#1 snowshell (Junior Member, Join Date Oct 2011)
Hack SSL Certificates & CA's 0Day PoC

Ok, here's a little article you may or may not find interesting; let's talk about smashing SSL CA security. You've heard about it in the news of late, another CA provider getting hacked etc., but just how hard or easy is it?

How hard or easy is it to hack a root CA, steal their certificate and use it for a Man in the Middle with SSLsniff?!

Well, first we need to appreciate what an SSL Certificate is: it's just a re-generated certificate that you've bought from a signing authority who has then issued it back to you.

    In public key infrastructure (PKI) systems, a certificate signing request (also CSR or certification request) is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.

With me so far? Good... So let's apply some thinking here... How do we take someone else's Digital Identity Certificate and steal it and then forge a CSR or certification request so we can use it for our evil intent?!

Well, I am going to introduce two tools we can download and use in Firefox that will perform these actions; the first one is called the Key Manager For Firefox...

Described by its creator as:
KeyManager is a client side PKI tool for key generation, certificate enrollment, CRL signing, identity and authority delegation.


    The next tool we are going to need for Firefox is called Cert Viewer Plus.


Described by its creator as:
Certificate viewer enhancements: PEM format view, file export & trust configuration.

Once we've installed both of these tools, we're just about ready to hack just about any Certificate Authority on Planet Earth.

So let's pick someone or a target to hack... someone paying for a premium Platinum SSL, for example, who won't really mind if we come along and borrow theirs for a demonstration... I know, let's borrow (steal) and export an SSL certificate from PAYPAL (I've never liked them!)

Click on View the PEM to see the whole Certificate Contents and Headers:
    Certification path for "www.paypal.com"
    Subject: OID.,OID.,OID. Organization,serialNumber=3014267,C=US,postalCode=95131-2021,ST=California,L=San Jose,OID. N 1st St,O="PayPal, Inc.",OU=PayPal Production,CN=www.paypal.com
    Issuer: C=US,O="VeriSign, Inc.",OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL CA
    Validity: from 23/03/11 00:00:00 UTC to 01/04/13 23:59:59 UTC

Well, I've never agreed with VeriSign's Terms of Use either, so we'll have to get rid of those... Next we click on Export to export the certificate to a file.

    Save it as x.509 certificate (PEM) in your My Documents folder... Next fire up the Key Manager.

Click on the Servers tab and click Import, and in the browser window drop down the list to All Files and import the PEM you just saved.

Then click OK and go to Cert Mgmt and click Sign Cert as CA. Click the CSR Source Cert button and select the PAYPAL certificate you just loaded.

Click Sign and use your own CA, which you should have had the brains to set up beforehand with a Generic CA profile (oops, may have forgotten to mention that bit), and you're done.

You can now use the exported Cert in the issuer database or wherever you stuck it to perform Man in the Middle attacks with SSLsniff on PAYPAL!



I may have forgotten to mention a few bits on purpose, like you have to right click, View Page Info and then click the Security tab to swipe certificates from sites you're viewing with SSL.

There is also a proxy to and from option, but I am sure those of you with the brain can figure out how those bits would be advantageous.

Also, if you're interested in better security, here's some tips:
1> use TCPCRYPT; it's been available for quite a while now and addresses this very issue.
2> DO NOT share your SSL certificates with anyone.

Inventor of SSL to Moxie Marlinspike: "oh yeah that whole authenticity thing, that was just a hand-wave!"
    Last edited by snowshell; November 2nd, 2011 at 07:02 PM. Reason: Caveat
