1

I'm investigating man-in-the-middle attacks and trying to pipe raw HTTPS data (that is, before decryption) to and from a pair of sockets. For now, I just want to listen to the encrypted traffic, so I want any data going out to go from my web browser, through my script, and out to the intended recipient, and any data coming in to do the reverse. Ideally I'd just like to connect the incoming and outgoing sockets together and have them transfer data between each other automatically, but I haven't seen a way to do it in Ruby so I have been using the following, which I took from How can I create a two-way SSL socket in Ruby .

Here is my code: 

def socketLoop(incoming, outgoing)

    loop do
        puts "selecting"
        ready = IO.select([outgoing, incoming])

        if ready[0].include?(incoming)
            data_to_send = incoming.read_nonblock(32768)
            outgoing.write(data_to_send)

            puts "sent out"
            puts  data_to_send
        end

        if ready[0].include?(outgoing)
            data_received = outgoing.read_nonblock(32768)
            incoming.write(data_received)

            puts "read in"
            puts data_received

            break if outgoing.nil? || outgoing.closed? || outgoing.eof?
        end
    end

end

server = TCPServer.open(LISTENING_PORT) 

loop {
    Thread.start(server.accept){ |incoming|

        outgoing = TCPSocket.new(TARGET_IP, TARGET_PORT)
        socketLoop(incoming, outgoing)

        outgoing.close                  # Disconnect from target
        incoming.close                # Disconnect from the client
    }
}

It works beautifully for HTTP but for HTTPS, my browser keeps spinning, and the output seems to indicate that at least part of a certificate has been sent over, but not much more. I presume I was being naïve to think that it would work for SSL, but as far as I know it uses TCP as the transport layer so I'm not sure why it doesn't work. Is it possible to get the raw data in this way? Is it an issue with my Ruby or have I made some wrong assumptions? I'd prefer not to use a system-wide packet sniffer if possible. If it would not be easy in Ruby, I'd be very grateful for any pointers in another language too.

Thanks a lot for your help!

EDIT: It seems that I can do this easily with netcat -

sudo nc -l 443 0<backpipe | nc  $TARGET_IP 443 >backpipe

so I am rather embarassed that I didn't think of something so simple in the first place, however I would still be interested to see what I was not doing right in Ruby.

stellarpower
  • 332
  • 3
  • 13

0 Answers0