SSL Impersonation in 5 minutes or less!

SSL certificate impersonation… for shits and giggles!

A quick 5 minute talk about SSL impersonation and why self-signed certs aren't a valid solution for your enterprise!

BruCON 2011 Lightning Talk

Published in: Technology, Business

  3. Who, What, Why
     - Who
       - Enterprises
       - Home Users
       - You!
     - What
       - Self-Signed Certs
     - Why
       - Because signing your own certs is bad m’kay!
  4. Why use self-signed certs?
     - Easy
       - One-Click and you’re done
     - Fast
       - No need to wait on a CA
     - Default?
       - Default cert…
       - Ah just leave it
     - It’s ONLY a test server!
  5. Self-signed cert in action
  7. Self-signed cert in action
     - Enter Metasploit… the tool of champions

       msf > use auxiliary/gather/impersonate_ssl
       msf auxiliary(impersonate_ssl) > set RHOST prodsap.company.com
       RHOST => prodsap.company.com
       msf auxiliary(impersonate_ssl) > run
       [*] Connecting to prodsap.company.com:443
       [*] Copying certificate /O=company.com/OU=Domain Control Validated/CN=prodsap.company.com from prodsap.company.com:443
       [*] Beginning export of certificate files
       [+] Created required files from remote server prodsap.company.com:443
       [+] Files stored in ~/.msf/loot (.key|.crt|.pem)
       [*] Auxiliary module execution completed
  9. Result (0)
     - As near as darn a clone of the original
     - Fingerprints + Serial Number differ
  10. Result (1)
     - All CN data is 100% cloned… Average users don’t care!
  11. But we DO pay attention!
     - Techies might notice… maybe! So give them a REASON why…
  12. But we DO pay attention!
     - OH, our self-signed cert expired yesterday. I’ll sort that later ;)
  13. # WIMMING
  14. What else can it do!
     - Self-signed certs for anything you like!
       - I’ll take a google.com please!
     - Sign your own cert
       - with that CA signing key you stole from Diginotar
       - … or an internal corp CA you accidentally hacked ;)
     - It makes coffee too!
  15. So what… this is weak sauce!
     - It’s not new!
     - It’s not special!
     - I can do this in OpenSSL too!
     - Yes, yes, and yes…
       - But this MSF module does it all for you
       - … in 15 seconds
       - … click, click, boom!
  16. Final Points
     - Not in MSF SVN… yet!
     - Working on some small bugs
       - Windows 7 doesn’t like the cert?!!*&%
     - Part of a bigger project to MITM SAP
       - I like SAP…
       - Easy to pick on!
     - Available through SVN
       - chrisjohnriley-metasploit-modules.googlecode.com/svn/trunk/
       - Linked on http://c22.cc as well
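The two "Result" slides carry the defensive lesson of the talk: the look-alike certificate has identical subject/CN data but a different key, serial number and fingerprint, so a client check that stops at the CN is fooled while a fingerprint pin or a signature check against a known anchor is not. The Ruby below is an added example (not code from the talk or from the MSF module) that builds a constructed original and a same-subject look-alike, then shows which checks tell them apart; the subject string is taken from slide 7, while keys, serials and validity dates are constructed.

```ruby
require 'openssl'

# Subject from slide 7's module output; keys, serials and dates are constructed.
SUBJECT = '/O=company.com/OU=Domain Control Validated/CN=prodsap.company.com'

# Self-signed cert for +subject+ with a fresh key and the given +serial+.
# Called twice it models the slides: same names, different key/serial/fingerprint.
def self_signed(subject, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after  = Time.now + 365 * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA-256 over the DER encoding, the value a pin should record.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Weak check: only looks at the CN, so a clone passes.
def cn_matches?(cert, host)
  cert.subject.to_a.assoc('CN')&.at(1) == host
end

# Stronger check 1: compare with the fingerprint recorded at deployment.
def pinned?(cert, pin)
  fingerprint(cert) == pin
end

# Stronger check 2: the signature must verify against a trusted anchor; the
# clone was signed with a different key, so it fails.
def trusted?(cert, anchor)
  store = OpenSSL::X509::Store.new
  store.add_cert(anchor)
  store.verify(cert)
end

# Which fields does the clone share with the original?
def compare(original, clone)
  { subject_equal:     original.subject.cmp(clone.subject).zero?,
    serial_equal:      original.serial == clone.serial,
    fingerprint_equal: fingerprint(original) == fingerprint(clone) }
end
```

Run `compare(self_signed(SUBJECT, 1), self_signed(SUBJECT, 2))` to see subject equal and serial/fingerprint different, which is exactly why a pin or trust-anchor check, not the CN, has to be the control.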
