Project Report Commented


8/6/2019 Project Report Commented

1/21

Abstract

In the present day, almost all organizations, businesses and many individuals have websites. With the advent of e-commerce, most businesses have shifted their service transactions online. This involves secure transmission of confidential information over the Internet. In general, HTTPS (Hyper Text Transfer Protocol Secure), which is a combination of HTTP and SSL/TLS, is used for carrying out such secured transactions and communications. But in reality, web services and HTTPS are vulnerable in some way. This project aims to provide some details of the complex HTTPS protocol and its vulnerabilities using the MITM (Man in the Middle) attack, and means to protect against it. In the project we make use of freely available tools like Wireshark, dsniff, ssldump, DecaffeinatID, Packet Builder and SSLstrip on different operating systems like Windows and Ubuntu. The scope for further improvement could be to develop more secure protocols and better security measures.

1. Introduction

Since the widespread reach of the Internet, many businesses and organizations have thought of reaching (extending their services to) their clients using the Internet as an important medium. In the present day it is easy to configure and manage a website. The clients access the websites using easy-to-use web browsers like Internet Explorer, Google Chrome and Firefox. But the mechanism and the underlying software implementation are very complex. HTTPS, which is a client/server application, is the protocol which has been used to provide secure communication for many years now. HTTPS refers to the combination of the application layer HTTP and the transport layer SSL/TLS to implement secure communication between the web browser and the web server.

SSL was first implemented by Netscape for their Netscape Navigator web browser in 1994. Since there were many security flaws in the second version, SSL 3.0 was developed. Later the Internet Engineering Task Force (IETF) standardized the TLS protocol (which is very similar to the SSL protocol) to be used as the transport layer protocol with HTTP for secure communication.


Implementation of Hacking HTTPS

As Gmail uses HTTPS, and in order to test the vulnerabilities of HTTPS, we created a Gmail id. The email-id has the following details, which are used for testing purposes:

Username: projecthttps
Password: siueece595

In order to decrypt the HTTPS messages using the man-in-the-middle attack we have to follow the following steps.

METHOD I

1. ARP spoofing - Using the arpspoof command from the dsniff package, spoof the IP address of the gateway router to be at the MAC address of the hacker's machine. This is done in order to obtain all the messages from the target machine to the router.

Open a new terminal and use the command

sudo arpspoof -i interface -t target-ip-address gateway-ip-address

After running this command the hacker's machine will keep sending ARP replies to the target machine telling it the gateway IP is at the hacker's MAC address. The target machine believes this, updates its ARP cache and will then send its Internet traffic to the hacker's machine instead of the gateway.

Comment [v1]: Heading not perfect or grammar not proper

Comment [v2]: Formation not perfect


2. IP forwarding - This is done in order to put the hacker's machine in forwarding mode, or to make it act as a router. The received packets are forwarded to the gateway for further routing and the target machine does not notice any difference.

Open a new terminal and use the command

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

On executing this command the hacker's machine starts forwarding the IP packets to the gateway.

3. DNS spoof - This is part of the dsniff software package for Ubuntu. This command starts a DNS server on the hacker's machine. The hacker's machine spoofs the DNS address of the requested website with its own IP address and provides its own certificate for verification.

Open a new terminal and use the command

sudo dnsspoof -i interface


4. Webmitm - This is also part of the dsniff software package for Ubuntu. Web man-in-the-middle is a software which generates imitated certificates. The software produces X.509 certificates. The certificate produced is self-signed and is sent in response to the query of the target machine. Some web browsers do not accept self-signed certificates, which is the only way the target machine can tell the website is being impersonated.

Open a new terminal and use the command

sudo webmitm

Now all the packets from the target machine to the gateway router pass through the hacker's machine and are forwarded to the gateway. The summary of operations thus far is:

The hacker's machine sends ARP replies to the target machine, which updates its ARP cache and sends all its Internet packets to the hacker's machine. The hacker's machine receives the requests to connect to a website and replies with its own IP address and the self-generated certificate. The original packets are forwarded to the HTTPS website as the hacker's machine is set to forwarding mode.

[Figure: Target Machine -> Hacker's Machine -> Gateway -> Website]

In order to keep track of all of the communication and decrypt the data we have to record all the packets for further analysis. This can be done using the packet sniffing software Wireshark and the ssldump software.

5. Network sniffing - In order to sniff (capture) the data being sent we use Wireshark, which is a network sniffing software. In a new terminal we open Wireshark with the command

sudo wireshark


A GUI pops up from which we have to select the required interface for monitoring. Wireshark then starts capturing data.


6. On the target machine, which is a Windows machine, now open Internet Explorer. In that browser, go to gmail.com. We will see a security warning that the certificate is not genuine, but as most users are unaware of what it is, press continue to the website.

7. When we reach the Gmail website login, log in to the website using the following details:

Username: projecthttps
Password: siueece595

Then press Sign in.

Comment [v3]: Not proper grammar


This will send the username and password to Gmail. The man-in-the-middle attack is not perfect, so the login process will not complete and Internet Explorer will just hang. However, it goes far enough to send the entered username and password to the hacker.

8. After Wireshark has captured a sufficient amount of data (the username and password), i.e., after a considerable amount of time, it is halted by pressing the stop button and the dump file is saved in the root directory using the filename feb18.

9. Decryption - We use the ssldump software in order to decrypt the SSL/TLS encrypted messages. The input for this command would be the saved Wireshark dump file and the webmitm certificate, and for the output we have to specify the output filename.

In a new terminal type the command

sudo ssldump -r filename -k keyfile -d > output-file-name


where the filename here is the Wireshark saved file and the keyfile is the certificate which will be used by ssldump to decrypt the messages. The -d option is to decrypt application data, which contains the username, password and other details.

After execution of this command, the hacker decrypts the HTTPS messages and writes them to an output file. In order to obtain the required details like password and username we can search for them using the pattern matching grep command.

The usage of the command:

grep -E 'Passwd|Email' outputfile

The grep command displays the lines containing the required expression on the standard output.

METHOD II

1. ARP spoofing - Using the arpspoof command from the dsniff package, spoof the IP address of the gateway router to be at the MAC address of the hacker's machine. This is done in order to obtain all the messages from the target machine to the router.

Open a new terminal and use the command

sudo arpspoof -i interface -t target-ip-address gateway-ip-address


2. IP forwarding - This is done in order to put the hacker's machine in forwarding mode. This makes our Ubuntu machine into a router. The received packets are forwarded to the gateway for further routing and the target machine does not find any difference.

Open a new terminal and use the command

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

On executing this command the hacker's machine starts forwarding the IP packets.

3. Port rerouting - This command sets up iptables in Ubuntu to redirect HTTP traffic from port 80 to a desired port, in this case 8080, which will be listened to by sslstrip.

On a new terminal type the command

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080


We are forwarding the packets from port 80 to port 8080 as the sslstrip software is going to listen for traffic on port 8080.

4. SSLstrip - SSLstrip is the software which strips the SSL part of the communication between the target machine and the hacker machine and converts it into just normal HTTP. Not many users take notice of the absence of https in the link address and the padlock in their browsers.

In a new terminal, enter as superuser, enter the root folder and then enter the sslstrip-0.7 folder using the command

cd sslstrip-0.7

then enter the command

sudo python ./sslstrip.py -a -l 8080

where -a is to listen for all traffic and -l specifies the port number to listen on, in this case port 8080.


This command executes a Python script written by Moxie Marlinspike which establishes an HTTP connection between the target machine and the hacker machine and, at the other side, establishes an HTTPS connection between the hacker machine and the web server. The web server will still think it is in direct connection with the target machine.

The captured and encrypted data is stored in the sslstrip.log file in the sslstrip-0.7 folder.

5. On the target machine, open Internet Explorer. In that browser, go to gmail.com. If we observe the link in the address bar we will see that the connection is no longer an HTTPS connection. Most users do not realize it and fall into the trap. They just continue entering their usernames and passwords.

6. When we reach the Gmail website login, log in to the website using the following details:

Username: projecthttps
Password: siueece595

Then press Sign in.

Comment [v4]: Not proper grammar


Here we are able to log in to the account, but in the HTTP version, which is visually almost the same. We can observe the http link in the red circle.


7. Grep - In order to obtain the required details like password and username we can search for them using the pattern matching grep command.

The usage of the command:

grep -E 'Passwd|Email' sslstrip.log

The grep command displays the lines containing the required expression on the standard output.


HTTPS Attack Protection Scheme

In order to safeguard confidential data which is being transmitted on the web we implemented four simple defender techniques. The first technique uses static ARP tables; the second technique uses a freely available software for Windows called DecaffeinatID, which is similar to Arpwatch for Linux systems. The third and fourth techniques scan for active NIC cards in promiscuous mode.

Using Static ARP

We can observe that in both the methods we used to hack the HTTPS communication, we used ARP spoofing. It is done to trick both the target machine and the gateway. The MITM attack is one of the major threats in any network which has to be avoided. This can be avoided by using static ARP tables. As most modern networks are switched networks it is enough to configure the switch. But if it is not a switched network it has to be set on each machine on the network.

To statically set the ARP table on a Windows machine:

1. Run the command prompt as an administrator.
2. Type netsh -c "interface ipv4".
3. The prompt will change to netsh interface ipv4.
4. Then type add neighbors "Local Area Connection" IP-Address MAC-Address.

In our case the IP address is 146.163.133.254 and the MAC address is 00-a0-c9-08-83-e1.

This can be verified using the command arp -a in another command prompt shell.


Once the ARP entries on the target machines are set to static they do not update their caches. So any attempt to ARP spoof these machines will fail.

Using DecaffeinatID

DecaffeinatID is a simple software which keeps track of changes. It keeps monitoring the ARP cache and if it finds any change in the ARP-to-IP mapping it notifies with a message. This software can be set up at the target machine's side, where it notifies if there is any change in the ARP table.

The following message is obtained when the MAC address of the router/gateway is changed; it pops up on the screen.

This helps prevent spoofing and it will inform the administrator of which machine is trying to spoof.


The disadvantage of this is that it sometimes is unreliable, and in the situation where a NIC card goes faulty and is replaced but still uses the same IP address it gives a warning.

For this software to work, install it and run it as an administrator. It keeps logs of the events in a text file.
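The static-ARP and DecaffeinatID defences above amount to one check: the gateway's IP must keep the MAC it was pinned to, and no MAC may suddenly answer for two IPs. The following ARP-cache monitor is an added example written for this page (it is not the report's code and not DecaffeinatID itself); the two `arp -a` snapshots are constructed and reuse the lab addresses from the report, with the gateway 146.163.133.254 pinned to 00-a0-c9-08-83-e1.

```python
import re
from dataclasses import dataclass, field

# Constructed Windows `arp -a` snapshots. BEFORE: the gateway .254 is at its real MAC.
# AFTER: .254 now shows the MAC of the machine at .30, which is what arpspoof produces.
BEFORE = """
Interface: 146.163.133.31 --- 0xb
  Internet Address      Physical Address      Type
  146.163.133.30        00-1b-21-6e-18-c7     dynamic
  146.163.133.254       00-a0-c9-08-83-e1     dynamic
  146.163.133.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
AFTER = BEFORE.replace("00-a0-c9-08-83-e1", "00-1b-21-6e-18-c7")

# The static entry from the report, as set with `netsh interface ipv4 add neighbors`.
GATEWAY_PINNED = {"146.163.133.254": "00:a0:c9:08:83:e1"}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+\w+")

def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output, skipping broadcast/multicast rows."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:      # group bit set: broadcast/multicast, not a host
            continue
        table[ip] = mac
    return table

@dataclass
class ArpWatch:
    pinned: dict = field(default_factory=dict)  # ip -> MAC it must always have
    seen: dict = field(default_factory=dict)    # ip -> MAC in the previous snapshot

    def check(self, snapshot):
        """Compare one snapshot against the pins and the history; return alert strings."""
        alerts = []
        current = parse_arp_table(snapshot)
        for ip, mac in current.items():
            expected = self.pinned.get(ip)
            if expected and mac != expected:
                alerts.append(f"PINNED MISMATCH {ip}: expected {expected}, cache says {mac}")
            prev = self.seen.get(ip)
            if prev and prev != mac:
                alerts.append(f"CHANGE {ip}: {prev} -> {mac}")
            self.seen[ip] = mac
        # One MAC answering for several IPs is the signature of ARP spoofing.
        owners = {}
        for ip, mac in current.items():
            owners.setdefault(mac, []).append(ip)
        for mac, ips in owners.items():
            if len(ips) > 1:
                alerts.append(f"DUPLICATE MAC {mac} claims {', '.join(sorted(ips))}")
        return alerts

def run_demo():
    watch = ArpWatch(pinned=dict(GATEWAY_PINNED))
    watch.check(BEFORE)           # baseline snapshot: no alerts
    return watch.check(AFTER)     # spoofed snapshot: mismatch, change and duplicate alerts
```

A real monitor would feed `check()` the output of `arp -a` (or the Linux neighbour table) on a timer and log or pop up each alert, which is what the report observes DecaffeinatID doing.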

Using ICMP (Echo) Request

Decrypting HTTPS is accomplished by running ARP spoof and capturing the data. Most of the data capturing software puts the NIC card into promiscuous mode. Promiscuous mode is a special reception mode where the network card ignores the destination MAC address and sends all packets received to the kernel for processing. In this technique we try to detect the NIC cards which are in active promiscuous mode by fooling the NIC card into responding to a packet which is not destined for that particular NIC's MAC address. The technique is to send a packet to every IP address while specially crafting the MAC address so that its value is certainly non-existent on the network. We did this with the help of Packet Builder, which is a packet editing software.

1. Open the Colasoft Packet Builder software.
2. Press the Add button, for which an Add Packet window pops up.
3. In the Select Template menu select IP packet, then press OK.
4. In the Decode Editor window you will get an IP packet module.
5. In the Destination Address field enter 01:01:01:01:01:01 as the MAC address.
6. In the Source Address field enter your interface MAC address. In our case it is 00:23:5A:B4:F0:04.
7. In the Protocol field of the Internet Protocol section enter 1, which corresponds to an ICMP packet.
8. In the Source IP field enter your IP; in our case it is 146.163.133.31.
9. In the Destination IP field enter the hacker's IP; in our case it is 146.163.133.30.
10. In the Type field of the ICMP section enter 8. It makes the packet an ICMP Echo packet (ping).


11. Press the Adapter button and select the suitable interface on which the packet has to be sent.
12. Then turn on Wireshark and start the capturing mode on the same interface.
13. Then select the ICMP packet from the packet list and press Send repeatedly.

If the capturing software is not turned on on the hacker's machine we will not get any response to the ping messages, as shown in the following figure.


14. Now turn on the packet sniffing software on the hacker's machine and repeat step 13. The hacker's machine now responds to the ping packets as its NIC card has been set to promiscuous mode.

We can observe that, even though the packet is not addressed to the hacker machine's MAC id, which is 00:1b:21:6e:18:c7, the NIC card forwards it to the operating system. The operating system responds to the ping packet as it contains the correct IP address. For a general scan of the network, this would need to be done for each possible IP in the network to detect machines running sniffing software.

Using ARP Request

In this technique also we try to detect the NIC cards which are in active promiscuous mode by fooling the NIC card into responding to a packet which is not destined for that particular NIC's MAC address. Generally all ARP requests are broadcast with a destination address of FF-FF-FF-FF-FF-FF so that all the machines on the network listen to it and send it to the operating system, but only the machine with the matching IP address responds to it. In order to detect the machine in promiscuous mode we will generate an ARP request packet with a destination MAC address not being FF:FF:FF:FF:FF:FF but some random address which is certainly non-existent on the network. If the machine is in promiscuous mode it ignores the destination address and processes it further. We implemented this technique using Colasoft Packet Builder.

1. Open the Colasoft Packet Builder software.
2. Press the Add button, for which an Add Packet window pops up.


3. In the Select Template menu select ARP packet, then press OK.
4. In the Decode Editor window you will get an ARP packet module.
5. In the Destination Address field enter 01:01:01:01:01:01 as the MAC address.
6. In the Source Address field enter your interface MAC address. In our case it is 00:23:5A:B4:F0:04.
7. In the Source IP field of the ARP section enter your IP; in our case it is 146.163.133.31.
8. In the Destination IP field enter the hacker's IP; in our case it is 146.163.133.30.
9. The Type field in the ARP section should be 1 for ARP request.
10. Press the Adapter button and select the suitable interface on which the packet has to be sent.
11. Then turn on Wireshark on the target machine and start capturing packets on the same interface.
12. Then select the ARP packet from the packet list and press Send repeatedly. If the capturing software is not turned on on the hacker's machine we will not get any response to the ping messages, as shown in the following figure.


13. Now turn on the packet sniffing software on the hacker's machine and repeat step 12. The hacker's machine now responds to the ping packets as its NIC card has been set to promiscuous mode. Observe the packets captured on Wireshark. We can see that now we get ARP replies stating that 146.163.133.30 is on machine 00:1B:21:6E:18:C7.
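Both the ICMP Echo and the ARP Request techniques rest on the same inference: a frame sent to a MAC that belongs to nobody (01:01:01:01:01:01) should be dropped by every NIC's receive filter, so any host whose IP stack answers it must be accepting all frames. The model below is an added example, not part of the report and not the Colasoft tool; it simulates that filter and the classification of responders. Assumptions: a NIC in normal mode passes only frames to its own MAC or to broadcast (multicast group filtering is not modelled), the OS answers any echo or ARP request carrying its own IP, and the second host 146.163.133.40 is constructed.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
BOGUS_DST = "01:01:01:01:01:01"    # destination MAC used by the report's probes
# Prober = the report's target machine (146.163.133.31 / 00:23:5A:B4:F0:04).
PROBER_IP, PROBER_MAC = "146.163.133.31", "00:23:5a:b4:f0:04"

@dataclass
class Host:
    ip: str
    mac: str
    promiscuous: bool = False      # True while a sniffer such as Wireshark is running

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    kind: str                      # "icmp_echo" or "arp_request"
    src_ip: str
    dst_ip: str

def nic_accepts(host, frame):
    """Receive filter (simplified, see assumptions): own MAC or broadcast only,
    unless promiscuous mode is on, in which case every frame reaches the kernel.
    01:01:01:01:01:01 has the group bit set; real multicast filters are not modelled."""
    return host.promiscuous or frame.dst_mac in (host.mac, BROADCAST)

def stack_reply(host, frame):
    """The OS answers an echo or ARP request whose target IP is its own, regardless
    of the link-layer address the frame arrived on. Returns (kind, ip, mac) or None."""
    if frame.dst_ip != host.ip:
        return None
    reply = {"icmp_echo": "icmp_echo_reply", "arp_request": "arp_reply"}.get(frame.kind)
    return (reply, host.ip, host.mac) if reply else None

def probe(hosts, kind, dst_mac=BOGUS_DST):
    """Send one probe per host; return {ip: mac} of every host that answered.
    With the bogus MAC only promiscuous hosts answer; with BROADCAST every live
    host answers, which serves as the control that the hosts are reachable."""
    responders = {}
    for host in hosts:
        frame = Frame(dst_mac, PROBER_MAC, kind, PROBER_IP, host.ip)
        if nic_accepts(host, frame):
            reply = stack_reply(host, frame)
            if reply:
                responders[reply[1]] = reply[2]
    return responders

def lab_hosts():
    """Constructed LAN: the report's hacker machine plus one ordinary host."""
    return [Host("146.163.133.30", "00:1b:21:6e:18:c7"),
            Host("146.163.133.40", "00:11:22:33:44:55")]

def run_demo():
    hosts = lab_hosts()
    before = probe(hosts, "icmp_echo")        # sniffer off: nobody answers the bogus MAC
    hosts[0].promiscuous = True               # start the sniffer on .30
    after = probe(hosts, "arp_request")       # only .30 now answers, as in the report
    return before, after
```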
