Jump to content

Trouble using SSLsplit to sniff Xbox 360 traffic


Recommended Posts

Posted

I'm attempting to sniff my Xbox 360's traffic and see the cleartext data sent over HTTPS+SSL.

My xbox 360's local IP address is: 192.168.0.22.

My attacker Arch Linux box's address is: 192.168.0.18.

I have installed dsniff and SSLsplit on attacker box and am performing an ARP cache poisoning attack using the following commands simultaneous in two terminal windows:

arpspoof -i enp0s25 -t 192.168.0.1 192.168.0.22

arpspoof -i enp0s25 -t 192.168.0.22 192.168.0.1

I created a fake certificate using the following commands:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
I am running sslsplit like this:
sslsplit -D -l connections.log -j /var/log/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
When I login to XBL on the 360, I see non-SSL traffic over port 80 in the logs, but the SSL traffic over port 443 has log files with nothing in them (size=0KB).
My guess is there is a problem with my certificate, it's not able to verify that it has been signed by a Root CA. Do you know of a way to fix this issue?
If that's not the issue, what is and how can I fix it?
Thanks for your help.
Posted

I forgot to post the debug output from sslsplit:

Generated RSA key for leaf certs.
SSLsplit 0.4.9 (built 2015-03-10)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
Build info: V:FILE
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter:  IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
rtlinked against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.22-stable
rtlinked against libevent 2.0.22-stable
2 CPU cores detected
proxyspecs:
- [0.0.0.0]:8080 tcp plain netfilter
- [0.0.0.0]:8443 ssl plain netfilter
Loaded CA: '/C=US/ST=UT/O=Internet Widgits Pty Ltd/CN=Someone'
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
  0x12054b0 [fd 7] Read Persist
  0x1208740 [fd 8] Read Persist
  0x12088f0 [fd 9] Read Persist
  0x12052e8 [fd 6] Read Persist
  0x1208980 [fd 3] Signal Persist
  0x1208bc0 [fd 1] Signal Persist
  0x1208cf0 [fd 2] Signal Persist
  0x1208e20 [fd 13] Signal Persist
Initialized 4 connection handling threads
Started 4 connection handling threads
Starting main event loop.
Connecting to [199.117.103.168]:80
tcp [192.168.0.22]:19970 [199.117.103.168]:80
SNI peek: [n/a] [complete]
Connecting to [134.170.178.197]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
ssl [192.168.0.22]:5808 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Garbage collecting caches started.
Garbage collecting caches done.
SNI peek: [n/a] [complete]
Connecting to [134.170.178.64]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
ssl [192.168.0.22]:48310 [134.170.178.64]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SNI peek: [n/a] [complete]
Connecting to [65.55.42.33]:443
SNI peek: [n/a] [complete]
Connecting to [65.55.42.33]:443
SNI peek: [n/a] [complete]
Connecting to [157.56.70.154]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:32910 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SNI peek: [n/a] [complete]
Attempt reuse dst SSL session
Connecting to [134.170.178.197]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:29356 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:28325 [157.56.70.154]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
ssl [192.168.0.22]:25598 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SNI peek: [n/a] [complete]
Connecting to [172.230.192.227]:443
SNI peek: [n/a] [complete]
Attempt reuse dst SSL session
Connecting to [65.55.42.33]:443
===> Original server certificate:
Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
Common Names: *.xbox.com/*.xbox.com
Fingerprint: fa:36:ff:8e:70:87:3d:52:3b:65:23:43:65:63:36:5e:4f:24:a6:eb
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
Common Names: *.xbox.com/*.xbox.com
Fingerprint: 44:4c:08:75:ea:66:05:74:ff:37:de:d0:15:2e:bb:c2:26:e3:12:76
ssl [192.168.0.22]:10291 [172.230.192.227]:443 sni:- crt:*.xbox.com/*.xbox.com origcrt:*.xbox.com/*.xbox.com
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:57485 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SSL_free() in state 00000003 = 0003 = SSLOK  (SSL negotiation finished successfully) [connect socket]
Garbage collecting caches started.
Garbage collecting caches done.
^CReceived signal 2
Main event loop stopped.
Posted

My guess would be, set up an https webserver that uses that generated cert. Browse to that site from the X-Box. It should complain about the unverified cert and ask you what to do about it. With any luck, there will be an option there to trust the cert which would add it to the xbox's truststore. From that point on you stand a chance that it'll accept the machine as one from the xboxlive.com domain. But don't be surprised when it still doesn't work. I wouldn't be at all amazed if the xbox has a preset list of certs for its game servers which are kept separately from the regular certs.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...