SSL sniffing

Some sensitive environments (government, military, etc.) run a transparent SSL sniffer that substitutes its own certificates. The proxy server acts as a certificate authority, but not a very trustworthy one: instead of issuing certificates to actual persons or organizations, the proxy dynamically generates a certificate for whatever hostname a connection needs. If, for instance, a client wants to connect to https://hpe.lanamark.one, the proxy generates a certificate for “hpe.lanamark.one” and signs it with its own CA. Provided that the client trusts this CA, both conditions the client checks are satisfied (trusted CA, matching CN), so the client believes that the proxy server is in fact “hpe.lanamark.one”. This mechanism is called transparent HTTPS proxying.

Usually, two conditions must be met:

  • Proxy server as default gateway (HTTP and HTTPS): For both HTTP and HTTPS proxying, the proxy server must be able to intercept the IP packets, meaning that it must sit somewhere on the packet path. The easiest way to achieve this is to set the proxy server address as the default gateway on the client device.
  • Trusted proxy CA (HTTPS only): For HTTPS proxying to work, the client must know (and trust) the proxy CA, i.e. the proxy's CA certificate must be added to the client's trust store.

Problem

Lanamark Explorer or Lanamark Snap reports successful data collection and snapshots upload but the data is not available on Lanamark Portal.

Solution

Share the output of these two commands, run on the Lanamark Snap or Lanamark Explorer server:

nslookup hpe.lanamark.one > %HOMEPATH%\Desktop\ports.txt
netstat -nba >> %HOMEPATH%\Desktop\ports.txt

Run them from an elevated (administrator) command prompt; the netstat -b option requires it. The output is redirected to a ports.txt file on the user's Desktop.

Wireshark can also be used to capture the network packets and identify SSL sniffing.
The exact steps vary depending on the phase in which the issue appears (e.g. installation, data upload, etc.), but the guideline is the same. The idea is to compare the packets exchanged between the Lanamark Snap server and Lanamark Portal with the packets exchanged between the Lanamark Snap server and the Lanamark endpoint. If the steps below complete successfully, SSL sniffing can be observed in the captures.

  1. Make sure Lanamark Snap is not running and the Lanamark Snap 2017 R1 service is stopped.
  2. Download and install Wireshark: https://www.wireshark.org/download.html
  3. Wireshark displays the "Capture" window and prompts you to choose a network interface. In the majority of cases, you want to capture on the Ethernet interface that shows network activity.
  4. Run ipconfig /all in the command line.
  5. Find the Ethernet adapter for the same interface that is used in Wireshark, e.g. "Ethernet adapter Ethernet1", and note its IPv4 Address (e.g. 172.16.1.115).
  6. Run nslookup hpe.lanamark.one in the command line and note the Address in the non-authoritative answer (e.g. 52.233.45.3).
  7. Start capturing by applying this display filter: ip.addr == 172.16.1.115 && ip.addr == 52.233.45.3 and double-clicking the Ethernet interface. (This is display-filter syntax; if you type it into the capture-filter box before starting, use the equivalent capture filter host 172.16.1.115 and host 52.233.45.3 instead.)
  8. Open https://hpe.lanamark.one/login in any web browser. Note that you don't need to log in.
  9. Locate the toolbar button with the help text "Stop the running live capture". This should be the fourth toolbar button from the left. Click it to stop the capture.
  10. Save the captured packets using the File → Save As… menu item.
  11. Name the file "hpe portal" and keep the default .pcapng type.
  12. Click File → Close to close the current session.


When the first network capture is collected, move on to capturing application data (the "snapshots").

  1. Make sure the web browser is closed (no active connections to hpe.lanamark.one).
  2. Use the same filter in Wireshark (ip.addr == 172.16.1.115 && ip.addr == 52.233.45.3).
  3. Make sure no packets are being captured (at this point no interactions with Lanamark Portal are taking place).
  4. Start the Lanamark Snap 2017 R1 service, open the Lanamark Snap console and click Collect in the endpoint menu.
  5. Snapshots are usually uploaded to the portal every 3 hours, so you can either wait 3 hours or notify Lanamark Support that you're waiting for the snapshot to be uploaded (we can force the data to be pulled from the collector to the portal).
  6. When the first packets are captured, stop capturing and save the file as snapshots.pcapng.

Depending on the captured output, it may turn out that a transparent SSL sniffer is substituting its own certificates. Both Snap and Explorer detect this (by checking the certificate hash) and refuse to proceed. Take for instance a Wireshark capture of the browser-to-portal exchange: the certificate serial number differs from the one your own browser shows for the portal, and the issuer of the "lanamark certificate" is different as well.
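The certificate check described above (and the transparent-proxy mechanism from the top of this article) can be reproduced by hand from the Lanamark Snap server. The following PowerShell script is an added example and is not Lanamark's own code: it opens a TLS connection to hpe.lanamark.one, prints the subject, issuer, serial number and SHA-256 fingerprint of the certificate the host actually receives, shows the chain Windows builds for it, and compares the fingerprint with an expected value. The expected fingerprint is a placeholder you must replace with the fingerprint of the genuine portal certificate (obtained over a trusted network path or from Lanamark Support). The function names are this example's own.

```powershell
# Added example (not part of the Lanamark article). Inspect the certificate a
# Windows host actually receives from the portal and compare it with an
# expected (pinned) SHA-256 fingerprint. If a transparent proxy re-signs the
# connection, the issuer and serial number printed here will not match what
# the real portal presents. Works in Windows PowerShell 5.1 and PowerShell 7.

param(
    [string]$HostName = 'hpe.lanamark.one',
    [int]$Port = 443,
    # Placeholder value: replace with the SHA-256 fingerprint of the genuine
    # portal certificate before relying on the RESULT line below.
    [string]$ExpectedSha256 = 'PLACEHOLDER-EXPECTED-SHA256-FINGERPRINT'
)

function Get-PresentedCertificate {
    param([string]$TargetHost, [int]$TargetPort)

    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
    try {
        # Accept any certificate during the handshake on purpose: this is a
        # diagnostic, and the real decision is made against the pinned
        # fingerprint further down. Never use an accept-all callback in production.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($TargetHost)
            # Copy the leaf certificate out before the stream is disposed.
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha256.ComputeHash($Certificate.RawData)   # hash of the DER encoding
    } finally { $sha256.Dispose() }
    return (($bytes | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-CertificatePin {
    param([string]$ActualSha256, [string]$ExpectedSha256)
    # Compare case-insensitively and ignore separators, so "AA:BB" equals "aabb".
    $normalize = { param($s) ($s -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    return (& $normalize $ActualSha256) -eq (& $normalize $ExpectedSha256)
}

$cert = Get-PresentedCertificate -TargetHost $HostName -TargetPort $Port
$fingerprint = Get-Sha256Fingerprint -Certificate $cert

"Subject       : $($cert.Subject)"
"Issuer        : $($cert.Issuer)"
"Serial number : $($cert.SerialNumber)"
"Not after     : $($cert.NotAfter)"
"SHA-256       : $fingerprint"

# Show the chain as Windows builds it. A transparent proxy's CA appears as the
# root here (or the chain fails to build because that CA is not trusted).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilt = $chain.Build($cert)
"Chain builds  : $chainBuilt"
$index = 0
foreach ($element in $chain.ChainElements) {
    "  [$index] $($element.Certificate.Subject)  (issuer: $($element.Certificate.Issuer))"
    $index++
}

if (Test-CertificatePin -ActualSha256 $fingerprint -ExpectedSha256 $ExpectedSha256) {
    'RESULT: presented certificate matches the expected fingerprint; no interception on this path.'
} else {
    'RESULT: presented certificate does NOT match the expected fingerprint.'
    'If the issuer above differs from the one your browser shows on a trusted network, an SSL-inspecting proxy is re-signing the connection.'
}
```

Run it as .\Check-PortalCert.ps1 (or with -HostName and -ExpectedSha256 overridden) from the same server that runs Lanamark Snap, so the connection takes the same network path as the snapshot upload. The issuer and serial number it prints are the same values you would read from the Certificate handshake message in the saved Wireshark capture; note that in a TLS 1.3 session that message is encrypted, so the capture only shows them for TLS 1.2 handshakes, whereas this script always sees them because it is the TLS endpoint.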
