November 2nd, 2011, 12:37 PM
Hack SSL Certificates & CA's 0Day PoC
Ok, here's a little article you may or may not find interesting, lets talk about smashing SSL CA security. You've heard about it in the news of late, another CA provider getting hacked etc, but just how hard or easy is it?
How hard or easy is it to hack a root CA steal their certificate and use it for a Man in the Middle with SSLsniff?!
Well first we need to appreciate what an SSL Certificate is, it's just a re-generated certificate that you've bought from a signing authority who has then issued it back to you.
In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.
With me so far? Good... So lets apply some thinking here... How do we take someone else's Digital Identity Certificate and steal it and then forge a CSR or certification request so we can use it for our evil intent?!
Well I am going to introduce two tools we can download and use in firefox that will perform these actions, the first one is called the Key Manager For Firefox...
Described by its creator as;
KeyManager is a client side PKI tool for key generation, certificate enrollment, CRL signing, identity and authority delegation.
The next tool we are going to need for Firefox is called Cert Viewer Plus.
Described by it's creator as;
Certificate viewer enhancements: PEM format view, file export & trust configuration.
Once we've installed both of these tools, then we're just about ready to hack just about any Certificate Authority on Planet Earth.
So lets pick someone or a target to hack... someone paying for a premium Platinum SSL for example, who wont really mind if we come along and borrow there's for a demonstration.. I know let's borrow (steal) and export an SSL certificate from PAYPAL (I've never liked them!)
Click on View the PEM to see the whole Certificate Contents and Headers;
Certification path for "www.paypal.com"
Subject: OID.184.108.40.206.4.1.3220.127.116.11.3=US,OID.18.104.22.168.4.1.322.214.171.124.2=Delaware,OID.126.96.36.199=Private Organization,serialNumber=3014267,C=US,postalCode=95131-2021,ST=California,L=San Jose,OID.188.8.131.52=2211 N 1st St,O="PayPal, Inc.",OU=PayPal Production,CN=www.paypal.com
Validity: from 23/03/11 00:00:00 UTC to 01/04/13 23:59:59 UTC
Save it as x.509 certificate (PEM) in your My Documents folder... Next fire up the Key Manager.
Click on the Servers Tab and click import and in the browser window drop down the list to All Files and import the PEM you just saved.
Then click Ok and goto Cert Mgmt and click sign Cert as CA. Click CSR Source Cert Button and select the PAYPAL certificate you just loaded.
Click sign and use your own CA which you should have had the brains to setup before hand with a Generic CA profile (oops may have forgot to mention that bit) and your done.
You can now use the exported Cert in the issuer database or where-ever you stuck it to perform Man in the Middle attacks with SSLsniff on PAYPAL!
I may have forgotten to mention a few bits on purpose, like you have to right click view page info and then click the security tab to swipe certificates from site's your viewing with SSL.
There is also a proxy to and from option, but I am sure those of you with the brain can figure out how those bits would be advantageous.
Also if your interested in better security heres some tips;
1> use TCPCRYPT it's been available for quite a while now and addresses this very issue.
2> DO NOT share your SSL certificates with anyone.
Inventor of SSL to Moxie Marlinspike "oh yeah that whole authenticity thing, that was just a hand-wave!"
Last edited by snowshell; November 2nd, 2011 at 08:02 PM.
November 4th, 2011, 09:18 AM
The certificate may be valid the certificate chain is not.
Originally Posted by snowshell
Experience is something you don't get until just after you need it.
November 5th, 2011, 11:55 AM
And this stops you because? Firefox preferences, advanced tab validation, validate a certificate if it specifies on OCSP server.
If you own your own cyber-cafe getting everyone to use your invalid certificate or if they must proxy through you to get to paypal the validation chain is not a problem. It's perfectly valid if your the server handling the request.
The only thing that make's a SSL certificate you've crafted yourself different from one signed by a CA is that your using your own CA for the signing request.
So what stops you from calling yourself, GeoTrust or VeriSign?
An what stops you from authorizing the request via your own OCSP responder?
Of course they may realize later on that they've been had, when they try to access the genuine article elsewhere and get an OCSP Error.
It's a perfectly valid point but one that is mute if your doing a Man-in-the-Middle.
The request has to go through you first before it makes it to the intended target.
Lets have a little topology graph...
Customer(0) ----> Paypal(1) <---->CA_Cert(Request)
What we're attempting to do...
Customer(0) <----> Attacker(1) <----> Paypal(0) <----CA_Cert(Request)
To be perfectly honest all this jumping in the way to decrypt what they're sending to resend it on afterwards and then send the response back to them whilst lulling them into a false sense of security with the words Verified by ..whoever.. is just a long winded proof of concept that it's easier than people think, but in truth you could just install a key-logger in some scenarios and not waste time on the whole idea and that would be done with it.
A man-in-the-middle is kind of an extreme length to goto to obtain some obscure bit of information, I mean do I really give a sh** if someone opens and read's my mail? I can generate my own SSL Certificates and use them for mail signing and then for added extra security I can add PGP to the mix but in truth I do neither because, nearly everyone I know has no idea what PGP is and in truth nothing I ever send by e-Mail is that earth shattering anyway. If it was I would use word of mouth and a thing invented by Alexander Bell called a phone!
Look on the plus side, at least there's maybe now over a handful of people out there that have downloaded these tools and are now expressing an interest in how it would work, so when you've generated your own Generic CA Certificate with RSA @ 2048bit you can go exploring things like the security options in Thunderbird or Outlook Express where you have the option of using your Certificates to enhance your own security on your e-Mail and who knows maybe some of you might like the idea of added security on-top of your PGP/MIME or using them to enforce security on your own Web-Server without having to pay VeriSign or Comodo a small fortune every year to acquire those certificates.. Now @ least your learning how to make them for yourself!
Validity Period Price
1-year £259 excl. VAT
2-year £399 excl. VAT
Save over £115
3-year £525 excl. VAT
Thats VeriSigns price quota on up to 256-bit encryption.
So 4068-bit RSA with a minimum of 512 with an unlimited shelf-life must really make them ecstatic.
Last edited by snowshell; November 5th, 2011 at 01:48 PM.
CEREAL: "Yeah but oh man, wouldn't you just love to get one of those Gibsons, baby? Ooooh!"
November 8th, 2011, 09:03 AM
And this is why I don't use internet cafes. And if I do I make sure I tunnel everything over a SSH tunnel.
Experience is something you don't get until just after you need it.
December 7th, 2011, 02:56 PM
just tested from a Windows XP computer with SP2 installed and Internet Explorer (6). No problems, no complaints about the certificate.
If I were to guess, perhaps some software installation program has made unfortunate changes to the list of root CAs. If not, then perhaps your computer hasn't had certain Windows updates installed.
By Nokia in forum Network Security Discussions
Last Post: October 26th, 2006, 10:22 PM
By Tiger Shark in forum The Security Tutorials Forum
Last Post: May 29th, 2004, 05:55 PM
By Lone1337 in forum AntiOnline's General Chit Chat
Last Post: August 23rd, 2002, 05:16 PM
By zigar in forum AntiOnline's General Chit Chat
Last Post: February 22nd, 2002, 02:24 PM
By NUKEM6 in forum Non-Security Archives
Last Post: February 3rd, 2002, 11:28 PM