What is a Man in the Middle Attack?
This is an attack where an advanced persistent threats (attackers) insert themselves in between a communication channel to steal data. They eavesdrop on communication between trusted parties or impersonate either of the parties, making it seem like a normal exchange of information.
Today, we’ll try to show a quick and easy way to detect this type of attack when surfing the internet.
Digital Certificates and Certificate Fingerprints
In one of our cybertricks series, we talked about digital certificates. Now, we’ll extended a little further. Browsers use these certificates to verify the integrity and worthiness of connnections.
We can see from the screeshoot that the connection is unsecure and we could be vulnerable to some attacks. That’s the browser using the certificate available to ensure security. Below is a screenshot of the certificate details.
Included in every digital certificate is a value known as a fingerprint. A certificate fingerprint is a hash calculated against the certificate. It is very important because it allows for a quick way to verify if any information inside the certificate has been tampered with.
Checking for Man in the Middle Attacks
Since we’ve gotten a hung of what certificates and fingerprints are, let’s dive into the fun part. We will use certificate fingerprints to known if we have an attacker sniffing through our connection to a site.
The following steps will be used to check for this type of attack:
Use openssl to grab the certificate of our test site to our local machine.
Identify the hashing algorithm used.
Extract the certificate fingerprint from the certificate on our local machine.
Visually compare the fingerprint on our local machine with the one displayed by the browser.
Step 1:
We use the command openssl s_client -connect <test_site>:443 -servername <test_site> </dev/null /sed -me ‘/-BEGIN CERTIFICATE-/, /-END CERTIFICATE-/p’> cert.pem
openssl: The openssl command is used to retrieve the SSL/TLS certificate from a website.
openssl s_client: Invokes the OpenSSL command-line tool's
s_clientsubcommand, which is used for testing SSL/TLS connections.-connect <test_site>:443: Specifies the host and port to connect to. 443 is the standard port for HTTPS. Replace
<test_site>with the actual domain name (e.g., google.com).-servername <test_site>: Specifies the hostname for Server Name Indication (SNI), required for virtual hosting.
</dev/null: Prevents
openssl s_clientfrom waiting for input after establishing a connection.| sed -ne ‘/-BEGIN CERTIFICATE-/, /-END CERTIFICATE-/p’: Pipes the output of
openssl s_clientto thesedcommand.sedis a stream editor.-ne: Suppresses automatic output and enables pattern matching.
'/BEGIN CERTIFICATE/,/END CERTIFICATE/p': Extracts the certificate data between
BEGIN CERTIFICATEandEND CERTIFICATE.\>cert.pem: Redirects the extracted certificate content to a file named
cert.pem.
We will use example.com as our test site.
As we can see, we now have the certicate on our local machine.
Step 2:
Using the command openssl x509 -in cert.pem -text -noout | grep "Signature Algorithm", we can identify the hashing algorithm used by the fingerprint to help us extract it.
We note that the SHA256withRSAencryption is used.
Step 3:
The command openssl x509 -in cert.pem -noout -fingerprint -<hashing_algorithm> extracts the fingerprint to the terminal.
We see that the fingerprint is this EF:BA:26:D8:C1:CE:37:79:AC:77:63:0A:90:F8:21:63:A3:D6:89:2E:D6:AF:EE:40:86:72:CF:19:EB:A7:A3:62
Step 4:
Now, let’s compare it to the one on the browser.
We see that the fingerprint on the browser is this efba26d8c1ce3779ac77630a90f82163a3d6892ed6afee408672cf19eba7a362
Comparing it closely to the terminal fingerprint, we see that they are the same. This implies that there is no attacker eavesdropping through our connection and as such no man-in-the-middle attack.
If the fingerprints do not match, there is a strong indication that your connection is being intercepted and you are a victim of the attack.
This method is a very easy way of checking for MitM attacks and can also be combined with browser warnings and certificate pinning.
Thank you for your time. Until we meet again, feliz piratería.