1 / 23

Hands-On Ethical Hacking and Network Defense

Hands-On Ethical Hacking and Network Defense. Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions. Last modified 5-11-09. How HTTPS Works. HTTP v. HTTPS. HTTP doesn't encrypt data at all You can sniff traffic with Wireshark, ettercap, etc. Completely insecure

peoplesr
Download Presentation

Hands-On Ethical Hacking and Network Defense

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions Last modified 5-11-09

  2. How HTTPS Works

  3. HTTP v. HTTPS • HTTP doesn't encrypt data at all • You can sniff traffic with Wireshark, ettercap, etc. • Completely insecure • HTTPS uses public-key encryption to secure data • Much safer, but it can still be cracked to some extent by a man-in-the-middle attack

  4. Components of HTTPS • When you use a secure session (HTTPS), these protocols work together: • Address Resolution Protocol (ARP) • Domain Name System (DNS) • Secure Sockets Layers (SSL)

  5. ARP Request and Reply • Client wants to find Gateway • ARP Request: Who has 192.168.2.1? • ARP Reply: • MAC: 00-30-bd-02-ed-7b has 192.168.2.1 ARP Request ARP Reply Client Gateway Gmail.com

  6. DemonstrationSniffing ARP with Wireshark • Start Wireshark capturing packets • Clear the ARP cache • arp –d * • Ping the default gateway

  7. DNS Query and Response • Client wants to find Gmail.com • DNS Query: Where is Gmail.com? • DNS Response: • Gmail.com is at 64.233.171.83 DNS Query DNS Response Client Gateway Gmail.com

  8. DemonstrationSniffing DNS with Wireshark • Start Wireshark capturing packets • Clear the DNS cache • ipconfig /flushdns • Ping Gmail.com

  9. SSL Handshake • SSL handshake has three stages: • Hellos • Certificate, Key Exchange, and Authentication • "Change cipher spec" – handshake finished • The Gateway just forwards all this traffic to the Web server Hellos Cert, Key Exch & Auth Chg Ciph Spec Gmail.com Client Gateway

  10. DemonstrationSniffing SSL Handshake with Wireshark • Start Wireshark capturing packets • Open a browser and go to yahoo.com • Click the My Mail button

  11. Open a Socket to Port 443 • This is the usual SYN, SYN/ACK, SYN TCP handshake • Port 443 is used for HTTPS

  12. Hellos • Client Hello • Server sends Hello • This exchange is used to agree on a protocol version and encryption method

  13. Certificate, Key Exchange, and Authentication • Server sends Certificate • Client sends Public Key • Client Authenticates Certificate with Certificate Authority (not visible)

  14. Change Cipher Spec • Server sends "Change Cipher Spec" • Client sends "Change Cipher Spec" • SSL Handshake is done, now client can send encrypted Application Data

  15. Summary of HTTPS Process • SSL handshake has three stages: • Hellos • Certificate, Key Exchange, and Authentication • "Change cipher spec" – handshake finished ARP DNS SSL/TLS Client Gateway Gmail.com

  16. Man-in-the-Middle Attack

  17. Summary of Attack Hacker • Hacker intercepts traffic • Must defeat ARP, DNS, and SSL ARP DNS Forwarded SSH Client Gateway Gmail.com

  18. ARP Cache Poisoning • The Linux utility 'arpspoof' sends a constant series of ARP REPLIES • This diverts Ethernet traffic to the hacker • Part of the 'dsniff' package

  19. DNS Spoofing • The Linux utility 'dnspoof' listens for DNS queries • Sends DNS responses sending Web server data to the hacker • Part of the 'dsniff' package

  20. IP Routing • 'fragrouter' can forward packets to their correct destination • That allows normal Web surfing (HTTP) • Part of the 'dsniff' package • This could also be done with 'iptables'

  21. SSL Spoofing • 'webmitm' creates a Certificate and intercepts SSL handshakes • Part of the 'dsniff' package

  22. Limitations of the Attack • The SSL spoofing is not perfect • You can't actually log in and read email • Internet Explorer sends your password to the hacker before giving up on the connection • Firefox doesn't send your password to the hacker

  23. Sources • Hacking videos from link l_15b • How to decrypt SSL encrypted traffic using a man in the middle attack (Auditor).swf • MITM Hijacking.wmv • SSL Handshake information from l_15a (cs.bham.ac.uk)

More Related