
I'm trying to research and patch a TLS renegotiation exploit which makes a website vulnerable to Man-in-the-Middle attacks. However, I don't understand how the attack occurs exactly and feel like a simple working example would help.

How does an attacker append data to a client's request? Why doesn't the server receive it as two requests? Do both the attacker and victim need to be on the same network for this to occur?

Can someone provide a bare-minimum working example that demonstrates a Man-in-the-Middle exploit? Wget, curl, scripts, whatever.

Thanks for your help.

Socrates

2 Answers

A Man in the Middle attack is just what it sounds like. A third party sits between the sender and receiver and manipulates the data before passing it on. For example, if Server A is sending a packet to Server B, the MitM client will receive the packet first, and using some clever filtering tools, will modify specific data within the packet, and then pass it on to Server B.

For example, as a prank for April Fools one day, we made rules to look for our co-worker's name, "John Doe", or "John" or "Doe", and we replaced it with "Rick Astley", "Rick", and "Astley". We then found the URL for his Facebook profile picture and wrote a rule that said when a packet appears with THIS address, replace it with THIS, which was the URL for a picture of Rick Astley. Every time he logged in to Facebook, it would display the Rick Astley picture instead of his and replace his name with Rick Astley's name. The only way we could do this was on our Gateway, because our Gateway can see everyone's Internet traffic (it won't work on a switched network without some trickery, like ARP poisoning).

At any rate, a really easy tool to use is called Ettercap. Just google for Ettercap tutorials and you can find some easy-to-do examples.

Safado
  • I know what a man-in-the-middle attack is at a higher level, as I think most IT professionals and programmers do. It's the lack of working examples or demos to get a better low-level understanding that I find surprising. Thanks for the lead on Ettercap. – Socrates Jun 21 '11 at 20:15
  • +1. Ettercap makes this so easy to do it borders on trivial. –  Jun 21 '11 at 21:24

Since you specified TLS renegotiation, I assume you are referring to CVE-2009-3555. Proof of Concept code was published by RedTeam Pentesting and is available from their site: http://www.redteam-pentesting.de/en/publications/tls-renegotiation/-tls-renegotiation-vulnerability-proof-of-concept-code

Additionally, there are YouTube videos demonstrating its use.

micah
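The fix for CVE-2009-3555 is RFC 5746 secure renegotiation, which a patched server advertises with the `renegotiation_info` extension (type 0xFF01) in its ServerHello. The following added example (not code from the answer above or from RedTeam Pentesting) parses a TLS 1.2 ServerHello and reports whether that extension is present, so a defender can audit a server from a captured handshake; the ServerHello bytes are constructed inline for offline testing.

```python
import struct

# RFC 5746 "renegotiation_info" extension type; its presence in the ServerHello
# is how a patched server signals that it implements secure renegotiation.
RENEGOTIATION_INFO = 0xFF01


def build_server_hello(extensions, session_id=b""):
    """Constructed TLS 1.2 ServerHello handshake message (random is all zeros)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += b"\xc0\x2f" + b"\x00"  # cipher suite, null compression method
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    if extensions:  # a legacy (pre-RFC 5746) server may omit the block entirely
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x02" + len(body).to_bytes(3, "big") + body


def parse_server_hello_extensions(msg):
    """Return {extension_type: data} from a ServerHello, raising on malformed input."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # protocol version + server random
    sid_len = body[pos]
    pos += 1 + sid_len                # session_id
    pos += 2 + 1                      # cipher suite + compression method
    exts = {}
    if pos == len(body):              # no extensions block at all
        return exts
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length does not match message length")
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts


def supports_secure_renegotiation(msg):
    """True when the server advertised renegotiation_info (RFC 5746)."""
    return RENEGOTIATION_INFO in parse_server_hello_extensions(msg)
```

On an initial handshake a patched server sends `renegotiation_info` with a single zero byte (an empty `renegotiated_connection`); its absence means the server should be treated as vulnerable to prefix injection across renegotiation.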