Archive for 12 December 2005


Decoding and decrypting SSL-sessions as Eve

Many aspects of encryption are interesting, and one of them is the issue of detecting attacks hidden in encrypted sessions. One of the main advantages of running IDSs and IPSs in demilitarized zones is to detect and respond to intrusion attempts against the publicly available servers. We've all seen the vast number of (mostly automated) intrusion attempts in our Apache logfiles. An IDS/IPS is commonly connected by a network tap to a switch in the DMZ, and can thus detect these attempts too… unless the attacking session connects to the server under HTTPS and performs its attempts inside the encrypted session. This is an interesting challenge: how do we monitor and respond to attacks on our public servers if they happen in encrypted sessions?

SSLDump is an interesting application which utilises LibPCAP to sniff the network in promiscuous mode and is able to decode SSL traffic on the fly, AND, most interestingly, to decrypt the application-layer data if supplied with the private key belonging to one of the parties' X.509 certificates, a technique often referred to as "key escrow".

We supply ssldump with the private key of our Apache web server, listen on interface eth0, and tell ssldump to decrypt the traffic. We then point our web browser at the server under HTTPS and fetch the nonexistent page secure.html. This session should not be readable by our sniffer, since it's under HTTPS. Let's see how SSLDump manages:

neewt@twosome:~$ sudo ssldump -d -k ./snakeoil-rsa.key -i eth0

After the handshake messages and their contents have been listed, the following application-layer data is presented in decrypted form (the full output of the command is available as a plain text file).

1 10 0.2063 (0.1715) C>S application_data
---------------------------------------------------------------
GET /secure.html HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.3 (like Gecko) (Kubuntu package 4:3.4.3-0ubuntu1)
Accept: text/html, image/jpeg, image/png, text/*, image/*, */*
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en
Host: 192.168.0.10

---------------------------------------------------------------
1 11 0.2072 (0.0009) S>C application_data
---------------------------------------------------------------
HTTP/1.1 404 Not Found
Date: Mon, 12 Dec 2005 16:09:22 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-15 mod_ssl/2.8.22 OpenSSL/0.9.7d
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

113
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /secure.html was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.33 Server at 192.168.0.10 Port 443</ADDRESS>
</BODY></HTML>

SSLDump managed to decrypt the session on the fly. The interesting part of this is that if SSLDump is somewhat modular, much of the code could be used in a pre-processor for Snort, giving it the functionality to decode and alert on malicious traffic inside SSL sessions. I believe I've heard about plans for such a pre-processor. I know SourceFire cooperates with a vendor selling SSL accelerators with decryption capabilities, which gives them the same functionality in their appliances. This is probably why we haven't seen support for it in Snort yet :)
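As an added illustration of the pre-processor idea (this is not ssldump's or Snort's code), the script below parses the record headers and separator-delimited payloads of ssldump -d output, picks out client-to-server application_data that looks like an HTTP request, and runs two simple signatures over the request URI. The input is constructed from the post's two records plus one made-up second connection carrying a directory-traversal request; the rule names, regexes and the HEADER pattern are my own assumptions about the output format shown above.

```python
import re

# Constructed ssldump -d output: the two records from the post (trimmed to a
# few headers) plus a constructed second connection with a traversal attempt.
SAMPLE = """\
1 10 0.2063 (0.1715) C>S application_data
---------------------------------------------------------------
GET /secure.html HTTP/1.1
Host: 192.168.0.10
---------------------------------------------------------------
1 11 0.2072 (0.0009) S>C application_data
---------------------------------------------------------------
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1
---------------------------------------------------------------
2 4 0.5100 (0.0400) C>S application_data
---------------------------------------------------------------
GET /cgi-bin/../../../../etc/passwd HTTP/1.0
Host: 192.168.0.10
---------------------------------------------------------------
"""

# Assumed ssldump record header: "<conn> <record> <time> (<delta>) <dir> <type>"
HEADER = re.compile(r"^(\d+) (\d+) +[\d.]+ \([\d.]+\) +([CS]>[CS]) +(\w+)$")

def parse_records(text):
    """Yield (conn, rec, direction, rtype, payload) for each record whose
    payload ssldump printed between two separator lines."""
    chunks = re.split(r"^-{20,}$", text, flags=re.M)
    for i in range(1, len(chunks) - 1, 2):
        head = chunks[i - 1].strip().splitlines()   # header is the last line
        m = HEADER.match(head[-1]) if head else None
        if m:
            yield int(m[1]), int(m[2]), m[3], m[4], chunks[i].strip("\n")

# Signatures a decrypting pre-processor could apply to the plaintext URI.
RULES = [("directory traversal in URI", re.compile(r"(^|/)\.\.(/|$)")),
         ("request for /etc/passwd", re.compile(r"/etc/passwd$"))]

def alerts(text):
    """Return (conn, rec, rule name) for client->server HTTP requests that match."""
    hits = []
    for conn, rec, direction, rtype, payload in parse_records(text):
        if direction != "C>S" or rtype != "application_data":
            continue
        parts = payload.split("\n", 1)[0].split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            continue  # not an HTTP request line; ignore
        for name, pattern in RULES:
            if pattern.search(parts[1]):
                hits.append((conn, rec, name))
    return hits
```

Note that the whole approach relies on the server's private key recovering the session keys, which holds for RSA key exchange as in the session above but not for ephemeral Diffie-Hellman cipher suites.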