I know that SSL certificates prevent DNS spoofing, but I was wondering why it is not possible, after ARP cache poisoning, to set up iptables rules and redirect the original destination to a fake page?
- Will the fake page have the same domain name as the spoofed domain? – schroeder ♦, Sep 5, 2015 at 15:48
- No, because I know the certificate stored on the victim's side checks the domain. I use a subdomain for demonstration purposes, but I still can't set up the right rule to redirect the original domain to the fake IP. I use one-way ARP poisoning, even without forwarding, but it still doesn't work. – user3551034, Sep 5, 2015 at 19:22
- So, you have a demo that you are setting up. That's an important detail. Could you add these details to your question so that we understand your context? – schroeder ♦, Sep 5, 2015 at 19:51
- First of all, thank you very much for trying to help me. What I want to do is: when the victim tries to visit a certified web site, redirect them to the phishing page with iptables. When I set up "iptables -A INPUT -j DROP" to block traffic, certified sites are still accessible. I don't understand why. I am interested in: how can I block all traffic when I am in the middle, or how can I redirect the victim to the phishing page? If there is any trick, how can I defend against it in depth without preventing ARP poisoning? And finally, sorry, I'm not fluent in English; I hope you can understand the context of what I am asking you. – user3551034, Sep 6, 2015 at 3:49
- This is the script I wrote; check it out and make changes to the iptables rules if you can: drive.google.com/open?id=0BzaFCMEBzBAvUzE3NGZXTnlMWDQ – user3551034, Sep 6, 2015 at 3:52
1 Answer
SSL does not prevent DNS spoofing itself, but it prevents it from being used successfully.
If the certificate of the site does not match the name given in the URL, the certificate validation will fail. It does not matter how the attacker redirected the client to the other server, that is, whether DNS spoofing, changes to the routing or ARP cache poisoning were used: the certificate validation will fail because the server is unable to present the expected certificate.
To mount a successful attack against SSL you must be able to use a certificate acceptable to the victim, i.e. one matching the hostname from the URL and also signed by a trusted CA (and even more restrictions apply if certificate/public-key pinning is involved).
- First of all, thank you very much for the answer. I was wondering, when the victim tries to visit a certified web site, is there any trick to redirect them to the phishing page when I am in the middle? I checked many scenarios, for example: injecting the hosts file, DNS spoofing, setting up a DNS server on the attacker machine, firewalls to block traffic and redirect to the phishing IP. Is there another way that I can test? I forgot: deleting the passed certificate in the victim's browser, or certificate manipulations. I am interested in the MitM way. – user3551034, Sep 6, 2015 at 3:12
- @user3551034: You have an end-to-end connection and encryption, and the encryption is also resistant against tampering. All you could do as a man in the middle is interrupt the connection, but you cannot manipulate it in a way that the parties would not notice and thus close the connection. Of course this depends on proper use of TLS, i.e. certificate validation, secure protocol versions and ciphers etc. In practice not all of this is given, and a user might get tricked into accepting a bad certificate, or an application fails to verify the certificate properly. – Steffen Ullrich, Sep 6, 2015 at 3:54
- @user3551034: See also "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software" to read about insecure validation of certificates. – Steffen Ullrich, Sep 6, 2015 at 3:54
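The two checks the answer names (issued by a trusted CA, and matching the hostname from the URL) are what decide whether an on-path attacker's page is accepted, regardless of how the traffic was redirected. The following is an added example, not code from the original answer or comments. Certificates are modelled as plain dicts with constructed data (no X.509 parsing), and the cryptographic verification of the issuer's signature over the leaf is replaced by a look-up of the issuer name in a constructed trust store; that replacement is an assumption made for the demo. The hostname matching, including the wildcard rules browsers apply, is implemented for real:

```python
"""Why an ARP-poisoned victim still will not accept the attacker's page.

Added example, not from the original answer. Certificates are dicts with
constructed data; the issuer-name look-up stands in for the real signature
check (assumption). The RFC 6125 / RFC 2818 hostname rules are real.
"""
import ipaddress

# Roots the victim's browser trusts (constructed trust store).
TRUSTED_ROOTS = {"Example Root CA"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(pattern, hostname):
    """Match one dNSName SAN entry against the URL host, browser style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    # dNSName entries never match IP literals; those need an iPAddress SAN.
    if not pattern or not hostname or _is_ip_literal(hostname):
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' must be the whole left-most label, appear once, and have at least
    # two labels after it ("*.com" would otherwise cover every .com host).
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # '*' matches exactly one non-empty label: "*.example.com" covers
    # "www.example.com" but neither "example.com" nor "a.b.example.com".
    if len(h_labels) != len(p_labels) or not all(h_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def validate(cert, hostname, trusted_roots=TRUSTED_ROOTS):
    """Mimic the browser's accept/reject decision for a presented leaf."""
    if cert["issuer"] not in trusted_roots:
        return False, "issuer %r is not a trusted CA" % cert["issuer"]
    if not any(hostname_matches(n, hostname) for n in cert["san_dns"]):
        return False, "no subjectAltName matches %r" % hostname
    return True, "accepted"


# Constructed certificates. The victim was ARP-poisoned and now reaches the
# attacker's box when typing https://www.example.com into the browser.
LEGIT_CERT = {
    "subject": "www.example.com",
    "san_dns": ["www.example.com", "example.com"],
    "issuer": "Example Root CA",
}
# Attacker option 1: a self-signed cert that claims the real name.
SELF_SIGNED_FOR_VICTIM_NAME = {
    "subject": "www.example.com",
    "san_dns": ["www.example.com"],
    "issuer": "www.example.com",
}
# Attacker option 2: a genuinely CA-issued cert, but for the attacker's domain.
CA_ISSUED_FOR_ATTACKER = {
    "subject": "phish.attacker.test",
    "san_dns": ["phish.attacker.test", "*.attacker.test"],
    "issuer": "Example Root CA",
}
# Attacker option 3: a wildcard one level too high. Even if a CA signed it,
# the left-most-label rule keeps "*.com" from matching anything.
CA_ISSUED_TOP_LEVEL_WILDCARD = {
    "subject": "*.com",
    "san_dns": ["*.com"],
    "issuer": "Example Root CA",
}


def run_scenarios(hostname="www.example.com"):
    """Return {scenario: (accepted, reason)} for the certificates above."""
    return {
        "legitimate server": validate(LEGIT_CERT, hostname),
        "self-signed, real name": validate(SELF_SIGNED_FOR_VICTIM_NAME, hostname),
        "CA-issued, attacker name": validate(CA_ISSUED_FOR_ATTACKER, hostname),
        "CA-issued, *.com": validate(CA_ISSUED_TOP_LEVEL_WILDCARD, hostname),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print("%-26s %s (%s)" % (name, "ACCEPT" if ok else "REJECT", reason))
```

Only the legitimate server's certificate is accepted; every certificate the attacker can actually obtain fails one of the two checks, which is why an iptables REDIRECT on the poisoned host produces a certificate error rather than the phishing page. The places where real clients go wrong are exactly the ones the last comment points at: skipping the issuer check (accepting self-signed), or loose wildcard handling in the hostname match.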