A bit of bit much less hackish technique to intercept and modify non-HTTP protocols by Burp and others with SSL and TLS interception assist. This device is for researchers and applicative penetration testers that carry out thick purchasers safety assesments.
An improved model of the improbable mitm_relay challenge.
The Story
As a part of our work within the analysis division of CyberArk Labs, we would have liked a technique to examine SSL and TLS communication over TCP and have the choice to change the content material of packets on the fly. There are various methods to take action (for instance, the recognized Burp Suite extension NoPE), however none of them labored for us in some circumstances. In the long run we stumbled upon mitm_relay.
mitm_relay is a fast and simple technique to carry out MITM of any TCP-based protocol by present HTTP interception software program like Burp Suite’s proxy. It’s notably helpful for thick purchasers safety assessments. However it didn’t utterly work for us, so we would have liked to customise it. After lots of customizations, each new change required lots of work, and we ended up rewriting every thing in a extra modular manner.
We hope that others will discover this script useful, and we hope that including performance might be simple.
How does it work
For a begin, listeners’ addresses and ports have to be configured. For every listener, there additionally must be a goal configured (handle and port). Each information acquired from the listener might be wrapped right into a physique of an HTTP POST request with the URL containing “CLIENT_REQUEST”. Each information acquired from the goal might be wrapped right into a physique of an HTTP POST request with the URL containing “SERVER_RESPONSE”. These requests are despatched to an area HTTP interception server.
There may be the choice to configure an HTTP proxy and use a device like burp suite as an HTTP interception device and consider the messages there. This fashion, it’s simple to change the messages through the use of Burp’s “Match and Substitute”, extensions and even manually (Keep in mind, the timeout mechanism of the intercepted protocol could be very quick).
One other technique to modify the messages is through the use of a python script that the HTTP interception server will run when it receives messages.
The physique of the messages despatched to the HTTP interception server might be printed to the shell. The messages might be printed after the modifications if the modification script is given. After all of the modifications, the interception server may even echo again as an HTTP response physique.
To decrypt the SSL/TLS communication, mitm_intercept have to be offered a certificates and a key that the shopper will settle for when beginning a handshake with the listener. If the goal server requires a particular certificates for a handshake, there may be an possibility to present a certificates and a key.
A small chart to indicate the standard site visitors move:
Variations from mitm_relay
mitm_intercept is appropriate with newer variations of python 3 (python 3.9) and can also be appropriate with home windows (socket.MSG_DONTWAIT doesn’t exist in home windows, for instance). We stored the choice of utilizing “STARTTLS,” and we referred to as it “Blended” mode. Utilizing the SSL key log file is up to date (the built-in possibility to make use of it’s new from python 3.8), and we added the choice to alter the sni header. Now, managing incoming and outgoing communication is completed by socketserver, and all the info is shipped to a subclass of ThreadingHTTPServer that deal with the info illustration and modif ication. This fashion, it’s doable to see the modifications utilized by the modification script within the response (handy for utilizing Burp). Additionally, we will now change the obtainable ciphers that the script makes use of utilizing the OpenSSL cipher record format
Stipulations
- Python 3.9
- requests:
$ python -m pip set up requests
Utilization
utilization: mitm_intercept.py [-h] [-m] -l [u|t:]<interface>:<port> [[u|t:]<interface>:<port> ...] -t
[u|t:]<addr>:<port> [[u|t:]<addr>:<port> ...] [-lc <cert_path>]
[-lk <key_path>] [-tc <cert_path>] [-tk <key_path>] [-w <interface>:<port>]
[-p <addr>:<port>] [-s <script_path>] [--sni <server_name>]
[-tv <defualt|tls12|tls11|ssl3|tls1|ssl2>] [-ci <ciphers>]mitm_intercept model 1.6
choices:
-h, --help present this assist message and exit
-m, --mix-connection Carry out TCP relay with out SSL handshake. If one of many relay sides begins an
SSL handshake, wrap the reference to SSL, and intercept the
communication. A listener certificates and personal ke y have to be offered.
-l [u|t:]<interface>:<port> [[u|t:]<interface>:<port> ...], --listen [u|t:]<interface>:<port> [[u|t:]<interface>:<port> ...]
Creates SSLInterceptServer listener that listens on the desired interface
and port. Can create a number of listeners with an area between the parameters.
Including "u:" earlier than the handle will make the listener hear in UDP
protocol. TCP protocol is the default however including "t:" for cleanliness is
doable. The variety of listeners should match the variety of targets. The i-th
listener will relay to the i-th goal.
-t [u|t:]<addr>:<port> [[u|t:]<addr>:<port> ...], --target [u|t:]<addr>:<port> [[u|t:]<addr>:<port> ...]
Directs every SSLInterceptServer listener to ahead the communication to a
goal handle and port. Can create a number of targets with an area between
the parameters. Including "u:" earlier than the handle will make the goal
talk in UDP protocol.TCP protocol is the default however including "t:" for
cleanliness is feasible. The variety of listeners should match the variety of
targets. The i-th listener will relay to the i-th goal.
-lc <cert_path>, --listener-cert <cert_path>
The certificates that the listener makes use of when a shopper contacts him. Is usually a
self-sign certificates if the shopper will settle for it.
-lk <key_path>, --listener-key <key_path>
The non-public key path for the listener certificates.
-tc <cert_path>, --target-cert <cert_path>
The certificates that used to create a reference to the goal. Is usually a
self-sign certificates if the goal will settle for it. Would not essential if the
goal does not require a particular certificates.
-tk <key_path>, --target-key <key_path>
The non-public key path for the goal certificates.
-w <interface>:<port>, --webserver <interface>:<port>
Specifies the interface and the port the InterceptionServer webserver will
listens on. If omitted the default is 127.0.0.1:49999
-p <addr>:<port>, --proxy <addr>:<port>
Specifies the handle and the port of a proxy between the InterceptionServer
webserver and the SSLInterceptServer. May be configured so the communication
will undergo a l ocal proxy like Burp. If omitted, the communication will
be printed within the shell solely.
-s <script_path>, --script <script_path>
A path to a script that the InterceptionServer webserver executes. Should
include the operate handle_request(message) that can run earlier than sending it
to the goal or handle_response(message) after receiving a message from the
goal. May be omitted if does not essential.
--sni <server_name> If there's a want to alter the server identify within the SSL handshake with the
goal. If omitted, it is going to be the server identify from the handshake with the
listener.
-tv <defualt|tls12|tls11|ssl3|tls1|ssl2>, --tls-version <defualt|tls12|tls11|ssl3|tls1|ssl2>
If wanted could be specified a particular TLS model.< br/> -ci <ciphers>, --ciphers <ciphers>
Units completely different ciphers than the python defaults for the TLS handshake. It
ought to be a string within the OpenSSL cipher record format
(https://www.openssl.org/docs/manmaster/man1/ciphers.html).
For dumping SSL (pre-)grasp secrets and techniques to a file, set the surroundings variable SSLKEYLOGFILE with a
file path. Helpful for Wireshark.
The communication must be directed to the listener for intercepting arbitrary protocols. The best way to take action is determined by how the shopper operates. Generally it makes use of a DNS handle, and altering the hosts file might be sufficient to resolve the listener handle. If the handle is hard-coded, then extra artistic methods have to be utilized (often some modifications of the routing desk, patching the shopper, or utilizing VM and iptables).
Modification Script
The HTTP interception server can run a script given to it with the flag -s. This script runs when the HTTP requests are acquired. The response from the HTTP interception server is the acquired request after operating the script.
When a proxy is configured (like Burp), modifications of the request will occur earlier than the script runs, and modifications on the response might be after that. Alterations on the request and the response by the proxy or the modification script will change the unique message earlier than going to the vacation spot.
The script should include the capabilities handle_request(message) and handle_response(message). The HTTP interception server will name handle_request(message) when the message is from the shopper to the server and handle_response(message) when the message is from the server to the shopper.
An instance of a script that provides a null byte on the finish of the message:
def handle_request(message):
return message + b"x00"def handle_response(message):
# Each capabilities should return a message.
return message
Certificates
The device requires a server certificates and a personal key for SSL interception. Details about producing a self-signed certificates or Burp’s certificates could be discovered right here.
If the server requires a particular certificates, a certificates and a key could be offered to the device.
Demo
The demo beneath exhibits the way to intercept a reference to MSSQL (this demo was carried out on DVTA):
mitm_intercept_mssql_with_text.mp4
Connection to MSSQL is made by TDS protocl on high of TCP. The authentication itself is carried out with TLS on high of the TDS protocol. To see intercept that TLS course of, we’ll want two patchy modification scripts.
demo_script.py:
from time import time
from struct import pack
from pathlib import Pathdef handle_request(message):
if message.startswith(b"x17x03"):
return message
with open("msg_req" + str(time()), "wb") as f:
f.write(message[:8])
return message[8:]
def handle_response(message):
if message.startswith(b"x17x03"):
return message
path = Path(".")
strive:
msg_res = min(i for i in path.iterdir() if i.identify.startswith("msg_res"))
information = msg_res.read_bytes()
msg_res.unlink()
besides ValueError:
information = b'x12x01x00x00x00x00x01x00'
return information[:2] + pack(">h", len(message)+8) + information[4:] + message
demo_script2.py:
from time import time
from struct import pack
from pathlib import Pathdef handle_request(message):
if message.startswith(b"x17x03"):
return message
path = Path(".")
strive:
msg_req = min(i for i in path.iterdir() if i.identify.startswith("msg_req"))
information = msg_req.read_bytes()
msg_req.unlink()
besides ValueError:
information = b'x12x01x00x00x00x00x01x00'
return information[:2] + pack(">h", len(message)+8) + information[4:] + message
def handle_response(message):
if message.startswith(b"x17x03"):
return message
with open("msg_res" + str(time()), "wb") as f:
f.write(message[:8])
return message[8:]
We are going to see among the TLS communication with these patchy scripts, however then the shopper will fail (as a result of with these hacky scripts, we badly alter the TDS communication besides the TLS half).
mitm_intercept_mssql_tls.mp4
License
Copyright (c) 2022 CyberArk Software program Ltd. All rights reserved
This repository is licensed below Apache-2.0 License – see LICENSE for extra particulars.
