The sslstrip utility in my example (after performing an ARP-spoofing attack on the victim) will intercept the request of the victim's web client to establish a secure SSL connection and force it to use the insecure HTTP protocol. Next, I'll just look at what the victim is doing, not paying attention to the fact that she reads mail not via HTTPS, but via HTTP.

You will see how easy it is to organize attacks type MITM on SSL using the arp-spoof technique and the sslstrip program.

In my example, the victim is a virtual machine with an IP of 10.10.11.163 (an ordinary car with Windows), the PC from which I attack is 10.10.11.85 with the Kali OS installed and with sslstrip (this utility is preinstalled in the pentester Kali\BackTrack Linux distributions). Between us is a gateway with IP 10.10.11.1.

1. When the victim enters gmail.com, he is sent to the address https://gmail.com and this is normal. Naturally, we do not see passwords and logins to the victim's mail in the clear.

2. I enable traffic routing on a PC with Kali:

echo "1" > /proc/sys/net/ipv4/ip_forward

and configure iptables so that all http traffic is directed to port 81:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 81

arpspoof -i eth0 -t 10.10.11.163 10.10.11.1

now the victim's traffic goes through my car and (according to my iptables rule) is forwarded to port 81.

3. Run sslstrip

sslstrip -a -l 81 -w /root/Desktop/ssllog.txt

this will create a log file right on the desktop and start writing intercepted http traffic into it (actually, HTTPS will be intercepted, but it will be stripped). Well, in general, I start watching this file on the console:

tail -f /root/Desktop/ssllog.txt

4. Victim goes to his mail

To read mail, the victim, as always, climbs into MS Explorer (hehe) and enters gmail.com there. But for some reason the browser does not redirect the victim to https (in the http address bar)! The figure below shows what the victim will see at the last moment before I find out her password and login.

The victim clicks "Login" ... and on my window, where the intercepted traffic was displayed, I see the following:

As you can see, the password 1q2w3e4r5t6y...

To avoid the threats associated with interception of the beginning of an SSL connection, you must:
- do not use gadgets in untrusted networks, even if it is very necessary (a villain can arrange a MITM with a much higher probability, say, at an airport by installing a rogue wireless access point than by breaking corporate network your organization);
- encrypt mail with symmetric encryption protocols (I write and think about PGP);
- pay a normal salary to the administrator so that he does not have a desire to spy on your employees in this way;
- keep track of the ARP table and use hardware / software that monitors podbny attacks;
- regularly update the software from trusted legal sources.

Keep in mind that this article illustrates what is prohibited by law and the examples in it are provided to show how easy it is to attack SSL for educational purposes only.

Just about the complex. Programs. Iron. Internet. Windows