View Full Version : SSL Interception with Squid3 (MITM)

2014-10-05, 09:42
The following example is a part of
Aerial - How to E-Z Setup a Multi-mode wireless LAN Based on a Software Access point (https://forums.kali.org/showthread.php?23028-Aerial-Multi-mode-wireless-LAN-Based-on-a-Software-Access-point)
which I called "mode 13" SiTM - Squid in The Middle - Transparent HTTP(S) proxied LAN.
To get this to work you must have something like this:

|=======|................|=============| <---wlan0---> Client 1
| |nternet...| <--eth0-->| Kali Linux (squid3) | <---wlan0---> Client 2
|=======|................|=============| <---wlan0---> Client 3 (and etc)

eth0 and wlan0 could be any network interfaces.

Most distros did not offer Squid3 compiled with SSL Bumping and Dynamic SSL Certificate Generation. I'm offering you dpkg (full packages*) Squid3 v.3.3.8 compiled with SSL Bumping and Dynamic SSL Certificate Generation for Kali amd64(x64) and Kali i386 (x32).

* squid3_3.3.8-1.1Kali1_amd64.deb

First of all you must know that Squid3 v.3.3.8 is incompatible with any previous version of Squid3. So, if you install any version of Squid3 e.g. Kali offers Squid3 v.3.1.20 you must uninstall it first.

apt-get --purge remove -y squid3 squid3-common squid-langpack
Download the appropriate .bz2 file depending the architecture your are running:
For Kali x64:
squid3_3.3.8-1.1Kali1_amd64.tar.bz2 (http://www.mediafire.com/download/cf6gz3e6innlbbn/squid3_3.3.8-1.1Kali1_amd64.tar.bz2) 27.59MB

sha1sum: 52475413ff0954a20721c558afa28ae872abd9f3
and install it:

tar jxf squid3_3.3.8-1.1Kali1_amd64.tar.bz2
cd squid3_3.3.8-1.1Kali1_amd64
dpkg -i squid3_3.3.8-1.1Kali1_amd64.deb squid3-common_3.3.8-1.1Kali1_all.deb squid-langpack_20140506-1.1Kali1_all.deb
For Kali x32:
squid3_3.3.8-1.1Kali1_i386.tar.bz2 (http://www.mediafire.com/download/o3bsnqpjp127qxq/squid3_3.3.8-1.1Kali1_i386.tar.bz2) 26.83MB

sha1sum: 15d3490f350095a6ae6945d14ac502332484c42c

tar jxf squid3_3.3.8-1.1Kali1_i386.tar.bz2
cd squid3_3.3.8-1.1Kali1_i386
dpkg -i squid3_3.3.8-1.1Kali1_i386.deb squid3-common_3.3.8-1.1Kali1_all.deb squid-langpack_20140506-1.1Kali1_all.deb

Let's create a folder for our CA certificates and the cnf file for them:

mkdir /root/CA-certificates
#Create the cnf configuration file x509v3ca.cnf
cat > /root/CA-certificates/x509v3ca.cnf << EOF
[ req ]
default_bits = 4096
default_md = sha1
default_keyfile = Root-ca.key
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
string_mask = nombstr

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints = critical,CA:true
nsCertType = critical,sslCA
extendedKeyUsage = critical,serverAuth,clientAuth,emailProtection,tim eStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEF S,nsSGC
keyUsage = keyCertSign,cRLSign
subjectKeyIdentifier = hash

Now let's create our CA certifificates for Squid3 and for the clients:

#Generate RSA CA private key:
openssl genrsa -out /root/CA-certificates/Root-ca.key 4096
#Create CA certificate
openssl req -new -nodes -x509 -sha1 -out /root/CA-certificates/Root-ca.crt -key /root/CA-certificates/Root-ca.key -config /root/CA-certificates/x509v3ca.cnf -extensions v3_ca -subj '/O=Squid3/OU=Squid3 RootCA/CN=Squid3/' -days 9999
#The certificate in PEM format. Use this to distribute to most non-Windows platforms. e.g. *nix systems.
openssl x509 -in /root/CA-certificates/Root-ca.crt -out /root/CA-certificates/Root-ca-cert.pem -outform PEM
#The certificate in pkcs12 format. Use this to distribute to Windows platforms.
openssl pkcs12 -export -in /root/CA-certificates/Root-ca.crt -inkey /root/CA-certificates/Root-ca.key -out /root/CA-certificates/Root-ca-cert.p12 -name "RootCA" -password pass:
#The certificate in DER binary format format. Use this to distribute to Android Devices.
openssl x509 -inform PEM -outform DER -in /root/CA-certificates/Root-ca.crt -out /root/CA-certificates/Root-ca-cert.crt
Initialize the SSL database for storing cached certificates and make the directory writable for the squid user:

/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db -M 4MB
chown -R proxy.proxy /var/lib/ssl_db

Let's create a sample configuration file for Squid3:

cat > /etc/squid3/squid.conf <<EOF
# Access Controls
acl localnet src # RFC1918 class C internal network replace it with your own internal network.
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3127-3129 1025-65535
acl sslports port 443 563 81 2087 8081 10000
acl connect method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !safeports
http_access deny CONNECT !sslports
http_access allow localhost
http_access allow localnet
http_access deny all

always_direct allow all
ssl_bump server-first all

# Ports :3127 http proxy, 3128 http transparent, 3129 https transparent.
http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/root/CA-certificates/Root-ca.crt key=/root/CA-certificates/Root-ca.key

sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 10 startup=4 idle=2

# Lets use DNS servers that we have found.
dns_nameservers #DNS servers. The first one is my LAN's DNS and the second one is an OPEN DNS server. Replace them with your own.
positive_dns_ttl 8 hours
negative_dns_ttl 30 seconds
hierarchy_stoplist cgi-bin ?

# Disk Cache Options
# Uncomment the following to enable hdd/sdd disk cache.
#cache_dir aufs /var/spool/squid3 200 16 256
#cache_replacement_policy heap LFUDA
#minimum_object_size 0 KB
#maximum_object_size 4096 KB
#cache_swap_low 90
#cache_swap_high 95

# Memory Cache Options
# You may want to increase 64 MB RAM to something higher.
cache_mem 64 MB
maximum_object_size_in_memory 512 KB
memory_replacement_policy heap GDSF

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
coredump_dir /var/spool/squid3
access_log stdio:/var/log/squid3/access.log squid
and let's start Squid3:

/etc/init.d/squid3 start
Let's setup our iptables:

export IFACE="`ip route show to | awk '{print $5}'`" # This is your Internet Interface
export INETIP="`/sbin/ifconfig $IFACE | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" # This is your IP you are getting from your Internet Interface.
export LAN_IFACE="wlan0" # Put here your LAN's Interface. e.g. eth0
export LAN_IP="`/sbin/ifconfig $LAN_IFACE | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" # This is the IP from your LAN Interface.

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface $IFACE -j MASQUERADE
iptables --append FORWARD --in-interface $ATFACE -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $INETIP
# Transparent Squid3 Http & Https (Squid3 listens to 3129 (http traffic) and 3127 (https traffic)
iptables -t nat -A PREROUTING -i $ATFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination "$LAN_IP":3128
iptables -t nat -A PREROUTING -i $ATFACE -p tcp -m tcp --dport 443 -j DNAT --to-destination "$LAN_IP":3129
iptables -t nat -A PREROUTING -i $IFACE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i $IFACE -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129

At this point your client(s) should be able to surf transparently the web through Squid3.

But you must first install the CA certificate that we have created above, so they will not get certificate warnings.

For *nix clients for example who is having Firefox/Iceweasel you must transfer Root-ca-cert.pem that was created previously to your client.

Start Firefox/Iceweasel:
Open 'Preferences'
Go to the 'Advanced' section, 'Certificates' tab
Press the 'View Certificates' button and go to the 'Authorities' tab
Press the 'Import' button, select the Root-ca-cert.pem file , check 'Trust this CA to indetify websites' press 'OK'.

That's it. No more warnings and if you visit a https site you will see that site was signed by Squid3 with the certificate that we have previously created.

Enjoy !


Dynamic SSL Certificate Generation (http://wiki.squid-cache.org/Features/DynamicSslCert)
Squid-in-the-middle SSL Bump (http://wiki.squid-cache.org/Features/SslBump)
SslBump using Bump-Server-First method (http://wiki.squid-cache.org/Features/BumpSslServerFirst)
Mimic original SSL server certificate when bumping traffic (http://wiki.squid-cache.org/Features/MimicSslServerCert)

2014-10-25, 20:27
Moved to github:
Squid3 v3.3.8 - SSL enabled - Kali Linux i386/amd64 (https://github.com/Nick-the-Greek/Squid3_SSL_Kali-Linux)
You can download it by:

git clone https://github.com/Nick-the-Greek/Squid3_SSL_Kali-Linux
and follow the above instructions.

2015-02-27, 05:57
Hi Sir Nick,

Can these be done using the following setup:

Client 1,2,3,etc are connected to internet via my pocket wifi/router.

and my linux machine (installed in VMware) is connected to internet via eth0 (shared/bridged internet with windows).
Do I need to have administrator privilege on the computer (linux/windows) to be able to port forward? (echo 1 > /proc/sys/net/ipv4/ip_forward)

Many Thanks