Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

SSL certificate impersonation… for shits and giggles!

Cultural Note: Shits and giggles == englishize(for the lulz) –> Urban Dictionary Ref.

How often as penetration testers do we see SSL protected services using self signed certificates… If you’re anything like the average penetration tester, it’s probably daily. We’ve all been through the song and dance of documenting it, saying it’s bad and that it might have security consequences. I’m sure we’ve all heard every excuse under the sun as well when it comes to why it can’t be fixed. Costs too much, no internal PKI, takes too much time, and some of my favourites… “It’s just a test system”, “nobody except us uses this and we know what cert it has” and the all time classic, “it’s only internal”!

I’m not sure about you, but I don’t have the fingerprints for all the self signed certs I’ve seen in my head… and the over use of them has conditioned many of us to just click YES when prompted. Although this has become a little harder in recent times with new browsers making you click-through more than one menu, it’s still easier than getting up, walking over to an admin and saying “whats up here”. Certs, even self signed ones, expire and are replaced… which leads us to the inevitable result that users, and to some lesser extent administrators, will click-through almost anything as long as the Common Name and Issuer data looks remotely correct.

As part of my SAP Management Console research I began looking at the possibility to automatically create a self signed certificate that impersonates the certificate on a remote system as closely as possible. Not just the same CN, but everything from CN through to Issuer, Extensions… everything. With that in mind I flexed my awesome Ruby skills (note: I have no Ruby skills that I’m aware of) and created a simple Metasploit module that connects to a remote target, reads the SSL certificate and, using all the relevant data from the remote cert, creates a local self signed certificate and private key. Obviously there are some differences as I can’t match the signature (if I could that would be a big problem right ;), but to the general user, things look almost identical.

Putting your “normal user” or even “overworked sysadmin” hat on for a moment, take a look at the below side-by-side comparison.

         Original Certificate       |    Impersonated Certificate

I’m not sure about you, but I know a few people who’d just click that away without a second thought. Even more people if self signed certs are a standard in your company.

Creating an Impersonated SSL certificate the hard way

Go to the site you want to create the impersonation certificate for, export the publicly accessible information, recreate by hand using OpenSSL… good luck with all the fine details… can you set all the options you want??? Scratch your head…. profit (later)

Creating an impersonated SSL certificate the Metasploit way

msf > use auxiliary/gather/impersonate_ssl
msf  auxiliary(impersonate_ssl) > set RHOST www.metasploit.com
RHOST => www.metasploit.com
msf  auxiliary(impersonate_ssl) > run
[*] Connecting to www.metasploit.com:443
[*] Copying certificate /O=metasploit.com/OU=Domain Control Validated/CN=metasploit.com from www.metasploit.com:443
[*] Beginning export of certificate files
[+] Created required files from remote server www.metasploit.com:443
[+] Files stored in ~/.msf3/loot (.key|.crt|.pem)
[*] Auxiliary module execution completed

That’s it… you now have all the files you need (key|crt|pem) in ~/.msf4/loot ready to be used in any other Metasploit module (using ‘set SSLCert’), Apache or whatever your heart desires. Go on, go wild!

Note: The module tries it’s best to match the original certificate 100%, which includes using the same key length and hashing algorithm (MD5, SHA-1, etc…). It also tries to match the serial of the cert as closely as possible (some difference is required to stop certain browsers from displaying an error when it sees a certificate with the same issuer/serial combination using a different signature –> example). You’ll notice in the above screenshots that the serial on both certificates is 00… this threw an error on my Firefox when accessing the real site, followed by the site with the impersonated SSL… hence the fixed version 😉

Even amongst the companies that have an internal CA this kind of impersonation is going to get past most people… for those special cautious people (i.e the security people) I’ve built-in an EXPIRATION option where you can set a date (or specify a shortcut such as ‘now’ or ‘yesterday’) when the impersonated SSL certificate you create will expire. This will also set the logical start date of the certificate to a year before expiration to look logical to people checking the details closely. Using this feature you can add an extra level of depth to social engineering attempts… How many times have you seen internal (or even external) SSL certs expire before people remember to renew them? People that are looking for deception and trickery need something, anything, to prove to them that it isn’t an attack… so lets give it to them. I give you the “Oops our cert expired yesterday” attack 

I don’t claim this to be new, and I’m sure there are thousands of smart enlightened testers out there right now doing this kind of thing on a daily basis… It’s not perfect, but face it, if it was I wouldn’t be blogging about it! I’d be sitting on a beach somewhere with a Mojito and a check from ZDI in my pocket 😉 Still I hope this module will help the layman demonstrate that self signed certs, even within your companies internal network, are an easy target with a little thought, an explainable scenario and a little Ruby!

The impersonate_ssl.rb script isn’t currently in the Metasploit repository, but can be downloaded from my Google Code SVN

Note: The above Metasploit output is based on my interpretation of where impersonate_ssl.rb will be placed (auxiliary/gather)… if it makes it into the Metasploit trunk, it may be located elsewhere –> Metasploit feature #5398

7 responses to “SSL certificate impersonation… for shits and giggles!

  1. Greg September 4, 2011 at 15:27

    Very nice! Will come in handy to prove a point or two.
    fyi: I just tried this and got the following:

    [*] Connecting to http://www.google.com:443
    [*] Copying certificate /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com from http://www.google.com:443
    [-] Auxiliary failed: NoMethodError undefined method `[]’ for nil:NilClass
    [-] Call stack:
    [-] (eval):56:in `run’
    [*] Auxiliary module execution completed

  2. ChrisJohnRiley September 4, 2011 at 16:52

    Interesting, just ran it against the same target here and no problems.

    I’m uploading a new version that has a couple of error catches on the keylength and hashtype just incase… you can grab it at the SVN –> http://chrisjohnriley-metasploit-modules.googlecode.com/svn/trunk/modules/auxiliary/gather/

  3. Greg September 4, 2011 at 17:03

    Perfect. New version works like a champ!
    -Thanks

  4. ChrisJohnRiley September 4, 2011 at 17:19

    Interesting…. can you turn on VERBOSE and tell me if the hashtype (sha1|md5|etc…) and keylength (prob 1024) match between the original and new cert?

    The code that was triggering the error was because it couldn’t find the keylength / hashtype

    Also, what google region are you in so I can troubleshoot better? Google.co.uk etc….

  5. Greg September 4, 2011 at 18:02

    I am in Austin Tx. Simply went to http://www.google.com and I also tried http://www.metasploit.com with same results. The new version worked for both sites.

    Here is the complete output (I know it’s a lot but figured you’ll want it eventually)
    This is with the new working version… (I had already removed the old version)
    ~~~~~~~~
    msf > use auxiliary/gather/impersonate_ssl
    msf auxiliary(impersonate_ssl) > set verbose true
    verbose => true
    msf auxiliary(impersonate_ssl) > set rhost http://www.google.com
    rhost => http://www.google.com
    msf auxiliary(impersonate_ssl) > run

    [*] Connecting to http://www.google.com:443
    [*] Copying certificate /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com from http://www.google.com:443
    [*] Original Certifcate Details

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    2f:df:bc:f6:ae:91:52:6d:0f:9a:a3:df:40:34:3e:9a
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
    Validity
    Not Before: Dec 18 00:00:00 2009 GMT
    Not After : Dec 18 23:59:59 2011 GMT
    Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (1024 bit)
    Modulus:
    00:e8:f9:86:0f:90:fa:86:d7:df:bd:72:26:b6:d7:
    44:02:83:78:73:d9:02:28:ef:88:45:39:fb:10:e8:
    7c:ae:a9:38:d5:75:c6:38:eb:0a:15:07:9b:83:e8:
    cd:82:d5:e3:f7:15:68:45:a1:0b:19:85:bc:e2:ef:
    84:e7:dd:f2:d7:b8:98:c2:a1:bb:b5:c1:51:df:d4:
    83:02:a7:3d:06:42:5b:e1:22:c3:de:6b:85:5f:1c:
    d6:da:4e:8b:d3:9b:ee:b9:67:22:2a:1d:11:ef:79:
    a4:b3:37:8a:f4:fe:18:fd:bc:f9:46:23:50:97:f3:
    ac:fc:24:46:2b:5c:3b:b7:45
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Basic Constraints: critical
    CA:FALSE
    X509v3 CRL Distribution Points:

    Full Name:
    URI:http://crl.thawte.com/ThawteSGCCA.crl

    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
    Authority Information Access:
    OCSP – URI:http://ocsp.thawte.com
    CA Issuers – URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt

    Signature Algorithm: sha1WithRSAEncryption
    9f:43:cf:5b:c4:50:29:b1:bf:e2:b0:9a:ff:6a:21:1d:2d:12:
    c3:2c:4e:5a:f9:12:e2:ce:b9:82:52:2d:e7:1d:7e:1a:76:96:
    90:79:d1:24:52:38:79:bb:63:8d:80:97:7c:23:20:0f:91:4d:
    16:b9:ea:ee:f4:6d:89:ca:c6:bd:cc:24:68:d6:43:5b:ce:2a:
    58:bf:3c:18:e0:e0:3c:62:cf:96:02:2d:28:47:50:34:e1:27:
    ba:cf:99:d1:50:ff:29:25:c0:36:36:15:33:52:70:be:31:8f:
    9f:e8:7f:e7:11:0c:8d:bf:84:a0:42:1a:80:89:b0:31:58:41:
    07:5f

    [*] Duplicate Certificate Details

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    2f:df:bc:f6:ae:91:52:6d:0f:9a:a3:df:40:34:3e:d0
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
    Validity
    Not Before: Dec 18 00:00:00 2009 GMT
    Not After : Dec 18 23:59:59 2011 GMT
    Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (1024 bit)
    Modulus:
    00:e2:3d:43:c8:15:8b:19:81:2a:ae:35:4f:07:39:
    df:3c:22:9a:d4:03:69:81:17:6f:a8:d5:1a:57:21:
    8f:72:8f:4a:ff:4f:9d:8c:6b:75:58:cb:5e:6a:0c:
    1d:5c:ee:67:34:5d:d8:90:21:ba:4a:a2:80:c1:82:
    b2:21:ad:40:c1:96:c4:bb:21:5c:a7:f5:c5:da:b2:
    69:a8:ad:91:62:5c:66:37:3b:a9:ce:4c:4d:11:74:
    4b:99:6a:66:31:60:2a:66:0b:bc:3c:d2:ab:ee:74:
    75:44:ba:7c:a3:b5:09:47:7e:21:3b:e0:8e:97:db:
    11:e6:08:8c:02:a6:57:3d:23
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    X509v3 Subject Key Identifier:
    62:0A:D7:70:5E:E5:31:99:E2:F2:20:2A:51:3E:3B:30:8C:11:ED:FC
    X509v3 Extended Key Usage: critical
    TLS Web Server Authentication
    X509v3 Key Usage:
    Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Authority Key Identifier: critical
    keyid:62:0A:D7:70:5E:E5:31:99:E2:F2:20:2A:51:3E:3B:30:8C:11:ED:FC
    DirName:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
    serial:2F:DF:BC:F6:AE:91:52:6D:0F:9A:A3:DF:40:34:3E:D0

    Signature Algorithm: sha1WithRSAEncryption
    cf:50:d5:f5:f0:ce:41:16:c2:2b:6d:a9:b2:c5:a6:99:3d:45:
    97:0f:89:64:99:62:38:4a:d4:c9:e9:b1:4b:67:0f:0a:3a:75:
    41:3c:da:a8:8c:0e:cb:65:f8:23:b4:44:81:44:58:e1:68:e5:
    38:6a:c9:64:8b:a2:0f:fd:85:45:41:13:bf:03:b4:b3:11:84:
    26:9c:98:6d:2f:03:d8:8a:c0:cb:e8:88:d9:19:8d:38:cf:28:
    4b:79:7b:0e:4a:69:b9:20:e5:7f:2d:43:88:d4:7a:8a:d0:70:
    65:41:c4:a6:98:69:5a:8d:14:9f:f1:e5:01:69:b6:7e:92:a9:
    5b:7d

    [*] Beginning export of certificate files
    [+] Created required files from remote server http://www.google.com:443
    [+] Files stored in ~/.msf3/loot (.key|.crt|.pem)
    [*] Auxiliary module execution completed

%d bloggers like this: