SSL Impersonation in 5 minutes or less!

DESCRIPTION

SSL certificate impersonation… for shits and giggles! A quick 5-minute talk about SSL impersonation and why self-signed certs aren't a valid solution for your enterprise! BruCON 2011 Lightning Talk

TRANSCRIPT
Who, What, Why
• Who
  – Enterprises
  – Home Users
  – You!
• What
  – Self-Signed Certs
• Why
  – Because signing your own certs is bad, m’kay!
Why use self-signed certs?
• Easy
  – One-click and you’re done
• Fast
  – No need to wait on a CA
• Default?
  – Default cert…
  – Ah, just leave it
• It’s ONLY a test server!
Self-signed cert in action
Self-signed cert in action
Enter Metasploit… the tool of champions

msf > use auxiliary/gather/impersonate_ssl
msf auxiliary(impersonate_ssl) > set RHOST prodsap.company.com
RHOST => prodsap.company.com
msf auxiliary(impersonate_ssl) > run
[*] Connecting to prodsap.company.com:443
[*] Copying certificate /O=company.com/OU=Domain Control Validated/CN=prodsap.company.com from prodsap.company.com:443
[*] Beginning export of certificate files
[+] Created required files from remote server prodsap.company.com:443
[+] Files stored in ~/.msf/loot (.key|.crt|.pem)
[*] Auxiliary module execution completed
Result (0)
As near as darn a clone of the original.
Fingerprints + serial number differ.
Result (1)
All CN data is 100% cloned…
Average users don’t care!
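The two "Result" slides say the clone matches the original in every subject field but differs in fingerprint and serial number. The following Go program is an added example (not code from the talk or from the Metasploit module) that reproduces that situation in memory and shows which client-side checks tell the two apart. It builds a constructed root CA, issues an "original" leaf with the DN printed in the module output above, then creates a self-signed clone that copies the subject, SAN and validity but necessarily has a new key, a new serial and no trusted issuer. A CN-only check (what clicking through a self-signed warning amounts to) accepts both; standard chain verification against the trusted root rejects the clone, and the SHA-256 fingerprint is the value a pin or a monitoring alert should compare. The CA name, serials and key type are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Host is the name from the module output above; everything below is built in
// memory with constructed keys, so no real server, CA or certificate is touched.
const Host = "prodsap.company.com"

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

// issue signs tmpl under parent with parentKey; parent == tmpl gives a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// BuildScenario returns a CA-issued "original" leaf for Host, a self-signed clone
// that copies its subject, SAN and validity but has a fresh key, a fresh serial and
// no trusted issuer (what the module produces), and the pool holding the real CA.
func BuildScenario() (original, clone *x509.Certificate, roots *x509.CertPool) {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject: pkix.Name{ // the DN the module printed: /O=company.com/OU=Domain Control Validated/CN=prodsap.company.com
			Organization:       []string{"company.com"},
			OrganizationalUnit: []string{"Domain Control Validated"},
			CommonName:         Host,
		},
		DNSNames:    []string{Host},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	original = issue(leafTmpl, ca, &leafKey.PublicKey, caKey)

	// Without the CA key or the original private key, an impersonator can only
	// self-sign with a new key pair: the public fields match, the signature cannot.
	cloneKey := mustKey()
	cloneTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(9999),
		Subject:      original.Subject,
		DNSNames:     original.DNSNames,
		NotBefore:    original.NotBefore,
		NotAfter:     original.NotAfter,
		ExtKeyUsage:  original.ExtKeyUsage,
	}
	clone = issue(cloneTmpl, cloneTmpl, &cloneKey.PublicKey, cloneKey)

	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return original, clone, roots
}

// NaiveCNCheck is what "the name looks right, click Continue" amounts to.
func NaiveCNCheck(c *x509.Certificate, host string) bool {
	return c.Subject.CommonName == host
}

// VerifyChain is the check a client must not skip: a path to a trusted root plus a
// hostname match. The clone fails it because no trusted CA signed it.
func VerifyChain(c *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Fingerprint is the SHA-256 of the DER encoding: the value to pin or alert on.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	original, clone, roots := BuildScenario()
	for name, c := range map[string]*x509.Certificate{"original": original, "clone": clone} {
		fmt.Printf("%-8s CN-only=%v chain-ok=%v serial=%v sha256=%s\n", name,
			NaiveCNCheck(c, Host), VerifyChain(c, roots, Host) == nil, c.SerialNumber, Fingerprint(c))
	}
}
```

Run it with `go run .` and the two lines differ only in the chain result, the serial and the fingerprint, which is exactly the point of the slides: once an organisation trains its users and tooling to accept self-signed certificates for a name, nothing visible in the subject distinguishes the real server from the clone, and only chain validation or a pinned fingerprint does.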
But we DO pay attention!
Techies might notice… maybe!
So give them a REASON why…
But we DO pay attention!
OH, our self-signed cert expired yesterday. I’ll sort that later ;)
#WINNING
What else can it do!
• Self-signed certs for anything you like!
  – I’ll take a google.com please!
• Sign your own cert
  – with that CA signing key you stole from DigiNotar
  – … or an internal corp CA you accidentally hacked ;)
• It makes coffee too!
So what… this is weak sauce!
• It’s not new!
• It’s not special!
• I can do this in OpenSSL too!
• Yes, yes, and yes…
  – But this MSF module does it all for you
  – … in 15 seconds
  – … click, click, boom!
Final Points
• Not in MSF SVN… yet!
• Working on some small bugs
  – Windows 7 doesn’t like the cert?!!*&%
• Part of a bigger project to MITM SAP
  – I like SAP…
  – Easy to pick on!
• Available through SVN
  – chrisjohnriley-metasploit-modules.googlecode.com/svn/trunk/
  – Linked on http://c22.cc as well