|
| spidey1 wrote:
| Is there a similar tool that a non-security expert could use on
| the Mac?
| matheusmoreira wrote:
| If the application isn't pinning certificates, you should be
| able to add your own root certificate to your machine and
| intercept all encrypted traffic. Same method used by
| corporations to monitor their own networks. I successfully used
| this method on a mobile game years ago.
|
| Applications with pinned certificates don't use the system
| certificates at all which fixes the MITM vulnerability I
| described. You'd need to reverse engineer them in order to
| change the certificate to one under your control, difficulty
| can vary depending on how obfuscated the code is.
| K0nserv wrote:
| Not sure about the non-security expert bit but I've done
| stuff[0] similar to this for iOS using Frida[1], which supports
| macOS too. For apps that use unpinned certificates and the
| built-in networking libraries (NSURLSession et al.) you can
| directly use mitmproxy[2] or Charles[3].
|
| 0: https://hugotunius.se/2020/08/07/stealing-tls-sessions-keys-...
|
| 1: https://frida.re/
|
| 2: https://mitmproxy.org/
|
| 3: https://www.charlesproxy.com/
| max1truc wrote:
| ArchOversight wrote:
| Meta: it's on the front page now.
| randomhodler84 wrote:
| Another useful tool I have used in the past on Windows is Nektra
| Deviare for function hooking. This is similar to the old
| Microsoft Detours framework, in that one can dynamically patch
| code in the running binary. I have used this to grab raw keys.
|
| https://www.nektra.com/products/deviare-api-hook-windows/
| jcalvinowens wrote:
| Nice work!
|
| I'm curious: did you consider hacking the Oculus binary to accept
| an SSL cert you made yourself, and MITM-ing it to see the
| traffic?
|
| I'm sure they have it pinned and don't use the OS certs, but you
| could just overwrite the root cert that must exist in that binary
| somewhere with your own, right?
| zevv wrote:
| > but you could just overwrite the root cert that must exist in
| that binary somewhere with your own, right?
|
| Unless they use certificate pinning, which is basically just
| verifying the CAs are not tampered with. Theoretically that
| could be attacked as well, but it prevents the "just replace
| the CA" case.
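| Where the thread contrasts trusting the system store with certificate
| pinning, here is an added client-side pin check in Python (my own
| example, not code from the commenters or any tool they mention): the
| chain is still validated against the OS roots as usual, and then the
| presented certificate's SHA-256 fingerprint must also match a pinned
| value. `check_pins`, `connect_pinned` and the byte strings are
| constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

def sha256_hex(der: bytes) -> str:
    """Fingerprint one DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def check_pins(chain_der: list[bytes], pins: set[str]) -> tuple[bool, str]:
    """Return (ok, detail). ok is True when any certificate in the presented
    chain matches a pinned SHA-256 fingerprint. Keeping a backup pin in `pins`
    lets the server rotate certificates without locking out clients."""
    if not chain_der:
        return False, "empty chain"
    wanted = {p.lower() for p in pins}
    seen = []
    for i, der in enumerate(chain_der):
        fp = sha256_hex(der)
        seen.append(fp)
        # constant-time comparison, as for any expected-vs-presented check
        if any(hmac.compare_digest(fp, p) for p in wanted):
            return True, f"pin matched chain[{i}]"
    # On failure report what was seen: an unexpected fingerprint is exactly
    # how an interposing proxy CA shows up on the client side.
    return False, "no pin matched; presented " + ",".join(seen)

def connect_pinned(host: str, port: int, pins: set[str]) -> ssl.SSLSocket:
    """Open a TLS connection: normal chain validation against the OS trust
    store plus hostname check, then the pin check before any data is sent.
    Needs network access, so it is not exercised offline."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    # Python's ssl only exposes the leaf here; pass the full chain if your
    # TLS stack provides it and you want to pin an intermediate instead.
    ok, detail = check_pins([tls.getpeercert(binary_form=True)], pins)
    if not ok:
        tls.close()
        raise ssl.SSLError(f"certificate pin failure for {host}: {detail}")
    return tls

# Constructed stand-in "certificates": real DER is ASN.1, but the
# fingerprint logic does not depend on the contents.
GOOD_LEAF = b"constructed-der:leaf-v1"
ROTATED_LEAF = b"constructed-der:leaf-v2"
INTERPOSED = b"constructed-der:proxy-issued-leaf"
PINS = {sha256_hex(GOOD_LEAF), sha256_hex(ROTATED_LEAF)}  # current + backup
```

| Pinning the whole certificate, as here, means every renewal needs a
| pin update; many pinning libraries pin the SubjectPublicKeyInfo hash
| instead so that a re-issued certificate with the same key keeps working.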
| severino wrote:
| > I'm curious: did you consider hacking the Oculus binary to
| accept an SSL cert you made yourself, and MITM-ing it to see
| the traffic?
|
| Is that what he refers to when he says "I didn't want to add
| extra root certificates and proxies to inspect all TLS traffic
| going on the machine", or are we talking about different
| things?
___________________________________________________________________
(page generated 2022-05-24 23:00 UTC) |