9.2.2.7 Lab - Certificate Authority Stores PDF
Objectives
Part 1: Certificates Trusted by Your Browser
Part 2: Checking for Man-In-Middle
Background / Scenario
As the web evolved, so did the need for security. HTTPS (where the ‘S’ stands for security) along with the
concept of a Certificate Authority was introduced by Netscape back in 1994 and is still used today. In this lab,
you will:
List all the certificates trusted by your browser (completed on your computer)
Use hashes to detect if your Internet connection is being intercepted (completed in the CyberOps VM)
Required Resources
CyberOps Workstation VM
Internet access
Cisco and/or its affiliates. All rights reserved. Cisco Confidential Page 1 of 9 www.netacad.com
Lab – Certificate Authority Stores
b. Click the three dot icon on the far right of the address bar to display Chrome’s options.
e. In the Certificates window that opens, select the Trusted Root Certification Authorities tab. A window
opens that shows all certificates and certificate authorities trusted by Chrome.
a. Open Firefox and click the Menu icon. The Menu icon is located on the far right of the Firefox window,
next to the address bar.
d. A window opens that shows the certificates and certification authorities trusted by Firefox.
3. Because the presented certificate is signed by one of the CAs included in the laptop’s CA store
(remember, it was added by IT), the web browser mistakenly believes it is indeed communicating with H.
Notice that, had the extra CA not been added to the CA store, the laptop would not trust the certificate
and immediately realize that someone else was trying to impersonate H.
4. The laptop trusts the connection and establishes a secure channel with the HTTPS proxy, mistakenly
believing it is communicating securely with H.
5. The HTTPS proxy now establishes a second secure connection to H, the web site the user was trying to
access from the beginning.
6. The HTTPS proxy is now the end point of two separate secure connections: one established with the user
and another established with H. Because the HTTPS proxy is the end point of both connections, it can now
decrypt traffic from both connections.
7. The HTTPS proxy can now receive TLS/SSL-encrypted user traffic destined to H, decrypt it, inspect it,
re-encrypt it using TLS/SSL and send it to H. When H responds, the HTTPS proxy reverses the process
before forwarding the traffic to the user.
Notice that the process is mostly transparent to the user, who sees the connection as TLS/SSL-encrypted (green
marks on the browser). While the connection is secure (TLS/SSL-encrypted), it has been established to a
spurious web site.
Even though their presence is mostly transparent to the user, TLS proxies can be easily detected with the
help of hashes. Considering the example above, because the HTTPS proxy has no access to site H's
private keys, the certificate it presents to the user is different from the certificate presented by H. Included in
every certificate is a value known as a fingerprint. Essentially a hash calculated and signed by the certificate
issuer, the fingerprint acts as a unique summary of all the contents of the certificate. If as much as one letter
of the certificate is modified, the fingerprint will yield a completely different value when calculated. Because of
this property, fingerprints are used to quickly compare certificates. Returning to the example above, the user
can request H's certificate and compare the fingerprint included in it with the one provided when the
connection to the web site H was established. If the fingerprints match, the connection is indeed established
to H. If the fingerprints do not match, the connection has been established to some other end point.
Follow the steps below to assess if there is an HTTPS proxy in your connection.
Step 2: Gather the certificate fingerprint in use by the CyberOps Workstation VM.
Now that we have the actual fingerprints, it is time to fetch fingerprints from a local host and compare the
values. If the fingerprints do not match, the certificate in use does NOT belong to the HTTPS site being
verified, which means there’s an HTTPS proxy in between the host computer and the HTTPS site being
verified. Matching fingerprints means no HTTPS proxy is in place.
a. Use the three piped commands below to fetch the fingerprint for Cisco.com. The line below uses
OpenSSL to connect to cisco.com on port 443 (HTTPS), request the certificate and store it in a text file
named cisco.pem. The output is also shown for context.
[analyst@secOps ~]$ echo -n | openssl s_client -connect cisco.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./cisco.pem
depth=2 C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2
verify return:1
depth=1 C = US, O = HydrantID (Avalanche Cloud Corporation), CN = HydrantID SSL ICA G2
verify return:1
depth=0 C = US, ST = CA, L = San Jose, O = "Cisco Systems, Inc.", CN = www.cisco.com
verify return:1
DONE
b. Optionally, use the cat command to list the contents of the fetched certificate stored in the
cisco.pem text file:
[analyst@secOps ~]$ cat cisco.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[analyst@secOps ~]$
c. Now that the certificate is saved in the cisco.pem text file, use the command below to extract and display
its fingerprint:
[analyst@secOps ~]$ openssl x509 -noout -in cisco.pem -fingerprint -sha1
SHA1 Fingerprint=64:19:CA:40:E2:1B:3F:92:29:21:A9:CE:60:7D:C9:0C:39:B5:71:3E
[analyst@secOps ~]$
Note: Your fingerprint value may be different for two reasons. First, you may be using a different
operating system than the CyberOps Workstation VM. Second, certificates are regularly refreshed,
which changes the fingerprint value.
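The fingerprint comparison described in Step 2, together with the earlier explanation of why a proxy's certificate hashes differently, as an added Python example that is not part of the lab: it reproduces what `openssl x509 -fingerprint` does from the PEM bytes and compares the result with a reference value gathered on a trusted path. The sample PEM is a constructed test vector, not a real certificate; `fetch_live_pem` is a helper name chosen here and only wraps the standard library's `ssl.get_server_certificate`.

```python
import base64
import hashlib
import re
import ssl

# Matches the block the lab's sed command keeps: the PEM armor and everything between.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body to the certificate's DER bytes."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint(pem: str, algorithm: str = "sha1") -> str:
    """Hash the DER bytes and format as OpenSSL does: colon-separated uppercase hex.

    Nothing is read out of the certificate itself; the fingerprint is recomputed
    from its encoding, which is why any change to the certificate changes it.
    """
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_endpoint(observed: str, reference: str) -> bool:
    """Compare the fingerprint seen on this connection with a reference gathered elsewhere.

    Colons, case and an "SHA1 Fingerprint=" prefix are ignored so values copied from
    different tools still match. A mismatch means the presented certificate is not the
    site's own one, i.e. something else terminates the TLS connection.
    """
    def norm(value: str) -> str:
        return value.split("=")[-1].replace(":", "").strip().upper()
    return norm(observed) == norm(reference)


def fetch_live_pem(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate a server presents (needs network, so not used below)."""
    return ssl.get_server_certificate((host, port))


# Constructed sample: the standard test vector "abc" wrapped in PEM armor, not a real
# certificate, so the decode-and-hash path can be exercised offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PEM)
    print("SHA1 Fingerprint=" + fp)
    print("matches reference:", same_endpoint(fp, "SHA1 Fingerprint=" + fp))
```

To check a real site, compare `fingerprint(fetch_live_pem("www.cisco.com"))` on the VM with the value obtained from a path you trust; use `algorithm="sha256"` if the reference was produced with `-sha256`.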
What hash algorithm was used by OpenSSL to calculate the fingerprint?
____________________________________________________________________________________
Why was that specific algorithm chosen? Does it matter?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Reflection
What would be necessary for the HTTPS proxy to work?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________