"HTTPS REQUEST WITHOUT SSL CERTIFICATE HOSTNAME VERIFICATION " not detecting any vulnerability

swaraj...@gmail.com

Feb 15, 2017, 4:06:00 AM
to nogotofail
Hi Alex,
Thank you for your support,

I am trying to detect vulnerable traffic with the help of the nogotofail MiTM tester app.
I have installed and configured both of the following apps:

1) nogotofail
    Configuration   nogotofail --> settings --> Attacks
       Probability of attack -- 100% 
       Custom list of attacks -- Checked 
  
 
 2) nogotofail MiTM tester 



In the following table, the vertical headers are the attacks performed (nogotofail --> settings --> Attacks) and the horizontal left-most column is the nogotofail MiTM tester --> TLS/SSL --> options.
The table contains the log results from the MiTM server.

BENCHMARK TEST RESULTS

| Tester option | NO ATTACK | TLS MiTM using an anonymous server | Client Heartbleed | Reject TLS/SSL handshake | Reject TLS handshake | Early CCS | TLS cert for wrong hostname | Self-signed TLS cert | TLS MiTM by replacing SSL servers key | superfishmitm |
|---|---|---|---|---|---|---|---|---|---|---|
| NORMAL TLS CONNECTION | OK | SSL exception: [('SSL routines', 'SSL3_GET_CLIENT_HELLO', 'no shared cipher')] | Handshake fail | Handshake fail | Handshake fail | Client not vulnerable | SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')] | SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')] | Client not vulnerable | SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')] |
| HTTPS REQUEST WITHOUT SSL CERTIFICATE CHAIN-OF-TRUST CHECK | OK | SSL exception: [('SSL routines', 'SSL3_GET_CLIENT_HELLO', 'no shared cipher')] | Handshake fail | Handshake fail | Handshake fail | Client not vulnerable | Handshake fail | NG | Client not vulnerable | NG |
| HTTPS REQUEST WITHOUT SSL CERTIFICATE HOSTNAME VERIFICATION | OK | SSL exception: [('SSL routines', 'SSL3_GET_CLIENT_HELLO', 'no shared cipher')] | Handshake fail | Handshake fail | Handshake fail | Client not vulnerable | SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')] | SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')] | Client not vulnerable | SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')] |
| HTTPS REQUEST WITHOUT SERVER AUTHENTICATION | OK | SSL exception: [('SSL routines', 'SSL3_GET_CLIENT_HELLO', 'no shared cipher')] | Handshake fail | Handshake fail | Handshake fail | Client not vulnerable | NG | NG | Client not vulnerable | NG |
***

OK = No vulnerability detected, and HTTP request succeeded.

NG = HTTP request succeeded and MiTM attack succeeded.

SSL Exception = HTTP request failed due to SSL exception. Not vulnerable to attack.

Handshake Fail = HTTP request failed due to handshake failure. Not vulnerable to attack.

Client not vulnerable = HTTP request succeeded but not vulnerable to attack.



My question is:

Why is HTTPS REQUEST WITHOUT SSL CERTIFICATE HOSTNAME VERIFICATION not showing any vulnerability to any of the attacks?

According to my understanding, it should be vulnerable to "TLS cert for wrong hostname". It should show MiTM attack success in the server log.



FYI


I tried to modify the NoSslCertificateHostnameVerificationTest.java class.

I commented out  //SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();

and added

SSLSocketFactory sslSocketFactory = TlsUtils.getTrustAllSSLSocketFactory();



And the output was as expected: HTTPS REQUEST WITHOUT SSL CERTIFICATE HOSTNAME VERIFICATION was vulnerable to "TLS cert for wrong hostname" (MiTM attack success).







Regards,

Swaraj Waikar 



Alex Klyubin

Feb 15, 2017, 11:44:58 AM
to swaraj...@gmail.com, nogotofail
For the "TLS cert for wrong hostname" attack, did you obtain a valid certificate from a public CA and set up nogotofail MiTM to use this certificate?
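
Added example (not part of the thread and not nogotofail code): the difference between a chain-of-trust check and a hostname check, which is what the question above about a CA-issued certificate turns on. It uses the openssl CLI with a throwaway CA standing in for a trusted public CA; demo-ca, attacker.example, target.example and the verdict helper are made-up names.

```shell
#!/usr/bin/env bash
# Constructed demo: demo-ca, attacker.example and target.example are made-up names.
set -eu
D=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

# A CA the client trusts (stand-in for a public CA in the device trust store).
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
  -keyout "$D/ca.key" -out "$D/ca.pem"
# "wrong": chains to the trusted CA but names a different host.
q openssl req -newkey rsa:2048 -nodes -subj "/CN=attacker.example" \
  -keyout "$D/wrong.key" -out "$D/wrong.csr"
echo "subjectAltName=DNS:attacker.example" > "$D/san.cnf"
q openssl x509 -req -in "$D/wrong.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
  -CAcreateserial -days 1 -extfile "$D/san.cnf" -out "$D/wrong.pem"
# "self": self-signed certificate for the right name; chains to nothing trusted.
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=target.example" \
  -keyout "$D/self.key" -out "$D/self.pem"

# verdict MODE CERT: would a client connecting to target.example accept CERT?
#   chain-only = chain-of-trust check, no hostname check
#   chain+host = chain-of-trust check and hostname check
#   trust-all  = no certificate checks at all
verdict() {
  case "$1" in
    chain-only) args="-CAfile $D/ca.pem" ;;
    chain+host) args="-CAfile $D/ca.pem -verify_hostname target.example" ;;
    trust-all)  echo accept; return 0 ;;
  esac
  if q openssl verify $args "$2"; then echo accept; else echo reject; fi
}

# Print the full matrix of client mode versus presented certificate.
for mode in chain-only chain+host trust-all; do
  for cert in wrong self; do
    printf '%-11s %-5s %s\n' "$mode" "$cert" "$(verdict "$mode" "$D/$cert.pem")"
  done
done
```

A client that skips only the hostname check still rejects any certificate that does not chain to a trusted CA, so the missing hostname check becomes visible only when the presented certificate is CA-issued for some other name.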
