
[help]Sniffing encrypted traffic with-out breaking the encryption?

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Thu Feb 10, 2011 12:15 am

[help]Sniffing encrypted traffic with-out breaking the encryption?

I have been playing with sniffers in some networks, but after a point I am bored of traditional sniffing; most people here use some sort of encryption like SSL, SSH, IPsec. Also, as IPv4 addresses are going to get exhausted in a few days, IPv6 with default IPsec will be implemented everywhere in the future, I think. I thought of learning some advanced sniffing techniques. Also I looked into traditional SSL stripping, but it is easily detectable. I am looking for some ways to sniff encrypted traffic without breaking the encryption; I hope it would be tough, but I believe it is still possible...
Looking for some help, ideas, references from the members here.

Hope I will get some useful inputs...

TheXero

Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Thu Feb 10, 2011 7:37 am

Re: [help]Sniffing encrypted traffic with-out breaking the encryption?

This is where you would learn the hardcore stuff about encryption, SSL, SSH etc. and learn exactly how the encryption works as well as the handshakes.

You will then have more knowledge about how it works; only then can you come up with your own method of breaking an existing connection, bruteforce maybe?

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Thu Feb 10, 2011 8:54 am

Re: [help]Sniffing encrypted traffic with-out breaking the encryption?

Unless I'm missing something obvious, what's stopping you from capturing the packets to a pcap file?  You can always capture the packets and analyze them afterward.  It would seem like gibberish with the encryption in place, but if you know of a vulnerability in the cryptography then decrypting it wouldn't be a problem.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Thu Feb 10, 2011 12:08 pm

Re: [help]Sniffing encrypted traffic with-out breaking the encryption?

Just like yatz said, the use of some encryption mechanism won't stop you from capturing the traffic. Here cryptography is providing a confidentiality service that will stop you from having access to the plain text, and unless you find some weakness in the algorithm itself or the implementation (or somehow you get the keys) you won't be able to have the plain text.

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Thu Feb 10, 2011 1:48 pm

Re: [help]Sniffing encrypted traffic with-out breaking the encryption?

First of all, instead of trying to break the encryption, is it possible to steal the private key of the victim without getting into his system?

Also I had seen some guys doing this in my real life; that is what inspired me to ask this question, because IPsec, SSH, SSL look secure only to certain people :),

Also I am looking into the future, where IPv6 with default IPsec will be used everywhere :(

So I thought of learning something useful for my future. Also I am not a great crypto expert; if I preferred to study those, what are the things I should do?

Also are there any ways to do the above things I mentioned?

Looking for some more inputs...

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Feb 10, 2011 3:57 pm

Re: [help]Sniffing encrypted traffic with-out breaking the encryption?

Alright so here goes in real ugly fashion:

What is involved in an encrypted connection 101:

  Code:
1) Client --> Server
2) Client --> network --> Server
3) Client --> network --> Can we agree on an algorithm to send secure data? --> Server (pre sending packets)

With this said, you need to be in the stream between client and server to make this happen. As the Client, you're sending #3 in order to establish a secure connection. This will involve coming to an agreement where the Client and Server can communicate based on predefined parameters, e.g. SSL, keys, etc.

You need to perform the following:

  Code:
Client -->  | Intercept --> Server (sent as you)
You -------/

You (acting as a proxy, MITM, etc.) --> Hi, I'm Client, here is my key||cert, let's talk --> Server

Server will respond and negotiate with you depending on what it is you're HIJACKING/MITMing at this point (this explanation will only work on SSL).

The following occurs:

  Code:
Server --> Agreed, I saw your cert, let's get started --> Client (which is you via Proxy MITM)

Thus the conversation begins:

From Client to server

  Code:
1) Client --> (intercepted and passed to you) --> You read, copy, re-encrypt --> Send YOUR ENCRYPTED VERSION --> Server

From Server to you

  Code:
1) Server --> yup, yup, here is your data --> Client (which is you) --> YOUR MACHINE (read, copy, re-encrypt) --> Hey! I'm your server connection here is your encrypted data --> Client

As to the previous post: "This is where you would learn the hardcore stuff about encryption, SSL, SSH etc. and learn exactly how the encryption works as well as the handshakes", good luck getting by CBC. There is a lot more to understand than handshakes, so if terms like confusion, diffusion, EEE, EDE, CBC, glitching and timing make you punch them into Google, one needs to learn A LOT. So to put it bluntly, matter-of-factly, even if you 'had the skills' to do this, you wouldn't be posting on forums about how to break it, so here is an olive branch.

Under VPNs there are usually two modes, main mode and aggressive mode. Aggressive mode IS tap-able, but you need to know a lot about TOCTTOU, race conditions and so on. Even with main mode, it's still doable (although I haven't seen it personally, I have read about the theory); however, when PFS is involved, it's an altogether 'nother story.

If you want to learn more about WHY things are an issue, I suggest Googling: "key establishment problem" (quick link posted). As for "stealing keys", anything is possible; however, what do you think you'd be able to do if you compromised my machine, stole my key and tried to connect to a trusted address with my IP bound? Blind spoofing? Sure, you can send, but you'd never receive unless you're on the same network as me, and then you'd have to DoS me to oblivion. Because you're doing blind spoofs to send, the server WILL respond to me since it believes it's talking to me. At that point, my machine, in a confused state, sends an RST: "I didn't set up this connection... What are you talking about?" to the server. Server drops the connection, never giving you a full conversation... What did you accomplish? You're better off trying to get a client to download, say, a customized dropper, traverse to their machine and log from either endpoint once it's decrypted.

1) http://www.corelan.be:8800/index.php/20 ... enos-cjfv/
2) http://www.securityfocus.com/archive/1/408478
3) http://www.springerlink.com/content/2ykbd7x4xv9l7l5f/
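Added example, not from sil's post or any project: a small Python model of the interception sequence laid out above, showing the one decision in step 3 that decides whether it works, namely whether the client checks who signed the presented certificate and for which host. Certificates are plain dicts, an HMAC stands in for the CA signature, and every CA name, key and hostname (TrustedCA, ProxyCA, bank.example) is constructed; real TLS is far more involved, but the check modelled here is the same one a verifying client performs.

```python
# Added example, not from the post: a toy model of the interception sequence
# sil describes. Certificates are dicts, a CA "signature" is an HMAC over the
# cert body, and the session key is "wrapped" by recording which certificate
# holder receives it. Every key, CA name and hostname here is constructed.
import hashlib
import hmac
import secrets

# The client's trust store (what step 3 of the handshake checks against).
TRUST_STORE = {"TrustedCA": b"constructed-trusted-ca-key"}
# The CA the proxy controls; it is NOT in the client's trust store.
PROXY_CA = ("ProxyCA", b"constructed-proxy-ca-key")


def _body(subject, pubkey):
    return f"{subject}|{pubkey}".encode()


def issue_cert(issuer, issuer_key, subject, pubkey):
    """Issue a toy certificate; the HMAC stands in for the CA's signature."""
    sig = hmac.new(issuer_key, _body(subject, pubkey), hashlib.sha256).hexdigest()
    return {"subject": subject, "pubkey": pubkey, "issuer": issuer, "sig": sig}


def verify_cert(cert, expected_host, trust_store):
    """Return the problems a careful client finds with a presented cert.

    An empty list means the cert chains to a trusted issuer, the signature
    checks out under that issuer's key, and the subject matches the host
    the client meant to reach."""
    problems = []
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        problems.append(f"issuer {cert['issuer']!r} is not in the trust store")
    else:
        expected = hmac.new(ca_key, _body(cert["subject"], cert["pubkey"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["sig"]):
            problems.append("signature does not verify under the issuer's key")
    if cert["subject"] != expected_host:
        problems.append(f"cert is for {cert['subject']!r}, not {expected_host!r}")
    return problems


def client_handshake(presented_cert, host, trust_store, verify=True):
    """The client's side of 'can we agree on an algorithm to send secure data?'.

    Returns (accepted, payload): on rejection payload is the problem list; on
    success it is (holder, session_key), where holder is the pubkey of the
    presented cert, i.e. whoever can unwrap the fresh session key."""
    if verify:
        problems = verify_cert(presented_cert, host, trust_store)
        if problems:
            return False, problems
    session_key = secrets.token_bytes(16)
    return True, (presented_cert["pubkey"], session_key)


def run_connection(through_proxy, client_verifies):
    """Model one connection to bank.example, optionally via an intercepting
    proxy that presents its own cert for the same hostname. Reports whether
    the client proceeded and whether the proxy ends up holding the key."""
    server_cert = issue_cert("TrustedCA", TRUST_STORE["TrustedCA"],
                             "bank.example", "server-pub")
    proxy_cert = issue_cert(PROXY_CA[0], PROXY_CA[1], "bank.example", "proxy-pub")
    presented = proxy_cert if through_proxy else server_cert
    accepted, payload = client_handshake(presented, "bank.example",
                                         TRUST_STORE, verify=client_verifies)
    if not accepted:
        return {"accepted": False, "proxy_reads_plaintext": False, "problems": payload}
    holder, _session_key = payload
    # The proxy can "read, copy, re-encrypt" only if the key was wrapped for it.
    return {"accepted": True,
            "proxy_reads_plaintext": holder == proxy_cert["pubkey"],
            "problems": []}


if __name__ == "__main__":
    for proxy, verifies in [(True, True), (True, False), (False, True)]:
        print(f"via proxy={proxy}, client verifies={verifies}:",
              run_connection(proxy, verifies))
```

The `verify=False` knob is the whole story: with verification on, the proxy's certificate is rejected because its issuer is not trusted (or, with a stolen-but-mismatched cert, because the subject does not match the host), so the proxy never receives a session key and only ever sees ciphertext, which is mambru's point. With verification off, the client wraps the key for whoever answered, and the read/copy/re-encrypt flow in the post proceeds. In a real client the equivalent settings are chain validation against the trust store and hostname checking; disabling either is what the described interception depends on.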
