
security_downloads

Exploiting the Superfish certificate


As discussed in my previous blog post, it took about 3 hours to reverse engineer the Lenovo/Superfish certificate and crack the password. In this blog post, I describe how I used that certificate to pwn victims with a rogue WiFi hotspot. This also took me about three hours.

The hardware

You need a computer to be the WiFi access point. Notebook computers are good choices, but for giggles I chose the "Raspberry Pi 2", a tiny computer that fits in the palm of your hand and costs roughly $35. You need two network connections, one to the Internet and one to your victims. I chose Ethernet to the Internet, and WiFi to the victims.

The setup is shown above. You see the little Raspberry Pi 2 computer, with the power connection at the upper left, Ethernet at the lower left, and the WiFi adapter to the right. I chose an "Alfa AWUS050NH" WiFi adapter, but a lot of different ones will work (not all, but most). You can probably find a good one at Newegg or Amazon for $10. Choose one with an external antenna, though, for better signal strength. You can't really see it in this picture, but at the top of the circuit board is a micro-SD card acting as the disk drive. You'll need to buy at least a 4-gigabyte card, which costs $4, though consider getting an 8-gig or even 16-gig card since they don't cost much more.

The operating system

It's theoretically possible to do this on Windows or Mac, but the best software for this sort of thing comes on Linux.

Normally, I'd use Kali Linux because it already has all the hacking tools compiled for it. However, since the Raspberry Pi 2 is still new, Kali doesn't have a version for that hardware ready yet. Update: Apparently @essobi has a working RP2 Kali image.

Therefore, I used the most popular Raspberry Pi 2 distro of Linux known as "Raspbian", which I downloaded from the website: http://www.raspberrypi.org/downloads/

It comes as a "disk image" that you need to write to the micro-SD card. Because it's an image, you don't simply copy it as a file onto the card; you overwrite the entire contents of the card with the image. To do that, you need a special program. There are instructions on the download site that describe how to do this. Since I'm a Windows user, I used the "Win32 Disk Imager" program.

It goes without saying, you'll need something that can write micro-SD cards. I used the SD card reader built into my Dell monitor. I purposefully chose a micro-SD card that came with a full-size SD card holder so that it would fit into my monitor. My laptop also has a full-sized SD writer I could've used.

(These Kingston chips are the ones I'm using, but they are kinda crappy. They sometimes connect as 'read-only'; I don't know why).

Once the image was written, I removed the micro-SD card from my Windows machine and stuck it into the Pi, then plugged in the power to boot it up.

After powering it on for the first time, it wants you to hook it up to a TV and configure things. The default account is "pi" with a password of "pi". I created my own account called "rob" and added it to the "sudoers" file. Just make sure when you set it up that the SSH daemon is enabled. I use the PuTTY SSH client from my Windows desktop to talk remotely to the Pi.

The software

In this example, you need two things. First, you need the WiFi access-point software. Second, you need the MitM (man-in-the-middle) software.

For the WiFi software, I used the well-known hostapd project, and followed the exact instructions here http://elinux.org/RPI-Wireless-Hotspot for turning the Pi into a hotspot. Well, nearly exactly: I have a slightly different version of the Pi and a different WiFi card, but otherwise it's all the same. The configuration is all straightforward with no surprises. You set up hostapd to do the WiFi, then udhcpd to assign addresses, then use the Linux built-in netfilter to do the NAT.

For the MitM software, I chose sslsplit (https://github.com/droe/sslsplit). There are other tools like sslstrip and mitmproxy that I could've used, but the advantage of this tool is that it makes using the CA certificate really easy.

I needed to download and compile it separately. I also needed to "apt-get install libssl-dev libevent-dev" for it to compile. Other Linux distributions, like Kali, already come with sslsplit as a precompiled package.

After I did "make install" on sslsplit, I followed the directions here, with some variations:

The first difference is that instead of generating a CA key like it describes, I use the Superfish CA. You can download that in the file test.pem from my pemcrack tool. I then ran the command to decrypt it as follows (using "komodia" as the password):

openssl rsa -in test.pem -out ca.key

I also copied test.pem into the file ca.cer, then removed the PRIVATE KEY section so that only the CA certificate remains.

I then created the directory /var/log/sslsplit where the logfiles will be generated.

I then ran the command:

sslsplit -D -l connections.log -S /var/log/sslsplit -k ca.key -c ca.cer ssl 0.0.0.0 8443

Once this was running, I ran the netfilter command to redirect all SSL traffic:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

And that's it! All normal traffic goes through like a normal WiFi access point, but SSL traffic on port 443 gets MitMed with the Superfish CA!
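A defender's counterpart to this setup, added here and not part of the original post: a stdlib-only Python check that flags the Superfish CA either in the local trust store or as the issuer of the certificate a live HTTPS connection presents. It matches on the organization name "Superfish, Inc." (assumed here to be the subject of the CA shipped with the adware), and the trust-store scan relies on `SSLContext.get_ca_certs()`, which on Linux only lists certificates loaded from a bundle file, not lazily-loaded capath entries.

```python
import socket
import ssl
import sys

# Organization name in the Superfish CA's subject (assumption: the CA is
# self-signed, so a cert issued by it carries this name in its issuer field).
SUPERFISH_ORG = "Superfish, Inc."


def _names(rdns):
    """Flatten the ssl module's RDN tuple-of-tuples into {attribute: value}."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def is_superfish_cert(cert):
    """True if cert (dict form from getpeercert()/get_ca_certs()) is the
    Superfish CA itself or was issued by it."""
    subject = _names(cert.get("subject", ()))
    issuer = _names(cert.get("issuer", ()))
    return (subject.get("organizationName") == SUPERFISH_ORG
            or issuer.get("organizationName") == SUPERFISH_ORG)


def superfish_in_trust_store():
    """Return the loaded default-store CA certs that belong to Superfish."""
    ctx = ssl.create_default_context()
    return [c for c in ctx.get_ca_certs() if is_superfish_cert(c)]


def peer_issued_by_superfish(host, port=443, timeout=5.0):
    """Connect with the default trust store and report whether the presented
    chain comes from the Superfish CA. A verification error here is the good
    outcome: the MitM only succeeds when that CA is trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return is_superfish_cert(tls.getpeercert())


if __name__ == "__main__":
    store_hits = superfish_in_trust_store()
    print("Superfish CA in trust store:", bool(store_hits))
    if len(sys.argv) > 1:
        try:
            print("Superfish-issued chain:", peer_issued_by_superfish(sys.argv[1]))
        except ssl.SSLCertVerificationError as exc:
            print("chain not trusted (good):", exc)
```

Run with a hostname argument (e.g. a banking site) from a machine on the suspect network; a "True" on either line means the Superfish CA is in play.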

Running the exploit

I have a little victim laptop that I infected with the Superfish adware. I used it to browse to the BofA website. As you can see in the home page screenshot, there is a lock icon indicating the session is "secure".


You can see the sign-in form to the left. I typed "barry123457" and clicked "Sign In". Because of SSL, as promised by the lock icons, what I just submitted to the website should be encrypted. But because of the Superfish CA problem, Lenovo customers can be exploited so that such private information can be viewed.

Back on my Raspberry Pi 2, I navigated to the log directory. The decrypted sessions are written as individual files named with their timestamp, IP addresses, and port numbers.
These files contain the raw traffic, which is HTTP. The HTTP headers themselves are text, but the payload is usually binary. To make things easier, I just strip out the binary using strings(1).

strings 20150221T022602Z-[192.168.42.51]:50867-[171.161.198.200]:443.log >barry.txt

This was the session where I attempted to log into the BofA website using the AccountID of "barry123457". While this transaction went over SSL, you can see clearly that sslsplit was able to intercept it. As you can see, in the middle of the POST data is the string "barry123457".



Conclusion

Thus, this example proves that this exploit is practical, not merely theoretical as claimed by the Lenovo CTO. Exploiting this was a straightforward application of commonly available tools. The only thing out of the ordinary was sslsplit, but that's a tool commonly used by corporations for security purposes, and not some special "hacking" purpose.
