
Thread: SSL Interception with Squid3 (MITM)

  1. #1

    SSL Interception with Squid3 (MITM)

    The following example is a part of
    Aerial - How to E-Z Setup a Multi-mode wireless LAN Based on a Software Access point
    which I called "mode 13" SiTM - Squid in The Middle - Transparent HTTP(S) proxied LAN.
    To get this to work you must have something like this:

    Code:
    |==========|                |=====================| <---wlan0---> Client 1
    | Internet | <----eth0----> | Kali Linux (squid3) | <---wlan0---> Client 2
    |==========|                |=====================| <---wlan0---> Client 3 (etc.)

    eth0 and wlan0 could be any network interfaces.

    Most distros did not offer Squid3 compiled with SSL Bumping and Dynamic SSL Certificate Generation. I'm offering you dpkg (full packages*) Squid3 v.3.3.8 compiled with SSL Bumping and Dynamic SSL Certificate Generation for Kali amd64(x64) and Kali i386 (x32).

    * Full packages:
    squid3_3.3.8-1.1Kali1_amd64.deb
    squid3_3.3.8-1.1Kali1_i386.deb
    squid3-common_3.3.8-1.1Kali1_all.deb
    squid3-dbg_3.3.8-1.1Kali1_amd64.deb
    squid3-dbg_3.3.8-1.1Kali1_i386.deb
    squid-cgi_3.3.8-1.1Kali1_amd64.deb
    squid-cgi_3.3.8-1.1Kali1_i386.deb
    squidclient_3.3.8-1.1Kali1_amd64.deb
    squidclient_3.3.8-1.1Kali1_i386.deb
    squid-langpack_20140506-1.1Kali1_all.deb

    First of all you must know that Squid3 v.3.3.8 is incompatible with any previous version of Squid3. So, if you have installed any other version of Squid3 (e.g. Kali offers Squid3 v.3.1.20), you must uninstall it first.
    Code:
    apt-get --purge remove -y squid3 squid3-common squid-langpack
    Download the appropriate .bz2 file depending on the architecture you are running:
    For Kali x64:
    squid3_3.3.8-1.1Kali1_amd64.tar.bz2 27.59MB
    Code:
    sha1sum: 52475413ff0954a20721c558afa28ae872abd9f3
    and install it:
    Code:
    tar jxf squid3_3.3.8-1.1Kali1_amd64.tar.bz2
    cd squid3_3.3.8-1.1Kali1_amd64
    dpkg -i squid3_3.3.8-1.1Kali1_amd64.deb squid3-common_3.3.8-1.1Kali1_all.deb squid-langpack_20140506-1.1Kali1_all.deb
    For Kali x32:
    squid3_3.3.8-1.1Kali1_i386.tar.bz2 26.83MB
    Code:
    sha1sum: 15d3490f350095a6ae6945d14ac502332484c42c
    Code:
    tar jxf squid3_3.3.8-1.1Kali1_i386.tar.bz2
    cd squid3_3.3.8-1.1Kali1_i386
    dpkg -i squid3_3.3.8-1.1Kali1_i386.deb squid3-common_3.3.8-1.1Kali1_all.deb squid-langpack_20140506-1.1Kali1_all.deb
    Let's create a folder for our CA certificates and the cnf file for them:
    Code:
    mkdir /root/CA-certificates
    # Create the cnf configuration file x509v3ca.cnf
    cat > /root/CA-certificates/x509v3ca.cnf << EOF
    [ req ]
    default_bits            = 4096
    default_md              = sha1
    default_keyfile         = Root-ca.key
    distinguished_name      = req_distinguished_name
    x509_extensions         = v3_ca
    string_mask             = nombstr

    [ req_distinguished_name ]

    [ v3_ca ]
    basicConstraints        = critical,CA:true
    nsCertType              = critical,sslCA
    extendedKeyUsage        = critical,serverAuth,clientAuth,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC
    keyUsage                = keyCertSign,cRLSign
    subjectKeyIdentifier    = hash
    EOF
    Now let's create our CA certificates for Squid3 and for the clients:
    Code:
    #Generate RSA CA private key:
    openssl genrsa -out /root/CA-certificates/Root-ca.key 4096
    #Create CA certificate
    openssl req -new -nodes -x509 -sha1 -out /root/CA-certificates/Root-ca.crt -key /root/CA-certificates/Root-ca.key -config /root/CA-certificates/x509v3ca.cnf -extensions v3_ca -subj '/O=Squid3/OU=Squid3 RootCA/CN=Squid3/' -days 9999
    #The certificate in PEM format. Use this to distribute to most non-Windows platforms. e.g. *nix systems.
    openssl x509 -in /root/CA-certificates/Root-ca.crt -out /root/CA-certificates/Root-ca-cert.pem -outform PEM
    #The certificate in pkcs12 format. Use this to distribute to Windows platforms.
    openssl pkcs12 -export -in /root/CA-certificates/Root-ca.crt -inkey /root/CA-certificates/Root-ca.key -out /root/CA-certificates/Root-ca-cert.p12 -name "RootCA" -password pass:
    #The certificate in DER binary format format. Use this to distribute to Android Devices.
    openssl x509 -inform PEM -outform DER -in /root/CA-certificates/Root-ca.crt -out /root/CA-certificates/Root-ca-cert.crt
    Initialize the SSL database for storing cached certificates and make the directory writable for the squid user:
    Code:
    /usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db -M 4MB
    chown -R proxy.proxy /var/lib/ssl_db
    Let's create a sample configuration file for Squid3:
    Code:
    cat > /etc/squid3/squid.conf <<EOF
    # Access Controls
    acl localnet src 192.168.60.0/24  	# RFC1918 class C internal network; replace it with your own internal network.
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 81 3127-3129 1025-65535
    acl sslports port 443 563 81 2087 8081 10000
    acl connect method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !safeports
    http_access deny CONNECT !sslports
    http_access allow localhost
    http_access allow localnet
    http_access deny all
    
    always_direct allow all
    ssl_bump server-first all
    
    # Ports :3127 http proxy, 3128 http transparent, 3129 https transparent.
    http_port 3127
    http_port 3128 intercept
    https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/root/CA-certificates/Root-ca.crt key=/root/CA-certificates/Root-ca.key
    
    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 10 startup=4 idle=2
    
    # Let's use the DNS servers that we have found.
    dns_nameservers 192.168.1.1 208.67.222.222  #DNS servers. The first one is my LAN's DNS and the second one is an OPEN DNS server. Replace them with your own.
    positive_dns_ttl 8 hours
    negative_dns_ttl 30 seconds
    hierarchy_stoplist cgi-bin ?
    
    # Disk Cache Options
    # Uncomment the following to enable hdd/sdd disk cache.
    #cache_dir aufs /var/spool/squid3 200 16 256
    #cache_replacement_policy heap LFUDA
    #minimum_object_size 0 KB
    #maximum_object_size 4096 KB
    #cache_swap_low 90
    #cache_swap_high 95
    
    # Memory Cache Options
    # You may want to increase 64 MB RAM to something higher.
    cache_mem 64 MB
    maximum_object_size_in_memory 512 KB
    memory_replacement_policy heap GDSF
    
    refresh_pattern ^ftp:           1440  20%  10080
    refresh_pattern ^gopher:        1440   0%   1440
    refresh_pattern -i (/cgi-bin/|\?)  0   0%      0
    refresh_pattern .                  0  20%   4320
    coredump_dir /var/spool/squid3
    access_log stdio:/var/log/squid3/access.log squid
    EOF
    and let's start Squid3:
    Code:
    /etc/init.d/squid3 start
    Let's setup our iptables:
    Code:
    export IFACE="`ip route show to 0.0.0.0/0 | awk '{print $5}'`" # This is your Internet Interface
    export INETIP="`/sbin/ifconfig $IFACE | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" # This is your IP you are getting from your Internet Interface.
    export LAN_IFACE="wlan0" # Put here your LAN's Interface. e.g. eth0
    export LAN_IP="`/sbin/ifconfig $LAN_IFACE | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`" # This is the IP from your LAN Interface.
    
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables --table nat --append POSTROUTING --out-interface $IFACE -j MASQUERADE
    # Forward traffic arriving on the LAN interface (the original used $ATFACE, an undefined variable; it must be $LAN_IFACE)
    iptables --append FORWARD --in-interface $LAN_IFACE -j ACCEPT
    iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to $INETIP
    # Transparent Squid3 Http & Https (Squid3 listens on 3128 for http traffic and 3129 for https traffic)
    iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination "$LAN_IP":3128
    iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp -m tcp --dport 443 -j DNAT --to-destination "$LAN_IP":3129
    iptables -t nat -A PREROUTING -i $IFACE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    iptables -t nat -A PREROUTING -i $IFACE -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
    At this point your client(s) should be able to surf transparently the web through Squid3.

    But you must first install the CA certificate that we have created above, so they will not get certificate warnings.

    For *nix clients, for example one running Firefox/Iceweasel, you must transfer the Root-ca-cert.pem that was created previously to your client.

    Start Firefox/Iceweasel:
    Open 'Preferences'
    Go to the 'Advanced' section, 'Certificates' tab
    Press the 'View Certificates' button and go to the 'Authorities' tab
    Press the 'Import' button, select the Root-ca-cert.pem file, check 'Trust this CA to identify websites' and press 'OK'.

    That's it. No more warnings, and if you visit an https site you will see that the site's certificate was signed by Squid3 with the CA certificate that we have previously created.

    Enjoy !

    Nick_the_Greek

    References:
    Dynamic SSL Certificate Generation
    Squid-in-the-middle SSL Bump
    SslBump using Bump-Server-First method
    Mimic original SSL server certificate when bumping traffic
    Last edited by Nick_the_Greek; 2014-10-25 at 18:42. Reason: Typo.
    Security always begins with personal responsibility. - quietman7
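    A client-side check matching the last point of the post, added here as an example and not part of the original thread: given the certificate a server presents, decide whether it was issued by the Squid3 root CA created above (subject /O=Squid3/OU=Squid3 RootCA/CN=Squid3), i.e. whether the session is being bumped. The sample certificate dicts are constructed test data, and `fetch_peercert` is a helper assumed for live use.

```python
"""Client-side check: was this HTTPS session bumped by the Squid3 CA?

Added example, not part of the forum post. It compares the issuer of the
certificate a server presents with the subject of the root CA created above
(-subj '/O=Squid3/OU=Squid3 RootCA/CN=Squid3/'). The sample certificate
dicts are constructed test data, not captured from a real connection.
"""
import socket
import ssl

# Subject of the CA generated in the post, field by field.
SQUID_CA_SUBJECT = {"organizationName": "Squid3",
                    "organizationalUnitName": "Squid3 RootCA",
                    "commonName": "Squid3"}


def rdn_to_dict(name):
    """Flatten the ((('k', 'v'),), ...) tuple form used by ssl.getpeercert()."""
    return {k: v for rdn in name for k, v in rdn}


def issued_by_squid_ca(peercert):
    """True if the presented certificate's issuer is the Squid3 CA.
    peercert is the dict returned by SSLSocket.getpeercert(); every CA
    subject field must match, and a missing field counts as a mismatch."""
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    return all(issuer.get(k) == v for k, v in SQUID_CA_SUBJECT.items())


def fetch_peercert(host, port=443, cafile=None):
    """Fetch a server's leaf certificate (assumed helper, needs network).
    Without cafile the default trust store is used, so a bumped connection
    fails verification and raises ssl.SSLCertVerificationError; pass
    cafile="Root-ca-cert.pem" to retrieve the bumped certificate instead."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed: what a bumped session to example.com looks like (the host name
# is copied from the real server by generate-host-certificates=on, the issuer
# is the Squid3 CA).
BUMPED_CERT = {"subject": ((("commonName", "example.com"),),),
               "issuer": ((("organizationName", "Squid3"),),
                          (("organizationalUnitName", "Squid3 RootCA"),),
                          (("commonName", "Squid3"),))}
# Constructed: the same host seen through a public CA.
PUBLIC_CERT = {"subject": ((("commonName", "example.com"),),),
               "issuer": ((("organizationName", "Example Public CA"),),
                          (("commonName", "Example Public CA R1"),))}
```

A client that does not trust Root-ca-cert.pem sees the bumped session as a verification failure; a client that has imported it can still detect the proxy by checking the issuer as above.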

  2. #2
    Moved to github:
    Squid3 v3.3.8 - SSL enabled - Kali Linux i386/amd64
    You can download it by:
    Code:
    git clone https://github.com/Nick-the-Greek/Squid3_SSL_Kali-Linux
    and follow the above instructions.

  3. #3
    Hi Sir Nick,

    Can these be done using the following setup:

    Client 1,2,3,etc are connected to internet via my pocket wifi/router.

    and my linux machine (installed in VMware) is connected to internet via eth0 (shared/bridged internet with windows).
    Do I need to have administrator privilege on the computer (linux/windows) to be able to port forward? (echo 1 > /proc/sys/net/ipv4/ip_forward)


    Many Thanks
