A Case of SSL MITM attack - Protecting The Trust Relationship

[patris1]

کد:

http://www.carbonwind.net/ISA/ACaseofMITM/ACaseofMITMpart1.htm

Part 1: TLS In Action

Carbonwind.net and the author do not condone or approve the illegal use of this tutorial in any way. Protecting data while is traversing insecure networks is a must these days.
The road warriors need access to their emails, documents, information, data from anywhere.
But what is the definition of this "anywhere" ?
Let's create a real world scenario.
Suppose that we are miles away from our HQ in a hotel room or in an Internet Café or something similar and we need to read our emails.
OWA(Outlook Web Access) seems a great choice. It is protected using SSL/TLS.
At a first glance we have two options: use our corporate laptop or a local PC(say, a computer from an Internet café).
The difference: the first one is a managed private computer and the other one is a shared public PC.
So let's see what's happening. Our user JohnVPN, for some reasons, chooses to use a shared public PC from, say an Internet café where he went to kill his time and play a couple of onlines games, socialize?
Our attacker is just waiting for people like John. He is preparing a SSL MITM attack in order to steal John's credentials. He did manage to compromise the Internet café network, which can be done very easy. After all, the owner did his job, installed a firewall, some AV/Spyware on his PCs, but he cannot cope with a skillful attacker. The attacker now directs traffic from computers to the local gateway through, say, a local PC where he has installed his malicious software. He can do that very simple using ARP Spoofing. In Figure1 we have the network diagram which describes the traffic paths.

Figure1: Network Diagram
So now all the traffic from JohnVPN to the gateway passes through the attacker PC. No big deal we might say since the OWA traffic is encrypted. There is no big deal if only the attacker resumes to passive eavesdropping. If he decides to mount a SSL MITM attack then JohnVPN will soon have problems.
Why the attack might succeed and so why we must avoid using public, shared PCs to read our emails ?
Let’s first analyze a normal OWA connection from a managed private PC.
For this test, for protecting the Exchange 2003 Server I have used ISA 2006 Firewall. On ISA, OWA is published using SSL bridging, FBA on ISA(ISA is a domain member, so ISA validates credentials using Windows(Active directory)) and if authentication succeeds it will use basic authentication delegation for forwarding the basic credentials to the Exchange Server. In this way no packets will reach the Exchange Server if authentication on ISA fails.
The default ISA HTML forms will be used.
My private CA, named DCMain, is an Enterprise CA(Windows 2003) and sits on my DC. Nothing special since I’m in my test lab. You might like to read:
Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure
Our JohnVPN Our JohnVPN user is away from his office and using his laptop he wants to read his emails from his hotel room. Since this laptop is a managed device, he should be protected against worms, keyloggers and he is confident that he is using, say, Genuine Windows. Also proper antivirus, spyware and firewalls are configured on his notebook. Already a trust relationship was build.
The company for which John works is using a private CA for issuing certificates. The OWA web server certificate is from this CA. Obviuosly JohnVPN’s laptop has installed on it the CA certificate and he is confident that no one has altered his Trusted Root CAs where the private CA certificate is installed or edited hisIE7 settings.
Let's see what's happening.

Figure2: A normal OWA login screen with no errors in IE7
Let's analyze the web server certificate:

Figure3: Viewing the web server certificate

Figure4: The web server certificate
Since we went to https://owa.carbonwind.net/exchange the common name on the certificate must be owa.carbonwind.net otherwise IE will give us some warnings.

Figure5: The web server's certificate details

Figure6: The web server's public key

Figure7: The web server's enhanced key usage
The key of the server can be used for signing and Key Encipherment (a0) (not for Data Encipherment (f0)).
The web server certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. In our case, the certificate used for the authentication of the web server must be configured with the Server Authentication purpose. The CA certificate is in the Trusted Root Certifications Authorities Store:
The web server certificate is configured with one or more purposes in EKU extensions that correlate to the certificate use. In our case, the certificate used for the authentication of the web server must be configured with the Server Authentication purpose.
The CA certificate is in the Trusted Root Certifications Authorities Store:

Figure9: CA Cert from Trusted Root Certifications Authorities Store
The Certification Path from the web server certificate:

Figure10: The Certification Path from the web server certificate

RFC2246(TLSv1.0) and RFC4346(TLSv1.1) states that:
“If the server is authenticated, its certificate message must provide a valid certificate chain leading to an acceptable certificate authority“.

So at this point JohnVPN can say that the remote server is really our Exchange server(actually is the ISA server) and he can proceed with his login.

Figure11: JohnVPN has logged on

As we have seen there are some details:
- During the SSL/TLS session the browser will “request” from the web server its certificate in order to authenticate it
- The common name on the certificate must match the name of the server from our URL: if we connect by https://owa.carbonwind.net then the CN on the certificate must be owa.carbonwind.net
- The web server’s certificate must be signed by a trusted CA: the CA certificate must be in the Trusted Root CAs Store, otherwise the client cannot really tell if the web server is who is pretending to be, since it cannot verify who has signed its certificate. This one is the most critical detail. Other details like the CN, OU,O…as we will see later can be forged. If you log on from a managed, private computer then it is very unlikely that you actually have a forged CA certificate on your computer
- The public key of the web server from its certificate. It cannot be forged because it must have a corresponding private key. This is how public encryption works: I give you my public key and then you send me “something” encrypted with my public key. This “something” can only be decrypted with my private key. The CA signes my certificate with its own private key, in this way enabling you to verify that the public key that I have sent you is really my public key. Since you have on your computer the CA certificate(which was obtain from a trusted place), thus the CA public key, you can verify my certificate authenticity and so trust my public key. Also, if I sign something with my private key and send it to you, you can check by using my public key if I really sent you that something. If you have a good memory, maybe you can remember my public key letter by letter and add an extra layer of verification. Very unlikely though.
- The “Certification Path” leads you to the CA as you can see from Figure10.
- The certificate must not be expired or revoked
This was what actually what an end user sees. But what’s happening on the wire?
A quick search through RFC2246(TLSv1.0) and RFC4346(TLSv1.1) for directions :
“ TLS supports three authentication modes: authentication of both
parties, server authentication with an unauthenticated client, and
total anonymity. Whenever the server is authenticated, the channel is
secure against man-in-the-middle attacks, but completely anonymous
sessions are inherently vulnerable to such attacks. Anonymous
servers cannot authenticate clients. If the server is authenticated,
its certificate message must provide a valid certificate chain
leading to an acceptable certificate authority. Similarly,
authenticated clients must supply an acceptable certificate to the
server. Each party is responsible for verifying that the other's
certificate is valid and has not expired or been revoked.”
-----------------------------------------------------------------------------------------------
The TLS Handshake Protocol involves the following steps:
- Exchange hello messages to agree on algorithms, exchange random
values, and check for session resumption.
- Exchange the necessary cryptographic parameters to allow the
client and server to agree on a premaster secret.
- Exchange certificates and cryptographic information to allow the
client and server to authenticate themselves.
- Generate a master secret from the premaster secret and exchanged
random values.
- Provide security parameters to the record layer.
- Allow the client and server to verify that their peer has
calculated the same security parameters and that the handshake
occurred without tampering by an attacker.”
-----------------------------------------------------------------------------------------------
“ Client Server
ClientHello -------->
ServerHello
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
ApplicationData <-------> Application Data
Fig. 1 - Message flow for a full handshake
* Indicates optional or situation-dependent messages that are not
always sent. “

Now let’s visualize all these with Wireshark:
The Client Hello message:

Figure12: The Client Hello message

The proposed client Cipher Suites(a list of cryptographic parameters that the client supports):


Figure13: The proposed client list of Cipher Suites

The “Server Hello” message which includes:


Figure14: the Server Hello message
- the Certificate which contains the server certificate, thus the server will be authenticated by the client
- the selected Cipher Suite. But what does TLS_RSA_WITH_RC4_128_MD5 means?
It means that we are using RSA key exchange and authentication(from RFC2246(TLSv1.0) , we are using TLS 1.0):
“With RSA, key exchange and server authentication are combined. The public key may be either contained in the server's certificate or may be a temporary RSA key sent in a server key exchange message.
After verifying the server's certificate, the client encrypts a pre_master_secret with the server's public key. By successfully decoding the pre_master_secret and producing a correct finished message, the server demonstrates that it knows the private key corresponding to the server certificate.
pre_master_secret - This random value is generated by the client and it is used to generate the master secret
master secret - Secure secret data used for generating encryption keys, MAC secrets, and IVs.
Message Authentication Code (MAC) - A Message Authentication Code is a one-way hash computed from a message and some secret data. It is difficult to forge without knowing the secret data. Its purpose is to detect if the message has been altered.
MD5 - Message-Digest algorithm 5 is a secure hashing function that converts an arbitrarily long data stream into a digest of fixed size (16 bytes)
SHA - The Secure Hash Algorithm is defined in FIPS PUB 180-1. It produces a 20-byte output. Note that all references to SHA actually use the modified SHA-1 algorithm.
RSA - A very widely used public-key algorithm that can be used for either encryption or digital signing.
- RC4 as the symetric encryption algorithm to protect data(confidentiality).
- TLS uses MD5 as the hash function. The connection is reliable. Message transport includes a message integrity check using a keyed MAC. Secure hash functions (e.g., SHA, MD5, etc.) are used for MAC computations.For example we can create a hash of the data and keyed this hash with a key known only by the two peers(this is a shared secret). In this way we can assure data integrity(proof that the data was not modified in transit) and data authentication(proof that the data was sent by the legitimate source) per packet. This is called HMAC(Hashed Message Authentication Code).”

As we can see from Figure14 the Server Hello does not contain the Server Key Exchange field because the server certificate has a public key that can be used for encryption. Also there is no Certificate request meaning that the client will not provide any certificates to the sever thus it will not be authenticated by the server. So we can resume that we are using RSA for key exchange and authentication, RC4 for protecting the data confidentiality, MD5 for data integrity and only the server is authenticated.
The Server Hello Done message is sent by the server to indicate the end of the Server Hello and associated messages. After sending this message the server will wait for a client response.
And here it comes the client answer:

Figure15: Client response following the Server Hello message

The client response contains a “Client Key Exchange”. Because RSA is being used for key agreement and authentication, the client generates a 48-byte premaster secret, encrypts it using the public key from the server's certificate and sends the result in an encrypted premaster secret message.
No Certificate or Certificate Verify messages since the client does not send any certificate(the client certificate must has signing capabilities for the Certificate Verify message).
The Change Cipher Spec message is sent by the client to notify the server that subsequent records will be protected under the newly negotiated CipherSpec and keys before the verifying Finished message is sent.
The client then immediately sends the Finished message under the protection of the new algorithms, keys, and secrets. In our Figure15 it is the Encrypted Handshake Message.
Now the server receive the “Finished” message from the client, it valides it and sends its own Change Cipher Spec and its Finished(the Encrypted Handshake Message) message protected with the newly negotiated CipherSpec and keys.

Figure16: The server response following the client Change Cipher Spec Finished messages

If the client receives and validates the server Finished message, application data traffic might start to flow.


Figure17: Application data protected by TLS

In our case the application protocol is HTTP.
Now let’s proceed and log on our JohnVPN user from a public computer while the web server certificate was issued by our private CA. JohnVPN doing so, from the Internet café, from where he thought he can combine pleasure with business, has no idea if the computer contains keyloggers, worms, viruses, an original OS or even if the antivirus installed on it is the “real deal”. There is no trust relationship, au contraire, there is one based on suspicions.

Figure18: Big IE error

Wow!
IE blocked us the access to the OWA site.
So let’s click to continue and then view the certificate.

Figure19: The certificate cannot be verified up to a trusted CA


Figure20: The certificate details


Figure21: The certification path

Everything appears to be OK except the Certification Path. We can see that the CA is missing. The RFC2246(TLSv1.0) states about the server Certificate message:
“This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate which specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.”
So our server(ISA) did not send to JohnVPN the CA certificate since there is no real need for it. He must have on his computer this CA in order to prove that the certificate is valid.
Looking more carefully at our certificate we can see an Authority Information Access field.

Figure22: The certification path Authority Information Access field

Since we are on a public computer and our CA is private, this computer has no clue about our CA.
So it’s trying to download the CA’s certificate as we can see from Figure23.


Figure23: Trying to download the CA certificate

But we did not publish this information on our ISA, so its request will be denied(obviously a DNS entry must exist for dcmain.carbonwind.net).
Now let’s go and publish the CA certificate(I have used another web server where I manually put the CA certificate and the CRL) with ISA and let’s try one more time.
The same errors will come up in IE. However as you can see from Figure24 the CA certificate was downloaded.


Figure24: Downloading the CA certificate

Now let’s look again at the “Certification Path”:


Figure25: The new “Certification Path”

And now as we can see the correct certificate chains appears. But there is a red X on the CA certificate(the CA is not trusted). Let’s click on “View Certificate”:


Figure26: The CA certificate

If we proceed and install this certificate in our Trusted Root CA store then IE will not give us any errors just like when JohnVPN logged from its private laptop.
So as you can see when JohnVPN logs on from a public computer the trust relationship is broken. Note that this trust relationship is only one-way, we authenticate the server but the server does not authenticate us because we do not present it any client certificate. Also we cannot really tell if the server certificate is real when JohnVPN used the public PC unless we remember the public key of the server, unlikely though.

---

موضوعات مشابه:

• the trust relationship between this workstation and primary domain failed
• چگونه نوع trust relationship را مشخص کنیم؟
• پیغام "The trust relationship between this workstation and the primary domain failed."
• MITM برای Gmail
• Protecting the Administrator Account

---

[patris1]

کد:

http://www.carbonwind.net/ISA/ACaseofMITM/ACaseofMITMpart2.htm

Part 2: The SSL MITM Attacks

Carbonwind.net and the author do not condone or approve the illegal use of this tutorial in any way. For the first MITM test we are going to use Burp Proxy. We will configure IE to use it as an Web Proxy:


Figure27: Preparing IE for Burp Proxy

We are going to start Burp Proxy and make sure that interceptation is on:


Figure28: Burp Proxy Interceptation is on

And JohnVPN goes ahead for a poor MITM attack:


Figure29: IE error with Burp Proxy MITM

As you can see from Figure29 now IE warns us that the CN from the certificate does not match owa.carbonwind.net(our destination) and that it does not trust the CA.
Click continue and “forward” on Burp Proxy:


Figure30: Click “forward”

A look at the certificate shows that the web server name is incorrect(the CA is not trusted either and it is not the one we expected to be, DCMain):


Figure31: Burp Proxy Certificate

As we can see from Figure31 this certificate looks like a self-sign certificate(like a root certificate).


Figure32: Burp Proxy Certificate details

From Figure32 we can also see that the other fields are different and the public key has only 1024 bits.
JohnVPN expected anyway the IE error(since he remembers something from the instructions that the IT Security department of his company gave to all of its employees) and did not bother to check the certificate(although IE warned him about the CN mismatch, too much for JohnVPN).

Figure33: JohnVPN logs in

Next we see in Burp Proxy the username “JohnVPN” and the password “pa55w0RD”.

Figure34: JohnVPN’s credentials exposed

And click “forward” so that JohnVPN to be taken to his email account.
Now let’s go and install Burp Proxy’s CA certificate into the “Trusted CA store”(just click “Install Certificate” from the “General” tab when viewing the certificate in IE and follow the wizard).


Figure35: Now Burp Proxy’s CA certificate is trusted

And JohnVPN will log one more time:


Figure36: New IE error

Right now IE is complaining about the fact that the CN from the certificate did not match our request address. JohnVPN will not read it. An error like any others…
In Figure37 is the IE setting that checks the CN.


Figure37: IE Setting


Figure38: The certificate is fine except…


Figure39: …Except the CN(and of course the other detail fields do not match)

JohnVPN continues and submit his credentials.


Figure40: Again JohnVPN’s credentials were exposed

If the attacker disables that security check from IE and installs Burp Proxy’s CA certificate in the “Trusted Root CA Store” then no errors will show up in IE:


Figure41: No IE errors

If actually JohnVPN’s company was using a commercial certificate he would not expect any errors and since there are no errors he will not notice anything(of course if he did not check the certificate).
So by now we have exemplified a poor SSL MITM. Even it is a poor one it can actually succeed if the attacker disables the browser’s security checks and make sure he/she includes its CA certificate in the “Trustes Root CAs”. A careless user will not even look at the certificate and since IE it does not give him/her any errors he/she will not have a clue about the MITM attack.
Let’s move forward and perform a more advanced SSL MITM.
For this we are going to use Cain&Abel.
Let’s assume once again that JohnVPN is using a public PC and the server certificate is from a private CA. For some reasons, knowing the risks, he will do so. He is aware about the IE errors about the certficate but he is confident that he can spot a fake one.
For our test the DG is 192.168.22.3, the attacker sits on 192.168.22.4 and JohnVPN is at 192.168.22.2.
Cain&Abel is very easy to configure. First scan for MAC addresses:


Figure42: Cain&Abel Scanning for MAC addresses


Figure43: Cain&Abel Preparing the ARP Spoofing

We want to redirect to our PC 192.168.22.4 all the trafic from 192.168.22.2 to 192.168.22.3.


Figure44: Cain&Abel the ARP Spoofing was started

I did not touch its configuration:


Figure45: Cain&Abel Filters and Ports


Figure46: Cain&Abel HTTP Fields

Now JohnVPN proceeds.
The IE error, as expected the certificate was not issue by a trusted CA:


Figure47: Cain&Abel IE error

Looking at Cain&Abel we can see that it has create a custom fake certificate and has successfully intercepted the traffic:


Figure48: Cain&Abel fake certificate

JohnVPN continues and takes a look at the certificate:


Figure49: Cain&Abel IE certificate

It looks very good, even the CA name is OK.


Figure50: Cain&Abel IE certificate details

Looking at the details the public key has a different length 1024 and the Signature algorithm is md5RSA and not sha1RSA. But if we can also forge the length. It is very unlikely that JohnVPN actually knows it by letter. And JohnVPN must must be well trained to check all those fields. The CN is good, the CA name also, as well as OU, O, L, S, C, the validation dates, the serial number.


Figure51: Cain&Abel IE certification path

The CA certificate is missing but JohnVPN might expect that as we have seen in the previously example.
JohnVPN is fooled and continues with his login.
So now we are moving into Cain&Abels’s “Sniffer/Passwords” section and there we can see JohnVPN’s credentials:


Figure52: Cain&Abel IE exposed credentials

As you can see it is easy to forge the certificate fields on the fly. Only the web server public key cannot be forged. But since it is quite long we cannot remember it.
So the attack might succeed if John VPN logs on from a public PC while the server certificate was issued by a private CA. He expects the error and the certificate he receives is well crafted.
Now let’s use Fiddler2 to perform a SSL MITM. We first must enable it to “Decrypt HTTPS traffic”


Figure53: Tell Fiddler to decrypt HTTPS

When we start Fiddler, it sets our browser to use its proxy, Fiddler listen on TCP port 8888. There is an option “Allow remote clients to connect” which enables other computer to use Fiddler as their Web proxy(just set their proxy with the IP address of the machine where Fiddler runs and TCP port 8888).


Figure54: IE settings after Fiddler starts

IE will give us the same error about not trusting the CA(we can see that the name of the CA is suggestive). However Fiddler forges on the fly the CN and so we won’t see the error about it in IE.


Figure55: Fiddler Certificate


Figure56: Fiddler Certificate Details


Figure57: Fiddler Certificate Certification Path

Fiddler sent us the CA certificate along with the web server certificate so we can follow the Certification path.
If we go and install the Fiddler CA in our “Trusted CA Store” then no IE error will appear anymore.


Figure58: Fiddler no IE errors

And Fiddler2 shows JohnVPN's credentials:

Figure59: Fiddler shows credentials(Text View)

Figure60: Fiddler shows credentials(Raw View)

Figure61: Fiddler shows credentials(WebForms)
Obviously the attacker can came up with the right CA name, maybe with the right public key length and other fields like OU, O…
The CN was forged, the attacker’s CA can be made trusted.
If the attacker actually expected JohnVPN then he would knew the CA name(+ all the details) and then JohnVPN would have no chance, he will be owned. Unless he remembers the server’s public key. As you can see the certificate can be forged and it is quite impossible to detect a fake one if the attack is properly done(all the fields are correct except the public key one, the CA is trusted). Since JohnVPN logged from a public share PC, the attacker’s job is made very easy. He/she can have direct access to the network and so he/she can own it. We are referring only to SSL MITM attacks and not to keyloggers or other tools that the attacker might use. Remember the RFC2246(TLSv1.0) words:
“Because certificate validation requires that root keys be distributed independently”
If I present you my certificate along with the CA certificate that has signed it then you cannot tell if the certificate is not a fake if you do not “know” the CA. The CA must be a “person” not interested by me or you. It’s like when you and I sign a piece of paper in front of an witness. If this witness is an disinterested, honest person then he/she becomes the link that would certify that you and I actually signed that piece of paper. If this witness has hidden interests then the link is broken.
There are other tools that can perform SSL MITM attacks(some of the ones used here were developed for debugging). A skilfull atacker will probably have his own tools which for designed specifically for maliciuos activities.
As you can see it is quite easy to proper create a SSL MITM attack on a public shared PC.
If you want a real world, this time a good example, think at ClearTunnel, an ISA Server add-on which enables ISA to perform outbound SSL inspection. It achieves this by doing a MITM attack. But in this case it is a trusted MITM(its documentation specifies that you must use it only if you are compliant with the privacy laws in your country or locality regarding the interception of encrypted traffic even if you are on your own internal network). By preparing certificates on the fly, the CN will match your connection’s request and the CA obviuosly will be trusted. So no IE errors.
Now with all these on our mind you might thought, well I’m skilled enough not to be MITM-ed when I’m reading my emails from a public shared PC. Besides, I have bought a commercial certificate, so I’m not using any private CA(although you have seen that this does not help).
Well, I’m sorry to spoil your party but you are wrong. There are hardware keystroke loggers(if you can spot software ones) which can even built in your keyboard like Security Keyboard(which is addressed to). Imagine that an atacker crafts his/her own keyboard and then place it in the right place. You “are owned” no matter what.
Actually there are tutorials showing you how to make your own are hardware keystroke loggers. See it yourself:
Hardware Keylogger - KeeLog
Maybe you can try to use a virtual keyboard(even an online one). But in the end, the risk is too high, it’s like someone has thrown you into the jungle. You cannot know “what’s” next.
When you are accessing sensitive data from a public, shared PC you are breaking the relationship of trust. “Clientless access” from virtually anywhere is beautiful but how can you tell who’s who?
When you are using your private, managed, laptop you have original software running on it along with proper antivirus, spyware and firewall programs. No one has forged your “Trusted Root CA Store” or installed malicious programs. Having your own PKI with your own CAs is very secure once you have properly deployed it. And you have a great flexibility regarding the certificates.
All the above attacks were performed when only the one-way trust relationship exists. Only the the server was authenticated.

[patris1]

کد:

http://www.carbonwind.net/ISA/ACaseofMITM/ACaseofMITMpart3.htm

Part 3: The Two-Way Trust Relationship

Carbonwind.net and the author do not condone or approve the illegal use of this tutorial in any way. For any real authentication method we must forced mutual authentication: we will have the "magic" two-way trust relationship. We authenticate the server and the server authenticates us.
Coming back to the OWA discussion it is very simple to force this kind of relationship with ISA. Just go to your OWA publishing rule, the “Listener” tab and on the “Listener” properties go to the “Authentication” tab and click “Advanced”:


Figure62: ISA OWA Publishing Rule/Listener Properties/Authentication

Put a checkmark in the “Require SSL client certificate” checkbox. This means that now the “TLS authentication mode” is set to: “authentication of both parties”. It does not mean that you provide a user certificate to ISA and automatically you are logged on to your OWA account(it's not user authentication).
By now, you must first present a valid certificate to ISA(after ISA has presented you a vaild one), then enter your credentials in the ISA OWA FBA page and if these credentials are good, eventually traffic will reach the Exchange server.
The “SSL client certificate timeout” specifies that the client certificate will be presented after 300 seconds. If it is located on a smart card, you retrieve the smart card and you let the session open, then ISA will end up the session because you will not present the certificate. If you store the certificate in your “Local User store” then you will not notice the ISA time out request.


Figure63: Listener Properties/Authentication/Advanced/Authentication Preferences

Make sure you accept only certificates which were issued by your private corporate CA:


Figure64: Accept only certificates which were issued by your private corporate CA

You can even further and restrict the Client certificates, for example, accept only certificates whose “Enhanced Key Usage field” contains the following “Smart Card Logon object ID: 1.3.6.1.4.1.311.20.2.2”(see ISA’s help for details) which identifies a smart card logon certificate. Be aware that your client certificate must also contain the “Client Authentication ID1.3.6.1.5.5.7.3.2” because your certificate must have signing capabilities for the TLS client authentication. Also there are other restriction options.


Figure65: Client Certificate Restriction

Our user has the below certificate, see Figure66:


Figure66: JohnVPN’s user certificate

He wants to log on to the OWA site. After he types the address of the OWA site he is prompted for his certificate.


Figure67: IE prompts JohnVPN for hist certificate

Since his certificate does not contain the “Smart Card Logon object ID: 1.3.6.1.4.1.311.20.2.2” ISA denies his request.


Figure68: ISA blocks JohnVPN due to certificate restrictions

If JohnVPN has a proper certificate then he will make it:


Figure69: JohnVPN’s proper certificate


Figure70: JohnVPN reaches the OWA screen

So what’s happening on the wire ?

Let’s take a look with Wireshark:


Figure71: Wireshark Trace, “Server Hello”

Now when the server sends its certificate to the client it will request a client certificate, the “Certificate Request” message.
In this “Certificate Request” the server will specify the types that client must provide. As seen in Figure72 the client has two options:


Figure72: Client certificates types

What do “RSA Sign” and “DSS Sign“ mean?
They mean that the server is expected the “Certificate Verify” from the client, message which is sent to explicitely verify the certificate.
RFC2246(TLSv1.0) states that about “Certificate Verify”:
“This message is used to provide explicit verification of a client certificate. This message is only sent following a client certificate that has signing capability.
When RSA is used for key exchange, clients are authenticated using the certificate verify message. The client signs a value derived from the master_secret and all preceding handshake messages. These handshake messages include the server certificate, which binds the signature to the server, and ServerHello.random, which binds the signature to the current handshake process.”
So the client must use his/her private key to sign a message for the server(that’s why he needs signing capabilities on his certificate).With the public key from the client certificate received(which must be from a trusted CA), the server can be sure that the client is the one who is pretending to be.
Also there is a “Distinguished Names” list which includes some certificate authorities.


Figure73: “Distinguished Names”

And here it comes the client answer:


Figure74: Client Answer


Figure75: Client Answer: “Certificate” and “Certificate Verify” included

So JohnVPN will not have any chances to reach the OWA screen(no packets actually will reach the Exchange server before JohnVPN enters his user name and password and ISA validates them).
In this way we have set a high security trust relationship between the client and server and vice-versa.
We have seen the certificate restriction working, let’s take a look at the CA restriction. Remember that ISA accepts client certificates only from DCMain?
I have another CA, TESTSTDCA, a standalone one(Windows 2003) which is trusted by ISA, but ISA is not accepting connections from it:


Figure76: The TESTSTDCA

And the valid client certificate which contains both the “Client Authentication” and “Smart Card Logon” IDs:


Figure77: The client valid certificate issued by TESTSTDCA

And ISA is rejecting our connection:


Figure78: ISA does not accept a certificate issued by TESTSTDCA

So our two-way trust relationship is working like a charm.
Let’s see what’s happening when someone tries to mount a MITM attack against JohnVPN.
JohnVPN, a person with common sense, follows his company’s IT Security department directives. And he uses only his corporate laptop to access company resources.
Let’s assume that the attacker has crafted a client certificate “for” JohnVPN which will be presented to ISA. For this we will use the makecert.exe utility. This one is shiped with Fiddler, that’s why I am in the Fiddler2 directory.
First let’s issue a self-signed certificate which will play the role of the CA(root) certificate(for all purposes) for “DCMain”:


Figure79: Crafting a "CA" certificate

It will be installed in “My Current User Store”:
Here it is:


Figure80: The “DCMain” CA certificate

Is not trusted because I did not installed it in the “Trusted Root CAs Store”. We could forge other options, like the validity period, mark the private key exportable and so on but we are not interested in doing so right now.
After that we will issue another certificate which will be signed by “DCMain” and place it in “My Current User Store”:


Figure81: Crafting the “John VPN” certificate signed by “DCMain”


Figure82: The “John VPN” certificate signed by “DCMain”


Figure83: The “John VPN” certificate signed by “DCMain”, the “Certification Path”

We are going to use one more time Fiddler to perform the attack so we need to place the client certificate where Fiddler can access it(just export the certificate without the private key, Fiddler will know how to use it as long your certificate remains, say, in the “Current User Store”):


Figure84: Fiddler’s client certificate

When JohnVPN tries to login and is being MITM-ed he will receive an IE error which informs him that hist certificate was not signed by a CA which is trusted by ISA. The first error receive by him will be about the server certificate which is not trusted. If the Fiddler CA would be trusted he will not see it but since he is on his managed private PC is not the case.


Figure85: IE error if Fiddler CA is not trusted

Let’s continue and:


Figure86: IE ISA error reply message


Figure87: ISA blocks the MITM attack

Figure88: The “client” answer

As you can see, Fiddler sent the reply with the required fields, this time with no luck.
OK. Want to see what’s happening when the client has only the certificate without the private key?
Let’s use on more time Fiddler2. This time we export the good client certificate like before without the private key. And we delete the good one from our store.
Obviuosly that IE error complaining about the CA not being trusted and then if we continue:


Figure89: IE error needing a client certificate


Figure90: ISA error

The “client” answer:


Figure91: The “client” answer

As you can see the “client” sent only the “Certificate” message which is empty because it does not have the type of certificate ISA requested(it has, but it has “lost” its private key). Obviouly no “Certificate Verification” message(he cannot sign anything).
So by now since our JohnVPN uses his managed private laptop to access emails(his certificate can be stored on a proper smart card) it is very hard for an attacker to make JohnVPN to trust his CA and quite impossible to do that with ISA, remember ISA only accepts certificates issued by our private CA which is supposed to be very well protected. And ISA 2006 as currently writing this article 28.08.2007(and counting) has zero advisories listed (no further comments needed):
Microsoft ISA Server 2006 - Advisories by Product - Secunia Advisories - Vulnerability Information - Secunia.com
Another thing you would like to do is to control the Cryptographic Algorithm and Protocols used by ISA: say you would want RSA with 3DES and SHA-1.
You can refer to this article from Microsoft site:
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
As you have seen I use only IE7. IE7 will check for certificate address mismatch(CN on the certificate), if the certificate was issued by a trusted CA, if the certificate is not expired or revoked. You can take a look at some of this options accessing “Internet Option” and the “Advanced” tab.
I did not use other browsers like Firefox or Opera since it would require more pictures(printscreens). Maybe I will add Part4 and Part5 to explain the error messages the two browser will give. Keep in mind that Firefox and Opera have their own CA trusted lists, but I guess you know very well this fact if you are using them frequently.
If you have an ISA lab set like in our article ISA VMware Simple Lab and you would like to test the above described issues yourself it is very simple to do that: if 192.168.22.3 is holding the VMs in order to have a simple traffic flow we can modify ISA’s External Interface network settings from “Bridged” to “NAT”.


Figure92: ISA External Interface settings

Make sure the “Services” are running:


Figure93: VMware services running

On ISA Wan NIC manually add two IP addresses(from VMnet8 range):
- say 192.168.146.31(my VMnet8 range 192.168.146.0/24) for publishing your CA certificate and CRL(optional, if you want to). The DG will be 192.168.146.2(probably your VMnet8 NIC from your PC uses 192.168.146.1, but you can disable it if you want)

Figure94: VMnet8 adapter


Figure95: ISA’s External interface IP settings 1
- and 192.168.146.30 for publishing OWA

Figure96: ISA’s External interface IP settings 2

I have used multiple IP addresses since they are from a private range. And I can have a clear simple picture like so.
Next configure port forwarding from “Virtual Network Editor”(see our VMware Server Networking Options for more details)


Figure97: “Virtual Network Editor” NAT tab

And add the following port forwarding mappings:


Figure98: Port Forwarding

Now my LAN computers will access owa.cabonwind.net and dcmain.carbonwind.net by IP address 192.168.22.3. For that I have created some entries in my “Hosts” file:


Figure99: The “Hosts” file

And you have a simple traffic flow: JohnVPN at 192.168.22.2 connects to the OWA site through the “gateway” 192.168.22.3. The attacker using ARP Spoofing directs traffic from 192.168.22.2 to 192.168.22.3 through his PC 192.168.22.4.