
Some complex questions about ssl stripping and re-encrypting ssl traffic?


manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Thu Feb 24, 2011 11:28 am

Some complex questions about ssl stripping and re-encrypting ssl traffic?

I have been studying a lot regarding cryptography these days. I tried to learn the in-depth operations of SSL stripping, but I got stuck at a point, so I thought of asking here.

As far as I have learnt, first the attacker captures or listens to the victim's traffic with ARP spoofing/ARP poisoning (in most cases), applies SSL stripping, decodes the traffic and passes it back as "http" traffic to the victim. This is how I assume SSL stripping works.


1) In the same way, can we strip out SSH or any kind of encrypted traffic?

2) Suppose a victim is using multiple encryptions; what will happen?
For example, say a victim is using a VPN, and inside the VPN he is using some SSH tunneling to access the Gmail account, so at this stage 3 layers of encryption are there,

i.e. SSL for the VPN, SSH encryption, another SSL for Gmail. Now at this junction, is it possible for an attacker to strip out these multiple encryptions?

3) Also, why are the SSL encryption developers not developing a technology that can verify data integrity like the IPsec standards? Why are they merely developing some complex algorithms and focusing more and more on increasing the strength of the encryption? Why are they not focusing anything on data integrity?


4) I have been thinking about some LAW enforcement level SSL decryption after I saw the following device:
http://www.wired.com/threatlevel/2010/03/packet-forensics/


What made me amused was, there is a class of hackers who just strip the SSL and access the plain text; this is the most common scenario we are seeing in the real world, but there exists another side, which is being missed by most of the professionals: the law enforcement guys are using it like this


victim aka bad guy -------> SSL stripping by law enforcement (and after decryption, they have been re-encrypting the traffic because they have valid digital certificates from the CAs all over the world) ---------------> victim's destination...

Even though we don't have a root certificate, as a pen-tester is it possible for us to do like the above?

Because I don't want my victim to know that I am stripping his traffic; that is the main thing I am willing to learn.


Hope I will get my doubts cleared...
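The downgrade sketched in this post (the victim's HTTPS session replaced by plain HTTP) is exactly what HTTP Strict Transport Security was introduced to stop on the client side. The following is an added example, not code from the thread or from any poster: a minimal HSTS-style policy cache in Python. The host names, header values and clock are constructed for the demonstration, and `HstsCache` and its methods are my own names, not a real library API. The point it shows is that a policy can only be set or cleared by an HTTPS response, so a stripped plaintext session cannot disable the protection, and a plaintext fetch of a known host is a hard failure rather than a redirect to follow.

```python
"""Added example (not from the thread): an HSTS-style policy cache that blocks
the HTTPS-to-HTTP downgrade that SSL stripping relies on.

Assumptions (mine, not the posters'): response headers are given as dicts,
all host names are constructed sample data, and the clock is injected so the
expiry behaviour can be exercised deterministically.
"""
import re
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


class HstsCache:
    """Remember hosts that declared Strict-Transport-Security over HTTPS."""

    def __init__(self, now):
        self._now = now      # callable returning the current epoch seconds
        self._hosts = {}     # host -> (expiry_epoch, include_subdomains)

    def observe_response(self, url, headers):
        """Record an HSTS directive. The header is honoured only on an HTTPS
        response; a plaintext response (what a stripped session delivers) can
        neither set nor clear policy. Returns True if the cache changed."""
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        match = _MAX_AGE.search(value)
        if not match:
            return False
        host = parts.hostname.lower()
        max_age = int(match.group(1))
        if max_age == 0:
            self._hosts.pop(host, None)    # max-age=0 withdraws the policy
            return True
        include_sub = "includesubdomains" in value.lower()
        self._hosts[host] = (self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a
        non-expired policy."""
        if host is None:
            return False
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue                   # expired entry is ignored
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before a request leaves."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url

    def accept_plaintext(self, url):
        """A plaintext fetch of a known host is refused outright; this is the
        check that defeats the rewrite an SSL-stripping proxy performs."""
        parts = urlsplit(url)
        return not (parts.scheme == "http" and self.is_known(parts.hostname))


def demo():
    """Walk through the constructed scenario and return the observed decisions."""
    clock = [1_000_000]
    cache = HstsCache(lambda: clock[0])
    # Legitimate HTTPS response sets the policy for bank.example and subdomains.
    cache.observe_response("https://bank.example/login",
                           {"Strict-Transport-Security": "max-age=3600; includeSubDomains"})
    # A stripped (plaintext) response trying to clear the policy is ignored.
    poisoned = cache.observe_response("http://bank.example/",
                                      {"Strict-Transport-Security": "max-age=0"})
    results = {
        "poison_accepted": poisoned,
        "rewritten": cache.rewrite("http://www.bank.example/account"),
        "plaintext_blocked": not cache.accept_plaintext("http://bank.example/"),
        "unknown_host_passes": cache.accept_plaintext("http://news.example/"),
    }
    clock[0] += 3601                       # let the policy expire
    results["expired_allows_http"] = cache.accept_plaintext("http://bank.example/")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The expiry case at the end is the caveat: once `max-age` lapses the protection is gone until the next HTTPS visit, which is why preloaded HSTS lists exist for hosts that never want a first plaintext contact.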

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Thu Feb 24, 2011 2:40 pm

Re: Some complex questions about ssl stripping and re-encrypting ssl traffic?

You are missing a very important point: man-in-the-middle.

manoj9372

Jr. Member

Posts: 72

Joined: Mon Oct 05, 2009 8:54 am

Post Thu Feb 24, 2011 8:24 pm

Re: Some complex questions about ssl stripping and re-encrypting ssl traffic?

Couldn't get your exact point sir, yes I know this is a MITM attack? I am a bit confused sir...

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Mar 11, 2011 9:17 pm

Re: Some complex questions about ssl stripping and re-encrypting ssl traffic?

No, they're not passing HTTP back to the user; they're swapping out the legitimate cert with an untrusted one. The users will be alerted of this, but most will simply click-through. Have you seen the presentation by the creator of sslstrip? It's worth watching: http://www.thoughtcrime.org/software/sslstrip/
The day you stop learning is the day you start becoming obsolete.

timmedin


Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Fri Mar 25, 2011 9:47 pm

Re: Some complex questions about ssl stripping and re-encrypting ssl traffic?

It's not just that, there is more to it. If you type www.paypal.com into your browser you will go to PayPal and be redirected to https. SSLStrip will negotiate the secure traffic with the server, but then rewrite it so the user is never sent to the SSL site. No need to see any cert errors on the client side.

I don't believe it is implemented yet, but since you are in the middle of the connection you can mess with the Online Certificate Status Protocol (OCSP). "Applications are required to check for revocation of the certificate before accepting it. The application should support both CRL and OCSP, although OCSP is clearly the wave of the future and the only scalable approach. (In his presentation Marlinspike suggests a method for bypassing OCSP by returning a "Try again later" code, in which case the application typically gives up and authenticates. The EV rules state: "If the application cannot obtain a response using one service, then it should try all available alternative services." This precludes the lazy behavior described by Marlinspike.)"
(ref: http://extendedvalidationsslcertificates.com/)

The "Try again later" code is the only response from the server that is not encrypted. If I remember correctly, most of the browsers will continue to the site if they can't get a good OCSP response, but you might want to double check.
twitter.com/timmedin | http://blog.securitywhole.com
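The OCSP point above rests on one structural fact: in an `OCSPResponse` (RFC 6960, section 4.2.1) only the outer `responseStatus` enumeration is unsigned; everything else is inside the signed `BasicOCSPResponse` carried in `responseBytes`. So a client that treats a `tryLater` status as "no answer, carry on" (soft-fail) accepts a certificate with no revocation evidence at all, while a hard-fail client refuses. The following is an added example, not code from the thread or from any poster: a small DER parser in Python for the outer envelope, plus the policy decision. The sample responses are constructed by me (the `successful` one carries a placeholder body instead of a real signed response), and `parse_ocsp_response` and `revocation_decision` are my own names, not a library API. The block stops at the policy decision; a real verifier must go on to verify the signature and freshness of the `BasicOCSPResponse`.

```python
"""Added example (not from the thread): parse the unsigned outer status of a
DER-encoded OCSPResponse and apply a soft-fail or hard-fail revocation policy.

OCSPResponse ::= SEQUENCE {
    responseStatus  OCSPResponseStatus,          -- ENUMERATED, never signed
    responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }

All sample bytes below are constructed for this example, not captured from a
real responder.
"""

OCSP_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER TLV; short and long lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_ocsp_response(der):
    """Return (status_name, has_response_bytes); raise ValueError if malformed."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("OCSPResponse must be a single SEQUENCE")
    tag, status, pos = _read_tlv(body, 0)
    if tag != 0x0A or len(status) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    code = status[0]
    if code not in OCSP_STATUS:
        raise ValueError("unknown responseStatus %d" % code)
    has_bytes = False
    if pos < len(body):
        tag, _, pos = _read_tlv(body, pos)
        if tag != 0xA0:                    # [0] EXPLICIT, constructed context tag
            raise ValueError("expected [0] EXPLICIT responseBytes")
        has_bytes = True
    if pos != len(body):
        raise ValueError("trailing data in OCSPResponse")
    return OCSP_STATUS[code], has_bytes


def revocation_decision(der, hard_fail):
    """Decide what a client does with a raw OCSP reply.

    'check-signed-response': a successful envelope was received; the caller
        must now verify the signed BasicOCSPResponse before trusting anything.
    'accept-unverified': soft-fail behaviour, proceeding with no evidence.
    'reject': hard-fail behaviour for any non-successful or unparseable reply.
    """
    try:
        status, has_bytes = parse_ocsp_response(der)
    except ValueError:
        status, has_bytes = "unparseable", False
    if status == "successful" and has_bytes:
        return "check-signed-response"
    return "reject" if hard_fail else "accept-unverified"


# Constructed sample replies (hex of DER).
TRY_LATER = bytes.fromhex("30030a0103")           # SEQUENCE { ENUMERATED 3 }
MALFORMED = bytes.fromhex("30030a0101")           # SEQUENCE { ENUMERATED 1 }
# 'successful' envelope with a placeholder OCTET STRING where the signed
# BasicOCSPResponse would be.
SUCCESSFUL = bytes.fromhex("30080a0100a003040100")


if __name__ == "__main__":
    for name, reply in (("tryLater", TRY_LATER), ("malformed", MALFORMED),
                        ("successful", SUCCESSFUL)):
        print(name, parse_ocsp_response(reply),
              "soft-fail:", revocation_decision(reply, hard_fail=False),
              "hard-fail:", revocation_decision(reply, hard_fail=True))
```

Run stand-alone it prints the parsed status and both policy outcomes for each constructed reply; the `tryLater` row is the case the post describes, where the two policies diverge.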
