MITM Gmail SMTP STARTTLS Traffic in LAB machines

During an audit we may face the challenge of intercepting (MITM) Gmail SMTP STARTTLS traffic to retrieve the email content or credentials. Most .NET programs do NOT allow connecting to a secure server that presents a self-signed certificate. I used the starttls-mitm tool (https://github.com/ipopov/starttls-mitm) to intercept the traffic. I initially tried sslsplit, but it does not support STARTTLS.

I did the initial setup: created the key/certificate pair and installed the certificate on the target machine.
    test@test:~/googlelog$ sudo sysctl -w net.ipv4.ip_forward=1
    test@test:~/googlelog$ sudo iptables -t nat -F
    test@test:~/googlelog$ sudo iptables -t nat -A PREROUTING -p tcp --dport 587 -j REDIRECT --to-ports 8443

After that, I launched the MITM tool with the following command:
    test@test:~/googlelog$ python mitm_listener.py smtp.gmail.com ca.key  ca.crt

If you run a .NET program with SSL validation enabled, you will get this error:
Unhandled Exception: System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.TlsStream.CallProcessAuthentication(Object state)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.Mail.SmtpConnection.Flush()
   at System.Net.Mail.ReadLinesCommand.Send(SmtpConnection conn)
   at System.Net.Mail.EHelloCommand.Send(SmtpConnection conn, String domain)
   at System.Net.Mail.SmtpConnection.GetConnection(String host, Int32 port)
   at System.Net.Mail.SmtpTransport.GetConnection(String host, Int32 port)
   at System.Net.Mail.SmtpClient.GetConnection()
   at System.Net.Mail.SmtpClient.Send(MailMessage message)
   at gmailsend.Module1.Main()

On the intermediate proxy side, you will get this error:

Traceback (most recent call last):
  File "mitm_listener.py", line 65, in child
    do_relay(clientsock, targetsock, certfile, keyfile)
  File "mitm_listener.py", line 51, in do_relay
    raise e
ssl.SSLError: [Errno 8] _ssl.c:1312: EOF occurred in violation of protocol

The error message on the server/proxy side does not give any useful information.
We need to fix the .NET configuration on the test machine where the program is running.

By default, .NET does not accept a self-signed certificate as a valid certificate.

We fix this by changing the configuration in the machine.config file.
You need to change the following files to fix the issue for both 32-bit and 64-bit applications:
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config

(NOTE: I don't recommend making this change on a production machine.)

You need to add a configuration section like this (the added part is the <system.net> block, which sits between the closing </system.web> and the opening <system.serviceModel> tags):

    </system.web>
    <system.net>
        <settings>
            <servicePointManager
                checkCertificateName = "false"
                checkCertificateRevocationList = "false"
            />
        </settings>
    </system.net>

    <system.serviceModel>
Once you have saved this change, your .NET programs will connect to a secure remote server that presents a self-signed certificate.
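The machine.config change above is machine-wide and applies to every .NET process, which is what you want for a sample you cannot modify. For a test client that you compile yourself (such as the gmailsend program whose stack trace appears above), the same problem can be handled in-process with a certificate validation callback that logs exactly why .NET rejected the proxy's certificate and accepts it only when the chain ends in the lab CA. The following is an added example written for this post; it is not code from the post or from the starttls-mitm project. The thumbprint constant, the mail addresses and the credentials are placeholders (the real value is the SHA-1 thumbprint of your own ca.crt).

```csharp
// Added example, not part of the original post. Diagnostic certificate validation
// for a lab .NET SMTP client: log the SslPolicyErrors and chain status that the
// generic "remote certificate is invalid" exception hides, then accept only the
// lab interception CA (pinned by thumbprint) and fail closed for anything else.
using System;
using System.Net;
using System.Net.Mail;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

static class LabSmtpClient
{
    // Assumed placeholder: SHA-1 thumbprint of the lab CA (ca.crt on the page),
    // hex without spaces. Replace with the thumbprint of your own CA certificate.
    const string LabCaThumbprint = "0000000000000000000000000000000000000000";

    static bool ValidateLabCertificate(object sender, X509Certificate certificate,
                                       X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Normal case: the certificate chains to a trusted root and the name matches.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        // Report what .NET objected to: name mismatch, chain errors, or both.
        Console.Error.WriteLine("TLS validation failed: {0}", sslPolicyErrors);
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.Error.WriteLine("  chain: {0} ({1})", status.Status,
                                    (status.StatusInformation ?? "").Trim());

        // Accept the failure only if the chain's last element (the root) is the lab CA.
        X509ChainElementCollection elements = chain.ChainElements;
        if (elements.Count == 0)
            return false;
        X509Certificate2 root = elements[elements.Count - 1].Certificate;
        bool isLabCa = string.Equals(root.Thumbprint, LabCaThumbprint,
                                     StringComparison.OrdinalIgnoreCase);
        Console.Error.WriteLine("  root: {0} ({1}) -> {2}", root.Subject, root.Thumbprint,
                                isLabCa ? "accepted (lab CA)" : "rejected");
        return isLabCa;
    }

    static void Main()
    {
        // Process-wide for this program only; machine.config is untouched.
        ServicePointManager.ServerCertificateValidationCallback = ValidateLabCertificate;

        SmtpClient client = new SmtpClient("smtp.gmail.com", 587);
        client.EnableSsl = true; // STARTTLS on 587, matching the iptables redirect above
        // Constructed placeholder credentials for the lab account.
        client.Credentials = new NetworkCredential("user@example.com", "password");
        client.Send(new MailMessage("user@example.com", "user@example.com",
                                    "lab test", "hello from the lab"));
    }
}
```

With the callback in place the client prints, for example, `RemoteCertificateNameMismatch` when the proxy's certificate was issued for a different host name, or `RemoteCertificateChainErrors` with an `UntrustedRoot` status when the lab CA is not in the Windows root store; either tells you which part of the setup to fix before reaching for the machine-wide configuration. Note that the `checkCertificateName="false"` setting in machine.config only suppresses the host-name comparison; chain trust still comes from the root store, which is why the CA certificate is installed on the target machine in the setup step at the top of the post.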

This entry was posted in .Net, Google, Malware Analyzer, Tools, Windows.
