{"id":270,"date":"2018-09-19T16:49:05","date_gmt":"2018-09-19T16:49:05","guid":{"rendered":"https:\/\/www.unsafehex.com\/?p=270"},"modified":"2024-09-27T17:29:18","modified_gmt":"2024-09-27T17:29:18","slug":"transparent-ssl-intercept","status":"publish","type":"post","link":"https:\/\/www.unsafehex.com\/index.php\/2018\/09\/19\/transparent-ssl-intercept\/","title":{"rendered":"Intercepting SSL with squid proxy and routing to tor"},"content":{"rendered":"

There was a time when practically all malware communicated with its command and control (C2) servers unencrypted. Those days are long gone, and now much of what we would wish to see is hidden under HTTPS.\u00a0 What are we to do if we want to know what is going on within that traffic?<\/p>\n

Introduction<\/h4>\n

(for those who are unfamiliar with the HTTPS protocol and public key encryption)<\/h5>\n

The foundation of HTTPS is the Public Key Infrastructure. When traffic is to be encrypted, the destination server provides a public key with which to encrypt a message. Only that server, which is in possession of the linked private key, can decrypt the message. Public key, or asymmetric encryption, is relatively slow so instead of all traffic being secured with this, the client and server use this stage only to negotiate a new key in secret<\/a> for a symmetrically encrypted connection. If we wish to be able to read the traffic, we need to obtain the symmetric encryption key.<\/p>\n

How can this be achieved? If we are in a position to intercept the traffic, we could provide a public key that we are in control of to the client, and establish our own connection to the server. The traffic would be decrypted at our interception point with our key, and re-encrypted as we pass it to the server with the server’s key. However, because HTTPS must be able to keep information confidential, it has defences designed with this attack in mind. A key issued by a server is normally provided along with the means to verify that it is genuine, not falsified as we wish to do. The key is accompanied by a cryptographic signature from a Certificate Authority (CA), and computers and other devices using HTTPS to communicate hold a list of CAs which are considered trustworthy and authorised to verify that keys are valid. Comparing the signature against the client’s stored list enables the client to verify the authenticity of the public key.<\/p>\n

If we wish to inspect encrypted communication, we must both intercept the secret key during the exchange, and convince the client that the certificate it receives is genuine. This post will walk through the process needed to achieve those two goals.<\/p>\n

Design<\/h4>\n
Starting point<\/h5>\n

I have already been running a sandbox that routes traffic via tor. It is loosely based on Sean Whalen’s Cuckoo guide<\/a>, and implements the tor routing without going via privoxy, as shown below.<\/p>\n

\"\"<\/a>

Initial setup<\/p><\/div>\n

Using this method allows me to run malware without revealing the public IP of my lab environment. It has certain drawbacks; some malware will recognise that it is being routed via tor and stop functioning, however the tradeoff is acceptable to me.<\/p>\n

squid | tor<\/h5>\n

Using squid with tor comes with some caveats that make the eventual configuration a little complicated. The version of squid I am using (3.5.23) cannot directly connect to a tor process running on the local host. In order to route via tor locally you will need a parent\u00a0<\/strong>cache\u00a0<\/strong>peer<\/strong>\u00a0to which the connection can be forwarded. Privoxy is capable of serving this purpose, so initially I attempted the setup shown below:<\/p>\n

\"\"<\/a>

Via privoxy<\/p><\/div>\n

This configuration will function just fine if all you want is to proxy via squid. Unfortunately, this version of squid does not support SSL\/TLS interception when a parent cache is being used. So, since we cannot use privoxy, and squid cannot route to tor on the same host, what can we do? Run tor on a different host!<\/p>\n

\"\"<\/a>

Via squid and second host running tor<\/p><\/div>\n

Implementation<\/h4>\n

squid with ssl intercept\/ssl-bump<\/h5>\n

In order to use squid with ssl-bump, you must have compiled squid with the –with-openssl<\/em> and –enable-ssl-crtd<\/em> options. The default package on Debian is not compiled this way, so to save you some time I have provided the commands I used to compile it:<\/p>\n

apt-get source squid\ncd squid3-3.5.23\/\n.\/configure --build=x86_64-linux-gnu --prefix=\/usr --includedir=${prefix}\/include --mandir=${prefix}\/share\/man --infodir=${prefix}\/share\/info --sysconfdir=\/etc --localstatedir=\/var --libexecdir=${prefix}\/lib\/squid3 --srcdir=. --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=\/build\/squid3-4PillG\/squid3-3.5.23=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' --datadir=\/usr\/share\/squid --sysconfdir=\/etc\/squid --libexecdir=\/usr\/lib\/squid --mandir=\/usr\/share\/man --enable-inline --disable-arch-native --enable-async-io=8 --enable-storeio=ufs,aufs,diskd,rock --enable-removal-policies=lru,heap --enable-delay-pools --enable-cache-digests --enable-icap-client --enable-follow-x-forwarded-for --enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB --enable-auth-digest=file,LDAP --enable-auth-negotiate=kerberos,wrapper --enable-auth-ntlm=fake,smb_lm --enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group --enable-url-rewrite-helpers=fake --enable-eui --enable-esi --enable-icmp --enable-zph-qos --enable-ecap --disable-translation --with-swapdir=\/var\/spool\/squid --with-logdir=\/var\/log\/squid --with-pidfile=\/var\/run\/squid.pid --with-filedescriptors=65536 --with-large-files --with-default-user=proxy --enable-build-info='Debian linux' --enable-linux-netfilter build_alias=x86_64-linux-gnu 'CFLAGS=-g -O2 -fdebug-prefix-map=\/build\/squid3-4PillG\/squid3-3.5.23=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=\/build\/squid3-4PillG\/squid3-3.5.23=. -fstack-protector-strong -Wformat -Werror=format-security' --with-openssl --enable-ssl-crtd\nmake && make install<\/pre>\n
The configuration above is identical to the precompiled one in the Debian Stretch repository, apart from the addition of the SSL options. If you are using a different distro the above command may not work.<\/p>\n
Most of my configuration is based on the guide in the official squid documentation<\/a>. My squid configuration is as follows:<\/p>\n
acl ftp proto FTP\nacl SSL_ports port 443\nacl SSL_ports port 1025-65535\nacl Safe_ports port 80 # http\nacl Safe_ports port 21 # ftp\nacl Safe_ports port 443 # https\nacl Safe_ports port 70 # gopher\nacl Safe_ports port 210 # wais\nacl Safe_ports port 1025-65535 # unregistered ports\nacl Safe_ports port 280 # http-mgmt\nacl Safe_ports port 488 # gss-http\nacl Safe_ports port 591 # filemaker\nacl Safe_ports port 777 # multiling http\nacl CONNECT method CONNECT\nacl LANnet src 192.168.80.0\/24 # local network for virtual machines\nacl step1 at_step SslBump1\nhttp_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\nhttp_access allow localhost manager\nhttp_access allow LANnet\nhttp_access deny manager\nhttp_access allow localhost\nhttp_access deny all\nhttp_port 3128 intercept # intercept required for transparent proxy\nhttps_port 3129 intercept ssl-bump \\\n    cert=\/etc\/squid\/antfarm.pem \\\n    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB\nssl_bump peek step1\nssl_bump bump all\nsslcrtd_program \/usr\/lib\/squid\/ssl_crtd -s \/var\/lib\/ssl_db -M 4MB\nsslcrtd_children 8 startup=1 idle=1\naccess_log daemon:\/var\/log\/squid\/access.log logformat=combined\npid_filename \/var\/run\/squid\/squid.pid\ncoredump_dir \/var\/spool\/squid\nrefresh_pattern ^ftp: 1440 20% 10080\nrefresh_pattern ^gopher: 1440 0% 1440\nrefresh_pattern -i (\/cgi-bin\/|\\?) 0 0% 0\nrefresh_pattern . 0 20% 4320\nrequest_header_access X-Forwarded-For deny all\nhttpd_suppress_version_string on\nalways_direct allow all<\/pre>\n
Use the SSL certificate generation process shown in the linked guide. Once you have created the .pem file, copy the section from —–BEGIN CERTIFICATE—–<\/em> to —–END CERTIFICATE—–<\/em> into a new file with the extension .crt.<\/p>\n
A few notes here:<\/p>\n