I have seen an interesting (dated but valuable) videocast on sslstrip. In this Part II, I will explore the use of sslstrip, Xplico and proxy chaining (SQUID-SQUID) to enhance my earlier attempt.
I am very interested in testing out the concept mentioned in the video about TOR's susceptibility to this MiTM, as well as people's perception of ‘secure’ HTTPS websites. I would have fallen for this trick had I not viewed the video, especially the ‘psyche’ of security when you see a ‘lock’ and a familiar URL.
It would look like this; I have to go back to my drawing board and figure out whether it is practical or not:
Client[1] --> sslstrip(present HTTP to client, HTTPS to server)[2]+Proxy"A"[3]->ICAP(clamav)[4]->Proxy"B"(Win32+Kav w/HTTPS inspection)[5] --> Websites (HTTPS)[6]
The ‘analyzers’ should lie along the following vector:
[1]. Client - will receive all responses in clear HTTP from the sslstrip MiTM.
[2]. Sslstrip MiTM - with Xplico between itself and the Client. The purpose is to carve out the files for further analysis (PE?).
[3]. Proxy"A" - transmits ICAP packets to the ICAP service. Also forwards to the parent Proxy"B".
[4]. ICAP - performs the AV scan using clamav. This is FOSS.
[5]. Proxy"B" - win32 proxy (Squid) on XP w/Kav? The purpose is to leverage win32 AV/malware detection engines for scanning outgoing and incoming HTTPS/HTTP (and IM traffic?) to complement clamav.
[6]. Websites - 'business as usual'.
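As an added example (not from the original post nor from the Squid, c-icap or Xplico projects), this is how the Proxy"A" leg, steps [3] to [5], could be expressed in squid.conf: every request and response is handed to a local ICAP service backed by clamav, and all traffic is then forwarded to the parent Proxy"B" rather than going direct. The ports, the client subnet, the Proxy"B" address 192.0.2.10 and the ICAP service path `avscan` are assumptions; the icap_service syntax is the Squid 3.1+ form.

```squid
# Added example: squid.conf for Proxy"A" (step [3]); ports, addresses and the
# ICAP service path are assumed, not taken from the original post.
http_port 3128

# Step [4]: pass requests (REQMOD) and responses (RESPMOD) to the local
# c-icap + clamav service. The "avscan" path depends on the c-icap module in use.
icap_enable on
icap_preview_enable on
icap_preview_size 1024
icap_send_client_ip on
icap_service av_req  reqmod_precache  bypass=0 icap://127.0.0.1:1344/avscan
icap_service av_resp respmod_precache bypass=0 icap://127.0.0.1:1344/avscan
# bypass=0: if the scanner is down, traffic is blocked rather than passed unscanned.
adaptation_access av_req  allow all
adaptation_access av_resp allow all

# Step [5]: chain to the parent Proxy"B" (win32 Squid + Kav) and never go direct,
# so nothing reaches the websites [6] without both AV engines seeing it.
cache_peer 192.0.2.10 parent 3128 0 no-query default
never_direct allow all

# Only the lab client [1] may use this proxy (subnet is an assumed lab value).
acl lab_client src 192.0.2.0/24
http_access allow lab_client
http_access deny all
```

The fail-closed `bypass=0` setting is the one worth checking in a lab like this: with `bypass=1` a crashed clamav service would silently turn the scanning leg into a plain pass-through.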
This is ongoing work; I will update this as I progress. Comments welcome.
Reference:
http://www.thoughtcrime.org
http://jez4christ.com/view/decrypting-ssl-protected-web-traffic-for-further-analysis-poc/
http://www.xplico.org/

Your articles are very interesting.
Ciao.
Gianluca