4

So, lately I've been really into penetration testing and learning the nitty-gritty of tech. I'm doing courses on computer architecture, cryptography, surveillance law, and computer networks. I never realized how much I love this stuff.

So, I have an unused computer at home that I set up to play with. Right now I'm trying to sniff passwords over the network with SSLsplit and arp-spoofing. Of course, with HSTS, this becomes a little harder.

Apparently, if you can manipulate the NTP server on a target, you could then pass the max-age set by HSTS, thereby making the client connect without SSL again before HSTS sets a new one.

My question is, how do I do this? I've seen tools like delorean, but for whatever reason no matter what I type in, delorean always just displays its help screen...

TL;DR: How can you perform an attack on the NTP server of a computer during a man-in-the-middle attack to move the time forward on the machine?

Michaelslec
  • 159
  • 3
  • Might help: https://stackoverflow.com/questions/249318/is-it-relatively-easy-to-hack-network-time-protocolntp – ρss Jun 07 '15 at 13:29

1 Answer

3

I am certainly no expert on NTP, so I can't give you a full answer, but:

delorean expects you to specify an interface via its IP address, as opposed to the name that is displayed in ifconfig. This was what kept me busy for a couple of hours when I tried the tool ;) Maybe you are having the same issue?

zinfandel
  • 1,233
  • 8
  • 10
  • Actually yes! But now I'm confused on how to use the tool in general... Do I perform a man-in-the-middle, then run delorean listening to the port I have the traffic coming through? – Michaelslec Jun 07 '15 at 23:15
  • So, I tried my own ip and now the delorean banner is showing, but I don't know where to go from there. It's just stuck showing the banner and nothing else happens. I have arpspoof running, ip forwards from port 80 to 8080, and I have tried listening to both ports 80 and 8080 with the delorean tool. Am I missing something? – Michaelslec Jun 08 '15 at 07:32
  • delorean needs to listen on the NTP port, not an HTTP port. After all, it does not modify the HSTS headers that are sent to the victim, it tries to change the victim's system time so these headers look like they have already expired. The default NTP port is 123, which is also the default that is coded into delorean. I suggest you first run a packet sniffer like tshark or tcpdump, filter with an expression like "udp port 123" and check whether you are actually seeing NTP messages from your victim with the setup you have. – zinfandel Jun 08 '15 at 11:44
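The last comment above suggests sniffing udp port 123 to see what NTP traffic the client actually receives. As an added example that is not part of this thread and not from the delorean project, here is a small Python parser for the fixed 48-byte NTP header together with the standard four-timestamp offset computation, used from the defender's side: it flags a server reply that would step the local clock by more than a configurable threshold (the 1000 s default mirrors ntpd's panic threshold, which ntpd refuses to cross unless started with `-g`). The two sample packets are constructed inline; the function names, the stratum/reference-id values and the timestamps are my own choices.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800            # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
NTP_HEADER = "!BBBb11I"                  # 48-byte NTPv4 header without extension fields
NTP_HEADER_LEN = struct.calcsize(NTP_HEADER)  # 48


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def parse_ntp(packet):
    """Parse the fixed NTP header of a UDP/123 payload into the fields a monitor cares about."""
    if len(packet) < NTP_HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    f = struct.unpack(NTP_HEADER, packet[:NTP_HEADER_LEN])
    return {
        "leap": f[0] >> 6,
        "version": (f[0] >> 3) & 0x7,
        "mode": f[0] & 0x7,                    # 3 = client request, 4 = server reply
        "stratum": f[1],
        "origin": ntp_to_unix(f[9], f[10]),    # T1: when the client sent its request
        "receive": ntp_to_unix(f[11], f[12]),  # T2: when the server received it
        "transmit": ntp_to_unix(f[13], f[14]), # T3: when the server sent the reply
    }


def clock_offset(reply, arrival_unix):
    """Standard NTP clock offset ((T2 - T1) + (T3 - T4)) / 2, with T4 the local arrival time."""
    p = parse_ntp(reply)
    if p["mode"] != 4:
        raise ValueError("not a server reply (mode %d)" % p["mode"])
    return ((p["receive"] - p["origin"]) + (p["transmit"] - arrival_unix)) / 2


def is_suspicious_step(reply, arrival_unix, max_step=1000.0):
    """True if applying this reply would step the local clock by more than max_step seconds.

    A legitimate server on a healthy network produces offsets of milliseconds; a reply that
    asks for a jump of hours or days is what a time-shifting MITM looks like on the wire.
    """
    return abs(clock_offset(reply, arrival_unix)) > max_step


def _unix_to_ntp_seconds(unix_seconds):
    return unix_seconds + NTP_EPOCH_OFFSET


# Constructed sample 1 (not captured traffic): a plausible stratum-2 reply, LI=0, VN=4, mode=4.
# The client asked at T1 = 1433700010; the server stamps T2 = T3 = 1433700000.5, i.e. it
# believes the client's clock is roughly 10 s fast. 0x47505300 is the reference id "GPS".
_T1 = _unix_to_ntp_seconds(1433700010)
_T2 = _unix_to_ntp_seconds(1433700000)
SAMPLE_HONEST = struct.pack(NTP_HEADER, 0x24, 2, 6, -20, 0, 0, 0x47505300,
                            0, 0, _T1, 0, _T2, 0x80000000, _T2, 0x80000000)

# Constructed sample 2: the same exchange, but the reply claims a time 400 days in the future,
# which is the kind of jump that would push a stored HSTS max-age past its expiry.
_T_FUTURE = _unix_to_ntp_seconds(1433700010 + 400 * 86400)
SAMPLE_SPOOFED = struct.pack(NTP_HEADER, 0x24, 2, 6, -20, 0, 0, 0x47505300,
                             0, 0, _T1, 0, _T_FUTURE, 0, _T_FUTURE, 0)

if __name__ == "__main__":
    arrival = 1433700010.0   # T4 for both samples: the reply arrives right after the request
    for name, pkt in (("honest", SAMPLE_HONEST), ("spoofed", SAMPLE_SPOOFED)):
        off = clock_offset(pkt, arrival)
        print("%-8s offset=%+.3f s  suspicious=%s" % (name, off, is_suspicious_step(pkt, arrival)))
```

The offset formula is the one NTP clients use, so the same function works on real replies pulled out of a capture (tshark's `udp port 123` filter from the comment above, with the packet's capture time as T4). Flagging a large step is a detection; the mitigation the thread is really about is not trusting unauthenticated time over a hostile network at all, which is what step limits in ntpd/chrony and authenticated time (NTS) address.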