Comments (9)
I guess you already know that sslsplit opens a new connection to the server, so the server receives packets from the new source address, which is the external address of the MiTM proxy. So, it's perhaps my lack of knowledge, but I don't how tproxy can help us use the client address while connecting to the server.
from sslsplit.
What I understand is we can read the source and destination IP address on the packets intercepted via TPROXY.
Currently (with masquerading)
I'm not sure how exactly masquerading works on SSLSplit, so below is my vague vision of it.
Outgoing traffic (traffic originating from SSLSplit):
Source IP address is translated to the external address, source port is either kept or translated to whatever port is available on the server SSLSplit runs on.
Incoming traffic (traffic coming into SSLSplit from the targeted server):
Traffic for a client is distinguished by the destination port on the incoming traffic. After we figure out which client the incoming packet is supposed to go to, destination IP address is translated to the said client's address, destination port is kept if it wasn't changed on outgoing traffic, or translated to the original if it was.
Would be (without masquerading)
Outgoing traffic (traffic originating from SSLSplit):
Since SSLSplit opens a new connection, packets will leave with the server's external address as the source IP. SSLSplit needs to read the source IP of the intercepted packets and rewrite the source IP when going out of SSLSplit. Source port is kept.
Incoming traffic (traffic coming into SSLSplit from the targeted server):
Traffic for a client is distinguished by the destination address on the incoming traffic. Destination address and port is kept.
from sslsplit.
Sslsplit establishes a new connection with the server. There is no address translation in sslsplit. And I have no idea how sslsplit can use the client address to connect to the server (sslsplit and the client run on separate machines).
from sslsplit.
Sslsplit establishes a new connection with the server. There is no address translation in sslsplit.
Understood, that's misconception from my part. Although there's a certain mechanism to distinguish traffic intended to go to different clients (which packet should go to which client), similar to what I pictured above, correct? I don't really know how handling clients over transparent proxy works so I had assumed the proxy program would do sort of what the MASQUERADE target does.
And I have no idea how sslsplit can use the client address to connect to the server (sslsplit and the client run on separate machines).
It's technically originating a packet from SSLSplit with a fake IP (which is the address of the client). It doesn't belong in the network MitM proxy is in. So, once the packet with fake IP is delivered to the targeted server, it's going to reply back to that said IP address, which will flow through our device being the MitM. We can easily intercept that and feed it to SSLSplit. Then SSLSplit would do what I explained above to distinguish the packet to a certain client, do the SSL/TLS inspection and send the packet back to that client.
Reading the source and destination address of the intercepted packet from SSLSplit though, that, I do not know. Coding is not my strong suit.
from sslsplit.
You apparently have a very special network configuration. Underneath sslsplit is libevent. I don't think libevent can spoof IP addresses. So, in the end, the answer is that sslsplit does not support IP spoofing.
from sslsplit.
I wouldn't call it special but rather a specific attack vector. I'm currently writing a research piece about the importance of layer 2 security on hosting providers. I want to point out the catastrophy their carelessness of properly isolating virtual servers would bring upon them.
This gives me the ability to do ARP spoofing attack on the targeted webserver which allows me to get a valid Let's Encrypt certificate for their domain and run SSLSplit with it to sniff client's sensitive information without them seeing any insecure connection warnings.
This process is already completely transparent to the client as the only thing that would give this away is the different certificate but since it's valid, no one would look at it twice.
Webserver side could very easily notice the attack with the current state of SSLSplit. Suddenly, all the traffic they serve over TLS becomes this single IP address. This is why I wanted to hand the traffic to the webserver with the original source as the source IP so the attack would become much harder to detect.
Squid's TPROXY page seems to imply that this is possible via the spoof_client_ip config directive. I basically want the same thing on SSLSplit.
TPROXY seems to support what I want:
https://github.com/darkk/redsocks/blob/master/doc/balabit-TPROXY-README.txt#L28
The doc above also explains the implementation to bind to foreign addresses to listen for connections.
from sslsplit.
Here's an answer related to bind()
to remote addresses:
https://stackoverflow.com/a/26507847
from sslsplit.
I also have the exact same network setup and am looking for a way to implement this! Did you ever find anything that would allow you to keep client source IP, if you control the upstream router that any returning traffic would be passing through? I really want to use sslsplit for this for the packet mirror feature, but in my architecture there is a second router upstream of me that is responsible for all NAT, so I don't want to introduce a second layer of NAT, especially with IPv6!
from sslsplit.
Unfortunately I didn't. I had to move on to other things at hand and have been handling them since. Life amiright?
from sslsplit.
Related Issues (20)
- Openssl 3.0 HOT 4
- Error from src bufferevent HOT 7
- How will sslsplit handle quic? HOT 5
- An error was encountered while using HTTPS spec: peeking did not yield a (truncated) clienthello message, aborting connection HOT 5
- evbuffer_get_length of autossl in environment where sender speed is slower than receiver (Buffer watermarking not working in autossl) HOT 28
- [solved] Problems to build sslsplit HOT 1
- Connection not found in NAT state table, aborting connection HOT 7
- Error from src bufferevent: 0:- 337092801:193:no shared cipher:20:SSL routines:378:tls_post_process_client_hello HOT 3
- tests fail without network connection HOT 1
- Failed to lookup target ether, without error from logpkt_ether_lookup HOT 7
- Bind to specific interface
- Downloading specific file results in "Terminating connection (out of memory)!" even when unencrypted HOT 3
- intercept localhost traffic HOT 1
- Compiling Statically linked binaries not possible anymore ?
- selective TLS interception HOT 1
- Musl build error: Undefined reference to [`fts_open, fts_read, fts_set, fts_close]
- SSLKEYLOGFILE can not support TLSv1.3 HOT 1
- Cannot intercept protocol in which SSL connection is initiated by the server HOT 17
- Please support a non‑transparent mode…
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sslsplit.