TLS intercepting proxy [MitM]
Hello

I wonder if this is possible: I use Firefox to visit the website https://domain

Firefox -> relayd 1 -> privoxy -> relayd 2 -> Internet

1. relayd 1 decrypts the https traffic, then forwards it to privoxy
2. privoxy does its job on the http/html
3. privoxy forwards the traffic to relayd 2
4. relayd 2 encrypts the traffic

Privoxy is listening on tcp port 8118. Relayd 1 is listening on tcp port 445.

I want to note that the domain changes; sometimes it is google.com, sometimes mail.yahoo.com etc., and the configurations cannot all be preconfigured (so relayd 2 must forward the traffic to the destination on the basis of the destination IP in the IP packet or the Host header in the http protocol).

I have done the configuration up to forwarding traffic to privoxy with rdr-to in pf. Privoxy receives IP packets with a changed IP dst, but can probably send them further because of the Host in the http data. It can even send the decrypted traffic to port 80, and I actually used that to talk to google.com:

firefox visits https://google.com -> relayd 1 -> privoxy -> (dst port changed, traffic decrypted) http://google.com:80

If there is another tool that can do this for me instead of relayd, please inform me.

My config:

/etc/pf.conf
Code:
# pass everything; the match rules below only rewrite https traffic
pass
# redirect outgoing https (443) into the local relayd listener on lo0:445
match out on bge0 inet proto tcp to port 443 rdr-to lo0 port 445
# source-NAT the redirected connection so replies come back via lo0
match in on lo0 inet proto tcp to port 445 nat-to lo0

/etc/relayd.conf
Code:
relay sslaccelerator {
	# terminate the client's TLS session here ...
	listen on 127.0.0.1 port 445 tls
	# ... and hand the decrypted http to privoxy
	forward to 127.0.0.1 port 8118
}
I have posted to the misc mailing list about this on 2015-11-23 with the Subject "TLS intercepting proxy [MitM]", and also asked a question on 2015-11-24 with the Subject "Re: pf change destination port for outgoing traffic". People were kind, they shared their knowledge, and now I am able to do this MitM attack on myself to enhance my privacy. I don't have time now to make sure everything is secure, so I don't use this config yet. I am going to do this in one month. Probably connect 2 PCs in series to the router using Ethernet over twisted-pair cable to sniff and try to find hypothetical leaks, bad ciphers etc.
Tags: intercepting proxy, openbsd, ssl, tls