Security/Fennec-TLS-MITM

From MozillaWiki
Jump to: navigation, search

Fennec TLS/SSL Man In The Middle

Setting up your network

Tls-mitm-01.png

What you need

  • Raspberry Pi
    • If you have a spare raspberry pi, use it!
    • Raspberry Pi 3 comes with Wifi onboard
    • Freddy used an RPi2 with this wifi usb dongle
    • Install Raspbian. That’s easiest. But other Linuxes will do.
  • Ethernet(!) connectivity between your Raspberry Pi and your main device (highly recommended to plug it into your router)
  • Wifi capabilities

Linux Software Setup on your Raspberry Pi

Setting up an Access Point

Install required software

sudo apt install hostapd dnsmasq

Setup /etc/hostapd/hostapd.conf, e.g.

interface=wlan0
# recommended to add your name in a shared office
ssid=TLS-MITM-AP-YourName
channel=1
macaddr_acl=0 # no mac whitelist
auth_algs=1
ignore_broadcast_ssid=0 # will broadcast ssid
wpa=2
wpa_passphrase=changeme
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
# driver optional, it turns out.
#driver=rtl871xdrv
ieee80211n=1
hw_mode=g

Setting up /etc/dnsmasq.conf

Feel free to change the IP address, depending on your network

dhcp-range=192.168.3.50,192.168.3.150,12h

Setting up iptables

These two shell scripts come in handy. You can set them to executable with chmod +x <file>

$ cat intercept-enable.sh
#!/bin/sh
DESTINATION=10.249.29.77
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $DESTINATION:8443
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $DESTINATION:8080
$ cat intercept-disable.sh
#!/bin/sh
iptables -t nat -F PREROUTING

Enable/Disabling the routing via ./intercept-disable.sh and ./intercept-enable.sh

Routing all traffic through your local development machine

Tls-mitm-02.png

Using ZAP

OWASP ZAP comes with its own documentation and installation instructions. Follow these first. After ZAP is properly setup, you should find your CA certificate in the Preferences save it to file for later use. We’ll need this on the phone later! Go to ZAP Extensions, select Marketplace Tls-mitm-03.png Install the “SNI Terminator” extension.

Normally, ZAP will expect clients to use it as an HTTP proxy (using the CONNECT request method). This add-on allows raw requests to be captured and rerouted. It will also accept TLS handshakes over port 8443 and issue matching certificates using Server Name Indications.

Test here if you can intercept TLS without adding certificates to the device

At this point all unencrypted traffic should be able to flow from the device under test, to the rogue access point, through ZAP and into the public internet. Test that your setup is sound by navigating your device to e.g., http://example.com (unencrypted). Next, test https://example.com (note HTTPS). You should see warnings about an unknown certificate issuer

Adding certificates to the device

Android System

You will need this as Firefox bits that are implemented in Java use the android certificate store. This is especially relevant for Firefox Focus. Next up, we want to add the OWASP ZAP root CA certificate to your device under test. Android allows this under settings, but only if you set a pin code (or unlock pattern). Do this first and then find the certificate settings (possibly in advanced wifi settings, depends on version) After this, you should see the first HTTPS requests going through ZAP. Some parts of the system, as well as Firefox bits that are implemented in Java use the android certificate store.

Firefox for Android

While this may be the case, Firefox uses its own certificate store and is still going to be annoyed about unknown issuers. Unfortunately, Firefox for Android does not come with a certificate settings UI. I’ve gone the route to debug Firefox for Android using the DevTools. To Debug Firefox for Android you need to set up a separate Firefox profile on Desktop, I’d like to call mine “chrome-debugger”. In this separate browser open Developer Tools, find the cog icon for Settings and scroll for Advanced Settings (bottom right). Enable this checkbox:

  • Enable remote debugging

You will want to debug via USB and not Wifi. This is the easiest way for your network intercepting setup to remain intact. Full instructions are at available on MDN. Once you have WebIDE attached to your phone, you can debug the Main Process and execute chrome privileged JavaScript. To add a certificate via chrome JavaScript, you may use this script, but remember to replace the big block of text with your own certificate! You may have to restart Firefox for the changes to take effect.

Done!

freddy@x270:~$ lowriter /tmp/Fennec\ TLS_SSL\ Man-In-The-Middle.docx ^C freddy@x270:~$ man pandoc freddy@x270:~$ pandoc -t mediawiki /tmp/Fennec\ TLS_SSL\ Man-In-The-Middle.docx

Setting up your network

624x260px

What you need

  • Raspberry Pi

    • If you have a spare raspberry pi, use it!

    • Raspberry Pi 3 comes with Wifi onboard

    • Freddy used an RPi2 with this wifi usb dongle.

    • Install Raspbian. That’s easiest. But other Linuxes will do.

  • Ethernet(!) connectivity between your Raspberry Pi and your main device (highly recommended to plug it into your router)

  • Wifi capabilities

Linux Software Setup on your Raspberry Pi

Setting up an Access Point

Install required software

sudo apt install hostapd dnsmasq

Setup /etc/hostapd/hostapd.conf, e.g.

interface=wlan0

recommended to add your name in a shared office

ssid=TLS-MITM-AP-YourName

channel=1

macaddr_acl=0 # no mac whitelist

auth_algs=1

ignore_broadcast_ssid=0 # will broadcast ssid

wpa=2

wpa_passphrase=changeme

wpa_key_mgmt=WPA-PSK

wpa_pairwise=TKIP

rsn_pairwise=CCMP

driver optional, it turns out.

driver=rtl871xdrv

ieee80211n=1

hw_mode=g

Setting up /etc/dnsmasq.conf

Feel free to change the IP address, depending on your network

dhcp-range=192.168.3.50,192.168.3.150,12h

Setting up iptables

These two shell scripts come in handy. You can set them to executable with chmod +x <file>

$ cat intercept-enable.sh

!/bin/sh

DESTINATION=10.249.29.77

iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination $DESTINATION:8443

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $DESTINATION:8080

$ cat intercept-disable.sh

!/bin/sh

iptables -t nat -F PREROUTING

Enable/Disabling the routing via ./intercept-disable.sh and ./intercept-enable.sh

Routing all traffic through your local development machine

624x241px

Using ZAP

OWASP ZAP comes with its own documentation and installation instructions. Follow these first.

After ZAP is properly setup, you should find your CA certificate in the Preferences save it to file for later use. We’ll need this on the phone later!

Go to ZAP Extensions, select Marketplace

610x107px

Install the “SNI Terminator” extension.

Normally, ZAP will expect clients to use it as an HTTP proxy (using the CONNECT request method). This add-on allows raw requests to be captured and rerouted. It will also accept TLS handshakes over port 8443 and issue matching certificates using Server Name Indications.

Test here if you can intercept TLS without adding certificates to the device

At this point all unencrypted traffic should be able to flow from the device under test, to the rogue access point, through ZAP and into the public internet. Test that your setup is sound by navigating your device to e.g., http://example.com (unencrypted).

Next, test https://example.com (note HTTPS). You should see warnings about an unknown certificate issuer

Adding certificates to the device

Android System

You will need this as Firefox bits that are implemented in Java use the android certificate store. This is especially relevant for Firefox Focus. Next up, we want to add the OWASP ZAP root CA certificate to your device under test. Android allows this under settings, but only if you set a pin code (or unlock pattern). Do this first and then find the certificate settings (possibly in advanced wifi settings, depends on version) After this, you should see the first HTTPS requests going through ZAP. Some parts of the system, as well as Firefox bits that are implemented in Java use the android certificate store.

Firefox for Android

While this may be the case, Firefox uses its own certificate store and is still going to be annoyed about unknown issuers. Unfortunately, Firefox for Android does not come with a certificate settings UI. I’ve gone the route to debug Firefox for Android using the DevTools. To Debug Firefox for Android you need to set up a separate Firefox profile on Desktop, I’d like to call mine “chrome-debugger”. In this separate browser open Developer Tools, find the cog icon for Settings and scroll for Advanced Settings (bottom right). Enable this checkbox:

  • Enable remote debugging

You will want to debug via USB and not Wifi. This is the easiest way for your network intercepting setup to remain intact. Full instructions are at available on MDN. Once you have WebIDE attached to your phone, you can debug the Main Process and execute chrome privileged JavaScript. To add a certificate via chrome JavaScript, you may use this script, but remember to replace the big block of text with your own certificate! You may have to restart Firefox for the changes to take effect.

Done!