unmtlsproxy

command module
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 10, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

README

unmtlsproxy

OpenSSF Scorecard Security Rating

un-MTLS proxy is a simple proxy service to remove the mutual TLS authentication to some services. This is useful when a tool is not supporting mTLS.

⚠️ DO NOT RUN IT IN PRODUCTION ⚠️

This will kill the value added by mTLS.

NEVER EVER USE IT AGAINST IN PRODUCTION

It's not a tool for daily life, only a tool when nothing else is possible and is really required.

Do NOT use it if you don't know EXACTLY what you are doing!

My use-case is during penetration testing when some tools are not supporting mTLS, but, be careful of:

  1. What you are doing!
  2. Which interface you are binding!
  3. How may access this interface!

Note: it has been based on github.com/PaloAltoNetworks/mtlsproxy, but, honestly, there are not a lot of commons, except:

  1. The architecture;
  2. The command line options;
  3. Some pieces of code;
  4. The dependencies.

Thus, I deleted the "Fork" status on GitHub.

How to install?

Just run:

go install github.com/ajabep/unmtlsproxy@latest

How to use?

See in the ./example/ directory.

How to define a proxy?

Multiple ways are possibles:

  1. The classic environment variables works well!
  2. Using proxychains should also work.

Changes from github.com/PaloAltoNetworks/mtlsproxy

  1. Now, it removes the mTLS layer. Actually, all the TLS part is removed.
  2. Added some options to ease the debug
  3. The docker version is no longer available: Not useful for penetration testing and I don't want to encourage this to be used to expose a service.

Known issues

Check all the known issues... in the issue section of the GitHub repo!

The answer my client receive is net/http: HTTP/1.x transport connection broken: malformed HTTP status code "response"

The server may support only HTTP/0.9, or is not an HTTP server. Try to use the TCP mode.

How to use an encrypted private key?

The private key encryption (RFC 1423) is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

Also, if the private key is accessible by someone else on your disk, a simple ps auxe would help them to extract the password, not enabling any better security than a good MAC.

In other words, it just gives you the feeling of being secured. Nothing more.

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
internal
configuration
Package configuration is a small package for handling configuration
 Package configuration is a small package for handling configuration
configuration/configurationtest
httpproxy
log
tcpproxy

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.