lcsouzamenezes / jackal Goto Github PK
View Code? Open in Web Editor NEWThis project forked from rtfcode/jackal
SSL certificate cloner
License: GNU General Public License v2.0
This project forked from rtfcode/jackal
SSL certificate cloner
License: GNU General Public License v2.0
jackal - certificate cloner - K Sheldrake Copyright (C) 2018 Kevin Sheldrake This file is part of jackal. Jackal is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. Overview -------- jackal clones SSL certificates. The purpose is to automate and simplify a step in the SSL MITM process. SSL/TLS connections are established on trust provided by the certificates that are exchanged. Typically the server sends a certificate to the client for verification. All certificates are signed by another certificate. Self-signed certificates are signed by themselves; in all other cases, an end user cerficate is signed by an intermediate certificate authority, which is in-turn signed by other intermediates, the last of which is signed by a root certificate authority. The root certificate authority is self-signed and should be available to the tool or client that wants to verify the end user certificate. To verify an end user certificate a tool or client finds the certificate that signed it, and then recursively verifies that. If any of the certificates are contained in the CA store, the certificate is deemed to have a valid signature. There are other checks, such as validity dates and confirmation of the end user certificate details to ensure the right certificate is in use. Man-in-the-middle attacks are possible if the certificate verification routines are flawed or if it is possible to add a fake CA to the CA store. In order to effect such an attack, certificates that mimic the real certificates are required. This tool, jackal, makes fake certificates that are identical to the originals except for the change of keys. Supported platforms: * 32bit (Arch) linux * 64bit (Arch && Kali) linux Expecting it to work on any other platforms is very optimistic of you. Obtain certficate chain ----------------------- Obtain a certificate chain from a SSL server with something like: $ openssl s_client -connect anywhere.com:443 -showcerts < /dev/null > certs The file certs will then contain the s_client output including the certs in PEM format. Jackal can take this file and clone the certificates within it. Create a new CA --------------- Create a new CA with: $ openssl genrsa -des3 -out ca.key 2048 $ openssl req -new -x509 -days 3650 -key ca.key -out ca.pem Check certificate with: $ openssl x509 -in certificate.pem -noout -text Verify certificate trust with: $ openssl verify -CAfile ca.pem -untrusted intermediatecas.pem certificate.pem Cloning options --------------- Jackal only deals with the certificates you supply; it will not go foraging for missing CA certificates. If the certificate chain you have obtained is lacking the CA certificate, then you may need to obtain it yourself from the trusted CA store and add it to the end of the file (depending on whether you also want to clone the chain's CA or not). The cloning options are: Leaf certificate (-sl): Jackal will clone the leaf certficate (the server certificate) and ignore the rest of the chain. If a CA is supplied (with key, obvs) then it will sign the new certificate with the supplied CA; otherwise, it will self-sign the cert. Chain (-sc): Jackal will clone the entire certificate chain. If a CA is supplied, it will then sign the root of the chain with the supplied CA; otherwise, it will self-sign the root of the chain. Resign (-sr): Jackal will clone the certificate chain, but will replace the root of the chain with the supplied CA. Output filename spec -------------------- Options -sl, -sc and -sr take an output filespec option, -o. Option -sl outputs one certificate and an associated key. It appends '.pem' and '.key' to the filespec. Options -sc and -sr output multiple certificates, each with associated keys. Jackal appends '.n.pem' and '.n.key' to the filespec, numbering each certificate in the new chain, starting with the leaf certificate as 0 and increasing with each certificate in the chain. Examples -------- $ jackal -sc -c certfile -o clonefile -C newca.pem -K newca.key Jackal will clone the certificate chain in certfile, signing it with newca, and output the certificates to clonefile.0.pem/key, clonefile.1.pem/key, etc. Command Line Arguments ---------------------- -c certificate Specifies the input certificate to clone. If no other options are given, jackal will simply display the leaf certificate in the file (not as nice as openssl x509 -text but hey). The certificate file must be in PEM format, but jackal will silently ignore anything it doesn't recognise so other guff in there is usually acceptable. -sl / -sc / -sr Specifies the kind of cloning to perform: leaf, chain, or resign. -o outputfilespec Specifies the prefix for the output clone certificate files. -C newCAcert / -K newCAkey Specifies the CA certificate and key to use in signing operations. Support / Patches ----------------- The latest version of the code can be found at rtfc.org.uk and github/rtfcode. No support is offered, but if you report bugs I may try to fix them. Patches are especially welcome. Feature requests are best accompanied with a working patch. I'm more likely to work on it if I have beer; see rtfc.org.uk for details. Changes ------- Version 1.3 has corrected version numbers, etc. Version 1.2 properly supports openssl 1.1.0; prev version was a half-arsed attempt at a fix/port and was mostly rubbish. This version actually compiles and appears to work. Version 1.1 supports openssl 1.1.0; someone sneakily took away ->extra_certs and that broke version 1.0. Contact details are at rtfc.org.uk.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.