GrabDuck

SSL MITM ATTACK USING ETTERCAP

:

Today I will be talking about SSL based MITM attacks using ettercap. First, we need to discuss our network layout. Our network consists of a dual home Linux box acting as the gateway with dhcp service enabled and two host machines connected to a switch.The IP addresses of the  the LAN machine are as follows :

A BackTrack Machine with IP address of 192.168.220.138. Also make note of its mac address.

A windows XP machine with IP address of 192.168.220. The IP address of the dual homed Gateway is 192.168.220.2.

Both the machines have 192.168.220.2 as their default gateway.
The arp entries in the windows box before the ARP poisioning attack looks like this :


We will be using ettercap to arp posion the windows machine so that the MAC address of the defualt gateway will point to the MAC address of the  Backtrack machine. Once this is accomplished the windows machine will route all the packets via the backtrack machine. When HTTPS traffic comes to the backtrack machine ; this traffic can now be forwarded to a fake SSL server which sits in between the actual site requested by the client and the client. Fortunately, ettercap already has such a server and all we need to do is setup some forwarding rules using iptables. This can be done by editing the /etc/etter.conf file.
Open up the /etc/etter.conf file and change the following lines :

ec_uid = 0
ec_gid = 0

Also enable the redirect  rules :

redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"


We  also need to turn on IP Forwarding in our Backtrack Machine so that it functions as a router.

sysctl -w net.ipv4.ip_forward=1

And then launch the ARP poisoning attack using the following command :

ettercap --text --quiet  -i eth0  --mitm  arp:remote  /192.168.220.2/  /192.168.220.136/

--text :  Launch Text Mode
--quiet : be quiet and not verbose
-i eth0 : interface to be used

--mitm arp:remote : Launch man in the middle attack using arp poisioning. The 'remote' option is needed to be able to sniff the remote traffic the hosts make through the gateway.

Now , if we check the arp table  in the  windows machine we will see that the arp poisoning has been successful and that the MAC address of the default gateway now points to the MAC address of the backtrack machine. If we check the iptables rules in the Backtrack machine we will see that the HTTPS traffic is being redirected to the port 59264 where ettercap is listening with its own mini HTTPS service.

Now when we try to open a secure http page from the windows machine ; the browser will generate a warning message stating that the certificate being used is a self signed certificate. If client ignores this warning and tries to authenticate we will be able to capture his credentials.

Please note that this attack can be improved by the use of SSLStrip tool.

SSL Certificate Error  :


We can mitigate the risks of ARP spoofing attacks by :

[1] Using ARPWATCH : You can use the arpwatch utility in Linux which constantly monitors mac address and IP address pair. It can generate syslog messages and can also e-mail the security admin if there is a change in the mac/ip address pair.

[2] Using static MAC binding : You can bind an ip address to a mac address in the host machines. In Linux this can be done using the following command :

arp -s ip-address mac-address

root@lin-bin-box:~# arp -s 192.168.220.56 aa:11:22:c5:00:90

[3] DAI : If you are using cisco switches then you can use the dynamic arp inspection feature of such switches to mitigate the risk associated with arp poisioning attacks.