michael_kent123
Posted July 17, 2015 (edited)

Does anyone know about Microsoft ActiveSync?

Link: https://en.wikipedia.org/wiki/Exchange_ActiveSync

Basically, it is the way in which iPhone users set up their Hotmail / Outlook account. You just enter the e-mail and password and ActiveSync checks that the information is correct. You don't need to enter the POP or IMAP or SMTP details.

Now, ActiveSync uses port 443 to transmit data. I thought that the username and password could be intercepted and recorded with SSL Strip. This is because the data is transmitted to the Microsoft server using HTTPS, which is exactly what SSL Strip compromises when used on websites.

Here is how I set up SSL Strip. I know for a fact that this works as I tested it by logging in to e-mail sites on the iPhone.

    echo "1" > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    arpspoof -i wlan1 gateway_ip
    sslstrip -l 10000 -k

I then sent an e-mail from a different device to the iPhone. I used Wireshark, which showed that my iPhone's IP transmitted some HTTPS traffic. I assume that it logged into Microsoft servers to access the message. At this point, I am guessing that the username and password were sent to allow me to read the message.

Wireshark shows a DNS request to outlook.office365.com and the iPhone's IP contacts an IP in the range 126.96.36.199 - 188.8.131.52, which is owned by Microsoft. This is HTTPS (over TCP) and TLSv1.2 protocols. There is also a transmission to 184.108.40.206 - 220.127.116.11, which is Microsoft using IMAPS.

However, when I checked the SSL Strip log, nothing was recorded.

Obviously, using ActiveSync is not the same as logging into an HTTPS website. But ActiveSync does use HTTPS, so I thought that SSL Strip might work. Clearly I was wrong.

Can anyone comment on this? Is there a way to acquire the password from an iPhone when the e-mail account is set up with ActiveSync?

As more and more people move from computers to phones, I would have thought this would be an increasingly important attack vector.

Edited July 17, 2015 by michael_kent123