April 14, 2015

This week we have been working with a client who told us that all their outbound connections are SSL encrypted, that this is what online banking sites use, and that they are therefore not at risk of a Man in the Middle attack. We asked whether we could have a go at a local LAN machine to see if we could prove him wrong. The customer happily agreed, and within minutes a lot of the confidential SSL traffic was broken open and sniffed.

How was this possible?

Some people will surely have heard of Blue Coat, which sells solutions for breaking open SSL at large scale to inspect encrypted traffic. Customers no longer need to buy expensive Blue Coat solutions to accomplish this: there is a very smart open source tool out there called HyperFox.

Basically, HyperFox acts as an SSL proxy and proxies the client's SSL connection. Without going into too much technical detail here, any machine on the LAN can very often simply ARP spoof other clients' traffic to become their gateway and provide a bogus SSL termination for them.
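As an added example (not from the original post or the HyperFox project), here is a small Python check a defender could run over ARP replies collected from the LAN to spot the gateway impersonation this attack relies on; the gateway binding and the reply list are constructed sample values:

```python
"""Detect ARP spoofing of the default gateway from a log of ARP replies.

Added example, not from the original post or the HyperFox project. It
assumes a baseline of the gateway's real IP-to-MAC binding (a constructed
value here) and a list of observed ARP replies as (sender_ip, sender_mac)
tuples, as a LAN sensor or a periodic "arp -a" poller would collect them.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed baseline: the real gateway binding learned at a known-good time.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed sample of ARP replies seen on the wire. The last two entries
# model a LAN host (aa:bb:...) answering for the gateway IP and also for a
# workstation's IP, which is what a host sitting in the middle looks like.
ARP_REPLIES: List[Tuple[str, str]] = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.20", "aa:bb:cc:dd:ee:ff"),
    ("192.168.1.1", "aa:bb:cc:dd:ee:ff"),
    ("192.168.1.50", "aa:bb:cc:dd:ee:ff"),
]


def find_arp_spoofing(replies, gateway_ip, gateway_mac):
    """Return a list of alert strings for suspicious ARP replies."""
    alerts = []
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    real_mac = gateway_mac.lower()
    for ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        # Rule 1: someone other than the real gateway answers for the gateway IP.
        if ip == gateway_ip and mac != real_mac:
            alerts.append(f"gateway {ip} claimed by unexpected MAC {mac}")
    # Rule 2: one MAC claiming the gateway IP plus other host IPs is the
    # signature of a host poisoning both sides of a conversation.
    for mac, ips in ips_per_mac.items():
        if mac != real_mac and gateway_ip in ips and len(ips) > 1:
            others = sorted(ips - {gateway_ip})
            alerts.append(f"MAC {mac} claims gateway and {', '.join(others)}")
    return alerts


if __name__ == "__main__":
    for alert in find_arp_spoofing(ARP_REPLIES, GATEWAY_IP, GATEWAY_MAC):
        print("ALERT:", alert)
```

On a real network the baseline binding should come from the switch or DHCP server rather than from the same ARP traffic being inspected.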

In 15 minutes we had the POC ready at this client and were able to read all of the SSL encrypted traffic. Readers with a technical background may now say: but the certificate is not trusted, so errors must pop up? Indeed. But 8 out of 10 users simply click next, accept and yes. Companies that want a solution which does not give users SSL errors can simply install the HyperFox certificate on the endpoints, and there you go: Chrome and other browsers then treat HyperFox as trusted.

The whole exercise took less than 30 minutes from start to finish, and any malicious employee could have done this. Worse, the POC also works on wireless and is even easier to accomplish once an attacker gains access to the wireless PSK.

This little example highlights once again that interception and eavesdropping of allegedly secure communication such as SSL is possible with a bit of ARP spoofing and an open source tool. It doesn't take hundreds of thousands of dollars' worth of equipment to become an intelligence service in your own company 🙂

https://hyperfox.org/capturing-https-traffic
