[Owasp-leaders] Cert Stealer Released

Abbas Naderi abbas.naderi at owasp.org
Thu Dec 26 20:26:40 UTC 2013


Well, this is changing the signer, e.g. Google is signed by a Level one and you’re using a Level 3.
This is an old trick though; many countries already used this to sniff on their people. The simplest way to stop it is to store fingerprints and check them later.
I’ve been meaning to create such a plugin for Chrome, but have had limited time to put on it.
-A
On Dec 26, 2013, at 3:18 PM, Gregory Disney <gregory.disney at owasp.org> wrote:

> With this tool it generates a ca-$keyring.crt and $keyring.cer; I use these to compare the results. I find that the identity remains the same; the only thing that changes is the "Verified by" part of a certificate, so the initial certificate never changes. Eh, I'm working on a Ruby gem that does the same.
> On 12/26/13, 11:49 AM, Tim wrote:
>> I have a private MitM tool I wrote that does the same thing all in
>> Python, albeit imperfectly.  It just generates new certificates on the
>> fly after ripping the public details off of the server side.  I showed
>> this code to the guys who build Mallory[1] a while back and they copied
>> the idea (but not the code) into their tool.  I imagine Burp probably
>> does something similar in some of its certificate generation options,
>> though I haven't checked if it copies more than just the Subject.
>> 
>> tim
>> 
>> 1. https://intrepidusgroup.com/insight/mallory/
>> 
>> 
>> On Thu, Dec 26, 2013 at 02:40:48PM -0500, Abbas Naderi wrote:
>>> Maybe the PEM you’re using is not a cert, but a private key. They are both encoded into PEM files. If you have the private key, then you don’t need to exploit it! You already have it.
>>> 
>>> And BTW, what’s the practical use of this? I mean, have you used it anywhere? How can it be used to exploit something?
>>> -A
>>> On Dec 26, 2013, at 2:38 PM, Gregory Disney <gregory.disney at owasp.org> wrote:
>>> 
>>>> openssl s_client -showcerts -connect $host:$port > $keyring.pem;
>>>> openssl x509 -in $keyring.pem -pubkey > $keyring.cer;
>>>> keytool -keystore $ks -importcert -alias $keyring.pem -file $keyring.pem -storepass $passwd -noprompt;
>>>> keytool -genkey -alias $keyring.key -keyalg RSA -keystore $ks -storepass $passwd -noprompt
>>>> keytool -v -importkeystore -srckeyst
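The fingerprint check Abbas proposes, applied to the "same identity, different Verified by" pattern Gregory and Tim describe, as an added Ruby example. This is not code from any poster, from Cert Stealer, or from Gregory's gem; it uses only Ruby's standard OpenSSL bindings. The two CAs, the serial numbers and the host name www.example.test are constructed placeholders, and both leaf certificates are generated locally so the example runs offline.

```ruby
require 'openssl'

# Constructed test CA (a stand-in, not a real authority): self-signed, CA:TRUE.
def make_ca(name, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Leaf certificate for `subject`, signed by the given CA, with a freshly generated
# key pair. Called twice below, once per CA, which reproduces what the thread
# observes on the wire: Subject unchanged, key and signer replaced.
def issue_leaf(subject, ca_cert, ca_key, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = subject
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA-256 over the whole DER certificate: the value `openssl x509 -fingerprint -sha256` prints.
def cert_fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# SHA-256 over the SubjectPublicKeyInfo, base64 encoded (the pin-sha256 form HPKP uses).
# Pinning the key rather than the certificate survives renewals that keep the same key.
def spki_pin(cert)
  [OpenSSL::Digest::SHA256.digest(cert.public_key.to_der)].pack('m0')
end

# Trust-on-first-use pin store: what a browser plugin of the kind Abbas describes
# would persist per host and consult on every later connection.
class PinStore
  def initialize
    @pins = {}
  end

  def record(host, cert)
    @pins[host] = { spki: spki_pin(cert), issuer: cert.issuer.to_s }
  end

  # :match          the pinned key was presented
  # :issuer_changed key and signer both differ from the pin (a re-signed look-alike)
  # :key_changed    key differs but the signer is unchanged (rotation, or a CA problem)
  # :unpinned       nothing stored for this host yet
  def check(host, cert)
    pinned = @pins[host]
    return :unpinned unless pinned
    return :match if pinned[:spki] == spki_pin(cert)
    pinned[:issuer] == cert.issuer.to_s ? :key_changed : :issuer_changed
  end
end

def demo
  host = 'www.example.test'                           # placeholder host name
  real_ca,  real_key  = make_ca('Real Root CA', 1)    # constructed
  other_ca, other_key = make_ca('Intercepting CA', 2) # constructed, unrelated to the first
  subject   = OpenSSL::X509::Name.parse("/CN=#{host}")
  genuine   = issue_leaf(subject, real_ca,  real_key,  10)
  lookalike = issue_leaf(subject, other_ca, other_key, 11)

  store = PinStore.new
  store.record(host, genuine)                         # first sight: remember the genuine key
  {
    same_subject:     genuine.subject.to_s == lookalike.subject.to_s,
    same_spki:        spki_pin(genuine) == spki_pin(lookalike),
    genuine:          store.check(host, genuine),
    lookalike:        store.check(host, lookalike),
    genuine_sig_ok:   genuine.verify(real_ca.public_key),
    lookalike_sig_ok: lookalike.verify(real_ca.public_key),
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The look-alike passes a plain Subject comparison (`same_subject` is true), which is exactly why Gregory's diff of the two exported files shows only the "Verified by" field moving. The stored key pin catches it (`:issuer_changed`), and so does a signature check against the genuine CA's key; what it cannot tell you on its own is which of the two signers the local trust store would have accepted, which is why the pin is kept alongside the path validation rather than instead of it.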
