Something interesting I ran across in the past couple of days: a tool that, on Linux, plants a root CA for you (into the traced program's environment only, not system-wide) and then MITMs its HTTPS connections: "Httptap: View HTTP/HTTPS requests made by any Linux program (github.com/monasticacademy)". The GitHub project page is monasticacademy/httptap.
The "How it works" section explains the technique: the program is run in its own isolated network environment, which is what makes intercepting its connections possible:
Httptap creates a TUN device and runs the subprocess in an environment in which all network traffic is routed through that device.
And because it deals with raw packets directly, that means implementing a TCP stack (at least part of one):
The traffic from the network device is delivered to us as raw IP packets. We must parse the IP packets as well as the inner TCP and UDP packets, and write raw IP packets back to the subprocess. This requires a software implementation of the TCP/IP protocol, which is by far the most difficult part of httptap. The TCP/IP implementation in httptap is missing many aspects of the full TCP protocol, but still works reasonably well for its purpose.
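As an added example (this is not httptap's own code; the type names, the checksum helper and the constructed SYN segment are all mine), here is the minimum a user-space stack behind a TUN device has to do with what it reads: validate and parse the IPv4 and TCP headers, and build a correctly checksummed packet to write back. It deliberately stops at headers; sequence tracking, retransmission and the rest of the state machine the README alludes to are not shown.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

// Only the fields a user-space stack needs to route a packet and track the
// connection it belongs to; IPv4 only, options are skipped, not interpreted.
type IPv4Header struct {
	Protocol uint8
	Src, Dst net.IP
}

type TCPHeader struct {
	SrcPort, DstPort uint16
	Seq, Ack         uint32
	Flags            uint8 // bit 0 FIN, 1 SYN, 2 RST, 3 PSH, 4 ACK
}

const (
	FlagSYN  uint8 = 0x02
	ProtoTCP uint8 = 6
)

// checksum is the RFC 1071 one's-complement sum shared by IPv4 and TCP; over
// a header whose checksum field is already filled in it returns 0.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	if len(b)%2 == 1 {
		sum += uint32(b[len(b)-1]) << 8
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// tcpChecksum prepends the IPv4 pseudo-header (src, dst, zero, proto, length).
func tcpChecksum(src, dst net.IP, seg []byte) uint16 {
	buf := make([]byte, 12, 12+len(seg))
	copy(buf[0:4], src.To4())
	copy(buf[4:8], dst.To4())
	buf[9] = ProtoTCP
	binary.BigEndian.PutUint16(buf[10:12], uint16(len(seg)))
	return checksum(append(buf, seg...))
}

// ParseIPv4 validates version, length fields and header checksum and returns
// the header plus its payload (the TCP segment when Protocol is 6).
func ParseIPv4(pkt []byte) (IPv4Header, []byte, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return IPv4Header{}, nil, errors.New("not a complete IPv4 header")
	}
	ihl, total := int(pkt[0]&0x0f)*4, int(binary.BigEndian.Uint16(pkt[2:4]))
	if ihl < 20 || total < ihl || total > len(pkt) {
		return IPv4Header{}, nil, errors.New("inconsistent IPv4 length fields")
	}
	if checksum(pkt[:ihl]) != 0 {
		return IPv4Header{}, nil, errors.New("bad IPv4 header checksum")
	}
	h := IPv4Header{Protocol: pkt[9], Src: net.IP(pkt[12:16]), Dst: net.IP(pkt[16:20])}
	return h, pkt[ihl:total], nil
}

// ParseTCP checks the data offset and the pseudo-header checksum and returns
// the header plus the application payload.
func ParseTCP(ip IPv4Header, seg []byte) (TCPHeader, []byte, error) {
	if len(seg) < 20 || int(seg[12]>>4)*4 < 20 || int(seg[12]>>4)*4 > len(seg) {
		return TCPHeader{}, nil, errors.New("short TCP segment or bad data offset")
	}
	off := int(seg[12]>>4) * 4
	if tcpChecksum(ip.Src, ip.Dst, seg) != 0 {
		return TCPHeader{}, nil, errors.New("bad TCP checksum")
	}
	h := TCPHeader{SrcPort: binary.BigEndian.Uint16(seg[0:2]), DstPort: binary.BigEndian.Uint16(seg[2:4]),
		Seq: binary.BigEndian.Uint32(seg[4:8]), Ack: binary.BigEndian.Uint32(seg[8:12]), Flags: seg[13]}
	return h, seg[off:], nil
}

// BuildIPv4TCP goes the other way (what the stack writes back into the TUN
// device), filling in both checksums so the kernel accepts the packet.
func BuildIPv4TCP(src, dst net.IP, sport, dport uint16, seq, ack uint32, flags uint8, payload []byte) []byte {
	seg := make([]byte, 20+len(payload))
	binary.BigEndian.PutUint16(seg[0:], sport)
	binary.BigEndian.PutUint16(seg[2:], dport)
	binary.BigEndian.PutUint32(seg[4:], seq)
	binary.BigEndian.PutUint32(seg[8:], ack)
	seg[12], seg[13] = 5<<4, flags               // data offset 5 words (no options), flags
	binary.BigEndian.PutUint16(seg[14:], 65535) // advertised window
	copy(seg[20:], payload)
	binary.BigEndian.PutUint16(seg[16:], tcpChecksum(src, dst, seg))
	pkt := make([]byte, 20+len(seg))
	pkt[0], pkt[8], pkt[9] = 0x45, 64, ProtoTCP // version 4 + IHL 5, TTL, protocol
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	copy(pkt[12:16], src.To4())
	copy(pkt[16:20], dst.To4())
	binary.BigEndian.PutUint16(pkt[10:], checksum(pkt[:20]))
	copy(pkt[20:], seg)
	return pkt
}
```

Constructing a SYN toward port 443 with BuildIPv4TCP and feeding it back through ParseIPv4 and ParseTCP round-trips the addresses, ports and flags; flipping one payload byte is caught by the TCP checksum and flipping the TTL by the IPv4 one, which is exactly the validation the kernel on the other side of the TUN device will apply to anything written back.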
But that alone only gives you the encrypted HTTPS traffic. To see what is inside, httptap generates a CA (a private key plus certificate) when it starts and plants it in the isolated environment so that only the subprocess trusts it; that CA is then used to MITM the HTTPS connections:
When httptap starts, it creates a certificate authority (actually a private key plus a corresponding x509 certificate), writes it to a file on the filesystem visible only to the subprocess, and sets a few environment variables -- again only visible to the subprocess being run -- that add this certificate authority to the list of trusted certificate authorities. Since the subprocess trusts this certificate authority, and httptap holds the private key for the certificate authority, it can prove to the subprocess that it is the server with which the subprocess was trying to communicate. In this way we can read the plaintext HTTP requests.
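The steps in that paragraph, as an added example that is not httptap's code: generate the per-run CA, write it to a file and produce the environment that makes the subprocess trust it, then mint a certificate for whatever server name the subprocess asks for and hand it out from a TLS server's GetCertificate hook. The README does not list which environment variables httptap sets; the four used here (SSL_CERT_FILE, CURL_CA_BUNDLE, REQUESTS_CA_BUNDLE, NODE_EXTRA_CA_CERTS) are the ones honoured by OpenSSL-linked programs and Go, curl, Python requests and Node.js respectively, and using them for this is my assumption. AcceptedBy is the client-side check the subprocess performs; it is what makes the whole trick work (and what certificate pinning bypasses).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"time"
)

// Interceptor holds one run's throwaway CA; everything else is derived from it.
type Interceptor struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	CAPEM  []byte // the file the subprocess is told to trust
}

// NewInterceptor generates a fresh key pair and a self-signed CA certificate.
func NewInterceptor() (*Interceptor, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example interception CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Interceptor{caCert: ca, caKey: key,
		CAPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})}, nil
}

// WriteTrustEnv writes the CA certificate into dir and returns KEY=VALUE pairs
// for the subprocess environment. Which variables httptap itself sets is not
// stated in its README; these four are an assumption (see the lead-in).
func (ic *Interceptor) WriteTrustEnv(dir string) ([]string, error) {
	path := dir + "/ca.pem"
	if err := os.WriteFile(path, ic.CAPEM, 0o600); err != nil {
		return nil, err
	}
	return []string{"SSL_CERT_FILE=" + path, "CURL_CA_BUNDLE=" + path,
		"REQUESTS_CA_BUNDLE=" + path, "NODE_EXTRA_CA_CERTS=" + path}, nil
}

// LeafFor mints a server certificate for host, chained to the CA, with which
// the interceptor impersonates that host. (A real interceptor would cache one
// per host; minting a fresh key per call keeps the example short.)
func (ic *Interceptor) LeafFor(host string) (*tls.Certificate, error) {
	if host == "" {
		return nil, errors.New("ClientHello carried no SNI: no name to impersonate")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ic.caCert, &key.PublicKey, ic.caKey)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der, ic.caCert.Raw}, PrivateKey: key}, nil
}

// ServerConfig is what the interceptor answers the subprocess's TLS connection
// with: the certificate it presents is chosen from the ClientHello's SNI.
func (ic *Interceptor) ServerConfig() *tls.Config {
	return &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		return ic.LeafFor(h.ServerName)
	}}
}

// AcceptedBy is the check the subprocess's TLS client makes on the presented
// chain: host must match a SAN and the chain must end in a root it trusts.
func AcceptedBy(c *tls.Certificate, host string, roots *x509.CertPool) error {
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

Loading the written ca.pem into a CertPool and calling AcceptedBy with it accepts a minted certificate for the matching host, while the same certificate fails against an empty pool (a client that never got the environment variables) or against a different host name; a ClientHello without SNI is refused rather than answered with a nameless certificate.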
So in most cases it can capture the traffic (as long as you don't run into certificate pinning, or a program that ignores those environment variables and brings its own trust store). Worth noting down so it comes to mind more easily when the right use case shows up...
Hand-rolling even part of a TCP stack is pretty hardcore, though...