This tool will listen on a given port, strip SSL encryption, forward traffic through a plain TCP proxy, then encrypt the returning traffic again and send it to the target of your choice. Unlike most SSL stripping solutions this tool will negotiate ALPN and preserve the negotiated protocol all the way to the target.

Overview

ALPN Pass

This tool will listen on a given port, strip SSL encryption, forward traffic through a plain TCP proxy, then encrypt the returning traffic again and send it to the target of your choice. Unlike most SSL stripping solutions this tool will negotiate ALPN and preserve the negotiated protocol all the way to the target.

The intended use of the tool is helping analyze SSL encrypted traffic in any app that uses ALPN to multiplex several protocols into one port. You will need something else to actually look at the traffic, such as IO Ninja with the TCP Proxy plugin for example.

Compiling

Just run "go build" and everything should work automagically. There are no external dependencies.

Usage

./alpnpass [alpnpass.json]

The alpnpass.json configuration file is currently the only way to configure this tool. You can specify any other filename of course. Here is an example with all default values:

{
	"InputPort":            "1111",
	"InterceptorPort":      "2222",
	"ReturnPort":           "3333",
	"OutputPort":           "4444",
	"InputBindIP":          "127.0.0.1",
	"InterceptorConnectIP": "127.0.0.1",
	"ReturnBindIP":         "127.0.0.1",
	"OutputConnectIP":      "127.0.0.1",
	"MinVersion":           "SSL30",
	"MaxVersion":           "TLS13",
	"Hostname":             "127.0.0.1",
	"CACert":               "ca.crt",
	"ServerCert":           "server.crt",
	"ServerKey":            "server.key",
	"ClientCert":           "client.crt",
	"ClientKey":            "client.key",
	"ALPN":                 [
		"h2",
		"h2c",
		"http/1.1",
		"http/1.0",
		"spdy/3",
		"spdy/2",
		"spdy/1",
		"stun.turn",
		"stun.nat-discovery",
		"webrtc",
		"c-webrtc",
		"ftp",
		"imap",
		"pop3",
		"managesieve",
		"coap",
		"xmpp-client",
		"xmpp-server",
		"acme-tls/1",
		"mqtt",
		"dot",
		"ntske/1",
		"sunrpc",
		"spdy/3.1",
		"h2-14",
		"h2-15",
		"h2-16"
	],
	"Ciphers": [
		"TLS_RSA_WITH_RC4_128_SHA",
		"TLS_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
		"TLS_ECDHE_RSA_WITH_RC4_128_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_RSA_WITH_AES_256_CBC_SHA",
		"TLS_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_AES_128_GCM_SHA256",
		"TLS_AES_256_GCM_SHA384",
		"TLS_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
		"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
	]
}

If the configuration file cannot be read or some settings are missing, the above default values will be used. (Note that the default list of ciphers may differ from the one you see above, since it depends on the exact version of golang used to compile the tool).

With the default configuration, alpnpass will open TCP port 1111, receive SSL connections and negotiate ALPN. Then it will connect to any intercepting TCP proxy of your choice in plaintext on port 2222, and expect return connections on port 3333. When receiving the return connection, traffic will be SSL encrypted again and sent to port 4444, using the same ALPN negotiated protocol.

For example, if you set the IO Ninja TCP proxy to listen on port 2222 and connect on port 3333, this will happen:

client -> alpnpass (port 1111, SSL) -> IO Ninja (port 2222, plain) -> alpnpass (port 3333, plain) -> server (port 4444, SSL)

Limitations

SSL certificates are currently not autogenerated, you'll have to create one on your own.

Only one connection at a time is supported. This is probably what you want anyway since multiple simultaneous connections would be hard to handle if you're inspecting traffic manually, which is likely the only use case for this tool. :)

You might also like...
go-jsonc provides a way to work with commented json by converting it to plain json.

JSON with comments for GO Decodes a "commented json" to "json". Provided, the input must be a valid jsonc document. Supports io.Reader With this, we c

SmartGateway is smart gateway.It uses iptables to forward traffic.

SmartGateway SmartGateway is smart gateway.It uses iptables to forward traffic. The traffic outbounds is tproxy of v2ray. SmartGateway run in docker,

Helps you to send ssh commands to target machine in your local network from outside via gRPC
Helps you to send ssh commands to target machine in your local network from outside via gRPC

rpc-ssh In case, you don't want to make your ssh port accessible from outside local network. This repository helps you to send ssh commands to target

Port-proxy - Temporary expose port for remote connections

Port proxy util Temporary expose port for remote connections. E.g. database/wind

A simple port forward tools build on libp2p with holepunch support.

p2p-tun A simple port forward and tun2socks tools build on libp2p with holepunch support. Usage NAME: p2p-tun - port forward and tun2socks through

A repository for the X-Team community to collaborate and learn solutions to most coding challenges to help prepare for their interviews.
A repository for the X-Team community to collaborate and learn solutions to most coding challenges to help prepare for their interviews.

Community Coding Challenge Handbook This repository focuses on helping X-Teamers and community members to thrive through coding challenges offering so

UDP Transport: compress, encrypt and send any data reliably over unreliable UDP connections

udpt UDP Transport Compresses, encrypts and transfers data between a sender and receiver using UDP protocol. Features and Design Aims: Avoid the overh

parse-curl.js golang version. Parse curl commands, returning an object representing the request.

parse-curl.js golang version. Parse curl commands, returning an object representing the request.

Tcp-proxy - A dead simple reverse proxy server.

tcp-proxy A proxy that forwords from a host to another. Building go build -ldflags="-X 'main.Version=$(git describe --tags $(git rev-list --tags --max

Comments
  • Tag the source

    Tag the source

    Could you please tag the source? This allows distributions to get the source from GitHub without dealing with commits and allow the consumers to know more about the "version".

    Or in short please create a release :wink:

    Thanks

    opened by fabaff 1
  • Document how to use wireshark with alpnpass

    Document how to use wireshark with alpnpass

    Thank you for this lovely tool! It was very useful to me while debugging an HTTP/2 protocol issue. I took a moment to describe how to use it with Wireshark.

    opened by raboof 0
Releases(0.1)
Owner
VerSprite, LLC
VerSprite, LLC
Program to simultaneously listen and respond on multiple TCP/UDP ports

listen Program to simultaneously listen on multiple TCP/UDP ports and reply back to anything sent along with IP addresses and lengths of data received

Purplecarrot 1 Feb 20, 2022
Multiplexer over TCP. Useful if target server only allows you to create limited tcp connections concurrently.

tcp-multiplexer Use it in front of target server and let your client programs connect it, if target server only allows you to create limited tcp conne

许嘉华 3 May 27, 2021
[WIP] gg is a portable tool to redirect the traffic of a given program to your modern proxy without installing any other programs.

gg gg (go-graft), was inspired by graftcp. go-graft is a pure golang implementation with more useful features. TODO: Use system DNS as the fallback. R

mzz 208 Sep 25, 2022
TCP output for beats to send events over TCP socket.

beats-tcp-output How To Use Clone this project to elastic/beats/libbeat/output/ Modify elastic/beats/libbeat/publisher/includes/includes.go : // add i

ichx 2 Aug 25, 2022
Mutual TLS encryption TCP proxy with golang

mtls-tcp-proxy Mutual Authentication TLS encryption TCP proxy with golang Why? I created this because of sometimes, it is not possible for us to estab

Habibie Faried 2 Jul 23, 2022
Websockify-go - A reverse proxy that support tcp, http, https, and the most important, noVNC, which makes it a websockify

websockify-go | mproxy a reverse proxy that support tcp, http, https, and the mo

null 3 Aug 14, 2022
A simple tool to convert socket5 proxy protocol to http proxy protocol

Socket5 to HTTP 这是一个超简单的 Socket5 代理转换成 HTTP 代理的小工具。 如何安装? Golang 用户 # Required Go 1.17+ go install github.com/mritd/[email protected] Docker 用户 docker pull m

mritd 7 Sep 7, 2022
Go pkg for returning your public facing IP address.

#publicip This package returns the public facing IP address of the calling client (a la https://icanhazip.com, but from Go!) Author James Polera james

James Polera 26 Sep 27, 2022
Simple TCP proxy to visualise NATS client/server traffic

NATS uses a simple publish/subscribe style plain-text protocol to communicate between a NATS Server and its clients. Whilst this connection should remain opaque to the user, it can be quite handy to see the data being passed from time to time - this tool does just that (it also saves me loading Wireshark and filtering the NATS traffic).

Joseph Woodward 0 Jan 15, 2022
Ipctl - Listen to IP change and change your DNS' records dynamically

ipctl Listen to IP change and change your DNS' records dynamically Table of cont

Daniel Svitan 1 Feb 17, 2022