[HN Gopher] Extracting TLS keys from an unwilling application (2...
       ___________________________________________________________________
        
       Extracting TLS keys from an unwilling application (2020)
        
       Author : wwarner
       Score  : 96 points
       Date   : 2022-05-24 17:13 UTC (5 hours ago)
        
 (HTM) web link (m1el.github.io)
 (TXT) w3m dump (m1el.github.io)
        
       | spidey1 wrote:
       | Is there a similar tool that a non-security expert could use on
       | the Mac?
        
         | matheusmoreira wrote:
         | If the application isn't pinning certificates, you should be
         | able to add your own root certificate to your machine and
         | intercept all encrypted traffic. Same method used by
         | corporations to monitor their own networks. I successfully used
         | this method on a mobile game years ago.
         | 
         | Applications with pinned certificates don't use the system
         | certificates at all, which fixes the MITM vulnerability I
         | described. You'd need to reverse engineer them in order to
         | change the certificate to one under your control; difficulty
         | can vary depending on how obfuscated the code is.
        
         | K0nserv wrote:
         | Not sure about the non-security expert bit but I've done
         | stuff[0] similar to this for iOS using Frida[1] which supports
         | macOS too. For apps that use unpinned certificates and the
         | built-in networking libraries (NSURLSession et al.) you can
         | directly use mitmproxy[2] or Charles[3].
         | 
         | 0: https://hugotunius.se/2020/08/07/stealing-tls-sessions-
         | keys-...
         | 
         | 1: https://frida.re/
         | 
         | 2: https://mitmproxy.org/
         | 
         | 3: https://www.charlesproxy.com/
        
       | max1truc wrote:
        
         | ArchOversight wrote:
         | Meta: it's on the front page now.
        
       | randomhodler84 wrote:
       | Another useful tool I have used in the past in Windows is Nektra
       | Deviare for function hooking. This is similar to the old
       | Microsoft Detours framework, in that one can dynamically patch
       | code in the running binary. I have used this to grab raw keys.
       | 
       | https://www.nektra.com/products/deviare-api-hook-windows/
        
       | jcalvinowens wrote:
       | Nice work!
       | 
       | I'm curious: did you consider hacking the Oculus binary to accept
       | an SSL cert you made yourself, and MITM-ing it to see the
       | traffic?
       | 
       | I'm sure they have it pinned and don't use the OS certs, but you
       | could just overwrite the root cert that must exist in that binary
       | somewhere with your own, right?
        
         | zevv wrote:
         | > but you could just overwrite the root cert that must exist in
         | that binary somewhere with your own, right?
         | 
         | Unless they use certificate pinning, which is basically just
         | verifying the CAs are not tampered with. Theoretically that
         | could be attacked as well, but it prevents the "just replace
         | the CA" case.
        
         | severino wrote:
         | > I'm curious: did you consider hacking the Oculus binary to
         | accept an SSL cert you made yourself, and MITM-ing it to see
         | the traffic?
         | 
         | Is that what he refers to when he says "I didn't want to add
         | extra root certificates and proxies to inspect all TLS traffic
         | going on the machine", or are we talking about different
         | things?
        
       ___________________________________________________________________
       (page generated 2022-05-24 23:00 UTC)