Man-in-the-middling SSL / TLS on Windows

"Is there a lock in the URL bar?"
Funny how the proliferation of commercial CAs led to this question becoming the hallmark of Internet security circa 2001. I'll keep that rant for another day. Thumbs up to EFF and Mozilla for finally doing something about it.

When debugging issues with network connections or reverse engineering products, you might find the need to take the gloves off and find out exactly what an application is doing on the wire.

You'll need a man in the middle.

Provided the application you're targeting uses a web protocol, you'll be in luck: there are heaps of web debugging proxies and tools you can use on any platform.

If you have physical access to the network (i.e. a non-corporate environment), or you have a Linux machine on the network that IT security approve of, the conversation effectively ends here: use mitmproxy.

Unfortunately I don't have either physical access or a Linux machine on the network I can use that is suitable for MITMing. Additionally, the particular application I was targeting was not proxy aware, thus the solution needed to be network-layer. I get that's a specific circumstance, but that's the point of this blog.

So you're stuck on Windows. Let's run through your options:

Fiddler was first cab off the rank. I think I'll leave my review of it short and simple: if you're not debugging something running in your web browser, forget it. It does all sorts of weird shit with injecting and automagicking around with system proxy settings, and requires you to restart the entire application to make minor changes. Not suitable for hardcore application debugging.

Burp was next. Burp I found to be a very robust, easy to understand solution with plenty of good features without getting in your way. I've used it for web debugging before, and have found it extremely effective.

But it couldn't cut it for application debugging. The particular application I was troubleshooting somehow knew its response was being tampered with and killed the connection (mind you, it only noticed this post-authentication. I still haven't worked that out; it may have to do with keep-alives).

HoneyProxy, a fork of the powerful mitmproxy for Linux that includes a micro webserver, gets an honorable mention for its ease of use. Slight problem: no transparent proxy support. No use for debugging applications that are not proxy-aware.

Charles looks like it belongs on the Mac App Store debugging iPhone apps, not on a Windows corporate desktop. However, it was the only application I found capable of serving as a lower-layer transparent proxy that could go undetected by my desktop application. Charles doesn't specifically have a "transparent proxy" mode of operation, but it does have a reverse proxy, which works all the same.

tl;dr: use Charles. Awkward-looking, but it works.

Notes
At a later stage, the age-old Cain & Abel came to mind. It sets off a lot of enterprise anti-virus solutions, so I'll stick with my recommendation for Charles, but it's not any less of a viable solution by the sounds of it.
