• Stars
    star
    201
  • Rank 194,491 (Top 4 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created almost 3 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A little bit less hackish way to intercept and modify non-HTTP protocols through Burp & others.

MITM_Intercept

A little bit less hackish way to intercept and modify non-HTTP protocols through Burp and others with SSL and TLS interception support. This tool is for researchers and applicative penetration testers that perform thick clients security assesments.

An improved version of the fantastic mitm_relay project.

The Story

As part of our work in the research department of CyberArk Labs, we needed a way to inspect SSL and TLS communication over TCP and have the option to modify the content of packets on the fly. There are many ways to do so (for example, the known Burp Suite extension NoPE), but none of them worked for us in some cases. In the end we stumbled upon mitm_relay.

mitm_relay is a quick and easy way to perform MITM of any TCP-based protocol through existing HTTP interception software like Burp Suite’s proxy. It is particularly useful for thick clients security assessments. But it didn’t completely work for us, so we needed to customize it. After a lot of customizations, every new change required a lot of work, and we ended up rewriting everything in a more modular way.

We hope that others will find this script helpful, and we hope that adding functionality will be easy.

How does it work

For a start, listeners’ addresses and ports need to be configured. For each listener, there also needs to be a target configured (address and port). Every data received from the listener will be wrapped into a body of an HTTP POST request with the URL containing “CLIENT_REQUEST”. Every data received from the target will be wrapped into a body of an HTTP POST request with the URL containing “SERVER_RESPONSE”. Those requests are sent to a local HTTP interception server.

There is the option to configure an HTTP proxy and use a tool like burp suite as an HTTP interception tool and view the messages there. This way, it is easy to modify the messages by using Burp’s “Match and Replace”, extensions or even manually (Remember, the timeout mechanism of the intercepted protocol can be very short).

Another way to modify the messages is by using a python script that the HTTP interception server will run when it receives messages.

The body of the messages sent to the HTTP interception server will be printed to the shell. The messages will be printed after the changes if the modification script is given. After all the modifications, the interception server will also echo back as an HTTP response body.

To decrypt the SSL/TLS communication, mitm_intercept need to be provided a certificate and a key that the client will accept when starting a handshake with the listener. If the target server requires a specific certificate for a handshake, there is an option to give a certificate and a key.

A small chart to show the typical traffic flow:

test

Differences from mitm_relay

mitm_intercept is compatible with newer versions of python 3 (python 3.9) and is also compatible with windows (socket.MSG_DONTWAIT does not exist in windows, for example). We kept the option of using “STARTTLS,” and we called it “Mixed” mode. Using the SSL key log file is updated (the built-in option to use it is new from python 3.8), and we added the option to change the sni header. Now, managing incoming and outgoing communication is done by socketserver, and all the data is sent to a subclass of ThreadingHTTPServer that handle the data representation and modification. This way, it is possible to see the changes applied by the modification script in the response (convenient for using Burp). Also, we can now change the available ciphers that the script uses using the OpenSSL cipher list format

Prerequisites

  1. Python 3.9
  2. requests: $ python -m pip install requests

Usage

usage: mitm_intercept.py [-h] [-m] -l [u|t:]<interface>:<port> [[u|t:]<interface>:<port> ...] -t
                         [u|t:]<addr>:<port> [[u|t:]<addr>:<port> ...] [-lc <cert_path>]
                         [-lk <key_path>] [-tc <cert_path>] [-tk <key_path>] [-w <interface>:<port>]
                         [-p <addr>:<port>] [-s <script_path>] [--sni <server_name>]
                         [-tv <defualt|tls12|tls11|ssl3|tls1|ssl2>] [-ci <ciphers>]

mitm_intercept version 1.6

options:
  -h, --help            show this help message and exit
  -m, --mix-connection  Perform TCP relay without SSL handshake. If one of the relay sides starts an
                        SSL handshake, wrap the connection with SSL, and intercept the
                        communication. A listener certificate and private key must be provided.
  -l [u|t:]<interface>:<port> [[u|t:]<interface>:<port> ...], --listen [u|t:]<interface>:<port> [[u|t:]<interface>:<port> ...]
                        Creates SSLInterceptServer listener that listens on the specified interface
                        and port. Can create multiple listeners with a space between the parameters.
                        Adding "u:" before the address will make the listener listen in UDP
                        protocol. TCP protocol is the default but adding "t:" for cleanliness is
                        possible. The number of listeners must match the number of targets. The i-th
                        listener will relay to the i-th target.
  -t [u|t:]<addr>:<port> [[u|t:]<addr>:<port> ...], --target [u|t:]<addr>:<port> [[u|t:]<addr>:<port> ...]
                        Directs each SSLInterceptServer listener to forward the communication to a
                        target address and port. Can create multiple targets with a space between
                        the parameters. Adding "u:" before the address will make the target
                        communicate in UDP protocol.TCP protocol is the default but adding "t:" for
                        cleanliness is possible. The number of listeners must match the number of
                        targets. The i-th listener will relay to the i-th target.
  -lc <cert_path>, --listener-cert <cert_path>
                        The certificate that the listener uses when a client contacts him. Can be a
                        self-sign certificate if the client will accept it.
  -lk <key_path>, --listener-key <key_path>
                        The private key path for the listener certificate.
  -tc <cert_path>, --target-cert <cert_path>
                        The certificate that used to create a connection with the target. Can be a
                        self-sign certificate if the target will accept it. Doesn't necessary if the
                        target doesn't require a specific certificate.
  -tk <key_path>, --target-key <key_path>
                        The private key path for the target certificate.
  -w <interface>:<port>, --webserver <interface>:<port>
                        Specifies the interface and the port the InterceptionServer webserver will
                        listens on. If omitted the default is 127.0.0.1:49999
  -p <addr>:<port>, --proxy <addr>:<port>
                        Specifies the address and the port of a proxy between the InterceptionServer
                        webserver and the SSLInterceptServer. Can be configured so the communication
                        will go through a local proxy like Burp. If omitted, the communication will
                        be printed in the shell only.
  -s <script_path>, --script <script_path>
                        A path to a script that the InterceptionServer webserver executes. Must
                        contain the function handle_request(message) that will run before sending it
                        to the target or handle_response(message) after receiving a message from the
                        target. Can be omitted if doesn't necessary.
  --sni <server_name>   If there is a need to change the server name in the SSL handshake with the
                        target. If omitted, it will be the server name from the handshake with the
                        listener.
  -tv <defualt|tls12|tls11|ssl3|tls1|ssl2>, --tls-version <defualt|tls12|tls11|ssl3|tls1|ssl2>
                        If needed can be specified a specific TLS version.
  -ci <ciphers>, --ciphers <ciphers>
                        Sets different ciphers than the python defaults for the TLS handshake. It
                        should be a string in the OpenSSL cipher list format
                        (https://www.openssl.org/docs/manmaster/man1/ciphers.html).

For dumping SSL (pre-)master secrets to a file, set the environment variable SSLKEYLOGFILE with a
file path. Useful for Wireshark.

The communication needs to be directed to the listener for intercepting arbitrary protocols. The way to do so depends on how the client operates. Sometimes it uses a DNS address, and changing the hosts file will be enough to resolve the listener address. If the address is hard-coded, then more creative ways need to be applied (usually some modifications of the routing table, patching the client, or using VM and iptables).

Modification Script

The HTTP interception server can run a script given to it with the flag -s. This script runs when the HTTP requests are received. The response from the HTTP interception server is the received request after running the script.

When a proxy is configured (like Burp), modifications of the request will happen before the script runs, and modifications on the response will be after that. Alterations on the request and the response by the proxy or the modification script will change the original message before going to the destination.

The script must contain the functions handle_request(message) and handle_response(message). The HTTP interception server will call handle_request(message) when the message is from the client to the server and handle_response(message) when the message is from the server to the client.

An example of a script that adds a null byte at the end of the message:

def handle_request(message):
    return message + b"\x00"

def handle_response(message):
    # Both functions must return a message.
    return message

Certificates

The tool requires a server certificate and a private key for SSL interception. Information about generating a self-signed certificate or Burp’s certificate can be found here.

If the server requires a specific certificate, a certificate and a key can be provided to the tool.

Demo

The demo below shows how to intercept a connection with MSSQL (this demo was performed on DVTA):

mitm_intercept_mssql_with_text.mp4

Connection to MSSQL is made by TDS protocl on top of TCP. The authentication itself is performed with TLS on top of the TDS protocol. To see intercept that TLS process, we will need two patchy modification scripts.

demo_script.py:

from time import time
from struct import pack
from pathlib import Path


def handle_request(message):

    if message.startswith(b"\x17\x03"):
        return message

    with open("msg_req" + str(time()), "wb") as f:
        f.write(message[:8])

    return message[8:]


def handle_response(message):

    if message.startswith(b"\x17\x03"):
        return message

    path = Path(".")
    try:
        msg_res = min(i for i in path.iterdir() if i.name.startswith("msg_res"))
        data = msg_res.read_bytes()
        msg_res.unlink()
    except ValueError:
        data = b'\x12\x01\x00\x00\x00\x00\x01\x00'

    return data[:2] + pack(">h", len(message)+8) + data[4:] + message

demo_script2.py:

from time import time
from struct import pack
from pathlib import Path

def handle_request(message):

    if message.startswith(b"\x17\x03"):
        return message

    path = Path(".")
    try:
        msg_req = min(i for i in path.iterdir() if i.name.startswith("msg_req"))
        data = msg_req.read_bytes()
        msg_req.unlink()
    except ValueError:
        data = b'\x12\x01\x00\x00\x00\x00\x01\x00'


    return data[:2] + pack(">h", len(message)+8) + data[4:] + message


def handle_response(message):

    if message.startswith(b"\x17\x03"):
        return message

    with open("msg_res" + str(time()), "wb") as f:
        f.write(message[:8])

    return message[8:]

We will see some of the TLS communication with those patchy scripts, but then the client will fail (because with those hacky scripts, we badly alter the TDS communication except the TLS part).

mitm_intercept_mssql_tls.mp4

License

Copyright (c) 2022 CyberArk Software Ltd. All rights reserved
This repository is licensed under Apache-2.0 License - see LICENSE for more details.

More Repositories

1

KubiScan

A tool to scan Kubernetes cluster for risky permissions
Python
1,310
star
2

SkyArk

SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
PowerShell
862
star
3

ACLight

A script for advanced discovery of Privileged Accounts - includes Shadow Admins
PowerShell
783
star
4

conjur

CyberArk Conjur automatically secures secrets used by privileged users and machine identities
Ruby
760
star
5

kubeletctl

A client for kubelet
Go
730
star
6

summon

CLI that provides on-demand secrets access for common DevOps tools
Go
687
star
7

bash-lib

Library for bash utility methods and tools
Shell
656
star
8

PipeViewer

A tool that shows detailed information about named pipes in Windows
C#
551
star
9

DLLSpy

DLL Hijacking Detection Tool
C++
481
star
10

zBang

zBang is a risk assessment tool that detects potential privileged account threats
C#
332
star
11

shimit

A tool that implements the Golden SAML attack
Python
331
star
12

RPCMon

RPC Monitor tool based on Event Tracing for Windows
C#
317
star
13

Evasor

A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies
C#
309
star
14

BlobHunter

Find exposed data in Azure with this public blob scanner
Python
306
star
15

RiskySPN

Detect and abuse risky SPNs
PowerShell
258
star
16

secretless-broker

Secure your apps by making them Secretless
Go
234
star
17

White-Phoenix

A tool to recover content from files encrypted with intermittent encryption
Python
218
star
18

kubernetes-rbac-audit

Tool for auditing RBACs in Kubernetes
Python
215
star
19

epv-api-scripts

These API scripts enable CyberArk users to automate privileged account management task like account creation, user management, and more.
PowerShell
197
star
20

ketshash

A little tool for detecting suspicious privileged NTLM connections, in particular Pass-The-Hash attack, based on event viewer logs.
PowerShell
168
star
21

rdpfuzz

Tools for fuzzing RDP
C
122
star
22

SkyWrapper

SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS
Python
104
star
23

EasyPeasy

Find accounts using common and default passwords in Active Directory.
PowerShell
65
star
24

pas-on-cloud

CyberArk Privileged Access Security on Cloud
Python
60
star
25

ansible-security-automation-collection

CyberArk Ansible Security Automation Collection
Python
60
star
26

CYBRHardeningCheck

A utility to check CyberArk component servers hardening status
PowerShell
53
star
27

summon-aws-secrets

Summon provider for AWS Secrets Manager
Go
52
star
28

cyberark-aws-auto-onboarding

Solutions for automatically detecting, managing and securing privileged accounts in AWS EC2
Python
40
star
29

pas-orchestrator

CyberArk Privileged Access Security automatic deployment using Ansible
Python
38
star
30

summon-conjur

CyberArk Conjur provider for Summon
Go
38
star
31

ansible-modules

Ansible Modules for CyberArk Privileged Account Security Web Service SDK
Python
37
star
32

conjur-quickstart

Start securing your secrets and infrastructure by installing Conjur, using Docker and the official Conjur containers on DockerHub.
Shell
33
star
33

malware-research

C++
33
star
34

Fuzzer-V

C
30
star
35

sidecar-injector

Sidecar Injector for the Conjur Kubernetes Authenticator and Secretless
Go
29
star
36

ChattyCaty

JavaScript
28
star
37

conjur-oss-helm-chart

Helm chart for deploying Conjur OSS to Kubernetes
Shell
27
star
38

secrets-provider-for-k8s

Cyberark secrets provider for k8s
Go
26
star
39

PwnKit-Hunter

PwnKit-Hunter is here to help you check if your systems are vulnerable to CVE-2021-4043, a.k.a. PwnKit
Python
25
star
40

PreCog

Discover "HotSpots" - potential spots for credentials theft
PowerShell
23
star
41

terraform-provider-conjur

Terraform provider for Conjur
Shell
21
star
42

pvwa

Ansible role to deploy Cyberark Password Vault Web Access
Jinja
20
star
43

conjur-api-go

Go client for the CyberArk Conjur API
Go
20
star
44

slosilo

A Ruby interface to standard cryptographic primitives
Ruby
17
star
45

password-lookup-plugin

cyberarkpassword Lookup Plugin
17
star
46

cyberark-conjur-cli

CyberArk Conjur command line interface written in Python
Python
17
star
47

psm

Ansible role to deploy Cyberark Privileged Session Manager
PowerShell
16
star
48

conjur-template

Template repo for Conjur repositories
16
star
49

conjur-api-java

Java client for the CyberArk Conjur API
Java
15
star
50

summon-keyring

Cross-platform provider for Summon that talks to keyrings.
Python
15
star
51

cpm

Ansible role to deploy Cyberark Central Policy Manager
PowerShell
15
star
52

conjur-api-dotnet

.NET client for the CyberArk Conjur API
C#
15
star
53

cyberark-conjur-cli-docker-based

CyberArk Conjur command line interface (Ruby)
Ruby
15
star
54

parse-a-changelog

A validator for changelogs using the Keep a Changelog standard (http://keepachangelog.com)
Ruby
15
star
55

ansible-aim-provider

Ansible Galaxy Role to install and uninstall Cyberark AIM provider
14
star
56

kubernetes-conjur-deploy

Scripts for deploying DAP followers to Kubernetes and OpenShift given an existing DAP master cluster
Shell
14
star
57

Symda

Python
13
star
58

summon-s3

AWS S3 provider for Summon
Shell
13
star
59

KDSnap

C++
12
star
60

ansible-role-conjur

Grants Conjur machine identity to hosts
Python
12
star
61

conjur-credentials-plugin

Conjur plugin for securely providing credentials to Jenkins jobs
Java
12
star
62

conjur-openapi-spec

OpenAPI v3 specification for Conjur / DAP v10+
Mustache
11
star
63

conjur-authn-k8s-client

Authentication sidecar for Conjur Kubernetes integration.
Shell
11
star
64

dev-flow

Opinionated CLI that standardizes and automates common development tasks
Go
11
star
65

ark-sdk-python

CyberArk's Official SDK and CLI - https://cyberark.github.io/ark-sdk-python/
Python
10
star
66

ansible-conjur-host-identity

This project encapsulates the functionality of our `cyberark.conjur-host-identity role for Ansible
Shell
8
star
67

conjur-api-python

Python client for the CyberArk Conjur API
Python
8
star
68

conjur-oss-suite-release

Under development - Latest stable releases of the Conjur OSS suite
Go
7
star
69

community

Information for the CyberArk contributor community
7
star
70

cyberark-aim-chef

Chef custom resource for CyberArk AIM
Ruby
7
star
71

homebrew-tools

Homebrew formulas for different CyberArk tooling.
Shell
7
star
72

cacookiecleaner

C#
7
star
73

conjur-policy-generator

Tools to create sample Conjur policies for testing, etc.
Ruby
7
star
74

atyourservice

The atyourservice project is intended to provide highly-customizable utilities for troubleshooting issues.
Python
7
star
75

identity-aws-verified-permissions-demo

Python
7
star
76

summon-chefapi

Summon provider for Chef encrypted data bags
Go
6
star
77

conjur-puppet

Official Puppet module for CyberArk Conjur
Ruby
6
star
78

sample-siem-dashboards

6
star
79

escape-the-cloud

Web Application for CyberArk Cloud Escape Room CTF challenge
JavaScript
5
star
80

helm-charts

CyberArk Helm charts repository.
Shell
5
star
81

psmp-deploy-ansible-role

Ansible role to deploy Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
5
star
82

ansible-conjur-collection

Ansible Collection for Conjur
Python
5
star
83

conjur-spring-boot-sdk

Java
5
star
84

SafeNet

5
star
85

conjur-azure-devops-extension

Azure DevOps Extension for retrieving secrets from CyberArk Conjur
JavaScript
5
star
86

conjur-api-ruby

Ruby client for the CyberArk Conjur API
Ruby
4
star
87

conjur-base-image

Base Docker images for CyberArk Conjur
Shell
4
star
88

conjur-cli-go

CyberArk Conjur command line interface (Go)
Go
4
star
89

conjur-aws

[DEPRECATED] - AWS CloudFormation templates for Conjur
Shell
4
star
90

conjur-google-cloud-marketplace

[DEPRECATED] Conjur application for Google Cloud Marketplace
Shell
4
star
91

conjur-service-broker

Implementation of the Open Service Broker API for Conjur
Ruby
4
star
92

identity-demo-android

This is to demonstrate CyberArk Identity capabilities of Android SDK in a sample app.
Kotlin
3
star
93

pas-reporter-dataprocessing

C#
3
star
94

conjur-inspect

Go
3
star
95

dap-web-utility

DAP web utility to simplify DAP/Conjur deployment & operations
JavaScript
3
star
96

urbancode-conjur-aim

A plugin which allows UrbanCode Deploy to get credentials from EPV via AIM, and to get secrets from Conjur for setting up a CI/CD workflow
Groovy
3
star
97

psmp-activate-ansible-role

Ansible role to activate Cyberark Privileged Session Manager SSH Proxy (PSM-SSH)
Shell
3
star
98

conjur-tutorials

A repository for tutorials related to Conjur
Shell
2
star
99

conjur-authn-iam-client-python

Python client for using Conjur with authn-iam
Python
2
star
100

aim-puppet

Ruby
2
star