Rifts Posted October 7, 2008

O.K., bear with me. This is kind of an in-depth question, and I'm going to try and ask it so it follows the rules here =] I can't go into much detail without breaking any rules, but if you think you know what I'm talking about feel free to PM me.

Here it goes: After successfully cracking my WEP key I booted up ettercap (not going into any more detail about that) except I successfully "poisoned" my shitty old laptop. Now when I'm on the "poisoned" laptop and try to log into any site (we will use Facebook as an example) a security certification warning comes up. This is obviously suspicious. If I click accept and/or continue, etc., then the username/password is sent to me like it should, but having that security certification is a problem.

So my question is: is there any way to "spoof" or do something to trick the computer to think it's the real site and not send a security certification? I hope this makes sense. Thanks

SomeoneE1se Posted October 7, 2008

yes steal the real one

Rifts Posted October 7, 2008

> yes steal the real one

?

SomeoneE1se Posted October 7, 2008

http://computer.howstuffworks.com/encryption4.htm

Rifts Posted October 9, 2008

> http://computer.howstuffworks.com/encryption4.htm

That didn't really help.

mubix Posted October 10, 2008

Ok, SSL certs in browsers are verified via a 3rd party. Usually Verisign. The only way to make a cert come up green and valid is to also spoof the verification of the SSL cert. But herein lies the problem. The public keys for those sites are installed in browsers by default and will not accept any false verification site. So, to make this a complete hack, you have to:

1. Replace the public cert that is installed on the target's browser with your fake verification cert
2. Set up a fake verification server
3. Generate your key so that the fake verification server will validate the request.

Oh yeah, and not all sites certify through Verisign.

Possible, definitely. Worth the effort? Maybe. Difficult and extremely targeted, absolutely.

I don't mean to scare you away from this project, it is actually one that taught me a lot when I had the same question. I suggest VMware and a weekend dedicated to the project. Good luck.

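The check mubix describes, a browser accepting only certificates that chain to a CA it already trusts, can be reproduced offline with the openssl CLI to see why the warning appears. This is an added example, not part of the original thread: the CA, the host name www.example.test and the function names are constructed for illustration, and the fingerprint pin comparison goes one step beyond what the post covers.

```shell
# Constructed demo: every name, key and certificate here is a throwaway sample.

# Create a sample root CA, a site certificate it signs, and a self-signed
# look-alike for the same host name (no trusted CA vouches for it).
make_sample_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/site.key" -out "$dir/site.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/site.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/site.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -keyout "$dir/lookalike.key" -out "$dir/lookalike.pem" 2>/dev/null
}

# Succeeds only when certificate $2 chains to trust anchor $1.
chains_to_anchor() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# SHA-256 fingerprint of a PEM certificate, as colon-separated hex.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Verdict for a presented certificate: $1 anchor, $2 certificate, $3 pinned
# fingerprint. The pin catches a changed certificate even if the chain validates.
check_presented() {
    if ! chains_to_anchor "$1" "$2"; then echo "untrusted-issuer"
    elif [ "$(fingerprint "$2")" != "$3" ]; then echo "pin-mismatch"
    else echo "ok"; fi
}

# Demo run on freshly generated sample material.
work=$(mktemp -d) && make_sample_pki "$work" && {
    pin=$(fingerprint "$work/site.pem")
    check_presented "$work/ca.pem" "$work/site.pem" "$pin"       # ok
    check_presented "$work/ca.pem" "$work/lookalike.pem" "$pin"  # untrusted-issuer
}
rm -rf "$work"
```

The `untrusted-issuer` verdict corresponds to the browser warning described in the first post: the name matches, but nothing in the trust store signed the certificate.
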
Rifts Posted October 11, 2008

> Ok, SSL certs in browsers are verified via a 3rd party. Usually Verisign. The only way to make a cert come up green and valid is to also spoof the verification of the SSL cert. But herein lies the problem. The public keys for those sites are installed in browsers by default and will not accept any false verification site. So, to make this a complete hack, you have to:
>
> 1. Replace the public cert that is installed on the target's browser with your fake verification cert
> 2. Set up a fake verification server
> 3. Generate your key so that the fake verification server will validate the request.
>
> Oh yeah, and not all sites certify through Verisign.
>
> Possible, definitely. Worth the effort? Maybe. Difficult and extremely targeted, absolutely.
>
> I don't mean to scare you away from this project, it is actually one that taught me a lot when I had the same question. I suggest VMware and a weekend dedicated to the project. Good luck.

hummm so would I even start to do this

tabath Posted October 13, 2008

> hummm so would i even start to do this

If you're here to learn and not just to be given answers of course you would!

sqall Posted October 14, 2008

> Ok, SSL certs in browsers are verified via a 3rd party. Usually Verisign. The only way to make a cert come up green and valid is to also spoof the verification of the SSL cert. But herein lies the problem. The public keys for those sites are installed in browsers by default and will not accept any false verification site. So, to make this a complete hack, you have to:
>
> 1. Replace the public cert that is installed on the target's browser with your fake verification cert
> 2. Set up a fake verification server
> 3. Generate your key so that the fake verification server will validate the request.
>
> Oh yeah, and not all sites certify through Verisign.
>
> Possible, definitely. Worth the effort? Maybe. Difficult and extremely targeted, absolutely.
>
> I don't mean to scare you away from this project, it is actually one that taught me a lot when I had the same question. I suggest VMware and a weekend dedicated to the project. Good luck.

Does he really have to replace the public cert? Can't he just install his own cert on the browser (when you take a look at the cert list installed in your browser, there are a lot of certs) and then use his own key verified with the cert?