8/6/2019 Project Report Commented
1/21
Abstract
In the present day, almost all organizations, businesses and many individuals have websites. With the
advent of e-commerce, most businesses have shifted their service transactions online. This involves
secure transmission of confidential information over the Internet. In general HTTPS (Hypertext
Transfer Protocol Secure), which is a combination of HTTP and SSL/TLS, is used for carrying out such
secured transactions and communications. But in reality, web services and HTTPS are vulnerable in
some ways. This project aims to provide some details of the complex HTTPS protocol and its
vulnerabilities using the MITM (man-in-the-middle) attack, and means to protect against it. In the
project we make use of freely available tools like Wireshark, dsniff, ssldump, DecaffeinatID, Packet
Builder and SSLstrip on different operating systems like Windows and Ubuntu. The scope for further
improvement could be to develop more secure protocols and better security measures.
1. Introduction
Since the widespread reach of the Internet, many businesses and organizations have thought of
reaching (extending their services to) their clients using the Internet as an important medium. In the
present day it is easy to configure and manage a website. The clients access the websites using
easy-to-use web browsers like Internet Explorer, Google Chrome and Firefox. But the mechanism and the
underlying software implementation are very complex. HTTPS, which is a client/server application, is
the protocol which has been used to provide secure communication for many years now. HTTPS
refers to the combination of the application layer HTTP and the transport layer SSL/TLS to implement
secure communication between the web browser and the web server.
SSL was first implemented by Netscape for their Netscape Navigator web browser in 1994. Since
there were many security flaws in the second version, SSL 3.0 was developed. Later the Internet
Engineering Task Force (IETF) standardized the TLS protocol (which is very similar to the SSL
protocol) to be used as the transport layer protocol with HTTP for secure communication.
Implementation of Hacking HTTPS
As Gmail uses HTTPS, in order to test the vulnerabilities of HTTPS we created a Gmail id. The
email-id has the following details, which are used for testing purposes:
Username: projecthttps
Password: siueece595
In order to decrypt the HTTPS messages using the man-in-the-middle attack we have to follow the
following steps.
METHOD I
1. ARP spoofing - Using the arpspoof command from the dsniff package, spoof the IP address of the
gateway router to be at the MAC address of the hacker's machine. This is done in order to obtain
all the messages from the target machine to the router.
Open a new terminal and use the command
sudo arpspoof -i <interface> -t <target-ip-address> <gateway-ip-address>
After running this command the hacker's machine will keep sending ARP replies to the target
machine telling it the gateway IP is at the hacker's MAC address. The target machine believes this,
updates its ARP cache and will then send its Internet traffic to the hacker's machine instead of
the gateway.
2. IP forwarding - This is done in order to put the hacker's machine in forwarding mode, i.e. to make
it act as a router. The received packets are forwarded to the gateway for further routing and the
target machine does not notice any difference.
Open a new terminal and use the command
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
(The form sudo echo 1 > /proc/sys/net/ipv4/ip_forward fails with "permission denied": the shell
opens the redirect target as the unprivileged user and only the echo runs as root, so the value is
written through tee instead.)
On executing this command the hacker's machine starts forwarding the IP packets to the gateway.
3. DNS spoof - This is part of the dsniff software package for Ubuntu. This command starts a DNS
server on the hacker's machine. The hacker's machine answers the DNS query for the requested
website with its own IP address and provides its own certificate for verification.
Open a new terminal and use the command
sudo dnsspoof -i <interface>
4. Webmitm - This is also part of the dsniff software package for Ubuntu. Web man-in-the-middle is a
program which generates imitation certificates. The software produces X.509 certificates. The
certificate produced is self-signed and is returned in response to the query of the target machine.
Some web browsers do not accept self-signed certificates, and that warning is the only way the
target machine can tell the website is being impersonated.
Open a new terminal and use the command
sudo webmitm
Now all the packets from the target machine to the gateway router pass through the hacker's
machine and are forwarded to the gateway. The summary of operations thus far is:
The hacker's machine sends ARP replies to the target machine, which updates its ARP cache and
sends all its Internet packets to the hacker's machine. The hacker's machine receives the requests to
connect to a website and replies with its own IP address and the self-generated certificate. The
original packets are forwarded to the HTTPS website as the hacker's machine is set to forwarding mode.
[Figure: traffic flow Target Machine -> Hacker's Machine -> Gateway -> Website]
In order to keep track of all of the communication and decrypt the data we have to record all the
packets for further analysis. This can be done using the packet sniffing software Wireshark and the
ssldump software.
5. Network sniffing - In order to sniff/capture the data being sent we use Wireshark, which is
network sniffing software. In a new terminal we open Wireshark with the command
sudo wireshark
A GUI pops up from which we have to select the required interface for monitoring. Wireshark then
starts capturing data.
6. On the target's machine, which is a Windows machine, now open Internet Explorer. In that
browser, go to gmail.com. We will see a security warning that the certificate is not genuine, but
as most users are unaware of what it means, press "Continue to this website".
7. When we reach the Gmail website login, log in to the website using the following details:
Username: projecthttps
Password: siueece595
Then press Sign in.
This will send the username and password to Gmail. The man-in-the-middle attack is not
perfect, so the login process will not complete and Internet Explorer will just hang. However, it
goes far enough to send the entered username and password to the hacker.
8. After Wireshark has captured a sufficient amount of data (the username and password), i.e. after
a considerable amount of time, it is halted by pressing the stop button and the dump file is saved
in the root directory using the filename feb18.
9. Decryption - We use the ssldump software in order to decrypt the SSL/TLS encrypted messages. The
input for this command is the saved Wireshark dump file and the webmitm certificate, and for the
output we have to specify the output filename.
In a new terminal type the command
sudo ssldump -r <filename> -k <keyfile> -d > <output-file-name>
where the filename here is the Wireshark saved file and the keyfile is the certificate which will be
used by ssldump to decrypt the messages. The -d option is to decrypt application data, which
contains the username and password and other details.
After execution of this command the hacker decrypts the HTTPS messages and writes them to an
output file. In order to obtain the required details like password and username we can search for
them using the pattern-matching grep command.
The usage of the command:
cat <outputfile> | grep -E 'Passwd|Email'
The grep command displays the lines containing the required expression on the standard output.
METHOD II
1. ARP spoofing - Using the arpspoof command from the dsniff package, spoof the IP address of the
gateway router to be at the MAC address of the hacker's machine. This is done in order to obtain
all the messages from the target machine to the router.
Open a new terminal and use the command
sudo arpspoof -i <interface> -t <target-ip-address> <gateway-ip-address>
2. IP forwarding - This is done in order to put the hacker's machine in forwarding mode. This turns
our Ubuntu machine into a router. The received packets are forwarded to the gateway for further
routing and the target machine does not notice any difference.
Open a new terminal and use the command
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
On executing this command the hacker's machine starts forwarding the IP packets.
3. Port rerouting - This command sets up iptables in Ubuntu to redirect HTTP traffic from port 80
to a desired port, in this case 8080, which will be listened on by sslstrip.
In a new terminal type the command
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
We are forwarding the packets from port 80 to port 8080 as the sslstrip software is going to
listen for traffic on port 8080.
4. SSLstrip - SSLstrip is the software which strips the SSL part of the communication between the
target machine and the hacker's machine and converts it into just normal HTTP. Not many users
take notice of the absence of https in the link address and of the padlock in their browsers.
In a new terminal, enter as superuser, enter the root folder and then enter the sslstrip-0.7
folder using the command
cd sslstrip-0.7
then enter the command
sudo python ./sslstrip.py -a -l 8080
where -a is to listen for all traffic and -l specifies the port number to listen on, in this case
port 8080.
This command executes a Python script written by Moxie Marlinspike which establishes an HTTP
connection between the target machine and the hacker's machine and, on the other side, establishes
an HTTPS connection between the hacker's machine and the web server. The web server will still
think it is in direct connection with the target machine.
The captured data is stored in the sslstrip.log file in the sslstrip-0.7 folder.
5. On the target's machine, open Internet Explorer. In that browser, go to gmail.com. If we observe
the link in the address bar we will see that the connection is no longer an HTTPS connection. Most
users do not realize it and fall into the trap. They just continue entering their usernames and
passwords.
6. When we reach the Gmail website login, log in to the website using the following details:
Username: projecthttps
Password: siueece595
Then press Sign in.
Here we are able to log in to the account, but in the HTTP version, which is visually almost the
same. We can observe the http link in the red circle.
7. Grep - In order to obtain the required details like password and username we can search for
them using the pattern-matching grep command.
The usage of the command:
cat sslstrip.log | grep -E 'Passwd|Email'
The grep command displays the lines containing the required expression on the standard output.
HTTPS Attack Protection Scheme
In order to safeguard confidential data which is being transmitted on the web we implemented four
simple defender techniques. The first technique uses static ARP tables; the second technique uses
freely available software for Windows called DecaffeinatID, which is similar to Arpwatch for Linux
systems. The third and fourth techniques scan for active NIC cards in promiscuous mode.
Using Static ARP
We can observe that in both the methods we used to hack the HTTPS communication we used ARP
spoofing. It is done to trick both the target machine and the gateway. The MITM attack is one of the
major threats in any network and has to be avoided. This can be avoided by using static ARP
tables. As most modern networks are switched networks it is enough to configure the switch.
But if it is not a switched network it has to be set on each machine on the network.
To statically set the ARP table on a Windows machine:
1. Run the command prompt as an administrator.
2. Type netsh -c "interface ipv4"
3. The prompt will change to netsh interface ipv4>.
4. Then type add neighbors "Local Area Connection" <IP-Address> <MAC-address>
In our case the IP address is 146.163.133.254 and the MAC address is 00-a0-c9-08-83-e1.
This can be verified using the command arp -a in another command prompt shell.
Once the ARP entries on the target machines are set to static they don't update their caches. So any
attempt to ARP spoof these machines will fail.
Using DecaffeinatID
DecaffeinatID is a simple program which keeps track of changes. It keeps monitoring the ARP
cache and if it finds any change in the ARP-to-IP mapping it notifies with a message. This software
can be set up on the target machine's side, where it notifies if there is any change in the ARP table.
When the MAC address of the router/gateway is changed, the following message pops up on the
screen.
This helps prevent spoofing and it will inform the administrator of which machine is trying to spoof.
The disadvantage of this is that it is sometimes unreliable: in the situation where a NIC card goes
faulty and is replaced but still uses the same IP address, it gives a warning.
For this software to work, install it and run it as an administrator. It keeps logs of the events in a
text file.
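The check that DecaffeinatID performs, and the static-entry condition that the netsh procedure above establishes, can both be expressed in a few lines. The following Python script is an added example written for this edit; it is not part of the original project and not DecaffeinatID's code. It parses the output of arp -a (Windows layout, also accepting colon-separated MACs), classifies the gateway entry against a trusted MAC recorded while the network was clean, and reports entries whose MAC changed between two snapshots. The three arp -a outputs are constructed samples; the gateway (146.163.133.254, 00-a0-c9-08-83-e1) and the hacker machine's MAC (00:1b:21:6e:18:c7) are the values the report uses.

```python
import re

# One ARP entry per line, as printed by "arp -a" on Windows (dash-separated MACs)
# or by "arp -n" on Linux (colon-separated MACs); the type column is the last word.
ARP_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\s+"
    r"(\w+)\s*$",
    re.MULTILINE,
)

# Constructed sample: the target machine's cache before the attack
ARP_BEFORE = """
Interface: 146.163.133.31 --- 0xb
  Internet Address      Physical Address      Type
  146.163.133.254       00-a0-c9-08-83-e1     dynamic
  146.163.133.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: the same cache after arpspoof has poisoned the gateway entry
ARP_AFTER = """
Interface: 146.163.133.31 --- 0xb
  Internet Address      Physical Address      Type
  146.163.133.254       00-1b-21-6e-18-c7     dynamic
  146.163.133.255       ff-ff-ff-ff-ff-ff     static
"""

# Constructed sample: after "netsh interface ipv4 add neighbors ..." made the entry static
ARP_STATIC = """
Interface: 146.163.133.31 --- 0xb
  Internet Address      Physical Address      Type
  146.163.133.254       00-a0-c9-08-83-e1     static
  146.163.133.255       ff-ff-ff-ff-ff-ff     static
"""

GATEWAY_IP = "146.163.133.254"
GATEWAY_MAC = "00-a0-c9-08-83-e1"   # recorded while the network was known to be clean


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: (mac, type)} for every entry line in arp -a output."""
    return {ip: (normalize_mac(mac), kind.lower()) for ip, mac, kind in ARP_ENTRY.findall(text)}


def check_gateway(table, gateway_ip, trusted_mac):
    """Classify the gateway entry: 'missing', 'changed' (the symptom of ARP spoofing),
    'dynamic' (correct MAC, but a forged reply can still overwrite it) or 'ok' (static and correct)."""
    entry = table.get(gateway_ip)
    if entry is None:
        return "missing"
    mac, kind = entry
    if mac != normalize_mac(trusted_mac):
        return "changed"
    if kind != "static":
        return "dynamic"
    return "ok"


def changed_entries(before, after):
    """IPs whose MAC differs between two snapshots: {ip: (old_mac, new_mac)}.
    This is the event DecaffeinatID reports when it notices the gateway moving."""
    return {
        ip: (before[ip][0], after[ip][0])
        for ip in before
        if ip in after and before[ip][0] != after[ip][0]
    }


if __name__ == "__main__":
    for label, text in (("before", ARP_BEFORE), ("after", ARP_AFTER), ("static", ARP_STATIC)):
        print(label, check_gateway(parse_arp_table(text), GATEWAY_IP, GATEWAY_MAC))
    print(changed_entries(parse_arp_table(ARP_BEFORE), parse_arp_table(ARP_AFTER)))
```

Run periodically against the live output of arp -a, the script reports "dynamic" on an unprotected machine (the state in which arpspoof succeeds), "changed" while the gateway entry points at the hacker machine's MAC, and "ok" once the netsh add neighbors command has pinned the entry. The faulty-NIC caveat above applies here too: a legitimately replaced gateway card also reads as "changed" until the trusted MAC is updated.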
Using ICMP (Echo) Request
Decrypting HTTPS is accomplished by running ARP spoof and capturing the data. Most of the data
capturing programs put the NIC card into promiscuous mode. Promiscuous mode is a special
reception mode where the network card ignores the destination MAC address and sends all packets
received to the kernel for processing. In this technique we try to detect the NIC cards which are in
active promiscuous mode by fooling the NIC card into responding to a packet which is not destined for
that particular NIC's MAC address. The technique is to send a packet to every IP address while
specially crafting the MAC address so that its value is certainly non-existent on the network.
We did this with the help of Packet Builder, which is a packet editing program.
1. Open the Colasoft Packet Builder software.
2. Press the Add button, for which an Add Packet window pops up.
3. In the Select Template menu select IP packet, then press OK.
4. In the Decode Editor window you will get an IP packet module.
5. In the Destination Address field enter 01:01:01:01:01:01 as the MAC address.
6. In the Source Address field enter your interface MAC address. In our case it is 00:23:5A:B4:F0:04.
7. In the Protocol field of the Internet Protocol section enter 1, which corresponds to an ICMP packet.
8. In the Source IP field enter your IP, in our case it is 146.163.133.31.
9. In the Destination IP field enter the hacker's IP, in our case it is 146.163.133.30.
10. In the Type field of the ICMP section enter 8. It makes the packet an ICMP Echo packet (ping).
11. Press the Adapter button and select the suitable interface on which the packet has to be sent.
12. Then turn on Wireshark and start the capturing mode on the same interface.
13. Then select the ICMP packet from the packet list and press Send repeatedly.
If the capturing software is not turned on on the hacker's machine we will not get any response
to the ping messages, as shown in the following figure.
14. Now turn on the packet sniffing software on the hacker's machine and repeat step 13. The
hacker's machine now responds to the ping packets as its NIC card has been set to promiscuous mode.
We can observe that, even though the packet is not addressed to the hacker machine's MAC id, which
is 00:1b:21:6e:18:c7, the NIC card forwards it to the operating system. The operating system
responds to the ping packet as it contains the correct IP address. For a general scan of the network,
this would need to be done for each possible IP in the network to detect machines running sniffing
software.
Using ARP Request
In this technique also we try to detect the NIC cards which are in active promiscuous mode by
fooling the NIC card into responding to a packet which is not destined for that particular NIC's MAC
address. Generally all ARP requests are broadcast with a destination address of FF-FF-FF-FF-FF-FF
so that all the machines on the network listen to it and pass it to the operating system, but
only the machine with the matching IP address responds to it. In order to detect the machine in
promiscuous mode we will generate an ARP request packet with a destination MAC address that is
not FF:FF:FF:FF:FF:FF but some random address which is certainly non-existent on the network.
If the machine is in promiscuous mode it ignores the destination address and processes it further.
We implemented this technique using Colasoft Packet Builder.
1. Open the Colasoft Packet Builder software.
2. Press the Add button, for which an Add Packet window pops up.
3. In the Select Template menu select ARP packet, then press OK.
4. In the Decode Editor window you will get an ARP packet module.
5. In the Destination Address field enter 01:01:01:01:01:01 as the MAC address.
6. In the Source Address field enter your interface MAC address. In our case it is 00:23:5A:B4:F0:04.
7. In the Source IP field of the ARP section enter your IP, in our case it is 146.163.133.31.
8. In the Destination IP field enter the hacker's IP, in our case it is 146.163.133.30.
9. The Type field in the ARP section should be 1 for ARP request.
10. Press the Adapter button and select the suitable interface on which the packet has to be sent.
11. Then turn on Wireshark on the target machine and start capturing packets on the same interface.
12. Then select the ARP packet from the packet list and press Send repeatedly.
If the capturing software is not turned on on the hacker's machine we will not get any response
to the ARP requests, as shown in the following figure.
13. Now turn on the packet sniffing software on the hacker's machine and repeat step 12. The
hacker's machine now responds to the ARP requests as its NIC card has been set to promiscuous
mode. Observe the packets captured in Wireshark. We can see that now we get ARP replies stating
that 146.163.133.30 is at machine 00:1B:21:6E:18:C7.
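Both promiscuous-mode probes above, the ICMP echo request and the ARP request sent to the non-existent MAC 01:01:01:01:01:01, can be assembled and reasoned about without Packet Builder. The Python below is an added example for this edit, not code from the project or from Colasoft: it builds the two probe frames byte by byte with the report's addresses, models the NIC's receive filter in normal versus promiscuous mode (which is exactly the difference the two techniques exploit), and decodes an ARP frame into the fields Wireshark displays. The MAC and IP values are the report's; the helper names and the simplified filter model are the example's own assumptions, and the ICMP payload is a constructed string.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
PROBE_MAC = "01:01:01:01:01:01"       # destination MAC used in the report; exists on no host

# Addresses from the report: the target machine sends the probe, the hacker machine is probed
TARGET_MAC, TARGET_IP = "00:23:5A:B4:F0:04", "146.163.133.31"
HACKER_MAC, HACKER_IP = "00:1b:21:6e:18:c7", "146.163.133.30"


def mac_bytes(mac):
    """'00-23-5A-B4-F0-04' or '00:23:5a:b4:f0:04' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def inet_checksum(data):
    """RFC 1071 ones'-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_header(dst_mac, src_mac, ethertype):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype)


def build_arp_probe(src_mac, src_ip, dst_ip, dst_mac=PROBE_MAC):
    """ARP request 'who has dst_ip' addressed to the bogus MAC instead of the broadcast address."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)   # Ethernet/IPv4, hlen 6, plen 4, opcode 1 = request
    arp += mac_bytes(src_mac) + socket.inet_aton(src_ip)     # sender hardware / protocol address
    arp += bytes(6) + socket.inet_aton(dst_ip)               # target MAC unknown (zeros), target IP
    return ethernet_header(dst_mac, src_mac, ETHERTYPE_ARP) + arp


def build_icmp_probe(src_mac, src_ip, dst_ip, dst_mac=PROBE_MAC, ident=0x1234, seq=1):
    """ICMP echo request (type 8) to dst_ip inside an IPv4 packet, again addressed to the bogus MAC."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"promisc-probe"   # constructed payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))    # protocol 1 = ICMP
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ethernet_header(dst_mac, src_mac, ETHERTYPE_IPV4) + ip + icmp


def nic_accepts(frame, nic_mac, promiscuous):
    """Simplified model of the receive filter. In normal mode a NIC passes only frames for its own
    MAC or the broadcast address (real hardware also passes subscribed multicast groups, which is
    why the probe MAC must be one nobody has joined); in promiscuous mode every frame reaches the OS."""
    if promiscuous:
        return True
    dst = mac_str(frame[:6])
    return dst in (mac_str(mac_bytes(nic_mac)), BROADCAST_MAC)


def parse_arp(frame):
    """Decode an Ethernet/ARP frame into the fields Wireshark displays, or None if it is not ARP."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    return {
        "opcode": struct.unpack("!H", arp[6:8])[0],          # 1 = request, 2 = reply
        "sender_mac": mac_str(arp[8:14]),
        "sender_ip": socket.inet_ntoa(arp[14:18]),
        "target_mac": mac_str(arp[18:24]),
        "target_ip": socket.inet_ntoa(arp[24:28]),
    }


if __name__ == "__main__":
    probe = build_arp_probe(TARGET_MAC, TARGET_IP, HACKER_IP)
    print(parse_arp(probe))
    for mode in (False, True):
        print("promiscuous" if mode else "normal", "->", nic_accepts(probe, HACKER_MAC, mode))
```

The frames returned by build_arp_probe and build_icmp_probe are the raw bytes that Packet Builder sends in steps 13 and 12 above; written to an AF_PACKET raw socket on Linux they behave the same way. nic_accepts shows why the technique works: with the hacker machine's NIC in normal mode the probe is dropped by the hardware filter and no reply appears in Wireshark, whereas in promiscuous mode the frame reaches the kernel, which answers because the IP address matches. parse_arp applied to a captured reply gives the "146.163.133.30 is at 00:1b:21:6e:18:c7" line the report observes.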