Tuesday, April 05, 2011

Network Forensic Analysis of SSL MITM Attacks

SSL is not a panacea. If someone performs a man-in-the-middle (MITM) attack on HTTPS traffic (i.e. HTTP over SSL), he can read all of the supposedly encrypted content in clear text.

There are some legitimate reasons for eavesdropping on HTTPS traffic; your employer or your government may do so, for example.

If you suspect your network traffic is being monitored, how would you go about forensic analysis of captured network traffic from a suspected MITM attack?

Here's a summary of the articles that show you how:

  • Extract the X.509 certificates (saved as *.cer files) from the captured SSL traffic with NetworkMiner.
  • Inspect the extracted files.
  • Verify the IP address and DNS name.
  • Look for any self-signed cert, revoked cert, or cert signed by a non-trusted CA.
  • Verify the MD5 fingerprint of an SSL cert with OpenSSL:

$ openssl x509 -inform DER -in mail.google.com.cer -noout -fingerprint -md5
MD5 Fingerprint=52:12:A2:B1:27:E3:BB:CC:E5:F5:AA:BD:A1:A1:E6:F8
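
A scripted version of the checks listed above (self-signed, hostname match, trust chain, MD5 fingerprint), added here as an example and not part of the original post or of NetworkMiner; it assumes only the openssl command-line tool and builds its own constructed test certificate instead of reading one captured from the network.

```shell
#!/bin/sh
# Run "openssl x509" on a DER (*.cer, as NetworkMiner writes them) or PEM file.
x509() {
  f="$1"; shift
  if openssl x509 -inform DER -in "$f" -noout 2>/dev/null; then
    openssl x509 -inform DER -in "$f" "$@"
  else
    openssl x509 -inform PEM -in "$f" "$@"
  fi
}

# MD5 fingerprint, as in the post; compare it with the value you expect for the site.
cert_md5() { x509 "$1" -noout -fingerprint -md5 | sed 's/^.*=//'; }

# Self-signed: issuer name equals subject name (works for old and new name formats).
cert_self_signed() {
  subj=$(x509 "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(x509 "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# Does the certificate's CN / subjectAltName cover the host the client connected to?
cert_matches_host() { x509 "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# Does the certificate chain to a root in CAFILE? A MITM certificate only verifies
# when the interceptor's root has been installed in the client's trust store.
cert_trusted() {
  pem=$(mktemp); x509 "$1" -outform PEM > "$pem"
  openssl verify -CAfile "$2" "$pem" >/dev/null 2>&1; rc=$?
  rm -f "$pem"; return $rc
}

# Constructed fixture: a self-signed cert for mail.google.com saved as DER, the kind
# of certificate an interception proxy presents, plus an unrelated root for comparison.
make_fixture() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.google.com" \
    -keyout "$d/k.pem" -out "$d/mitm.pem" >/dev/null 2>&1
  openssl x509 -in "$d/mitm.pem" -outform DER -out "$d/mail.google.com.cer"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root" \
    -keyout "$d/rk.pem" -out "$d/root.pem" >/dev/null 2>&1
  echo "$d"
}

main() {
  d=$(make_fixture); c="$d/mail.google.com.cer"
  echo "MD5 Fingerprint=$(cert_md5 "$c")"
  cert_self_signed "$c" && echo "WARNING: self-signed certificate"
  cert_matches_host "$c" mail.google.com || echo "WARNING: hostname mismatch"
  cert_trusted "$c" "$d/root.pem" || echo "WARNING: does not chain to a trusted root"
}
main "$@"
```

Point the functions at the *.cer files NetworkMiner extracted and at your real CA bundle instead of the fixture; a certificate that is self-signed, fails hostname matching, or verifies only against a root you did not expect to trust is the signal to investigate.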

More references: