I’ve been using some entertainment software, but the membership fee is so expensive that I can’t afford it. So I figured out a way to get around the membership check. In effect, this amounts to writing a keygen for the software.
Preparation
Based on packet captures and a look at the source code, I made a preliminary determination of the software's authentication mechanism. I won't go into the details here, only the conclusion: authentication is handled by a separate server that performs device registration, key authentication and similar operations over HTTPS.
The specific authentication protocol was identified by reverse engineering the code.
Planning
Once you understand the software's authentication mechanism, you can make a plan. There are two options:
- Man-in-the-middle attack: set up a man-in-the-middle server and tamper with the authentication session
- DNS hijacking: forge the authentication site and unconditionally answer that authentication succeeded
Since the software's authentication runs on a separate server, option 2 is much simpler.
Implementation
Fake service
Write a web service that implements all of the authentication endpoints and returns success for every request.
Then run nginx on that machine, configured to listen for the authentication server's domain name and forward to the fake web service.
Hijack the DNS
Use the DNS tool on the router, or simply edit the hosts file, to point the authentication server's domain name at the IP address of the fake service.
Forging the domain certificate
This is only half the story. The rest is the important part.
Although we already had the fake authentication service and could redirect requests to it, the exchange could not be completed, because we had neither the server certificate nor the private key needed to complete the TLS handshake. There is no way to obtain an HTTPS certificate for someone else's domain name, so we have to be smart about it.
First we generate our own root certificate, then use that root to issue a certificate for the domain name we need to forge. We install our root certificate as trusted on the device to be cracked and configure the forged domain certificate on the server. The whole authentication system is now set up by us, so naturally everything passes unimpeded.
Thus, the whole hijacking plan was accomplished.
Reflection
Getting around the authentication system so easily is, frankly, a little chilling.
Although the web has become more secure and authentication more complex, you can still fall into traps if you are not careful. Combined with the irresponsibility of some developers, the Internet is even more dangerous.
About developers
First, developers should pay attention to certificates. In this software, for example, I tried configuring a wrong certificate, but the software's interface only showed a certificate error. Once the user clicks through to accept the certificate, the error is ignored and the user is hijacked outright. HTTPS is just decoration.
Even worse, some apps simply ignore certificate errors and don't prompt at all. This is irresponsible not only towards the user but also towards yourself.
360 Security Browser, which is known for its security, ignores HTTPS certificate errors.
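On the developer's side, the check that stops the scheme described above (a self-made root installed on the device, plus a forged certificate for the authentication domain) is proper chain validation combined with pinning the server's public key. The following Go program is an added example, not the author's code and not code from the software discussed; it uses only the standard library's crypto/x509. It builds throwaway fixtures (a vendor root, a genuine leaf for the hypothetical host auth.example.invalid, and a second root standing in for one a user was persuaded to install) and reports what each client-side check catches.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// authHost is a hypothetical authentication server name used by this example.
const authHost = "auth.example.invalid"

// issue signs tmpl with parent (self-signed when parent is nil) and returns the
// parsed certificate and its fresh key. Test-fixture helper only; it panics on error.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template returns a fixture template for a CA root (ca=true) or a server leaf.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: the value a client ships as its pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyLeaf performs the checks a client must not skip: a chain ending in a
// trusted root, a matching host name, and a public key equal to the pin.
func verifyLeaf(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Errorf("chain or name check failed: %w", err)
	}
	if got := spkiPin(leaf); got != pin {
		return fmt.Errorf("pin mismatch: want %s, got %s", pin, got)
	}
	return nil
}

// scenario runs the three cases a client test suite should cover and reports:
// genuine leaf accepted; substitute rejected by the trust store alone; substitute
// still rejected by the pin after its root has been added to the trust store.
func scenario() (genuineOK, chainRejects, pinRejects bool) {
	vendorCA, vendorKey := issue(template("Vendor Root (fixture)", true), nil, nil)
	genuine, _ := issue(template(authHost, false), vendorCA, vendorKey)
	pin := spkiPin(genuine)
	trusted := x509.NewCertPool()
	trusted.AddCert(vendorCA)
	genuineOK = verifyLeaf(genuine, trusted, authHost, pin) == nil

	// Second root standing in for one the user was persuaded to install (fixture).
	otherCA, otherKey := issue(template("Other Root (fixture)", true), nil, nil)
	substitute, _ := issue(template(authHost, false), otherCA, otherKey)
	chainRejects = verifyLeaf(substitute, trusted, authHost, pin) != nil

	// Trust store with the extra root present: chain validation passes, only the pin catches it.
	polluted := x509.NewCertPool()
	polluted.AddCert(vendorCA)
	polluted.AddCert(otherCA)
	_, chainErr := substitute.Verify(x509.VerifyOptions{Roots: polluted, DNSName: authHost})
	pinRejects = chainErr == nil && verifyLeaf(substitute, polluted, authHost, pin) != nil
	return
}

func main() {
	ok, chain, pin := scenario()
	fmt.Printf("genuine accepted=%v substitute rejected by chain=%v by pin=%v\n", ok, chain, pin)
}
```

All three results should be true. The third case is the one that matters for the attack described in this post: once an extra root sits in the device's trust store, chain validation alone passes, and only the pin (or never installing the root in the first place) still blocks the substituted certificate. A pinning client also needs a rotation plan, such as shipping a backup pin, so that a legitimate key change does not lock users out.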
About users
As users, to protect ourselves in the information age, we should pay attention to the following points:
- Do not connect to networks you know nothing about
- Use only password-protected Wi-Fi
- Do not install certificates of unknown origin
- Don't use apps that don't care about security
- Do not grant applications administrator privileges