ssl impersonation in 5 minutes or less!


Upload: chris-john-riley

Post on 25-Jun-2015

4.933 views

Category:

Technology


DESCRIPTION

SSL certificate impersonation… for shits and giggles! A quick 5 minute talk about SSL impersonation and why self-signed certs aren't a valid solution for your enterprise! BruCON 2011 Lightning Talk

TRANSCRIPT

Page 1: SSL Impersonation in 5 minutes or less!
Page 2: SSL Impersonation in 5 minutes or less!
Page 3: SSL Impersonation in 5 minutes or less!

Who, What, Why

• Who
  – Enterprises
  – Home Users
  – You!

• What
  – Self-Signed Certs

• Why
  – Because signing your own certs is bad m’kay!

Page 4: SSL Impersonation in 5 minutes or less!

Why use self-signed certs?

• Easy
  – One-Click and you’re done

• Fast
  – No need to wait on a CA

• Default?
  – Default cert…
  – Ah just leave it

• It’s ONLY a test server!

Page 5: SSL Impersonation in 5 minutes or less!

Self-signed cert in action

Page 6: SSL Impersonation in 5 minutes or less!
Page 7: SSL Impersonation in 5 minutes or less!

Self-signed cert in action

Enter Metasploit… the tool of champions

msf > use auxiliary/gather/impersonate_ssl
msf auxiliary(impersonate_ssl) > set RHOST prodsap.company.com
RHOST => prodsap.company.com
msf auxiliary(impersonate_ssl) > run
[*] Connecting to prodsap.company.com:443
[*] Copying certificate /O=company.com/OU=Domain Control Validated/CN=prodsap.company.com from prodsap.company.com:443
[*] Beginning export of certificate files
[+] Created required files from remote server prodsap.company.com:443
[+] Files stored in ~/.msf/loot (.key|.crt|.pem)
[*] Auxiliary module execution completed

Page 8: SSL Impersonation in 5 minutes or less!


Page 9: SSL Impersonation in 5 minutes or less!

Result (0)

As near as darn a clone of the original
Fingerprints + Serial Number differ
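The point of this slide, as an added example that is not part of the talk: a cert whose subject has been copied looks identical on the fields users read, but its SHA-256 fingerprint (and, with a fresh key, its serial) cannot match the original, so a fingerprint pin catches it. This script assumes the openssl CLI is installed; the hostname and subject are the talk's constructed example, and make_cert/check_pin are helper names chosen here.

```shell
# Added example, not code from the talk or the Metasploit module.
set -e
WORK=$(mktemp -d)
SUBJ="/O=company.com/OU=Domain Control Validated/CN=prodsap.company.com"

# make_cert NAME: self-signed cert with the subject above. Calling it twice
# gives two certs with identical subject text but different keys, which is
# what a cloned self-signed cert looks like to a client.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$SUBJ" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

cert_subject()     { openssl x509 -in "$1" -noout -subject; }
cert_serial()      { openssl x509 -in "$1" -noout -serial; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# check_pin FILE PINNED_FP: defender-side check. Succeeds only when the
# presented cert's fingerprint equals the one recorded when the server was
# first trusted, regardless of how convincing the subject looks.
check_pin() {
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

make_cert original
make_cert clone
ORIG="$WORK/original.crt"
CLONE="$WORK/clone.crt"
PIN=$(cert_fingerprint "$ORIG")   # record this out of band, e.g. at deploy time

echo "original: $(cert_subject "$ORIG") $(cert_serial "$ORIG")"
echo "clone:    $(cert_subject "$CLONE") $(cert_serial "$CLONE")"
echo "pinned:   $PIN"
if check_pin "$CLONE" "$PIN"; then echo "clone ACCEPTED"; else echo "clone REJECTED by pin"; fi
```

The subject lines print identically; only the fingerprint comparison tells the two apart, which is the check an enterprise loses when it tells users to click through self-signed warnings.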

Page 10: SSL Impersonation in 5 minutes or less!

Result (1)

All CN data is 100% cloned…
Average users don’t care!

Page 11: SSL Impersonation in 5 minutes or less!

But we DO pay attention!

Techies might notice… maybe!
So give them a REASON why…

Page 12: SSL Impersonation in 5 minutes or less!

But we DO pay attention!

OH, our self signed cert expired yesterday. I’ll sort that later ;)

Page 13: SSL Impersonation in 5 minutes or less!

#WIMMING

Page 14: SSL Impersonation in 5 minutes or less!

What else can it do!

• Self-signed certs for anything you like!
  – I’ll take a google.com please!

• Sign your own cert
  – with that CA signing key you stole from Diginotar
  – … or an internal corp CA you accidentally hacked ;)

• It makes coffee too!

Page 15: SSL Impersonation in 5 minutes or less!

So what… this is weak sauce!

• It’s not new!
• It’s not special!
• I can do this in OpenSSL too!

• Yes, yes, and yes…
  – But this MSF module does it all for you
  – … in 15 seconds
  – … click, click, boom!

Page 16: SSL Impersonation in 5 minutes or less!

Final Points

• Not in MSF SVN… yet!
• Working on some small bugs
  – Windows 7 doesn’t like the cert?!!*&%

• Part of a bigger project to MITM SAP
  – I like SAP…
  – Easy to pick on!

• Available through SVN
  – chrisjohnriley-metasploit-modules.googlecode.com/svn/trunk/
  – Linked on http://c22.cc as well

Page 17: SSL Impersonation in 5 minutes or less!