Kareldjag's tip SSL Eye view (MITM check)

Discussion in 'other anti-malware software' started by Windows_Security, Aug 5, 2015.

  1. Download from here https://www.digi77.com/ssl-eye-prism-protection/ and install

    Customize websites to be checked
    Navigate to installation folder, there is text file with the name "SSL List All Types Samples.TXT"

    Open it with Notepad, add your websites (see format examples below)
    Save as "My list of SSLs to be checked.TXT"
    Move to SSL Eye installation folder
Run with customized websites
    Run SSL Eye

    Click on the tab Multiple Websites

    Click on the plus-sign button in the options bar +Load

    Load Websites screen appears, select tab Custom Websites

    Click on button Load from file

    A new screen appears, select tab Custom Websites

    Open file dialog appears, open your customized text file "My list of SSLs to be checked.TXT"

    Your list appears in the tab Custom Websites (see picture 1)

    Click OK button (Load Website screen closes)

Click on the triangular play button in the options bar > Scan

    SSL certs are checked and compared from several servers, this will take some time

    Results are shown (see picture 2), matching certs are represented with checkmark sign


Picture 1 (1.png)
    Picture 2 (2.png)

    WHEN ALL SHOW OKAY CHECKMARKS, NOBODY IS IN BETWEEN YOU AND YOUR SECURE WEBSITE, SO NO MITM (MAN IN THE MIDDLE)

     
    Last edited by a moderator: Aug 5, 2015
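The check SSL Eye performs is a comparison of the certificate this machine receives with the certificate other vantage points receive for the same site; an interception proxy between you and the site has to present its own certificate, so the fingerprints stop matching. This added Python example (not SSL Eye's code; its list-file format and server set are not described in the thread) implements that comparison over SHA-256 fingerprints. The host names and DER bytes are constructed placeholders; `fetch_leaf_fingerprint` is the only part that touches the network.

```python
import hashlib
import socket
import ssl


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate THIS machine is served by host (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_fingerprint(tls.getpeercert(binary_form=True))


def compare_vantage_points(local_fp: str, remote_fps: dict) -> dict:
    """Compare the locally observed fingerprint with those reported by other observers.
    all_match False means at least one observer saw a different certificate than this
    machine did: the condition SSL Eye flags as a possible man in the middle. A site
    that rotates several certificates (as itman notes below) can also trip this, so a
    mismatch is a prompt to inspect the local certificate, not proof of interception."""
    verdicts = {name: fp.upper() == local_fp.upper() for name, fp in remote_fps.items()}
    return {"local": local_fp, "verdicts": verdicts, "all_match": all(verdicts.values())}


def check_host_list(observations: dict) -> dict:
    """observations: {host: {"local": der_bytes, "remote": {vantage_name: der_bytes}}}."""
    results = {}
    for host, obs in observations.items():
        local_fp = cert_fingerprint(obs["local"])
        remote_fps = {name: cert_fingerprint(der) for name, der in obs["remote"].items()}
        results[host] = compare_vantage_points(local_fp, remote_fps)
    return results


# Constructed sample input (placeholder bytes, not real DER): GENUINE_DER stands in for the
# site's real certificate, PROXY_DER for one minted by an interception proxy on the local path.
GENUINE_DER = b"constructed-der-bytes-for-bank.example"
PROXY_DER = b"constructed-der-bytes-minted-by-local-proxy"
SAMPLE = {
    "bank.example": {"local": GENUINE_DER, "remote": {"server-a": GENUINE_DER, "server-b": GENUINE_DER}},
    "mail.example": {"local": PROXY_DER, "remote": {"server-a": GENUINE_DER, "server-b": GENUINE_DER}},
}

if __name__ == "__main__":
    for host, r in check_host_list(SAMPLE).items():
        print(host, "OK" if r["all_match"] else "MISMATCH", r["verdicts"])
```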
  2. Combine it with SmartObjectBlocker to create an isolated browser session, see thread

    To prevent browser changes and a MITB (MAN IN THE BROWSER) intrusion

Download and install SmartObjectBlocker, let's start with setting the ALLOW rules. You don't need to do this. It is just a precaution in case you mess up with the settings. It also is an opportunity to get used to changing the configuration rules (files). That is why the sequence of setting those configuration files is in a different order. :D see picture below

    4.png

    Click on the ALLOW rules tab, Explorer folder view appears
    5.png


    Open DLL file with NOTEPAD and copy this to this config file Allow Rules - DLL
    [%FILE%: *:\WINDOWS\*]
    [%FILE%: %PROGRAMFILES%*]
    [%FILE%: %PROGRAMFILESX86%*]


    DRIVER db is already set to Windows, so does not need changing

    Open PROCESS with NOTEPAD and copy this to this config file Allow Rules - PROCESS
    [%PROCESS%: *:\WINDOWS\*]
    [%PROCESS%: %PROGRAMFILES%*]
    [%PROCESS%: %PROGRAMFILESX86%*]
     
3. Now click on Settings button, change the MODE section to this text. In behavioral mode, closing (Exit) SmartObjectBlocker from the tray icon will remove all limitations because SmartObjectBlocker is no longer running.

    [Mode]
    Type = Behavioral
    ProtectionDisabled = n

    Untitled.png

     
  4. Now click on Exclude Rules button.

In the Exclude rules only Windows signed executables and DLLs are allowed to run from the Windows folder and Google signed executables from the Chrome folder (DLL and Process sign are different: space versus dot). This will protect Chrome from the rest of the system (no Chrome alterations are allowed, to make sure you start your banking session with a clean and hardened Chrome browser).

Open Exclude file with Notepad, change text to

    [%FILE%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
    [%PROCESS%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
    [%FILE%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc ]
    [%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]
    [%FILE%: %PROGRAMFILESX86%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc ]
    [%PROCESS%: %PROGRAMFILESX86%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]

     
  5. Now click on Block Rules button

    We are going to block all executables, to protect Chrome from the system and the system from other executables. As an extra we only allow Chrome parent process (broker) to spawn Chrome (no process with another name).

    Open Block Rules - DLL and change text to
    [%FILE%: *]

    Open Block Rules - Driver and change text to
    [%FILE%: *]


    Open Block Rules - Process and change text to
    [%PARENT%: *\chrome.exe]
    [%PROCESS%: *]


You're done
     
  6. Secure on-line banking

    1. Run SSL Eye
    2. Start SmartObjectBlocker
    3. Open Chrome and do your secure transactions

    3.png

    4. Close Chrome
    5. Close SmartObjectBlocker

    7.png
     
  7. As an extra you can install free Keyscrambler, to PREVENT KEYBOARD SNOOPING BY OTHER PROCESSES

    Run SmartObjectBlocker

    Start Chrome, SmartObjectBlocker will block it, see picture
    Untitled.png

    Copy the full path of KeyscramblerIE.DLL from the LOG
    (in my case that is C:\Program Files\KeyScrambler\KeyScramblerIE.DLL)

    Open Exclude Rules and add the following rule
    [%FILE%: C:\Program Files\KeyScrambler\KeyScramblerIE.DLL]

    Exclude Rules should look like, note I am on x32 so I don't have C:\Program Files (x86)
    Untitled.png

Save Exclude Rules. UAC may prevent that; save them on the desktop and replace the old Exclude with Explorer.

    Close Chrome and SmartObjectBlocker, Open SmartObjectBlocker and Chrome, the log window should now stay blank

    regards Kees
     
  8. So your plug-ins and extensions installed in your browser are the only Achilles spot left, for Windows PRO owners this can be achieved through GPO (group policy).

Here is an ADM template to lock download folder, plug-ins and extensions. Save the text file in ANSI format with Notepad (name it Chrome_Lock.ADM). For GPO to recognise it, it needs to have the extension ADM.

    Open Group Policy (run gpedit.msc), navigate to ADMINISTRATIVE TEMPLATES, right click and this will appear


    Untitled.png

Choose ADD/REMOVE template and open the attached text file Chrome_Lock.ADM
     

  9. Specify download directory
    Untitled.png

    Specify enabled plug-ins, see picture

    upload_2015-8-5_15-5-42.png


    Specify whitelisted extensions (name is the same as in Chrome store, see picture and highlighted text)
    upload_2015-8-5_15-7-27.png


    The long name starting with bgnkhh.. is the name of the extension in the Chrome store
    Untitled.png

    Now set disabled plugins and blacklisted extensions to value *


    Congratulations, you now have an isolated and locked down Chrome, have fun

    Regards Kees
     
  10. WildByDesign

    You are the King, Kees. Thank you for sharing your creativity with security tools. :thumb:
     
  11. itman

    Does SSL Eye view have any wildcard capability as far as URLs go? My bank site uses over 10 different SSL certificates; one per web page displayed. To cover my bank site would need something that allows URL specification such as "*.bankofamerica.com/*."
     
  12. @itman

    I tried, did not seem to work with wildcards.

    Upside is that you need to configure it once to be sure your bank certs are okay and there is nobody intercepting communication.
     
  13. @WildByDesign

    Thx, but better thank the developers for providing free tools which can be combined to craft a secure banking environment.

I choose Keyscrambler, because it has an option to start with Windows, meaning it is also suited for on demand usage, see picture (I don't like Zemana free injecting its DLL through the image file execution option).

    Untitled.png
     
  14. Rasheed187

    What the hell, this stuff is way too advanced for me. :D
     
  15. Minimalist

    Thnx Kees. Nice on-demand Chrome hardening tutorial. Add control over scripts and other in-browser active content and all bases are covered :thumb:
     
  16. Mr.X

  17. @Minimalist,

For on-line banking usage uBlock (default), Adblocker and Adguard will do. I think it is unlikely that banks would accept many third party scripts or would not monitor their flagship websites themselves.

I know of a Dutch bank in the past which had a problem with injected script (and used a single challenge verification). So there is rationale in what you're saying, but I am reluctant to use script blocking (because it might interfere with your bookings).

    Regards
     
  18. @Rasheed187,

    Just following the instructions should make it work (you don't need to be an engineer to be able to drive a car :D )
     
  19. EASTER

    WoW! This stuff is right up my alley. Many thanks over again Kees for taking the effort to apply, test, and share a fantastic combo of this order!
     
  20. Overkill

    +1 :confused:
     
  21. guest


    Oh, just found out this thread, while looking for some SSleye topics, excellent one. Makes me eager to use SoB again lol.
     
  22. Mr.X

    SUMo reports SSLEye v1.6.0.0 while I only got v1.5.0.43, same as the official webpage offers.
     
  23. EASTER

    Kees lays it all out on the table (and in plain detail too) :cool:
     