| Detect SSL Certificate InjectionKrazyWorks

Networking

Unix and Linux network configuration. Multiple network interfaces. Bridged NICs. High-availability network configurations.

Applications

Reviews of latest Unix and Linux software. Helpful tips for application support admins. Automating application support.

Data

Disk partitioning, filesystems, directories, and files. Volume management, logical volumes, HA filesystems. Backups and disaster recovery.

Monitoring

Distributed server monitoring. Server performance and capacity planning. Monitoring applications, network status and user activity.

Commands & Shells

Cool Unix shell commands and options. Command-line tools and application. Things every Unix sysadmin needs to know.

Home » Featured, Networking, Security

Detect SSL Certificate Injection

Submitted by Igor on February 21, 2018 – 3:05 pm

When the SSL Digital Certificate is intercepted and replaced by a device between your browser and the Web site, we call it certificate injection. This method is more commonly used not by hackers, but by corporate IT security utilizing appliances known as SSL sniffers, such as Blue Coat ProxySG or Netronome SSL. These systems are also known as IDS/IPS, or DLP appliances.To make a long story short, the sniffer receives the Web site’s cert but sends you its own – also a perfectly valid cert that has already been added to the trusted sources on your corporate laptop.

Think of this as the sniffer acting as the Web server as far as your browser is concerned. It is also acting as your browser, as far as the Web server can tell. It’s like FedEx leaving a parcel with a nosy neighbor, who looks inside, then reseals it and hand-delivers it to your door.

Now imagine that you obtain the Web site’s certificate’s fingerprint from your laptop and also from your home computer unaffected by the sniffer because it’s not on your company’s network. The two fingerprints will not match and this is how you will know you’re being screwed.

The small script below does just that: gets the fingerprint directly and then repeats the process via one or more remote proxy servers of your choice. It will tell you if the fingerprints don’t match.

#!/bin/bash
#                                      |
#                                  ___/"\___
#                          __________/ o \__________
#                            (I) (G) \___/ (O) (R)
#                                   Igor Os
#                           igor@comradegeneral.com
#                                 2018-01-16
#
# ---------------------------------------------------
# Obtain a remote sites SSL fingerprint via localhost
# and compare it to the fingerprintes received via
# remote proxies. This can be useful for identifying
# potential SSL sniffing via certificate injection.
# ---------------------------------------------------
domains="${@}"
if [ -z "${domains}" ]; then echo "Specify domains"; exit 1; fi
rproxies="192.168.122.12 192.168.122.13"
leip="$(curl -s0 -k -q ifconfig.me 2>/dev/null)"
echo "${HOSTNAME} external IP: ${leip}"
for d in ${domains}; do
  for rproxy in ${rproxies}; do
    lsha="$(openssl s_client -connect ${d}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout -in /dev/stdin | awk -F= '{print $NF}')"
    rsha="$(ssh -qt ${rproxy} "openssl s_client -connect ${d}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout -in /dev/stdin" 2>/dev/null | awk -F= '{print $NF}')"
    if [ "$(echo "$lsha" | tr -dc '[:print:]' | od -c)" != "$(echo "$rsha" | tr -dc '[:print:]' | od -c)" ]; then
      reip="$(ssh -qt ${rproxy} 'curl -s0 -k -q ifconfig.me 2>/dev/null')"
      echo "Proxy's external IP: ${reip}"
      colordiff <(echo "$lsha" | tr -dc '[:print:]' | od -c) <(echo "$rsha" | tr -dc '[:print:]' | od -c)
    else
      echo "${d} checks out via ${rproxy}"
    fi
  done
done