Initial import.
This commit is contained in:
Kyle Isom
42
cmd/stealchain/README
Normal file
42
cmd/stealchain/README
Normal file
@@ -0,0 +1,42 @@
|
||||
stealchain
|
||||
|
||||
This is a utility to extract the verified X.509 chain from a TLS
|
||||
connection. It takes a list of sites on the command line; for each
|
||||
site that it can connect to, it will dump the certificates that the
|
||||
peer actually sent (and not the verified chain that is built from
|
||||
this).
|
||||
|
||||
It was written to assist in debugging issues with certificate chains.
|
||||
|
||||
There are a few knobs:
|
||||
|
||||
-ca allows the trusted CA roots to be specified via a PEM bundle of
|
||||
root certificates.
|
||||
|
||||
-sni specifies the server name for SNI. This applies to all hosts in
|
||||
the run; if this is run as
|
||||
|
||||
$ stealchain -sni foo.com foo.com bar.com
|
||||
|
||||
it will attempt to use "foo.com" as the server name for both hosts.
|
||||
|
||||
-noverify skips certificate verification. This might be useful for seeing
|
||||
what certificates a server is actually sending.
|
||||
|
||||
|
||||
Examples:
|
||||
|
||||
$ stealchain kyleisom.net
|
||||
[+] wrote kyleisom.net.pem.
|
||||
$ readchain kyleisom.net.pem
|
||||
[+] kyleisom.net.pem:
|
||||
*.kyleisom.net
|
||||
COMODO RSA Domain Validation Secure Server CA
|
||||
|
||||
$ stealchain google.com microsoft.com apple.com amazon.com
|
||||
[+] wrote google.com.pem.
|
||||
[+] wrote microsoft.com.pem.
|
||||
[+] wrote apple.com.pem.
|
||||
[+] wrote amazon.com.pem.
|
||||
|
||||
|
||||
63
cmd/stealchain/thief.go
Normal file
63
cmd/stealchain/thief.go
Normal file
@@ -0,0 +1,63 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/pem"
|
||||
"flag"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"os"
|
||||
|
||||
"github.com/kisom/goutils/die"
|
||||
)
|
||||
|
||||
func main() {
|
||||
var cfg = &tls.Config{}
|
||||
|
||||
var sysRoot, serverName string
|
||||
flag.StringVar(&sysRoot, "ca", "", "provide an alternate CA bundle")
|
||||
flag.StringVar(&cfg.ServerName, "sni", cfg.ServerName, "provide an SNI name")
|
||||
flag.BoolVar(&cfg.InsecureSkipVerify, "noverify", false, "don't verify certificates")
|
||||
flag.Parse()
|
||||
|
||||
if sysRoot != "" {
|
||||
pemList, err := ioutil.ReadFile(sysRoot)
|
||||
die.If(err)
|
||||
|
||||
roots := x509.NewCertPool()
|
||||
if !roots.AppendCertsFromPEM(pemList) {
|
||||
fmt.Printf("[!] no valid roots found")
|
||||
roots = nil
|
||||
}
|
||||
|
||||
cfg.RootCAs = roots
|
||||
}
|
||||
|
||||
if serverName != "" {
|
||||
cfg.ServerName = serverName
|
||||
}
|
||||
|
||||
for _, site := range flag.Args() {
|
||||
conn, err := tls.Dial("tcp", site+":443", cfg)
|
||||
if err != nil {
|
||||
fmt.Println(err.Error())
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
cs := conn.ConnectionState()
|
||||
var chain []byte
|
||||
|
||||
for _, cert := range cs.PeerCertificates {
|
||||
p := &pem.Block{
|
||||
Type: "CERTIFICATE",
|
||||
Bytes: cert.Raw,
|
||||
}
|
||||
chain = append(chain, pem.EncodeToMemory(p)...)
|
||||
}
|
||||
|
||||
err = ioutil.WriteFile(site+".pem", chain, 0644)
|
||||
die.If(err)
|
||||
fmt.Printf("[+] wrote %s.pem.\n", site)
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user