ohpe/MiTM-SSL.md

Created February 12, 2018 20:03

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/ohpe/e02596a2c2247ea1a212e019c355e2c3.js"></script>
Save ohpe/e02596a2c2247ea1a212e019c355e2c3 to your computer and use it in GitHub Desktop.

Download ZIP

Simple SSL MiMT using stunnel

Raw

MiTM-SSL.md

Simple SSL MiTM

A quick and dirty SSL MiTM using stunnel

Generate a SSL certificate .. or use Let's Encrypt (for the green lock)

openssl req -batch -new -x509 -days 365 -nodes -out mitm.pem -keyout mitm.pem

Run stunnel

stunnel mitm.conf

;mitm.conf
[server]
client = no
cert= ./mitm.pem
accept = <EXPOSEDIP>:443
connect = 127.0.0.1:31337

[client]
client = yes
accept = 127.0.0.1:31337
connect = <TARGET>:443

Capture unencrypted traffic

sudo tcpdump -ilo -s0 -v -w ./mitm.pcap 'port 31337'

mouchh commented Sep 4, 2019

Thanks for this one!
As I had some struggle to move ahead with TLS decryption once the packets were captured, I wanted to share how I managed to get it working. Hopefully it will help someone

Actually, the only way to decrypt TLS with the pem file only (including your private key) is to use TLS with a RSA cipher.
More and more clients and servers are handling TLS with DiffieHellman ciphers (DH) so if you want to be able to decrypt easily your traffic, you should add this config either on the [server] or [client] config

ciphers = RSA

It will tell the counterpart that you want to negiotiate your TLS encryption with a cipher from the RSA-family. Hopefully you will find a common RSA cipher to ease your decryption process by using the private key from the pem file.

There are ways to decrypt DH ciphers also but its more complex... as this gist is for simple MITM I guess we should not mention this here :)

Author

ohpe commented Sep 4, 2019

Awesome, thanks @mouchh

Saya47 commented Oct 18, 2019 •

edited

Loading

Hello @ohpe :)
I want to use Privoxy to block an HTTPS URL like this one: https://github.com/Setaran/
But Privoxy is not able to block HTTPS paths, it can only block HTTPS domains which is already achievable with HOSTS file on Windows so I don't need that.
I found your config for stunnel, I want to use in my case.
Can you please tell me after I add the above config to stunnel, how I can send the unencrypted data to Privoxy?
And then I think I should encrypt it with the .pem key?
Thanks very much in advance 👍

diveshu commented Nov 29, 2023 •

edited

Loading

Hello @ohpe :) I want to use Privoxy to block an HTTPS URL like this one: https://github.com/Setaran/ But Privoxy is not able to block HTTPS paths, it can only block HTTPS domains which is already achievable with HOSTS file on Windows so I don't need that. I found your config for stunnel, I want to use in my case. Can you please tell me after I add the above config to stunnel, how I can send the unencrypted data to Privoxy? And then I think I should encrypt it with the .pem key? Thanks very much in advance 👍

Hi,
Were you able to get any solution?

Saya47 commented Nov 30, 2023

Hello @ohpe :) I want to use Privoxy to block an HTTPS URL like this one: https://github.com/Setaran/ But Privoxy is not able to block HTTPS paths, it can only block HTTPS domains which is already achievable with HOSTS file on Windows so I don't need that. I found your config for stunnel, I want to use in my case. Can you please tell me after I add the above config to stunnel, how I can send the unencrypted data to Privoxy? And then I think I should encrypt it with the .pem key? Thanks very much in advance 👍

Hi, Were you able to get any solution?

Hello I used Fiddler!