Help with security certifications?


Rifts

O.K., bear with me. This is kind of an in-depth question, and I'm going to try and ask it so it follows the rules here =]

I can't go into much detail without breaking any rules, but if you think you know what I'm talking about, feel free to PM me.

Here it goes:

After successfully cracking my WEP key I booted up ettercap (not going into any more detail about that) except I successfully "poisoned" my shitty old laptop. Now when I'm on the "poisoned" laptop and try to log into any site (we will use Facebook as an example) a security certification warning comes up. This is obviously suspicious. If I click accept and/or continue, etc., then the username/password is sent to me like it should be, but having that security certification is a problem.

So my question is: is there any way to "spoof" or do something to trick the computer to think it's the real site and not send a security certification?

I hope this makes sense.

Thanks


OK, SSL certs in browsers are verified via a 3rd party, usually Verisign. The only way to make a cert come up green and valid is to also spoof the verification of the SSL cert. But herein lies the problem. The public keys for those sites are installed in browsers by default and will not accept any false verification site. So, to make this a complete hack, you have to:

1. Replace the public cert that is installed on the target's browser with your fake verification cert

2. Set up a fake verification server

3. Generate your key so that the fake verification server will validate the request.

Oh yeah, and not all sites certify through Verisign. Possible, definitely. Worth the effort? Maybe. Difficult and extremely targeted, absolutely.

I don't mean to scare you away from this project, it is actually one that taught me a lot when I had the same question. I suggest VMware and a weekend dedicated to the project.

Good luck.

Hummm, so would I even start to do this

Does he really have to replace the public cert? Can't he just install his own cert on the browser (when you take a look at the cert list installed in your browser, there are a lot of certs) and then use his own key verified with the cert?
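
Added example, not part of any post in this thread: a local `openssl` lab showing why a certificate issued by a CA outside the client's trust store is rejected (the check behind the warning discussed in the first reply), and how comparing the store against a recorded fingerprint baseline flags a root that was added later (the cert list mentioned in the last reply). All names (`site.example`, the two CAs, the `store` directory) are constructed, and a plain directory of PEM files stands in for the browser's trust store as an assumption.

```shell
#!/bin/sh
# Constructed lab data: every key and certificate is generated locally in a temp dir.
WORK=$(mktemp -d)

make_ca() {        # $1 = file prefix, $2 = CA common name (self-signed root)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_leaf() {     # $1 = leaf prefix, $2 = issuing CA prefix, $3 = site name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

verify_against() { # $1 = trusted root file, $2 = leaf prefix; prints OK or REJECTED
  if openssl verify -CAfile "$1" "$WORK/$2.pem" >/dev/null 2>&1
  then echo OK; else echo REJECTED; fi
}

store_fingerprints() {  # $1 = directory of PEM roots; one SHA-256 fingerprint per line
  for c in "$1"/*.pem; do
    openssl x509 -in "$c" -noout -fingerprint -sha256 | cut -d= -f2
  done | sort
}

unexpected_roots() {    # $1 = baseline fingerprint file, $2 = store directory
  store_fingerprints "$2" | grep -vxFf "$1"
}

make_ca trusted "Constructed Trusted Root"   # stands in for a root shipped with the browser
make_ca unknown "Constructed Unknown CA"     # a CA the client was never told to trust
issue_leaf genuine trusted site.example
issue_leaf lookalike unknown site.example    # same name, different issuer

mkdir "$WORK/store" && cp "$WORK/trusted.pem" "$WORK/store/"
store_fingerprints "$WORK/store" > "$WORK/baseline.txt"   # record the known-good store

echo "genuine leaf:   $(verify_against "$WORK/trusted.pem" genuine)"
echo "lookalike leaf: $(verify_against "$WORK/trusted.pem" lookalike)"

cp "$WORK/unknown.pem" "$WORK/store/"        # simulate a root added after baselining
echo "roots not in baseline:"
unexpected_roots "$WORK/baseline.txt" "$WORK/store"
```

The name in the certificate plays no part in the first check: both leaves carry `site.example`, and only the issuer's presence among the trusted roots decides the outcome.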
