SSL testing problem.


RobB

Mar 10, 2011, 6:06:14 PM
to mallor...@googlegroups.com
I'm trying to set up an SSL MitM attack to basically just intercept the authentication credentials of a user running a remote proprietary client on winXP. The Auth part is done via SSL and then afterwards a new tunnel is handed off to a UDP protocol. I uncommented the HTTPS section in the mallory.py file and I now see the cert being intercepted, generated, and sent to my client under test. However, shortly after that the session drops completely with an error.

I did a packet cap on a good session going through mallory and a bad session. On the good session there is a packet for a change cipher, and another packet for an encrypted handshake. On the bad session, those 2 packets are concatenated together. I'm not entirely sure this is the problem, but I'm thinking it might be at least the start.

I've been clearing the SSL cache on the client system in between tests, so I know it's not cached certs.

I also tried using the nonstandardssl option and put it on 443 anyway.

What else can I try? Any idea how to make the packets come through in the right sequencing without concatenating?

Thanks,
Rob
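The observation above, that the ChangeCipherSpec and the encrypted handshake (Finished) message arrive in one packet in the failing session and in two packets in the working one, touches a point worth pinning down: TLS records are framed by the record layer, not by TCP segment boundaries, so two records in one segment (or one record split across several) is valid and a conforming peer must parse both forms identically. The following is an added example, written for this thread and not code from the original posts or from the Mallory project; it parses a TLS record stream from constructed sample bytes and shows that the same records are recovered whether they arrive coalesced or split. The sample bytes are constructed, not taken from the captures.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def parse_records(data: bytes):
    """Parse as many complete TLS records as `data` holds.

    Returns (records, leftover): records is a list of
    (content_type_name, version, payload) tuples; leftover is any trailing
    partial record that still needs more bytes from the stream.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown TLS content type {ctype} at offset {offset}")
        if length > 2**14 + 2048:  # TLSCiphertext length limit (RFC 5246 section 6.2.3)
            raise ValueError(f"record length {length} exceeds TLS maximum")
        end = offset + 5 + length
        if end > len(data):
            break  # record incomplete: keep these bytes for the next segment
        records.append((CONTENT_TYPES[ctype], version, data[offset + 5:end]))
        offset = end
    return records, data[offset:]

def feed_segments(segments):
    """Feed TCP payloads one at a time, buffering partial records across them."""
    buffered = b""
    records = []
    for seg in segments:
        buffered += seg
        parsed, buffered = parse_records(buffered)
        records.extend(parsed)
    return records

# Constructed sample bytes (not captured from the thread's sessions):
# a TLS 1.0 ChangeCipherSpec record, then a Handshake record whose body is
# the encrypted Finished message (opaque without the session keys).
CCS_RECORD = bytes.fromhex("1403010001" "01")
ENC_FINISHED_RECORD = bytes.fromhex("1603010030") + bytes(range(0x30))
COALESCED_SEGMENT = CCS_RECORD + ENC_FINISHED_RECORD

if __name__ == "__main__":
    cases = [
        ("one segment", [COALESCED_SEGMENT]),
        ("two segments", [CCS_RECORD, ENC_FINISHED_RECORD]),
        ("split mid-record", [COALESCED_SEGMENT[:8], COALESCED_SEGMENT[8:]]),
    ]
    for name, segs in cases:
        recs = feed_segments(segs)
        print(name, "->", [(t, hex(v), len(p)) for t, v, p in recs])
```

All three delivery patterns yield the same two records, so a client that only fails when the records share a segment is a parsing defect on that client's side rather than anything in the TLS exchange itself; when troubleshooting, compare what each side logs at the moment of the close rather than the packet count.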

Jeremy Allen

Mar 10, 2011, 11:33:29 PM
to mallor...@googlegroups.com
Rob,

This is an interesting result. Mallory's UDP support is pretty small and it just covers the basics. We have not spent a lot of time working on UDP.

As far as the SSL handling goes it is important to understand if Mallory was failing when going to the server or if it was the client failing when connecting to the Mallory proxy. If you can post some sanitized logs of your error that would be helpful.

Thanks,

Jeremy (@bitexploder)

RobB

Mar 11, 2011, 12:01:04 AM
to mallor...@googlegroups.com
Here are some sanitized logs from Mallory with its default DEBUG logging. As far as I can tell the client closed the connection because it didn't like the SSL response from the proxy. I've also added the sanitized text export of captures from Wireshark on the Mallory proxy on the ppp0 side.

[*] [2011-03-10 18:05:00,224] INFO:main: got connection from: 192.168.10.234:1175
[*] [2011-03-10 18:05:00,224] DEBUG:SSLProtocol: Initializing
[*] [2011-03-10 18:05:00,224] DEBUG:Mallory.main: created a <class 'protocol.sslproto.SSLProtocol'> class
[*] [2011-03-10 18:05:00,224] DEBUG:SSLProto: configure_server_socket
[*] [2011-03-10 18:05:00,735] DEBUG:SSLProto: Getting common name from socket
[*] [2011-03-10 18:05:00,740] DEBUG:SSLProto: got CN: server.domain.local
+ '[' -z server.domain.local ']'
+ DOMAIN=server.domain.local
+ OPENSSL=openssl
+ '[' '!' -d ca ']'
+ mkdir -p certs
+ openssl genrsa -out certs/server.domain.local.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.................................................................................+++
e is 65537 (0x10001)
+ cp openssl-cert.cnf certs/server.domain.local.cnf
+ echo 'commonName = server.domain.local'
+ openssl req -new -key certs/server.domain.local.key -out certs/server.domain.local.csr -config certs/server.domain.local.cnf
+ openssl req -text -in certs/server.domain.local.csr -out certs/server.domain.local.csr.info
+ openssl ca -batch -config openssl-ca.cnf -in certs/server.domain.local.csr -out certs/server.domain.local.cer
Using configuration from openssl-ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 33 (0x21)
        Validity
            Not Before: Mar 10 23:05:00 2011 GMT
            Not After : Dec  4 23:05:00 2013 GMT
        Subject:
            commonName                = server.domain.local
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier: 
                D1:69:A4:4D:B2:3F:E2:D5:3B:B9:94:6C:6A:67:7D:52:7F:73:E0:D5
            X509v3 Authority Key Identifier: 
                keyid:84:39:A5:38:E7:82:EF:D2:26:B9:34:2B:2E:F7:25:62:AD:79:BF:DE

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
Certificate is to be certified until Dec  4 23:05:00 2013 GMT (1000 days)

Write out database with 1 new entries
Data Base Updated
+ openssl x509 -text -in certs/server.domain.local.cer -out certs/server.domain.local.cer.info
[*] [2011-03-10 18:05:00,988] INFO:TcpProtocol.forward_any(): Setting up forward for client-->server ('192.168.10.234', 1175)-->('IP.IP.IP.IP', 443)
[*] [2011-03-10 18:05:00,995] INFO:TcpProtocol.forward_any(): Setting up forward for client-->server ('192.168.10.234', 1175)-->('IP.IP.IP.IP', 443)
[*] [2011-03-10 18:05:01,004] DEBUG:forward_any(): [c2s] CLOSE
[*] [2011-03-10 18:05:01,005] DEBUG:forward_any(): conndata:clientip:192.168.10.234, clientport:1175, serverip:IP.IP.IP.IP, serverport:443 conncount:0, direction:c2s
[*] [2011-03-10 18:05:01,111] DEBUG:forward_any(): [s2c] CLOSE
[*] [2011-03-10 18:05:01,111] DEBUG:forward_any(): conndata:clientip:192.168.10.234, clientport:1175, serverip:IP.IP.IP.IP, serverport:443 conncount:0, direction:s2c

bad_session.txt
good_session.txt

Jeremy Allen

Mar 11, 2011, 9:18:13 AM
to Mallory Proxy
Raj and I will take a look at this one.

Thanks,