Theory
SSL or Secure Socket Layer is a protocol designed for secure communication over the internet. SSL creates a secure and encrypted tunnel between two parties. For example the client(laptop) and server(web application). SSL can be used in the HTTPS protocol for secure communications for online banking or other important online services.
The creator of sslstrip shows in 2009 how it is possible to attack SSL using a Man In The Middle Attack. SSL itself is secure and the encryption cannot be cracked if the SSL session is established. However it is possible to intercept the SSL traffic with a Man In The Middle Attack using Linux, Python, iptables and arpspoof. Normally the ssl session creates a secure tunnel between the client and server:
With a Man In The Middle Attack. The attacker sits between the client and server to intercept the traffic:
At this moment, 4 years later, you may aspect that the top 100 websites are protected against this attacks. So I tried this week a few websites. Some websites are indeed protected. However there are still many websites vulnerable. On the server side you can enforce the HTTPS protocol. So even if you attack the network. The website don’t work and you cannot fill in your credentials. In this case the attacker can’t sniff your credentials. However this cost money and resources.
Vulnerable websites 16-01-2014
| Organisation | Website URL | Website vulnerable |
|---|---|---|
| ASN Bank | asnbank.nl | YES |
| DigiD | digid.nl | YES |
| ING Bank | mijn.ing.nl | NO |
| SNS Bank | snsbank.nl | YES |
| twitter.com | NO | |
| Rabobank | bankieren.robobank.nl | YES |
| Fox-IT | fox-it.com | NO |
| ABN AMRO | abnamro.nl | NO |
| Friesland Bank | internetbankieren.frieslandbank.nl | NO |
| My Aegon | online.aegon.nl | NO |
| facebook.com | YES | |
| instagram.com | YES | |
| Tweakers | secure.tweakers.net | YES |
| Amazon | amazon.com | YES |
| Wikipedia | wikipedia.org | YES |
| linkedin.com | YES | |
| Blogspot | blogspot.com | NO |
| WordPress | wordpress.com | YES |
| Bing / Microsoft | bing.com | YES |
| Ebay | ebay.com | YES |
| MSN / Microsoft | msn.com | YES |
| Tumblr | tumblr.com | YES |
| Craigslist | craigslist.org | NO |
| Imgur | imgur.com | YES |
| reddit.com | YES | |
| Netflix | netflix.com | YES |
| Pirateproxy | pirateproxy.net | YES |
| Vimeo | vimeo.com | YES |
| Dropbox | dropbox.com | NO |
| Badoo | badoo.com | YES |
| Deviantart | deviantart.com | YES |
| 4shared | 4shared.com | YES |
| Walmart | walmart.com | YES |
| Sourceforge | sourceforge.net | YES |
| Ikea | ikea.com/nl/nl/ | YES |
| Domaintools | domaintools.com | YES |
| Steam | steampowered.com | YES |
| Scribd | scribd.com | YES |
| Bol | bol.com | YES |
| My Vodafone | my.vodafone.nl | YES |
Websites tested via:
Launch a Man In The Middle Attack on local test network.
Navigates to http://www.google.nl and typed the name of the organisation.
Via the company website I tested the login or homepage if the website is vulnerable.
It is also possible to manually type the company website link via the address bar with only the HTTP protocol. If the website is vulnerable it goes not automatically to the HTTPS protocol because they don’t enforce HTTPS. Or make the login page invisible if the HTTP protocol is used, so the user can’t login.
Practice
Let’s say we are driving around with a laptop (Backtrack 5 operating system and WIFI-antenna), searching for insecure, or even worse, wrong configured WIFI access points or Routers (WEP encryption or bad passwords). If we find a access point with WEP encryption. Within 5 minutes or less, we have cracked the WIFI password, can connect to the network and launch a Man In The Middle Attack on the network. Within minutes all the internet traffic from the network will be routed to our laptop. If the user connect to a website which is vulnerable for a Man In The Middle Attack we can reveal their username and password.
How to protect?
In order to mitigate a Man In The Middle attack you can use a browser add-on to enforce the HTTPS protocol. Or type the HTTPS link manually. Use bookmarks with HTTPS links. Security awareness to make sure you connected to a website with the HTTPS protocol. Click on the lock icon or world globe in the address bar to ensure the connection is secured and encrypted or not.
Look at the picture. Left side is NOT encrypted. On the right side the connection is secure and encrypted!
Geef een reactie