Need to understand "nogotofail MiTM tester" app


swaraj...@gmail.com

Feb 8, 2017, 7:45:45 PM
to nogotofail



Our setup
We have installed the following apps
(I am testing it on Android TV):
1) nogotofail
    Configuration   nogotofail --> settings --> Attacks
       Probability of attack -- 100%
       Custom list of attacks -- Checked

       Only the following attack was checked; all other attacks were unchecked:

        Self-signed TLS cert -- Checked


 2) nogotofail MiTM tester 


Test scenario 
When we click on
1. nogotofail MiTM tester --> TLS/SSL --> HTTPS REQUEST WITHOUT SSL CERTIFICATE CHAIN-OF-TRUST CHECK
   the following message is displayed:
       TEST RESULT 
       HTTP/1.0 302 Found

Log from server
2017-02-09 09:37:43,805 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d logging](Unknown) Selected for connection
2017-02-09 09:37:43,820 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection established
2017-02-09 09:37:43,820 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Handler being removed
2017-02-09 09:37:43,820 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Selected for connection
2017-02-09 09:37:43,821 [DEBUG] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL starting
2017-02-09 09:37:43,862 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL connection established
2017-02-09 09:37:43,864 [CRITICAL] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") MITM Success! Cert file: /tmp/._cert_ca.pem_-4408897662695739272.pem
2017-02-09 09:37:43,870 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection closed


2. nogotofail MiTM tester --> TLS/SSL --> HTTPS REQUEST WITHOUT SSL CERTIFICATE HOSTNAME VERIFICATION
   the following message is displayed:
       Test failed
       javax.net.ssl.SSLHandshakeException.....
       ...........


Log from server
2017-02-09 09:41:23,577 [DEBUG] Using data handlers clientreport, bufferedhttp
2017-02-09 09:41:23,579 [INFO] [10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615 logging](Unknown) Selected for connection
2017-02-09 09:41:23,597 [INFO] [10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615 logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection established
2017-02-09 09:41:23,598 [INFO] [10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615 logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Handler being removed
2017-02-09 09:41:23,598 [INFO] [10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Selected for connection
2017-02-09 09:41:23,598 [DEBUG] [10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL starting
2017-02-09 09:41:23,621 [DEBUG] [10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')] 
2017-02-09 09:41:23,621 [INFO] [10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection closed


So my question is: what is the meaning of this log, and what is the nogotofail MiTM tester app used for?

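The server log above records one attack handler per connection: the passive "logging" handler identifies the client app, and the "selfsigned" handler reports either "MITM Success!" (the client accepted the attacker's certificate) or an "SSL exception" (the client aborted the handshake). The following is an added example, not nogotofail's own code, that reads such a log mechanically and summarizes the outcome per connection. SAMPLE_LOG is constructed from the line shape in this thread, with the client metadata shortened and the certificate path replaced by a placeholder.

```python
"""Summarize nogotofail MiTM server log output per connection.

Line shape, as seen in this thread:
  <date> <time>,<ms> [<LEVEL>] [<client ip:port><=><server ip:port> <conn id> <handler>](<client metadata>) <message>
Lines without a connection bracket (e.g. "Using data handlers ...") are
server-wide and carry no outcome.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<level>[A-Z]+)\] "
    r"(?:\[(?P<client>[\d.]+:\d+)<=>(?P<server>[\d.]+:\d+) "
    r"(?P<conn_id>[0-9a-f-]{36}) (?P<handler>\S+)\]"
    r"\((?P<meta>[^)]*)\) )?"
    r"(?P<message>.*)$"
)
APP_RE = re.compile(r'application="([^"]+)"')

# Constructed sample: connection ids from the thread, metadata shortened,
# certificate path replaced by a placeholder.
META = 'client=Sony/BRAVIA_ATV2:7.0 application="net.nogotofail.mitmtester" version="1"'
C1 = "10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d"
C2 = "10.0.0.2:39070<=>172.217.25.100:443 6947ef14-7787-4b10-b5d7-7dbfddcc8615"
SAMPLE_LOG = [
    "2017-02-09 09:37:43,800 [DEBUG] Using data handlers clientreport, bufferedhttp",
    f"2017-02-09 09:37:43,805 [INFO] [{C1} logging](Unknown) Selected for connection",
    f"2017-02-09 09:37:43,820 [INFO] [{C1} logging]({META}) Connection established",
    f"2017-02-09 09:37:43,820 [INFO] [{C1} selfsigned]({META}) Selected for connection",
    f"2017-02-09 09:37:43,862 [INFO] [{C1} selfsigned]({META}) SSL connection established",
    f"2017-02-09 09:37:43,864 [CRITICAL] [{C1} selfsigned]({META}) MITM Success! Cert file: /tmp/example_ca.pem",
    f"2017-02-09 09:41:23,598 [INFO] [{C2} selfsigned]({META}) Selected for connection",
    f"2017-02-09 09:41:23,621 [DEBUG] [{C2} selfsigned]({META}) SSL exception: [('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert certificate unknown')]",
    f"2017-02-09 09:41:23,621 [INFO] [{C2} selfsigned]({META}) Connection closed",
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    meta = fields.pop("meta") or ""
    app = APP_RE.search(meta)
    fields["application"] = app.group(1) if app else None
    return fields


def summarize(lines):
    """Group lines by connection id and classify the outcome of each attack handler."""
    conns = OrderedDict()
    for line in lines:
        f = parse_line(line)
        if f is None or f["conn_id"] is None:
            continue  # unparseable or server-wide line
        c = conns.setdefault(f["conn_id"], {
            "conn_id": f["conn_id"], "client": f["client"], "server": f["server"],
            "application": None, "attack": None, "outcome": "no_result",
        })
        if f["application"]:
            c["application"] = f["application"]
        if f["handler"] == "logging":
            continue  # passive handler, never produces an outcome
        c["attack"] = f["handler"]
        if f["message"].startswith("MITM Success!"):
            c["outcome"] = "vulnerable"   # client finished the handshake with the attack cert
        elif f["message"].startswith("SSL exception"):
            c["outcome"] = "rejected"     # client aborted the handshake: attack detected
    return list(conns.values())


def vulnerable_connections(lines):
    """Connection ids for which the client accepted the MITM."""
    return [c["conn_id"] for c in summarize(lines) if c["outcome"] == "vulnerable"]


if __name__ == "__main__":
    for c in summarize(SAMPLE_LOG):
        print(f"{c['conn_id'][:8]} {c['application']} {c['attack']}: {c['outcome']}")
```

Run against the thread's first log, this reports the connection as "vulnerable" (the client completed the handshake with the self-signed certificate), and against the second log as "rejected" (the client sent a certificate_unknown alert).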

Swaraj Waikar

Feb 8, 2017, 9:39:46 PM
to nogotofail, swaraj...@gmail.com
My second question about nogotofail MiTM tester is this:
when I tried to review the code, I saw that there is

    enabledCipherSuites.add("TLS_DH_anon_WITH_AES_128_CBC_SHA");
    enabledCipherSuites.add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA");

These are not supported by the current Android version. Why have they been added to the code? The currently supported cipher suites are as follows:
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_RSA_WITH_AES_128_GCM_SHA256
02-09 10:47:08.388 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_RSA_WITH_AES_256_GCM_SHA384
02-09 10:47:08.388 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_RSA_WITH_AES_128_CBC_SHA
02-09 10:47:08.388 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_RSA_WITH_AES_256_CBC_SHA
02-09 10:47:08.388 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_EMPTY_RENEGOTIATION_INFO_SCSV



------------------------------------------------------------------------------------------------------------

Test Scenario
When I commented out the following two lines

    //enabledCipherSuites.add("TLS_DH_anon_WITH_AES_128_CBC_SHA");
    //enabledCipherSuites.add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA");

and built and installed the APK on my device:

Step 2
nogotofail MiTM tester --> TLS/SSL --> HTTPS REQUEST WITHOUT SERVER AUTHENTICATION

 the following message is displayed
HTTP/1.0 302 Found

Log from server
2017-02-09 10:53:17,826 [DEBUG] Using data handlers clientreport, bufferedhttp
2017-02-09 10:53:17,828 [INFO] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 logging](Unknown) Selected for connection
2017-02-09 10:53:17,854 [INFO] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection established
2017-02-09 10:53:17,855 [INFO] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Handler being removed
2017-02-09 10:53:17,855 [INFO] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Selected for connection
2017-02-09 10:53:17,855 [DEBUG] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL starting
2017-02-09 10:53:17,909 [INFO] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL connection established
2017-02-09 10:53:17,910 [CRITICAL] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") MITM Success! Cert file: /tmp/._cert_ca.pem_-4408897662695739272.pem
2017-02-09 10:53:17,926 [INFO] [10.0.0.2:51117<=>172.217.26.100:443 54c21f79-37c5-4a85-a0a5-56620de50e59 selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection closed

So when I commented out the two cipher suite lines, the MITM is a success. Can you please explain why these cipher suite lines are there?

    //enabledCipherSuites.add("TLS_DH_anon_WITH_AES_128_CBC_SHA");
    //enabledCipherSuites.add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA");

Regards,
Swaraj Waikar
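Both suites in the question are anonymous (EC)DH suites: the server sends no certificate, so the handshake completes with no server authentication at all, which is exactly the condition the "HTTPS REQUEST WITHOUT SERVER AUTHENTICATION" test exercises (the reply later in this thread confirms Android offered them when the code was written). The following is an added example, not the project's code, that classifies cipher suites by their IANA names and checks a requested list against the suites a device reports; SAMPLE_LOGCAT is a constructed subset of the D/TlsUtil lines posted above, and REQUESTED holds the two suites from the question.

```python
"""Classify TLS cipher suites by IANA name and check a requested list against
the suites a device actually supports (from D/TlsUtil logcat lines)."""
import re

LOGCAT_SUITE_RE = re.compile(r"D/TlsUtil:\s+(TLS_[A-Z0-9_]+)\s*$")

# Constructed subset of the logcat output posted in this thread.
SAMPLE_LOGCAT = [
    "02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "02-09 10:47:08.387 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "02-09 10:47:08.388 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_RSA_WITH_AES_128_CBC_SHA",
    "02-09 10:47:08.388 22221-22432/net.nogotofail.mitmtester D/TlsUtil: TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# The two suites the tester's "without server authentication" test enables.
REQUESTED = [
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
]


def parse_logcat_suites(lines):
    """Pull the suite names out of D/TlsUtil logcat lines, in order."""
    return [m.group(1) for m in map(LOGCAT_SUITE_RE.search, lines) if m]


def classify(suite):
    """Split an IANA suite name into key-exchange and authentication parts.

    Returns None for signalling values (no "_WITH_"), such as the SCSV entry.
    """
    if "_WITH_" not in suite:
        return None
    kx_part, cipher_part = suite[len("TLS_"):].split("_WITH_", 1)
    tokens = kx_part.split("_")
    if tokens[-1] == "anon":
        # anonymous (EC)DH: the server presents no certificate at all
        kx, auth = "_".join(tokens[:-1]), None
    elif len(tokens) == 1:
        # plain RSA key transport: the certificate key both exchanges and authenticates
        kx, auth = tokens[0], tokens[0]
    else:
        kx, auth = tokens[0], tokens[1]
    return {
        "suite": suite,
        "key_exchange": kx,
        "authentication": auth,
        "server_authenticated": auth is not None,
        "forward_secrecy": kx in ("DHE", "ECDHE"),
        "cipher": cipher_part,
    }


def unauthenticated(suites):
    """Suites that complete a handshake without authenticating the server."""
    out = []
    for s in suites:
        c = classify(s)
        if c and not c["server_authenticated"]:
            out.append(s)
    return out


def unsupported_requests(requested, supported):
    """Requested suites the platform does not offer; enabling these fails."""
    supported_set = set(supported)
    return [s for s in requested if s not in supported_set]


if __name__ == "__main__":
    device = parse_logcat_suites(SAMPLE_LOGCAT)
    print("device suites:", len(device), "unauthenticated among them:", unauthenticated(device))
    for s in REQUESTED:
        c = classify(s)
        print(f"{s}: kx={c['key_exchange']} auth={c['authentication']}")
    print("requested but not supported here:", unsupported_requests(REQUESTED, device))
```

The device list contains only authenticated suites, so the two anonymous suites come back as both "unauthenticated" and "unsupported": the first is why the test needs them, the second is why enabling them fails on this platform.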


Alex Klyubin

Feb 10, 2017, 5:57:48 PM
to Swaraj Waikar, nogotofail
These ciphersuites were supported on Android when the code in question was written. The situation has changed since then.

--
You received this message because you are subscribed to the Google Groups "nogotofail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nogotofail+...@googlegroups.com.
To post to this group, send email to nogot...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nogotofail/4a829a29-fa17-440d-affa-82af63fdcb0f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

swaraj...@gmail.com

Feb 12, 2017, 9:19:46 PM
to nogotofail, swaraj...@gmail.com
Thanks for answering my second question.

Regarding my first question, which is as follows:


Configuration setting 

1) nogotofail
    Configuration   nogotofail --> settings --> Attacks
       Probability of attack -- 100% 
       Custom list of attacks -- Checked 
  
       Only the following attack was checked; all other attacks were unchecked:

        Self-signed TLS cert -- Checked 


 2) nogotofail MiTM tester 


Test scenario 
When we click on
1. nogotofail MiTM tester --> TLS/SSL --> HTTPS REQUEST WITHOUT SSL CERTIFICATE CHAIN-OF-TRUST CHECK
   the following message is displayed:
       TEST RESULT 
       HTTP/1.0 302 Found

Log from server
2017-02-09 09:37:43,805 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d logging](Unknown) Selected for connection
2017-02-09 09:37:43,820 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection established
2017-02-09 09:37:43,820 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d logging](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Handler being removed
2017-02-09 09:37:43,820 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Selected for connection
2017-02-09 09:37:43,821 [DEBUG] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL starting
2017-02-09 09:37:43,862 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") SSL connection established
2017-02-09 09:37:43,864 [CRITICAL] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") MITM Success! Cert file: /tmp/._cert_ca.pem_-4408897662695739272.pem
2017-02-09 09:37:43,870 [INFO] [10.0.0.2:37198<=>172.217.26.36:443 99124100-43eb-4143-9dc5-d7b6bcf3030d selfsigned](client=Sony/BRAVIA_ATV2_JP/BRAVIA_ATV2:7.0/NRD91N.S4/0.1.0.08.01.1.00:userdebug/dev-keys application="net.nogotofail.mitmtester" version="1") Connection closed


As highlighted, it says MITM success, so is it a vulnerability or a misconfiguration? I did not see any pop-up or notification on the client app.



Regards,
Swaraj 



Alex Klyubin

Feb 13, 2017, 12:31:50 PM
to swaraj...@gmail.com, nogotofail
Nogotofail MiTM tester app is on purpose creating vulnerable traffic. This is so that you can test whether your setup correctly detects it and notifies you. If you're not getting notifications, check whether the nogotofail app (not nogotofail MiTM tester app) on the device under test is connected to the MiTM server. The app should say "Connected" in its main screen.


swaraj...@gmail.com

Feb 15, 2017, 1:51:04 AM
to nogotofail, swaraj...@gmail.com
Thanks for your support, keep the good work going!

Regards
SwaraJ