Detect SSL Certificate Injection
When the SSL Digital Certificate is intercepted and replaced by a device between your browser and the Web site, we call it certificate injection. This method is more commonly used not by hackers, but by corporate IT security utilizing appliances known as SSL sniffers, such as Blue Coat ProxySG or Netronome SSL. These systems are also known as IDS/IPS, or DLP appliances.To make a long story short, the sniffer receives the Web site’s cert but sends you its own – also a perfectly valid cert that has already been added to the trusted sources on your corporate laptop.
Think of this as the sniffer acting as the Web server as far as your browser is concerned. It is also acting as your browser, as far as the Web server can tell. It’s like FedEx leaving a parcel with a nosy neighbor, who looks inside, then reseals it and hand-delivers it to your door.
Now imagine that you obtain the Web site’s certificate’s fingerprint from your laptop and also from your home computer unaffected by the sniffer because it’s not on your company’s network. The two fingerprints will not match and this is how you will know you’re being screwed.
The small script below does just that: gets the fingerprint directly and then repeats the process via one or more remote proxy servers of your choice. It will tell you if the fingerprints don’t match.
#!/bin/bash # | # ___/"\___ # __________/ o \__________ # (I) (G) \___/ (O) (R) # Igor Os # igor@comradegeneral.com # 2018-01-16 # # --------------------------------------------------- # Obtain a remote sites SSL fingerprint via localhost # and compare it to the fingerprintes received via # remote proxies. This can be useful for identifying # potential SSL sniffing via certificate injection. # --------------------------------------------------- domains="${@}" if [ -z "${domains}" ]; then echo "Specify domains"; exit 1; fi rproxies="192.168.122.12 192.168.122.13" leip="$(curl -s0 -k -q ifconfig.me 2>/dev/null)" echo "${HOSTNAME} external IP: ${leip}" for d in ${domains}; do for rproxy in ${rproxies}; do lsha="$(openssl s_client -connect ${d}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout -in /dev/stdin | awk -F= '{print $NF}')" rsha="$(ssh -qt ${rproxy} "openssl s_client -connect ${d}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout -in /dev/stdin" 2>/dev/null | awk -F= '{print $NF}')" if [ "$(echo "$lsha" | tr -dc '[:print:]' | od -c)" != "$(echo "$rsha" | tr -dc '[:print:]' | od -c)" ]; then reip="$(ssh -qt ${rproxy} 'curl -s0 -k -q ifconfig.me 2>/dev/null')" echo "Proxy's external IP: ${reip}" colordiff <(echo "$lsha" | tr -dc '[:print:]' | od -c) <(echo "$rsha" | tr -dc '[:print:]' | od -c) else echo "${d} checks out via ${rproxy}" fi done done