https://github.com/aapooksman/certmitm

A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.
https://github.com/aapooksman/certmitm

Last synced: 20 days ago
JSON representation

A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.

• Host: GitHub
• URL: https://github.com/aapooksman/certmitm
• Owner: aapooksman
• License: mit
• Created: 2023-08-11T14:53:05.000Z (over 1 year ago)
• Default Branch: main
• Last Pushed: 2024-06-27T05:05:39.000Z (8 months ago)
• Last Synced: 2024-06-27T06:23:32.524Z (8 months ago)
• Language: Python
• Size: 23.4 KB
• Stars: 230
• Watchers: 8
• Forks: 19
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-rainmana - aapooksman/certmitm - A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application. (Python)

README

        
# certmitm

```

               _             _ _               _                                     

              | |           (_) |             | |                                    

  ___ ___ _ __| |_ _ __ ___  _| |_ _ __ ___   | |__  _   _    __ _  __ _ _ __   ___  

 / __/ _ \ '__| __| '_ ` _ \| | __| '_ ` _ \  | '_ \| | | |  / _` |/ _` | '_ \ / _ \ 

| (_|  __/ |  | |_| | | | | | | |_| | | | | | | |_) | |_| | | (_| | (_| | |_) | (_) |

 \___\___|_|   \__|_| |_| |_|_|\__|_| |_| |_| |_.__/ \__, |  \__,_|\__,_| .__/ \___/ 

                                                      __/ |             | |          

                                                     |___/              |_|          

```

A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.

Created by Aapo Oksman - https://github.com/AapoOksman/certmitm - MIT License

Published in DEF CON 31 on August 11 2023

[YouTube: DEF CON 31 - certmitm: automatic exploitation of TLS certificate validation vulnerabilities - Aapo Oksman](https://www.youtube.com/watch?v=w_l2q_Gyqfo)

[DEF CON 31 certmitm Slides.pdf](https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities.pdf)

[DEF CON 31 certmitm Demo.mp4](https://media.defcon.org/DEF%20CON%2031/DEF%20CON%2031%20presentations/Aapo%20Oksman%20-%20certmitm%20automatic%20exploitation%20of%20TLS%20certificate%20validation%20vulnerabilities-demo.mp4)

## Installation

certmitm has been tested on Debian 11 and Debian 12. It should work on Linux with Python 3.10 and up

Install required python packages with

```

pip install -r requirements.txt

```

Obtain real certificates such as a Let's Encrypt certificate and save them to [real_certs](real_certs)

## Usage

First you need to intercept TLS connections. The easies way for this is to configure the computer running certmitm to act as a router for other devices in the network.

For example:

1. Start a DHCP/DNS server

```

sudo ip addr add 10.0.0.1/24 dev eth0

sudo dnsmasq --no-daemon --interface eth0 --dhcp-range=10.0.0.100,10.0.0.200 --log-dhcp --log-queries --bind-interfaces -C /dev/null

```

2. Intercept TLS connections from the clients and redirect other connections to the internet through the WLAN interface

```

sudo iptables -A INPUT -i eth0 -j ACCEPT

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9900

sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

```

3. Start certmitm

```

python3 certmitm.py --listen 9900 --workdir testing --verbose --show-data

```

4. Connect clients to the network and start applications. Note that you might need to retry running the applications a couple of times while the tests fail.

You should see any intercepted connections in the output of certmitm as CRITICAL. Additionally, if you run certmitm with the --verbose/-v flag, you will see also properly secured connections as INFO. Below you can see an example where connections to `google.com` are secured properly but connections to `www.google.com` can be intercepted.

```console

test@certmitm$ python3 certmitm.py -v -l 9900

INFO - 10.0.0.140: 216.58.211.238:443:google.com for test self_signed = [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:992)

INFO - 10.0.0.140: 216.58.211.238:443:google.com for test replaced_key = [SSL: TLSV1_ALERT_DECRYPT_ERROR] tlsv1 alert decrypt error (_ssl.c:992)

INFO - 10.0.0.140: 216.58.211.238:443:google.com for test real_cert_letsencrypt = Nothing received

INFO - 10.0.0.140: 216.58.211.238:443:google.com for test real_cert_CA_letsencrypt = [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:992)

CRITICAL - 10.0.0.140: 216.58.209.164:443:www.google.com for test self_signed = data intercepted!

CRITICAL - 10.0.0.140: 216.58.209.164:443:www.google.com for test replaced_key = data intercepted!

CRITICAL - 10.0.0.140: 216.58.209.164:443:www.google.com for test real_cert_letsencrypt = data intercepted!

CRITICAL - 10.0.0.140: 216.58.209.164:443:www.google.com for test real_cert_CA_letsencrypt = data intercepted!

```

You can also recreate these secure and insecure connections with curl on a Linux machine connected to certmitm. You can also see that curl gives different errors for different certmitm tests.

```console

test@victim:~$ curl https://google.com

curl: (60) SSL certificate problem: unable to get local issuer certificate

More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not

establish a secure connection to it. To learn more about this situation and

how to fix it, please visit the web page mentioned above.

test@victim:~$ curl https://google.com

curl: (35) error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding

test@victim:~$ curl https://google.com

curl: (60) SSL: no alternative certificate subject name matches target host name 'google.com'

More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not

establish a secure connection to it. To learn more about this situation and

how to fix it, please visit the web page mentioned above.

test@victim:~$ curl https://google.com

curl: (60) SSL certificate problem: unable to get local issuer certificate

More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not

establish a secure connection to it. To learn more about this situation and

how to fix it, please visit the web page mentioned above.

test@victim:~$ curl https://google.com

301 Moved

301 Moved

The document has moved

here.


test@victim:~$ curl --insecure https://www.google.com

curl: (52) Empty reply from server

test@victim:~$ curl --insecure https://www.google.com

curl: (52) Empty reply from server

test@victim:~$ curl --insecure https://www.google.com

curl: (52) Empty reply from server

test@victim:~$ curl --insecure https://www.google.com

curl: (52) Empty reply from server

test@victim:~$ curl --insecure https://www.google.com