DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 5th August 2015
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 597
Default TLS intercepting proxy [MitM]

Hello
I wonder is this possible:
I use Firefox to visit website https://domain
Firefox -> relayd 1-> privoxy -> relayd 2- -> Internet
1. relayd 1 decrypts https traffic then forwards this to privoxy
2. privoxy makes its job on http/html
3. privoxy forwards traffic to relayd 2
4. relayd 2 encrypts traffic

Privoxy is listening on 8118 tcp port
Relayd1 is listening on 445 tcp port

I want to note that domain is changing, sometimes it is google.com, sometimes mail.yahoo.com etc, and all configurations can not be preconfigured (so relayd 2 must forward traffic to destination on the basis of destination IP in IP packet or Host header in http protocol).

I have done configuration up to forwarding traffic to privoxy with rdr-to in pf. Privoxy receives IP packets with changed IP dst, but probably can send it further because of Host in http data. It can even send decrypted traffic to 80 port and I actually used that to talk to google.com:
firefox visits https://google.com -> relayd 1 -> privoxy -> (dst port changed, traffic decrypted) http://google.com:80

If there is another tool that can do it for me instead of relayd, please inform me.

My config:
/etc/pf.conf
Code:
pass
match out on bge0 inet proto tcp to port 443 rdr-to lo0 port 445
match in  on lo0  inet proto tcp to port 445 nat-to lo0
/etc/relayd.conf
Code:
relay sslaccelerator {
        listen on 127.0.0.1 port 445 tls
        forward to 127.0.0.1 port 8118
}
I wanted to make it further, but if relayd 2 receives packed redirected in pf, relayd 2 is trying to send packet to: unknownIP port 0. I have tried using diver-to, but I can not use divert-to in pass out rules.
Reply With Quote
  #2   (View Single Post)  
Old 29th November 2015
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 597
Default

I have posted to misc mailing list Subject about this on 2015-11-23 called "TLS intercepting proxy [MitM]" and also asked a question on 2015-11-24 in Subject called "Re: pf change destination port for outgoing traffic". People were kind, they shared they knowledge and now I am able to do this MitM attack on myself to enhance my privacy. I don't have time now, to make sure everything is secure, so I don't use this config yet. I am going to do this in one month. Probably connect 2 PC in series/serial way to router using Ethernet over twisted-pair cable to sniff and try to find hypothetical leaks, bad ciphers etc.
Reply With Quote
Reply

Tags
intercepting proxy, openbsd, ssl, tls

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Ftp-proxy with NAT PF not working nocturnal OpenBSD Security 3 13th October 2011 03:54 AM
pf routing to proxy silverstream OpenBSD Security 3 26th August 2011 05:50 PM
ftp-proxy kazuya25 OpenBSD Installation and Upgrading 4 25th November 2010 06:48 PM
"Man-in-the-Middle" (MitM) DNS Attacks hunteronline Off-Topic 0 26th August 2008 03:15 PM
pf and ftp-proxy clinty OpenBSD Security 5 7th May 2008 10:36 PM


All times are GMT. The time now is 12:29 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick