Skip to content

A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.

License

Notifications You must be signed in to change notification settings

ouspg/certmitm_logging

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

certmitm

               _             _ _               _                                     
              | |           (_) |             | |                                    
  ___ ___ _ __| |_ _ __ ___  _| |_ _ __ ___   | |__  _   _    __ _  __ _ _ __   ___  
 / __/ _ \ '__| __| '_ ` _ \| | __| '_ ` _ \  | '_ \| | | |  / _` |/ _` | '_ \ / _ \ 
| (_|  __/ |  | |_| | | | | | | |_| | | | | | | |_) | |_| | | (_| | (_| | |_) | (_) |
 \___\___|_|   \__|_| |_| |_|_|\__|_| |_| |_| |_.__/ \__, |  \__,_|\__,_| .__/ \___/ 
                                                      __/ |             | |          
                                                     |___/              |_|          

A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.

Created by Aapo Oksman - https://github.com/AapoOksman/certmitm - MIT License

Published in DEF CON 31 on August 11 2023

YouTube: DEF CON 31 - certmitm: automatic exploitation of TLS certificate validation vulnerabilities - Aapo Oksman

DEF CON 31 certmitm Slides.pdf

DEF CON 31 certmitm Demo.mp4

Installation

certmitm has been tested on Debian 11 and Debian 12. It should work on Linux with Python 3.10 and up

Install required python packages with

pip install -r requirements.txt

Obtain real certificates such as a Let's Encrypt certificate and save them to real_certs

Usage

First you need to intercept TLS connections. The easies way for this is to configure the computer running certmitm to act as a router for other devices in the network.

For example:

  1. Start a DHCP/DNS server
sudo ip addr add 10.0.0.1/24 dev eth0
sudo dnsmasq --no-daemon --interface eth0 --dhcp-range=10.0.0.100,10.0.0.200 --log-dhcp --log-queries --bind-interfaces -C /dev/null
  1. Intercept TLS connections from the clients and redirect other connections to the internet through the WLAN interface
sudo iptables -A INPUT -i eth0 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 9900
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
  1. Start certmitm
python3 certmitm.py --listen 9900 --workdir testing --verbose --show-data
  1. Connect clients to the network and start applications. Note that you might need to retry running the applications a couple of times while the tests fail.

Hall of fame

List of publicly disclosed vulnerabilities found with certmitm. Open an issue if you have found a vulnerability with certmitm and want to be included.

Author Product Details CVE
Aapo Oksman [in] [X] Microsoft Azure Java SDK Microsoft advisory CVE-2020-16971
Aapo Oksman [in] [X] Microsoft Azure C SDK Microsoft advisory CVE-2020-17002
Aapo Oksman [in] [X] Disk-o-cloud HackerOne report
Aapo Oksman [in] [X] Apple iOS App Store Apple security update CVE-2021-1837
Aapo Oksman [in] [X] Microsoft Intune Microsoft advisory CVE-2021-31980
Aapo Oksman [in] [X] Acronis True Image Acronis advisory, HackerOne report CVE-2021-32581
Aapo Oksman [in] [X] Microsoft Windows Authentication Microsoft advisory CVE-2022-26913
Aapo Oksman [in] [X] Mattermost iOS Mattermost advisory MMSA-2023-00220 CVE-2023-3615
Aapo Oksman [in] [X] Microsoft Windows Enroll Engine Microsoft advisory CVE-2023-28226
Aapo Oksman [in] [X] Samsung Email for Android Samsung advisory SVE-2023-1004 CVE-2023-30729
Aapo Oksman [in] [X] Apple Books for iOS, macOS and watchOS macOS Sonoma 14 security updates, iOS 17 and iPadOS 17 security updates, watchOS 10 security updates
Aapo Oksman [in] [X] Line iOS HackerOne report CVE-2023-5554

About

A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%