
Abstract

In the present day, almost all organizations, businesses and many individuals have websites. With the advent of e-commerce, most businesses have shifted their service transactions online. This involves the secure transmission of confidential information over the Internet. In general HTTPS (Hyper Text Transfer Protocol Secure), which is a combination of HTTP and SSL/TLS, is used for carrying out such secured transactions and communications. But in reality, web services and HTTPS are vulnerable in some ways. This project aims to provide some details of the complex HTTPS protocol and its vulnerabilities using the MITM (Man in the Middle) attack, and means to protect against it. In the project we make use of freely available tools like Wireshark, dsniff, ssldump, DecaffeinatID, Packet Builder and SSLstrip on different operating systems like Windows and Ubuntu. The scope for further improvement could be to develop more secure protocols and better security measures.

1. Introduction
Since the widespread reach of the Internet, many businesses and organizations have thought of reaching their clients (extending their services) using the Internet as an important medium. In the present day it is easy to configure and manage a website. Clients access websites using easy-to-use web browsers like Internet Explorer, Google Chrome and Firefox. But the mechanism and the underlying software implementation are very complex. HTTPS, which is a client/server application protocol, has been used to provide secure communication for many years now. HTTPS refers to the combination of the application layer HTTP and the transport layer SSL/TLS to implement secure communication between the web browser and the web server. SSL was first implemented by Netscape for their Netscape Navigator web browser in 1994. Since there were many security flaws in the second version, SSL 3.0 was developed. Later the Internet Engineering Task Force (IETF) standardized the TLS protocol (which is very similar to the SSL protocol) to be used as the transport layer protocol with HTTP for secure communication.

Implementation of Hacking HTTPS


As Gmail uses HTTPS, in order to test the vulnerabilities of HTTPS we created a Gmail id. The email-id has the following details, which are used for testing purposes: Username: projecthttps, Password: siueece595. In order to decrypt the HTTPS messages using the man-in-the-middle attack we have to follow the following steps.

METHOD I

1. Arpspoofing - Using the arpspoof command from the dsniff package, spoof the IP address of the Gateway router to be at the MAC address of the hacker's machine. This is done in order to obtain all the messages from the target machine to the router. Open a new terminal and use the command: sudo arpspoof -i interface -t target-ip-address gateway-ip-address


After running this command the hacker's machine keeps sending ARP replies to the target machine telling it that the Gateway IP is at the hacker's MAC address. The target machine believes this, updates its ARP cache and will then send its Internet traffic to the hacker's machine instead of the Gateway.

2. IP Forwarding - This is done in order to put the hacker's machine in forwarding mode, i.e. to make it act as a router. The received packets are forwarded to the gateway for further routing and the target machine does not notice any difference. Open a new terminal and use the command (the redirection has to run as root, hence sh -c): sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'


On executing this command the hacker's machine starts forwarding the IP packets to the gateway.


3. DNSspoof - This is part of the dsniff software package for Ubuntu. This command starts a DNS server on the hacker's machine. The hacker's machine answers the DNS query for the requested website with its own IP address and provides its own certificate for verification. Open a new terminal and use the command: sudo dnsspoof -i interface

4. Webmitm - This is also part of the dsniff software package for Ubuntu. Web man-in-the-middle is software which generates imitated certificates. The software produces X.509 certificates. The certificate produced is self-signed and is sent in response to the query of the target machine. Some web browsers do not accept self-signed certificates, which is the only way the target machine can tell that the website is being impersonated. Open a new terminal and use the command: sudo webmitm


Now all the packets from the target machine to the gateway router pass through the hacker's machine and are forwarded to the gateway. The summary of operations thus far is: The hacker's machine sends ARP replies to the target machine, which updates its ARP cache and sends all its Internet packets to the hacker's machine. The hacker's machine receives the requests to connect to a website and replies with its own IP address and the self-generated certificate. The original packets are forwarded to the HTTPS website as the hacker machine is set to forwarding mode. [Figure: Target Machine - Hacker's Machine - Gateway - Website]

In order to keep track of all of the communication and decrypt the data we have to record all the packets for further analysis. This can be done using the packet sniffing software Wireshark together with ssldump.

5. Network sniffing - In order to sniff (capture) the data being sent we use Wireshark, which is network sniffing software. In a new terminal we open Wireshark with the command: sudo wireshark


A GUI pops up from which we have to select the required interface for monitoring. Wireshark then starts capturing data.

6. On the target's machine, which is a Windows machine, now open Internet Explorer. In that browser, go to gmail.com. We will see a security warning that the certificate is not genuine, but as most users are unaware of what it means, press "Continue to this website".
   


7. When we reach the Gmail website login, log in to the website using the following details: Username: projecthttps, Password: siueece595. Then press Sign in.
 

This will send the username and password to Gmail. The man-in-the-middle attack is not perfect, so the login process will not complete and Internet Explorer will just hang. However, it goes far enough to send the entered username and password to the hacker.

8. After Wireshark has captured a sufficient amount of data (the username and password), i.e., after a considerable amount of time, it is halted by pressing the stop button and the dump file is saved in the root directory using the filename feb18.

9. Decryption - We use the ssldump software in order to decrypt the SSL/TLS encrypted messages. The input for this command is the saved Wireshark dump file and the webmitm certificate, and for the output we have to specify the output filename. In a new terminal type the command: sudo ssldump -r filename -k keyfile -d > output-file-name

where the filename is the Wireshark saved file and the keyfile is the certificate which will be used by ssldump to decrypt the messages. The -d option is to decrypt application data, which contains the username, password and other details. After execution of this command the hacker has decrypted the HTTPS messages and written them to an output file. In order to obtain the required details like the password and username we can search for them using the pattern matching grep command. The usage of the command: cat outputfile | grep Passwd (or grep Email)

The grep command displays the lines containing the required expression on the standard output.

METHOD II

1. Arpspoofing - Using the arpspoof command from the dsniff package, spoof the IP address of the Gateway router to be at the MAC address of the hacker's machine. This is done in order to obtain all the messages from the target machine to the router. Open a new terminal and use the command: sudo arpspoof -i interface -t target-ip-address gateway-ip-address

2. IP Forwarding - This is done in order to put the hacker's machine in forwarding mode. This turns our Ubuntu machine into a router. The received packets are forwarded to the gateway for further routing and the target machine does not notice any difference. Open a new terminal and use the command (the redirection has to run as root, hence sh -c): sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

On executing this command the hacker's machine starts forwarding the IP packets.

3. Port Rerouting - This command sets up iptables in Ubuntu to redirect HTTP traffic from port 80 to a desired port, in this case 8080, which will be listened on by sslstrip. In a new terminal type the command: iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080

We are forwarding the packets from port 80 to port 8080 as the sslstrip software is going to listen for traffic on port 8080.

4. SSLstrip - SSLstrip is software which strips the SSL part of the communication between the target machine and the hacker machine and converts it into plain HTTP. Not many users take notice of the absence of https in the link address and of the padlock in their browsers. In a new terminal, become super user, go to the root folder and then into the sslstrip-0.7 folder using the command: cd sslstrip-0.7

then enter the command: sudo python ./sslstrip.py -a -l 8080, where -a is to listen for all traffic and -l specifies the port number to listen on, in this case port 8080.

This command executes a Python script written by Moxie Marlinspike which establishes an HTTP connection between the target machine and the hacker machine and, on the other side, establishes an HTTPS connection between the hacker machine and the web server. The web server will still think it is in direct connection with the target machine. The captured and encrypted data is stored in the sslstrip.log file in the sslstrip-0.7 folder.

5. On the target's machine, open Internet Explorer. In that browser, go to gmail.com. If we observe the link in the address bar we will see that the connection is no longer an HTTPS connection. Most users do not realize it and fall into the trap. They just continue entering their usernames and passwords.

6. When we reach the Gmail website login, log in to the website using the following details: Username: projecthttps, Password: siueece595. Then press Sign in.


Here we are able to log in to the account, but in the HTTP version, which is visually almost the same. We can observe the HTTP link in the red circle in the figure.

7. Grep - In order to obtain the required details like the password and username we can search for them using the pattern matching grep command. The usage of the command: cat sslstrip.log | grep Passwd (or grep Email)

The grep command displays the lines containing the required expression on the standard output.

HTTPS Attack Protection Scheme


In order to safeguard confidential data which is being transmitted on the web we implemented four simple defender techniques. The first technique uses static ARP tables; the second technique uses freely available software for Windows called DecaffeinatID, which is similar to Arpwatch for Linux systems. The third and fourth techniques scan for active NIC cards in promiscuous mode.

Using Static ARP

We can observe that in both the methods we used to hack the HTTPS communication, we used ARP spoofing. It is done to trick both the target machine and the Gateway. A MITM attack is one of the major threats in any network and has to be avoided. This can be avoided by using static ARP tables. As most modern networks are switched networks it is enough to configure the switch. But if it is not a switched network it has to be set on each machine on the network. To statically set the ARP table on a Windows machine:

1. Run the command prompt as an administrator.
2. Type netsh interface ipv4
3. The prompt will change to netsh interface ipv4.
4. Then type add neighbors "Local Area Connection" IP-Address MAC-Address

In our case the IP address is 146.163.133.254 and the MAC address is 00-a0-c9-08-83-e1.

This can be verified using the command arp -a in another command prompt shell.

Once the ARP entries on the target machines are set to static they do not update their caches, so any attempt to ARP spoof these machines will fail.

Using DecaffeinatID

DecaffeinatID is simple software which keeps track of changes. It keeps monitoring the ARP cache and if it finds any change in the ARP-to-IP mapping it displays a notification message. This software can be set up on the target machine's side, where it notifies if there is any change in the ARP table. When the MAC address of the router/Gateway is changed, the message shown in the figure pops up on the screen.

This helps prevent spoofing and it will inform the administrator which machine is trying to spoof.
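The static-ARP setup and DecaffeinatID's watch can both be checked with a short script. The following Python code is an added example, not part of the original report or of DecaffeinatID: it parses Windows arp -a output, verifies that the gateway entry is static and carries the expected MAC (the report's 146.163.133.254 at 00-a0-c9-08-83-e1), and reports any IP whose MAC changed between two snapshots of the cache. The snapshots are constructed inline; on a live host they would come from running arp -a.

```python
import re

# One data row of Windows "arp -a" output: IP address, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Parse 'arp -a' output into {ip: (mac, type)}; MACs are lower-cased."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def check_gateway(table, gateway_ip, expected_mac):
    """Static-ARP check: the gateway entry must exist, be static, and carry the known MAC."""
    entry = table.get(gateway_ip)
    if entry is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    mac, kind = entry
    alerts = []
    if kind != "static":
        alerts.append(f"gateway {gateway_ip} entry is {kind}, not static")
    if mac != expected_mac.lower():
        alerts.append(f"gateway {gateway_ip} is at {mac}, expected {expected_mac.lower()}")
    return alerts

def diff_tables(old, new):
    """DecaffeinatID-style watch: report every IP whose MAC changed between two snapshots."""
    return [f"{ip} moved from {old[ip][0]} to {mac}"
            for ip, (mac, _) in new.items() if ip in old and old[ip][0] != mac]

# Constructed snapshots using the report's addresses: the gateway 146.163.133.254 is at
# 00-a0-c9-08-83-e1; in the second snapshot it has moved to the attacker's 00-1b-21-6e-18-c7.
BEFORE = """Interface: 146.163.133.31 --- 0xb
  Internet Address      Physical Address      Type
  146.163.133.254       00-a0-c9-08-83-e1     dynamic
  146.163.133.30        00-1b-21-6e-18-c7     dynamic
"""
AFTER = BEFORE.replace("00-a0-c9-08-83-e1", "00-1b-21-6e-18-c7")
# After the netsh 'add neighbors' step the gateway row (first data row) reads 'static'.
HARDENED = BEFORE.replace("dynamic", "static", 1)

if __name__ == "__main__":
    # On a live Windows host replace BEFORE/AFTER with subprocess.run(["arp", "-a"], ...) output.
    for msg in check_gateway(parse_arp_table(BEFORE), "146.163.133.254", "00-a0-c9-08-83-e1"):
        print("static-ARP check:", msg)
    for msg in diff_tables(parse_arp_table(BEFORE), parse_arp_table(AFTER)):
        print("ARP change:", msg)
```

Run diff_tables on consecutive snapshots taken every few seconds to get the same behaviour as DecaffeinatID's notification; note that in AFTER both IPs resolve to the same MAC, which is what a spoofed cache looks like.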

The disadvantage of this is that it is sometimes unreliable, and in the situation where a NIC card goes faulty and is replaced but still uses the same IP address it gives a warning. For this software to work, install it and run it as an administrator. It keeps logs of the events in a text file.

Using ICMP (Echo) Request

Decrypting HTTPS is accomplished by running ARP spoofing and capturing the data. Most data capturing software puts the NIC card into promiscuous mode. Promiscuous mode is a special reception mode where the network card ignores the destination MAC address and sends all packets received to the kernel for processing. In this technique we try to detect the NIC cards which are in active promiscuous mode by fooling the NIC card into responding to a packet which is not destined for that particular NIC's MAC address. The technique is to send a packet to every IP address while specially crafting the MAC address so that its value is certainly non-existent on the network. We did this with the help of Packet Builder, which is packet editing software.

1. Open the Colasoft Packet Builder software.
2. Press the Add button, for which an Add Packet window pops up.
3. In the Select Template menu select IP packet, then press OK.
4. In the Decode Editor window you will get an IP packet module.
5. In the Destination Address field enter 01:01:01:01:01:01 as the MAC address.
6. In the Source Address field enter your interface's MAC address. In our case it is 00:23:5A:B4:F0:04.
7. In the Protocol field of the Internet Protocol section enter 1, which corresponds to an ICMP packet.
8. In the Source IP field enter your IP; in our case it is 146.163.133.31.
9. In the Destination IP field enter the hacker's IP; in our case it is 146.163.133.30.
10. In the Type field of the ICMP section enter 8. This makes the packet an ICMP Echo packet (ping).

11. Press the Adapter button and select the suitable interface on which the packet has to be sent.
12. Then turn on Wireshark and start capturing on the same interface.
13. Then select the ICMP packet from the packet list and press Send repeatedly. If the capturing software is not turned on on the hacker's machine we will not get any response to the ping messages, as shown in the following figure.

14. Now turn on the packet sniffing software on the hacker's machine and repeat step 13. The hacker's machine now responds to the ping packets as its NIC card has been set to promiscuous mode.

We can observe that, even though the packet is not addressed to the hacker machine's MAC id, which is 00:1b:21:6e:18:c7, the NIC card forwards it to the operating system. The operating system responds to the ping packet as it contains the correct IP address. For a general scan of the network, this would need to be done for each possible IP in the network to detect machines running sniffing software.

Using ARP Request

In this technique also we try to detect the NIC cards which are in active promiscuous mode by fooling the NIC card into responding to a packet which is not destined for that particular NIC's MAC address. Generally all ARP requests are broadcast with a destination address of FF-FF-FF-FF-FF-FF so that all the machines on the network listen to it and pass it to the operating system, but only the machine with the matching IP address responds to it. In order to detect the machine in promiscuous mode we generate an ARP request packet with a destination MAC address which is not FF:FF:FF:FF:FF:FF but some random address which is certainly non-existent on the network. If the machine is in promiscuous mode it ignores the destination address and processes the packet further. We implemented this technique using Colasoft Packet Builder.

1. Open the Colasoft Packet Builder software.
2. Press the Add button, for which an Add Packet window pops up.

3. In the Select Template menu select ARP packet, then press OK.
4. In the Decode Editor window you will get an ARP packet module.
5. In the Destination Address field enter 01:01:01:01:01:01 as the MAC address.
6. In the Source Address field enter your interface's MAC address. In our case it is 00:23:5A:B4:F0:04.
7. In the Source IP field of the ARP section enter your IP; in our case it is 146.163.133.31.
8. In the Destination IP field enter the hacker's IP; in our case it is 146.163.133.30.
9. The Type field in the ARP section should be 1 for an ARP request.

10. Press the Adapter button and select the suitable interface on which the packet has to be sent.
11. Then turn on Wireshark on the target machine and start capturing packets on the same interface.
12. Then select the ARP packet from the packet list and press Send repeatedly. If the capturing software is not turned on on the hacker's machine we will not get any response to the ARP requests, as shown in the following figure.

13. Now turn on the packet sniffing software on the hacker's machine and repeat step 12. The hacker's machine now responds to the ARP requests as its NIC card has been set to promiscuous mode. Observe the packets captured in Wireshark. We can see that now we get ARP replies stating that 146.163.133.30 is at 00:1B:21:6E:18:C7.
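The ICMP-echo and ARP-request checks above rest on the same idea: a frame whose Ethernet destination belongs to no card on the segment is only answered by a host whose NIC is in promiscuous mode. The following Python script is an added example, not part of the original report or of Colasoft's software: it builds the ARP variant of that probe (the report's 01:01:01:01:01:01 destination, opcode 1) and, from a list of captured frames, lists the hosts that replied to it. The capture is constructed inline, so the script runs offline; a real scan would send the frame on the wire and feed the captured replies in.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# The report's probe destination: no NIC owns this MAC, so only a card in
# promiscuous mode passes a frame addressed to it up to the operating system.
PROBE_DST_MAC = "01:01:01:01:01:01"

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_probe(src_mac, src_ip, target_ip, dst_mac=PROBE_DST_MAC):
    """Ethernet + ARP request (42 bytes) whose Ethernet destination is not broadcast."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # Ethernet/IPv4, opcode 1
    arp += mac_to_bytes(src_mac) + socket.inet_aton(src_ip)    # sender MAC and IP
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)           # target MAC unknown, target IP
    return eth + arp

def parse_arp(frame):
    """Decode the ARP fields this check needs; None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {"oper": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_ip": socket.inet_ntoa(frame[38:42])}

def promiscuous_hosts(captured_frames, probed_ips, probe_src_ip):
    """IPs that answered the non-broadcast probe, mapped to the MAC they answered from."""
    found = {}
    for frame in captured_frames:
        arp = parse_arp(frame)
        if (arp and arp["oper"] == ARP_REPLY and arp["sender_ip"] in probed_ips
                and arp["target_ip"] == probe_src_ip):
            found[arp["sender_ip"]] = arp["sender_mac"]
    return found

# Constructed capture: the reply the report observed ("146.163.133.30 is at 00:1b:21:6e:18:c7")
# plus an ordinary broadcast request from the gateway, which must not count as a hit.
SAMPLE_REPLY = bytes.fromhex(
    "00235ab4f004" "001b216e18c7" "0806"   # Ethernet: dst (our MAC), src, type ARP
    "0001" "0800" "06" "04" "0002"         # ARP header, opcode 2 = reply
    "001b216e18c7" "92a3851e"              # sender MAC / IP 146.163.133.30
    "00235ab4f004" "92a3851f")             # target MAC / IP 146.163.133.31
OTHER_REQUEST = build_arp_probe("00:a0:c9:08:83:e1", "146.163.133.254", "146.163.133.31", "ff:ff:ff:ff:ff:ff")

if __name__ == "__main__":
    probe = build_arp_probe("00:23:5A:B4:F0:04", "146.163.133.31", "146.163.133.30")
    print(f"probe frame ({len(probe)} bytes): {probe.hex()}")
    print("promiscuous:", promiscuous_hosts([SAMPLE_REPLY, OTHER_REQUEST], {"146.163.133.30"}, "146.163.133.31"))
```

To put the probe on the wire, paste probe.hex() into a packet builder such as Colasoft's or write the bytes to a raw AF_PACKET socket on Linux (root required), then pass the frames Wireshark captured to promiscuous_hosts(); a host that never answers the broadcast request it does not own is not flagged.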
