An attack straight out of an action movie: Man in the middle

Published 2017-12-01 at https://affinite.io/cs/utok-jako-akcniho-filmu-man-in-the-middle/

For simplicity I'll go from the past to the present. Imagine you are sitting in an internet café in the year 2000 and you would like to know what the other guests are doing on their computers. It was actually quite simple. You used an attack method called ARP spoofing. Your computer, provided it was powerful enough and had a fast enough connection to the network, announced to the other computers: "hey, I'm the router, connect to me, I'll give you an IP and connect you to the network". And since computer networks are built on trust, the computers connected, and you could watch what information they exchanged with the servers they were connected to through you. Back then it was fun: the vast majority of information was sent in plaintext (unencrypted, easily readable) and such an attack was very undemanding.

The original proposed solution

Sure, so we'll encrypt the data. My computer sends the server an HTTP request, the server sends back a public key, and from then on all our data is encrypted. But of course there's a catch. The basic principle of the attack hasn't really changed, it just got slightly more complicated. It's no longer enough to just read the data flowing through you, because it makes no sense while it's encrypted. What to do? Simple: you accept the request from the computer, answer it with your own key, send the same request on to the server, and the server answers you with its key. From then on it's straightforward. The computer sends data, you decrypt it with your key, read it, encrypt it for the server with the server's key and forward it. So the main way the whole process got more complicated is that you need a slightly more powerful computer to attack from and a faster network card. For a hacker, probably a fairly negligible obstacle. So the next time you automatically click through a warning screen saying "your connection may not be secure", think about what data you're sending and whether someone might be snooping on you.

These "outdated" uses of the man in the middle attack can of course be scaled beyond our imaginary café, in two ways. Either you can compromise some large router at an internet provider, in a data center or similar (but that's fairly unlikely; administrators are usually paranoid enough not to put up with something like that). The second option is the communication pattern mentioned above, where the data passes through the attacker, but this time with a forged certificate. And that is exactly what happened to Lenovo.

From the real world

Lenovo Superfish

It's been a few years, but it's still frightening. The computer manufacturer Lenovo installed software on its devices that signed certificates on demand. Attackers could thus pose as, say, Google, Seznam or your bank. So instead of communicating with the bank, you were effectively communicating only with the attacker, who had access to all the data you downloaded and sent. Very clever. This attack was given the codename Superfish, in case you want to look up more information, for example whether your computer is affected. Because the whole attack takes place outside your computer, any protective software you have will hardly detect it (all right, this case is somewhat old and antivirus products probably know about it by now, but do you trust the manufacturer of your computer and operating system one hundred percent?). And anyone can manipulate any page you visit, just because they notice in the café that your laptop says Lenovo. And why did Lenovo actually do it? Because they wanted to slip you their own ads.

The theory behind it

In theory the whole thing can also be bypassed. Makers of operating systems, web browsers and software in general ship a list of trusted certificate authorities with it. An attacker therefore only needs to get into such a list and can then generate certificates themselves. Combined with rogue DNS servers, this is a truly deadly combination. Such an attacker redirects you straight to themselves with their DNS server > processes your query > sends you their trusted certificate > encrypts your message with the real certificate and sends it to the server, and from then on the communication proceeds just as I described above.

DigiNotar

As an interesting aside, the Dutch certificate authority DigiNotar has already been compromised. Somehow a certificate for Google was generated and somehow ended up in Iran, and thanks to that a man in the middle attack was carried out on a huge number of users. Everyone saw the green padlock with the name Google and had no idea anything was going on. Of course it was discovered: someone unreasonably paranoid clicked into the details of that green bar and found it odd that some company in the Netherlands would be signing a certificate for Google. He wrote about it on a forum somewhere and the whole thing blew up. But the vast majority of users noticed nothing. They simply logged into Gmail, everything was fine, but someone else was reading their mail (besides the recipient and Google, of course). Surprisingly, not even Google noticed the attack, even though it should presumably have observed a strange increase in traffic from one place. The company went bankrupt for understandable reasons; after all, why would anyone want a certificate from a company nobody trusts.

A bit of conspiracy on top

It is generally suspected that governments can do the same, except that they are governments, so they do it legally. They can either order a certificate authority to generate and sign a certificate of their own for them, or, even more simply, they can obtain (steal?) from said authority the private keys it uses to lock certificates and then happily generate certificates at will. Most likely this is possible but is used only when there is no other option, because the moment it came out, they would bankrupt a large company (or several) and reveal their own hand.

Excerpt: A relatively common type of computer attack with a rich history, which very simply allowed the first hackers to snoop on what you do on the internet.