Kareldjag's tip SSL Eye view (MITM check)

Discussion in 'other anti-malware software' started by Windows_Security, Aug 5, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,061
    Location:
    Netherlands
    Download from here https://www.digi77.com/ssl-eye-prism-protection/ and install

Customize websites to be checked
Navigate to the installation folder, where there is a text file with the name "SSL List All Types Samples.TXT"

Open it with Notepad, add your websites (see format examples below)
Save as "My list of SSLs to be checked.TXT"
Move it to the SSL Eye installation folder
Run with customized websites
Run SSL Eye

    Click on the tab Multiple Websites

    Click on the plus-sign button in the options bar +Load

    Load Websites screen appears, select tab Custom Websites

    Click on button Load from file

    A new screen appears, select tab Custom Websites

    Open file dialog appears, open your customized text file "My list of SSLs to be checked.TXT"

    Your list appears in the tab Custom Websites (see picture 1)

    Click OK button (Load Website screen closes)

Click on the triangular play button in the options bar > Scan

    SSL certs are checked and compared from several servers, this will take some time

    Results are shown (see picture 2), matching certs are represented with checkmark sign


Picture 1: 1.png
Picture 2: 2.png

    WHEN ALL SHOW OKAY CHECKMARKS, NOBODY IS IN BETWEEN YOU AND YOUR SECURE WEBSITE, SO NO MITM (MAN IN THE MIDDLE)

     
    Last edited: Aug 5, 2015
  2. Windows_Security

    Combine it with SmartObjectBlocker to create an isolated browser session, see thread

    To prevent browser changes and a MITB (MAN IN THE BROWSER) intrusion

Download and install SmartObjectBlocker, let's start with setting the ALLOW rules. You don't need to do this. It is just a precaution in case you mess up the settings. It also is an opportunity to get used to changing the configuration rules (files). That is why the sequence of setting those configuration files is in a different order. :D see picture below

    4.png

    Click on the ALLOW rules tab, Explorer folder view appears
    5.png


Open the DLL file with Notepad and copy this into the config file Allow Rules - DLL
    [%FILE%: *:\WINDOWS\*]
    [%FILE%: %PROGRAMFILES%*]
    [%FILE%: %PROGRAMFILESX86%*]


DRIVER db is already set to Windows, so it does not need changing

Open PROCESS with Notepad and copy this into the config file Allow Rules - PROCESS
    [%PROCESS%: *:\WINDOWS\*]
    [%PROCESS%: %PROGRAMFILES%*]
    [%PROCESS%: %PROGRAMFILESX86%*]
     
    Last edited: Aug 5, 2015
  3. Windows_Security

Now click on the Settings button, change the MODE section to this text. In behavioral mode, closing (Exit) SmartObjectBlocker from the tray icon will remove all limitations, because SmartObjectBlocker is not running anymore.

    [Mode]
    Type = Behavioral
    ProtectionDisabled = n

    Untitled.png

     
    Last edited: Aug 5, 2015
  4. Windows_Security

Now click on the Exclude Rules button.

In the Exclude rules only Windows-signed executables and DLLs are allowed to run from the Windows folder, and Google-signed executables from the Chrome folder (the DLL and Process signs are different: space versus dot). This will protect Chrome from the rest of the system (no Chrome alterations are allowed, to make sure you start your banking session with a clean and hardened Chrome browser).

Open the Exclude file with Notepad, change the text to

    [%FILE%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
    [%PROCESS%: %WINDOWS%*] [%PUBLISHER%: Microsoft Corporation]
    [%FILE%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc ]
    [%PROCESS%: %PROGRAMFILES%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]
    [%FILE%: %PROGRAMFILESX86%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc ]
    [%PROCESS%: %PROGRAMFILESX86%\Google\Chrome\Application\*] [%PUBLISHER%: Google Inc.]

     
    Last edited: Aug 5, 2015
  5. Windows_Security

Now click on the Block Rules button

    We are going to block all executables, to protect Chrome from the system and the system from other executables. As an extra we only allow Chrome parent process (broker) to spawn Chrome (no process with another name).

    Open Block Rules - DLL and change text to
    [%FILE%: *]

    Open Block Rules - Driver and change text to
    [%FILE%: *]


    Open Block Rules - Process and change text to
    [%PARENT%: *\chrome.exe]
    [%PROCESS%: *]


You're done
     
    Last edited: Aug 5, 2015
  6. Windows_Security

    Secure on-line banking

    1. Run SSL Eye
    2. Start SmartObjectBlocker
    3. Open Chrome and do your secure transactions

    3.png

    4. Close Chrome
    5. Close SmartObjectBlocker

    7.png
     
    Last edited: Aug 5, 2015
  7. Windows_Security

As an extra you can install the free KeyScrambler, to PREVENT KEYBOARD SNOOPING BY OTHER PROCESSES

    Run SmartObjectBlocker

    Start Chrome, SmartObjectBlocker will block it, see picture
    Untitled.png

    Copy the full path of KeyscramblerIE.DLL from the LOG
    (in my case that is C:\Program Files\KeyScrambler\KeyScramblerIE.DLL)

    Open Exclude Rules and add the following rule
    [%FILE%: C:\Program Files\KeyScrambler\KeyScramblerIE.DLL]

Exclude Rules should look like this; note I am on x32 so I don't have C:\Program Files (x86)
    Untitled.png

Save Exclude Rules. UAC may prevent that; in that case save them on the desktop and replace the old Exclude file with Explorer.

Close Chrome and SmartObjectBlocker, open SmartObjectBlocker and Chrome again, the log window should now stay blank

    regards Kees
     
    Last edited: Aug 5, 2015
  8. Windows_Security

So the plug-ins and extensions installed in your browser are the only Achilles' heel left; for Windows PRO owners this can be covered through GPO (group policy).

Here is an ADM template to lock the download folder, plug-ins and extensions. Save the text file in ANSI format with Notepad (name it Chrome_Lock.ADM); for GPO to recognise it, it needs to have the extension ADM.

Open Group Policy (run gpedit.msc), navigate to ADMINISTRATIVE TEMPLATES, right click and this will appear


    Untitled.png

Choose ADD/REMOVE template and open the attached text file Chrome_Lock.ADM

    Last edited: Aug 5, 2015
  9. Windows_Security

    Specify download directory
    Untitled.png

    Specify enabled plug-ins, see picture

    upload_2015-8-5_15-5-42.png


    Specify whitelisted extensions (name is the same as in Chrome store, see picture and highlighted text)
    upload_2015-8-5_15-7-27.png


The long name starting with bgnkhh.. is the name of the extension in the Chrome store
Untitled.png

Now set disabled plug-ins and blacklisted extensions to the value *


    Congratulations, you now have an isolated and locked down Chrome, have fun

    Regards Kees
     
    Last edited: Aug 5, 2015
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,622
    Location:
    Toronto, Canada
    You are the King, Kees. Thank you for sharing your creativity with security tools. :thumb:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Does SSL Eye view have any wildcard capability as far as URLs go? My bank site uses over 10 different SSL certificates; one per web page displayed. To cover my bank site would need something that allows URL specification such as "*.bankofamerica.com/*."
     
  12. Windows_Security

    @itman

    I tried, did not seem to work with wildcards.

    Upside is that you need to configure it once to be sure your bank certs are okay and there is nobody intercepting communication.
     
    Last edited: Aug 5, 2015
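The check SSL Eye performs above is, in essence, comparing the certificate your client receives against a known-good one; the script below is an added example of that comparison written as a host-pinned fingerprint check, not code from SSL Eye or from the thread. It also shows the single-label wildcard hostname matching itman asked about; the hostnames and fingerprints in PINS are constructed placeholders.

```python
"""Pinned-fingerprint check for the leaf certificate a client receives.
Added example; hosts and fingerprints below are constructed placeholders."""
import hashlib
import socket
import ssl

# Hostname pattern -> set of accepted SHA-256 leaf fingerprints (hex).
# A site that serves several certificates (one per page) simply pins a set.
# A "*." prefix matches exactly one DNS label, like a wildcard certificate.
PINS = {
    "www.example-bank.test": {"a1" * 32},
    "*.example-bank.test": {"b2" * 32, "c3" * 32},
}

def host_matches(pattern, host):
    """Case-insensitive match; '*.' covers one label only (no 'a.b.' depth)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example-bank.test"
    if not host.endswith(suffix):
        return False
    label = host[:-len(suffix)]
    return bool(label) and "." not in label

def expected_pins(host):
    """Union of all pin sets whose pattern covers this host."""
    pins = set()
    for pattern, fps in PINS.items():
        if host_matches(pattern, host):
            pins |= fps
    return pins

def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()

def check_pin(host, seen_fingerprint):
    """Return (verdict, reason). 'unknown' is not a pass: nothing was pinned,
    so record the first-seen value out of band and compare on later runs."""
    pins = expected_pins(host)
    if not pins:
        return "unknown", "no pin configured for %s" % host
    if seen_fingerprint.lower() in pins:
        return "ok", "certificate matches a pinned fingerprint"
    return "mismatch", "certificate differs from every pinned fingerprint"

def fetch_fingerprint(host, port=443, timeout=5):
    """Live lookup (needs network): the leaf certificate this client was sent.
    Chain validation alone passes an interceptor with a locally trusted root;
    the fingerprint comparison is what exposes it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return fingerprint(tls.getpeercert(binary_form=True))
```

For a real site, run fetch_fingerprint once from a connection you trust, store the result in PINS, and compare on every later session; a "mismatch" on a bank host is the condition SSL Eye flags with a missing checkmark.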
  13. Windows_Security

    @WildByDesign

    Thx, but better thank the developers for providing free tools which can be combined to craft a secure banking environment.

I chose KeyScrambler because it has an option to start with Windows, meaning it is also suited for on-demand usage, see picture (I don't like Zemana free injecting its DLL through the image file execution option).

    Untitled.png
     
    Last edited: Aug 5, 2015
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,010
    Location:
    The Netherlands
    What the hell, this stuff is way too advanced for me. :D
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,050
    Thnx Kees. Nice on-demand Chrome hardening tutorial. Add control over scripts and other in-browser active content and all bases are covered :thumb:
     
  16. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,764
    Location:
    Mexico
  17. Windows_Security

    @Minimalist,

For on-line banking usage uBlock (default), Adblocker and Adguard will do. I think it is unlikely that banks would accept many third-party scripts or would not monitor their flagship websites themselves.

I know of a Dutch bank in the past which had a problem with injected script (and used a single challenge verification). So there is rationale in what you're saying, but I am reluctant to use script blocking (because it might interfere with your bookings).

    Regards
     
    Last edited: Aug 5, 2015
  18. Windows_Security

    @Rasheed187,

    Just following the instructions should make it work (you don't need to be an engineer to be able to drive a car :D )
     
    Last edited: Aug 5, 2015
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    WoW! This stuff is right up my alley. Many thanks over again Kees for taking the effort to apply, test, and share a fantastic combo of this order!
     
  20. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,133
    Location:
    USA
    +1 :confused: