
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.


1 Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions

2 How HTTPS Works

3 HTTP v. HTTPS
- HTTP doesn't encrypt data at all
- You can sniff traffic with Wireshark, ettercap, etc.
- Completely insecure
- HTTPS uses public-key encryption to secure data
- Much safer, but it can still be cracked to some extent by a man-in-the-middle attack

4 Components of HTTPS
When you use a secure session (HTTPS), these protocols work together:
- Address Resolution Protocol (ARP)
- Domain Name System (DNS)
- Secure Sockets Layer (SSL)

5 ARP Request and Reply
- Client wants to find Gateway
- ARP Request: Who has 192.168.2.1?
- ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1
(Diagram: Client, Gateway, Gmail.com; ARP Request and ARP Reply exchanged between Client and Gateway)

6 Demonstration: Sniffing ARP with Wireshark
- Start Wireshark capturing packets
- Clear the ARP cache: arp -d *
- Ping the default gateway

7 DNS Query and Response
- Client wants to find Gmail.com
- DNS Query: Where is Gmail.com?
- DNS Response: Gmail.com is at 64.233.171.83
(Diagram: Client, Gateway, Gmail.com; DNS Query and DNS Response pass through the Gateway)

8 Demonstration: Sniffing DNS with Wireshark
- Start Wireshark capturing packets
- Clear the DNS cache: ipconfig /flushdns
- Ping Gmail.com

9 SSL Handshake
SSL handshake has three stages:
- Hellos
- Certificate, Key Exchange, and Authentication
- "Change cipher spec" – handshake finished
The Gateway just forwards all this traffic to the Web server
(Diagram: Client, Gateway, Gmail.com; Hellos, Cert/Key Exch & Auth, and Chg Ciph Spec pass through the Gateway)

10 Demonstration: Sniffing SSL Handshake with Wireshark
- Start Wireshark capturing packets
- Open a browser and go to yahoo.com
- Click the My Mail button

11 Open a Socket to Port 443
- This is the usual SYN, SYN/ACK, ACK TCP handshake
- Port 443 is used for HTTPS

12 Hellos
- Client sends Hello
- Server sends Hello
- This exchange is used to agree on a protocol version and encryption method

13 Certificate, Key Exchange, and Authentication
- Server sends Certificate
- Client sends Public Key
- Client authenticates Certificate with Certificate Authority (not visible)

14 Change Cipher Spec
- Server sends "Change Cipher Spec"
- Client sends "Change Cipher Spec"
- SSL Handshake is done; now the client can send encrypted Application Data

15 Summary of HTTPS Process
SSL handshake has three stages:
- Hellos
- Certificate, Key Exchange, and Authentication
- "Change cipher spec" – handshake finished
(Diagram: Client, Gateway, Gmail.com; ARP, DNS, and SSL/TLS exchanges in order)

16 Man-in-the-Middle Attack

17 Summary of Attack
- Hacker intercepts traffic
- Must defeat ARP, DNS, and SSL
(Diagram: Client, Gateway, Gmail.com, Hacker; labels ARP, Forwarded, DNS, SSH)

18 ARP Cache Poisoning
- The Linux utility 'arpspoof' sends a constant series of ARP REPLIES
- This diverts Ethernet traffic to the hacker
- Part of the 'dsniff' package
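The "constant series of ARP replies" is exactly what a defender can look for. The detector below is an added example, not part of the lecture: it runs over a constructed list of ARP replies (timestamp, sender IP, sender MAC, target IP, as Wireshark displays them) and flags the gateway IP being claimed by two different MACs, and any MAC that repeats the same reply several times within a short window. The gateway address and MAC are the ones from slide 5; the second MAC and the client address are made up.

```python
"""Detect ARP cache poisoning in a sequence of ARP replies (added example)."""
from collections import defaultdict

# Constructed sample capture: (time in s, sender IP, sender MAC, target IP).
# 00-30-bd-02-ed-7b is the real gateway MAC from the lecture; 00-0c-29-aa-bb-cc
# is a hypothetical second host that starts claiming the gateway IP at t=5.
SAMPLE_ARP_REPLIES = [
    (0.00, "192.168.2.1", "00-30-bd-02-ed-7b", "192.168.2.50"),
    (1.10, "192.168.2.1", "00-30-bd-02-ed-7b", "192.168.2.50"),
    (5.02, "192.168.2.1", "00-0c-29-aa-bb-cc", "192.168.2.50"),
    (5.52, "192.168.2.1", "00-0c-29-aa-bb-cc", "192.168.2.50"),
    (6.02, "192.168.2.1", "00-0c-29-aa-bb-cc", "192.168.2.50"),
    (6.52, "192.168.2.1", "00-0c-29-aa-bb-cc", "192.168.2.50"),
]


def find_ip_mac_conflicts(replies):
    """Return {ip: sorted MACs} for every IP that more than one MAC has claimed.

    A single IP answering from two hardware addresses is the core symptom of a
    poisoned ARP cache; legitimate hosts only change MAC when hardware changes."""
    claims = defaultdict(set)
    for _, sender_ip, sender_mac, _ in replies:
        claims[sender_ip].add(sender_mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def find_reply_floods(replies, window=2.0, threshold=3):
    """Return (ip, mac) pairs that sent more than `threshold` replies for the
    same IP inside any `window`-second span.

    arpspoof keeps re-sending the same reply so the victim's cache never
    expires; a normal host answers once per request, not continuously."""
    by_pair = defaultdict(list)
    for ts, sender_ip, sender_mac, _ in replies:
        by_pair[(sender_ip, sender_mac.lower())].append(ts)
    flooders = set()
    for pair, times in by_pair.items():
        times.sort()
        for i, start in enumerate(times):
            # Count replies that fall inside [start, start + window].
            count = sum(1 for t in times[i:] if t - start <= window)
            if count > threshold:
                flooders.add(pair)
                break
    return sorted(flooders)
```

In a real deployment the input would come from a capture tool or the switch's ARP inspection logs rather than a hard-coded list; the two checks are the same.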

19 DNS Spoofing
- The Linux utility 'dnsspoof' listens for DNS queries
- Sends DNS responses that direct Web server traffic to the hacker
- Part of the 'dsniff' package
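Because the spoofing tool only races the real name server, the client usually receives two responses to one query: the forged one first, the genuine one a few tens of milliseconds later. The following detector is an added example (not from the lecture) that runs over a constructed Wireshark-style list of DNS messages and reports (a) a transaction whose responses disagree and (b) a response that resolves an Internet name to an address on the local subnet. The gmail.com address is the one from slide 7; the transaction IDs, the 192.168.2.0/24 LAN and the 192.168.2.66 host are assumptions.

```python
"""Detect DNS spoofing from observed queries and responses (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: (time in s, kind, transaction id, query name, answer).
# Answer is None for queries. 192.168.2.66 is a hypothetical LAN host answering
# before the real server; 64.233.171.83 is the gmail.com address from the lecture.
SAMPLE_DNS = [
    (0.000, "query",    0x1a2b, "gmail.com", None),
    (0.001, "response", 0x1a2b, "gmail.com", "192.168.2.66"),
    (0.043, "response", 0x1a2b, "gmail.com", "64.233.171.83"),
    (1.000, "query",    0x3c4d, "yahoo.com", None),
    (1.038, "response", 0x3c4d, "yahoo.com", "98.137.11.163"),
]

LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")  # assumed LAN of the client


def find_conflicting_responses(messages):
    """Return [(txid, name, [answers])] for every query that received responses
    with different answers: one of them did not come from the real server."""
    answers = defaultdict(list)
    for _, kind, txid, name, answer in messages:
        if kind == "response":
            key = (txid, name.lower())
            if answer not in answers[key]:
                answers[key].append(answer)
    return [(txid, name, ans) for (txid, name), ans in answers.items() if len(ans) > 1]


def find_local_answers_for_external_names(messages, local_net=LOCAL_NET):
    """Return [(txid, name, answer)] where a public name resolved into the LAN.

    That is the end result of dnsspoof in this lecture: Gmail.com pointing at
    the hacker's own machine. A local answer is legitimate only for names the
    site itself hosts internally, so compare against an allow-list in practice."""
    hits = []
    for _, kind, txid, name, answer in messages:
        if kind != "response" or answer is None:
            continue
        if ipaddress.ip_address(answer) in local_net:
            hits.append((txid, name, answer))
    return hits
```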

20 IP Routing
- 'fragrouter' can forward packets to their correct destination
- That allows normal Web surfing (HTTP)
- Part of the 'dsniff' package
- This could also be done with 'iptables'

21 SSL Spoofing
- 'webmitm' creates a Certificate and intercepts SSL handshakes
- Part of the 'dsniff' package

22 Limitations of the Attack
- The SSL spoofing is not perfect
- You can't actually log in and read email
- Internet Explorer sends your password to the hacker before giving up on the connection
- Firefox doesn't send your password to the hacker

23 Sources
- Hacking videos from link l_15b:
  - How to decrypt SSL encrypted traffic using a man in the middle attack (Auditor).swf
  - MITM Hijacking.wmv
- SSL Handshake information from l_15a (cs.bham.ac.uk)
