Log in / Register
Home arrow Computer Science arrow Understanding Network Hacks
< Prev   CONTENTS   Next >

7.12 SSL Sniffing

The whole web security as well as the security of services like SMTP, IMAP, POP3, IRC, Jabber, ICQ or even complete VPNs with regard to encryption and authentication, is based on the Secure Socket Layer protocol or SSL for short.

SSL itself is based on x509 certificates, Certificate Authorities (CA), that build a Public Key Infrastructure (PKI) and use public key algorithms to encrypt and sign data. What sounds rather complex and massively includes beautiful words like authority, encryption and certificate, must simply be great and secure, right? ;)

But how exactly is SSL operating under the hood? A CA, that means some company or state, generates a public key keypair. The public part of the key pair is delivered to everyone as it is being used to examine the authenticity of a certificate. The private key serves for signing of certificates. A certificate is nothing more than a public key combined with some meta data such as Common Name (for example a host or domain name) and some address data.

A website that wants to secure its services with SSL generates a new public key pair. The public key together with the meta data like name and address is packaged into a Certificate Signing Request (CSR). In a minute we will look into that in detail. The CSR is sent to a Certificate Authority, that signs the CSR with its own private key and thus generates a certificate out of it. This certificate is saved on the protected webserver.

If a browser now connects to a webpage by using the protocol HTTPS it initiates a SSL handshake. In a Client Hello message the client sends the SSL/TLS versions as well as encryption/authentication mechanisms it supports. If the server speaks a combination of them it responds with a Server Hello message including the server certificate. Optionally the server can request the certificate of the client. Once the client has verified the signature of the servers certificate, with the help of the CAs public key that is integrated into the browser, it sends the server a random number encrypted with the public key found in the server certificate. This random number is used to generate the session key with which the whole traffic gets encrypted. Finally both sites acknowledge the success of the handshake sending a Client finishedor Server finished message.

So far so good. This procedure, by the way, is common for all SSL protocols

not only for HTTPS but we remind ourselves of one of the basic principles that simplicity is the key to security.

Have a look at the long list of CAs that your browser trusts. You could get dizzy. The quality of SSL security is only as good as the security of all those companies and institutions. However, some do not seem as good at protecting their systems as they should be. For example, DigiNotar, that got quite a lot of fame for being misused to issue certificates for popular web pages like Google and Facebook that were later used for man-in-the-middle attacks. A few weeks later the KPN affiliate Gemnet stuck out negatively for forgetting to protect their Phpmyadmin installation with a password. It is your decision if you would like to trust such companies.

An attacker does not even necessarily need a valid certificate to successfully infiltrate a HTTPS connection! He or she can just hope for the users gullibility or the common “click ok as fast as you can” reflex to circumvent the security of the system. We will write a tiny tool to demonstrate this. It utilizes the mitmproxy module written by Aldo Cortesi.

Mitmproxy like Scapy is a Python module that you can integrate into your programs as well as a stand-alone tool.

Mitmproxy as a tool consists of two programs: mitmdump, that describes itself as a Tcpdump for HTTP (so it shows the traffic that flies by) and mitmproxy, an intercepting web proxy, which cannot only display traffic but also has the possibility to directly manipulate it.

First of all let's program a rudimentary HTTPS sniffer with the help of the libmproxy module, but before we dive into the source code we quickly generate a self-signed certificate with openssl.

The first step is to generate a new private key. Enter anything as password. This key is our own CA.

openssl genrsa -des3 -out server.key 1024

With the next command we remove the password from the key to be able to easily import it into our program.

openssl rsa -in -out server.key

Then we use this key to create a Certificate Signing Request (CSR). Therefore we must enter some certificate meta data (or just enter, enter, enter, enter. . . for some default values).

openssl req -new -key server.key -out server.csr

Last but not least we sign the CSR with our private key. This is all a CA is doing besides maintaining a list of revoked certificates called CRL.

openssl x509 -req -days 365 -in server.csr

-signkey server.key -out server.crt

Now we take care of our HTTPS sniffing source code.

1 #!/usr/bin/python


3 from libmproxy import controller, proxy


5 class Sniffer(controller.Master):

6 def run(self):

7 try:

8 return

9 except KeyboardInterrupt:

10 self.shutdown()



13 def handle_request(self, request):

14 print "Got request " + str(request.headers)

15 request._ack()


17 def handle_response(self, response):

18 print "Got response " + str(response.headers)

19 print response.content

20 response._ack()



23 port = 1337

24 ssl_config = proxy.SSLConfig("cert.pem")

25 proxy_server = proxy.ProxyServer(ssl_config, port)

26 m = Sniffer(proxy_server)


28 print "Running proxy on port " + str(port)


We implement a class Sniffer to handle requests and responses. It inherits from the class controller.Master and overrides the run method, that is responsible for reacting on KeyboardInterrupt events. Thereby it's possible for us to terminate the sniffer when the user presses CTRL-C or something similar.

Furthermore, we overwrite the handle_request and handle_response methods, that get invoked when a HTTP(S) request or response is received. In both functions we just dump all packet headers and, if it is a response, additionally the packets payload. Afterwards we send an ACK to acknowledge the request or response.

Last but not least we create a Proxy instance which loads our self-signed SSL certificate and turns it over to the Sniffer class.

You can now configure your browser to use localhost as a proxy on port 1337 and you should be able to see all HTTPS requests and their responses on the console. Be aware that binary data such as images could brick your terminal or at least lead to funny reactions.

Sure, it is not very helpful if you have to tell your victim to reconfigure the browser in order to be able to read the traffic. The sniffer can be combined with a man in the middle attack like DNS spoofing and then be used transparently. First you spoof your own IP. This will connect the victim to your host instead of the desired destination. Then you forward the traffic via IP forwarding.

What is still missing is a short example on how to use the tool mitmproxy to intercept requests and manipulate them. Start the tool by executing mitmproxy and configure your browser to use localhost and port 8080 as proxy.

In the mitmproxy window enter i followed by ~q to trigger it's intercepting mode and catch all requests. Now just browse an URL and it should show up in mitmproxy with a prepending ! which means this request got caught. Press Enter to have a look at the request details and e to open the default editor in order to manipulate the request. After saving your changes press a to accept the manipulated request and send it instead of the original one.

Additionally Mitmproxy offers a scriptable Python Event interface, so you can write a few lines of Python that get automatically triggered for events like “Got Request” or “Got Response”, but this is beyond the scope of this book. An introduction to this topic can be found under the following URL: mitmproxy. org/doc/scripts.html.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science