/alpnpass

This tool will listen on a given port, strip SSL encryption, forward traffic through a plain TCP proxy, then encrypt the returning traffic again and send it to the target of your choice. Unlike most SSL stripping solutions this tool will negotiate ALPN and preserve the negotiated protocol all the way to the target.

Primary LanguageGoThe UnlicenseUnlicense

ALPN Pass

This tool will listen on a given port, strip SSL encryption, forward traffic through a plain TCP proxy, then encrypt the returning traffic again and send it to the target of your choice. Unlike most SSL stripping solutions this tool will negotiate ALPN and preserve the negotiated protocol all the way to the target.

The intended use of the tool is helping analyze SSL encrypted traffic in any app that uses ALPN to multiplex several protocols into one port. You will need something else to actually look at the traffic, such as IO Ninja with the TCP Proxy plugin or Wireshark.

Compiling

Just run "go build" and everything should work automagically. There are no external dependencies.

Usage

./alpnpass [alpnpass.json]

The alpnpass.json configuration file is currently the only way to configure this tool. You can specify any other filename of course. Here is an example with all default values:

{
	"InputPort":            "1111",
	"InterceptorPort":      "2222",
	"ReturnPort":           "3333",
	"OutputPort":           "4444",
	"InputBindIP":          "127.0.0.1",
	"InterceptorConnectIP": "127.0.0.1",
	"ReturnBindIP":         "127.0.0.1",
	"OutputConnectIP":      "127.0.0.1",
	"MinVersion":           "SSL30",
	"MaxVersion":           "TLS13",
	"Hostname":             "127.0.0.1",
	"CACert":               "ca.crt",
	"ServerCert":           "server.crt",
	"ServerKey":            "server.key",
	"ClientCert":           "client.crt",
	"ClientKey":            "client.key",
	"ALPN":                 [
		"h2",
		"h2c",
		"http/1.1",
		"http/1.0",
		"spdy/3",
		"spdy/2",
		"spdy/1",
		"stun.turn",
		"stun.nat-discovery",
		"webrtc",
		"c-webrtc",
		"ftp",
		"imap",
		"pop3",
		"managesieve",
		"coap",
		"xmpp-client",
		"xmpp-server",
		"acme-tls/1",
		"mqtt",
		"dot",
		"ntske/1",
		"sunrpc",
		"spdy/3.1",
		"h2-14",
		"h2-15",
		"h2-16"
	],
	"Ciphers": [
		"TLS_RSA_WITH_RC4_128_SHA",
		"TLS_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
		"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_RSA_WITH_AES_256_CBC_SHA",
		"TLS_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
	]
}

If the configuration file cannot be read or some settings are missing, the above default values will be used. (Note that the default list of ciphers may differ from the one you see above, since it depends on the exact version of golang used to compile the tool).

With the default configuration, alpnpass will open TCP port 1111, receive SSL connections and negotiate ALPN. Then it will connect to any intercepting TCP proxy of your choice in plaintext on port 2222, and expect return connections on port 3333. When receiving the return connection, traffic will be SSL encrypted again and sent to port 4444, using the same ALPN negotiated protocol.

For example, if you set the IO Ninja TCP proxy to listen on port 2222 and connect on port 3333, this will happen:

client -> alpnpass (port 1111, SSL) -> IO Ninja (port 2222, plain) -> alpnpass (port 3333, plain) -> server (port 4444, SSL)

If you use a tool like Wireshark which can monitor traffic without being part of the stream itself, you can set InterceptPort and ReturnPort to the same value (for example '5555') and sniff the traffic on that port on the lo loopback device:

client -> alpnpass (port 1111, SSL) -> alpnpass (port 5555, plain) -> server (port 4444, SSL)

Limitations

SSL certificates are currently not autogenerated, you'll have to create one on your own.

Only one connection at a time is supported. This is probably what you want anyway since multiple simultaneous connections would be hard to handle if you're inspecting traffic manually, which is likely the only use case for this tool. :)