[HN Gopher] Extracting TLS keys from an unwilling application (2... ___________________________________________________________________ Extracting TLS keys from an unwilling application (2020) Author : wwarner Score : 96 points Date : 2022-05-24 17:13 UTC (5 hours ago) (HTM) web link (m1el.github.io) (TXT) w3m dump (m1el.github.io) | spidey1 wrote: | Is there a similar tool that a non-security expert could use on | the Mac? | matheusmoreira wrote: | If the application isn't pinning certificates, you should be | able to add your own root certificate to your machine and | intercept all encrypted traffic. Same method used by | corporations to monitor their own networks. I successfully used | this method on a mobile game years ago. | | Applications with pinned certificates don't use the system | certificates at all which fixes the MITM vulnerability I | described. You'd need to reverse engineer them in order to | change the certificate to one under your control, difficulty | can vary depending on how obfuscated the code is. | K0nserv wrote: | Not sure about the non-security expert bit but I've done | stuff[0] similar to this for iOS using Frida[1] which supports | macOS too. For apps that use unpinned certificates and the | builtin networking libraries(NSURLSession et.al.) you can | directly use mimtproxy[2] or Charles[3] | | 0: https://hugotunius.se/2020/08/07/stealing-tls-sessions- | keys-... | | 1: https://frida.re/ | | 2: https://mitmproxy.org/ | | 3: https://www.charlesproxy.com/ | max1truc wrote: | ArchOversight wrote: | Meta: it's on the front page now. | randomhodler84 wrote: | Another useful tool I have used in the past in windows is Nektra | Deviare for function hooking. This is similar to the old | Microsoft Detours framework, in that one can dynamically patch | code in the running binary. I have used this to grab raw keys. | | https://www.nektra.com/products/deviare-api-hook-windows/ | jcalvinowens wrote: | Nice work! | | I'm curious: did you consider hacking the Oculus binary to accept | an SSL cert you made yourself, and MITM-ing it to see the | traffic? | | I'm sure they have it pinned and don't use the OS certs, but you | could just overwrite the root cert that must exist in that binary | somewhere with your own, right? | zevv wrote: | > but you could just overwrite the root cert that must exist in | that binary somewhere with your own, right? | | Unless they use certificate pinning, which is basically just | verifying the CA's are not tampered with. Theoretically that | could be attacked as well, but it prevents the "just replace | the CA" case. | severino wrote: | > I'm curious: did you consider hacking the Oculus binary to | accept an SSL cert you made yourself, and MITM-ing it to see | the traffic? | | Is that what he refers to when he says "I didn't want to add | extra root certificates and proxies to inspect all TLS traffic | going on the machine", or are we talking about different | things? ___________________________________________________________________ (page generated 2022-05-24 23:00 UTC)