Newbie q: need to capture cipher list from client_hello


Jay S

Mar 23, 2017, 8:07:12 PM
to nogotofail
I just wanted to log/print the ciphers my client app is presenting in the client_hello. I am doing this on mac btw. 

I first installed nogotofail using sudo python setup.py install (which seemed to go well). 

I had modified the on_ssl method in the "insecurecipherdetection" handler inside of this file: nogotofail/mitm/connection/handlers/data/ssl.py to simply log the client_hello.ciphers. This is in my cloned copy but done after the install step above. 

I then launched this for the mitm proxy: 

python -m nogotofail.mitm -A invalidhostname -D insecurecipherdetection --mode socks --port 8080 --serverssl server.crt


Then attempted to connect using this: 

python -m nogotofail.clients.linux.pyblame  -A salidhostname -D insecurecipherdetection -p 1  localhost 8443


I get prompted on whether to connect to the fingerprint of the server certificate. After answering yes the connection gets established fine but don't see the log message that I had added to the above handler in on_ssl method. It is as if it did not get called at all. 


I am thinking if the change I made to the handler was after installing it so it is not taking effect. I tried re-installing again but it does not help. What could I be missing?


thx

Jay


Chad Brubaker

Mar 23, 2017, 8:22:08 PM
to Jay S, nogotofail
On Thu, Mar 23, 2017 at 5:07 PM Jay S <jayan...@puppet.com> wrote:
> I just wanted to log/print the ciphers my client app is presenting in the client_hello. I am doing this on mac btw.
>
> I first installed nogotofail using sudo python setup.py install (which seemed to go well).
>
> I had modified the on_ssl method in the "insecurecipherdetection" handler inside of this file: nogotofail/mitm/connection/handlers/data/ssl.py to simply log the client_hello.ciphers. This is in my cloned copy but done after the install step above.
>
> I then launched this for the mitm proxy:
>
> python -m nogotofail.mitm -A invalidhostname -D insecurecipherdetection --mode socks --port 8080 --serverssl server.crt

If you're just testing you can run without a connection attack and let the connection complete, e.g.

python -m nogotofail.mitm -D insecurecipherdetection --mode socks --port 8080 --serverssl server.crt -p 0

-p 0 puts the probability of running any active attacks at 0, which you might want for this so you can just do passive detection.

> Then attempted to connect using this:
>
> python -m nogotofail.clients.linux.pyblame  -A salidhostname -D insecurecipherdetection -p 1  localhost 8443
>
> I get prompted on whether to connect to the fingerprint of the server certificate. After answering yes the connection gets established fine but don't see the log message that I had added to the above handler in on_ssl method. It is as if it did not get called at all.

The client is only there to provide the mitm server additional information, it doesn't make any connections itself.

You'll need to use something with a socks5 proxy pointed at the MiTM to see traffic. You should be able to get proxychains on a mac and run

proxychains4 wget https://www.google.com -4 -O example

At which point you should see the connection(s) getting logged in the MiTM along with your extra logging. You could also set up your browser's proxy to point to the MiTM.

> I am thinking if the change I made to the handler was after installing it so it is not taking effect. I tried re-installing again but it does not help. What could I be missing?
>
> thx
>
> Jay


Jay S

Mar 24, 2017, 1:35:45 AM
to nogotofail, jayan...@puppet.com
Thanks! That worked - I can see the ciphers fine now. I have to do sudo python setup install every time I change any of the files within nogotofail. 

rgds, Jay
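
What the cipher list discussed in this thread looks like on the wire, as an added example that is not part of the thread or of nogotofail's code: a stand-alone Python parser that pulls the offered cipher suite codes out of a raw TLS ClientHello record. The name table, the weak-suite markers and the sample record are constructed assumptions for illustration.

```python
import struct

# Illustrative subset of the IANA cipher suite registry, not exhaustive.
NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK_MARKERS = ("RC4", "3DES", "_NULL_", "EXPORT", "anon")  # assumed criteria


def client_hello_ciphers(record):
    """Return the cipher suite codes offered in one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) < hs_len:
        raise ValueError("ClientHello is truncated or spans several records")
    pos = 2 + 32                          # skip client_version and random
    if pos >= len(hello):
        raise ValueError("ClientHello too short")
    pos += 1 + hello[pos]                 # skip session_id (1-byte length prefix)
    if pos + 2 > len(hello):
        raise ValueError("ClientHello too short")
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack("!%dH" % (cs_len // 2), hello[pos:pos + cs_len]))


def weak_ciphers(codes):
    """Names of offered suites matching WEAK_MARKERS; unknown codes are skipped."""
    return [NAMES[c] for c in codes
            if c in NAMES and any(m in NAMES[c] for m in WEAK_MARKERS)]


def build_sample_hello(codes):
    """Constructed input: a minimal ClientHello record offering `codes`."""
    suites = struct.pack("!%dH" % len(codes), *codes)
    hello = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    offered = client_hello_ciphers(build_sample_hello([0xC02F, 0x002F, 0x0005]))
    print([hex(c) for c in offered], weak_ciphers(offered))
```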