ratched – Transparent Man-in-the-Middle TLS Proxy
ratched is a Man-in-the-Middle (MitM) proxy that specifically intercepts TLS connections. It is intended to be used in conjunction with the Linux iptabes REDIRECT target; all connections that should be intercepted can be redirected to the local ratched port. Through the SO_ORIGINAL_DST sockopt, ratched can determine the intended destination (before iptables packet mangling) and tries to establish a connection to the original target.
The thing that sets it apart from other MitM software is the following:
- ratched does not intercept traffic indiscriminately. In particular, it first waits for the TLS client to send its ClientHello so that ratched can parse it and decide by the Server Name Indication TLS extension (SNI) if the target should be intercepted or not. This is particularly useful when you have virtual hosting, but only want to intercept connections to a specific hostname.
- ratched is not intended to only sniff passwords, but primarily dumps the traffic into a PCAPNG file. The PCAPNG file format was chosen because it allows for annotation of connections with comments (in particular, which hostname was indicated in the SNI extension) and also allows name resolution information to be embedded in the capture file (again, to map the target IP address to the SNI extension’s hostname)
- ratched has individual configuration for each intercepted SNI, including supported groups (formerly known as “supported elliptic curves”), cipher suites and specific TLS versions on client and server side, and allows for specifying custom certificates/keys for different intercepted hosts.
- ratched provides extensive support for client certificates and also offers automatic forging for client certificates as well (similar to forged server certificates in the other direction).
- ratched supports OCSP stapling and can automatically forge positive OCSP responses when a client sends a status request TLS extension.
Once ratched is listening on the routing machine (in the example, on port 9999), simply add an iptables entry that specifies what traffic you want to capture. For example, to intercept everything from 192.168.1.7 that tries to reach port 443, use:
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.7 --dport 443 -j REDIRECT --to-ports 9999
In order to intercept everything that goes to 443, simply do:
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9999
If you’re acting as a router and want to intercept locally incoming traffic, use the DNAT target instead of REDIRECT, such as:
# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to 192.168.123.1:9999
Here, eth1 is the interface you’re intercepting traffing at and 192.168.123.1 is the local interface IP address.
The help page should be pretty self-explanatory:
usage: ratched [-c path] [-f hostname:port] [--single-shot] [--dump-certs] [--keyspec keyspec] [--initial-read-timeout secs] [--mark-forged-certificates] [--no-recalculate-keyids] [--daemonize] [--logfile file] [--flush-logs] [--crl-uri uri] [--ocsp-uri uri] [--write-memdumps-into-files] [--use-ipv6-encapsulation] [-l hostname:port] [-d key=value[,key=value,...]] [-i hostname[,key=value,...]] [--pcap-comment comment] [-o filename] [-v] ratched - TLS connection router that performs a man-in-the-middle attack optional arguments: -c path, --config-dir path Configuration directory where the default root CA certificate, CA keypair and server keypair are stored. Defaults to ~/.config/ratched -f hostname:port, --local-fwd hostname:port When local connection to listening port is made, the connection is discarded by default. Specifying this option makes ratched forward to the given hostname/port combination instead. Useful for testing the proxy without the iptables REDIRECT. --single-shot Only handle a single connection and terminate directly after. Useful for debugging purposes. --dump-certs Print created certificates for each intercepted connection in the log file. Note that in many cases you will also need to increase the log level to at least DEBUG in order to see certificates. --keyspec keyspec Specification for the private keys that should be used. Can be either in the form "rsa:bitlen" or "ecc:curvename". Valid choices, therefore, would be, for example, "rsa:1024" or "ecc:secp256r1". Defaults to rsa:2048 --initial-read-timeout secs Specifies the amount of time in seconds (as a floating point number) that ratched waits for the client to provide its ClientHello before giving up. The default is 1.0 secs. --mark-forged-certificates Include an OU=ratched entry to the subjects of all created certificates (including dynamically forged client certificates) for easy debugging. --no-recalculate-keyids When forging client certificates, by default the subject and authority key identifiers are removed and recreated to fit the actually used key ids. With this option, they're used as-is (i.e., the key identifier metadata will not fit the actually used keys). This option might expose bugs in certain frameworks which regard these identifiers as trusted information. --daemonize Do not run in foreground mode, but in the background as a daemon. --logfile file Instead of logging to stderr, redirect logs to given file. --flush-logs Flush logfile after each call to logmsg(). Decreases performance, but gives line-buffered logs. --crl-uri uri Encode the given URI into the CRL Distribution Point X.509 extension of server certificates. --ocsp-uri uri Encode the given URI into the Authority Info Access X.509 extension of server certificates as the OCSP responder URI. --write-memdumps-into-files When dumping a piece of memory in the log, also output its binary equivalent into a file called hexdump_####.bin, where #### is an ascending number. Useful for debugging of internal data structures. --use-ipv6-encapsulation For writing the PCAPNG file format, usually IPv4 is emulated. This has the drawback that when one IPv4 endpoint serves multiple servers via the TLS Server Name Indication extension, they cannot be differentiated by their hostname. With this parameter, ratched wraps the packets in IPv4-in-IPv6 emulation and assigns different IPv6 addresses for different server names, thus enabling accurate name resolution. -l hostname:port, --listen hostname:port Specify the address and port that ratched is listening on. Defaults to 127.0.0.1:9999. -d key=value[,key=value,...], --defaults key=value[,key=value,...] Specify the server and client connection parameters for all hosts that are not explicitly listed via a --intercept option. Arguments are given in a key=value fashion; valid arguments are shown below. -i hostname[,key=value,...], --intercept hostname[,key=value,...] Intercept only a specific host name, as indicated by the Server Name Indication inside the ClientHello. Can be specified multiple times to include interception or more than one host. Additional arguments can be specified in a key=value fashion to further define interception parameters for that particular host. --pcap-comment comment Store a particular piece of information inside the PCAPNG header as a comment. -o filename, --outfile filename Specifies the PCAPNG file that the intercepted traffic is written to. Mandatory argument. -v, --verbose Increase logging verbosity. The arguments which are valid for the --intercept argument are as follows: intercept=[opportunistic|mandatory|forward|reject] Specifies the mode that ratched should act in for this particular connection. Opportunistic TLS interception is the default; it means that TLS interception is tried first. Should it fail, however (because someone tries to send non-TLS traffic), it falls back to 'forward' mode (i.e., forwarding all data unmodified). Mandatory TLS interception means that if no TLS interception is possible, the connection is terminated. 'forward', as explained, simply forwards everything unmodified. 'reject' closes the connection altogether, regardless of the type of seen traffic. s_tlsversions=versions Colon-separated string that specifies the acceptable TLS version for the ratched server component. Valid elements are ssl2, ssl3, tls10, tls11, tls12, tls13. Defaults to tls10:tls11:tls12. s_reqclientcert=bool Ask all connecting clients to the server side of the TLS proxy for a client certificate. If not replacement certificate (at least certfile and keyfile) is given, forge all metadata of the incoming certificate. If a certfile/keyfile is given, this option is implied. s_send_rot=bool By default, the ratched TLS server does not include its own root of trust (RoT) CA certificate in the server certificates list. With this option, it is added to the certificates sent to its peer. s_certfile=filename Specifies an X.509 certificate in PEM format that should be used by ratched as the server certificate. By default, this certificate is automatically generated. Must be used in conjunction with s_keyfile. s_keyfile=filename Specifies the private key for the given server certificate, in PEM format. s_chainfile=filename Specifies the X.509 certificate chain that is to be sent to the client, in PEM format. s_cacert=filename The X.509 CA certificate that issues server certificates, in PEM format. s_cakey=filename The X.509 CA certificate key that signs server certificates, in PEM format. s_ciphers=ciphers The cipher suite string that the ratched TLS server uses. s_groups=groups The key agreement 'supported groups' string (formerly known as 'elliptic curves') that the ratched TLS server uses. s_sigalgs=algs The key agreement 'signature algorithms' string which the ratched TLS server uses. s_ocsp=bool Respond to clients requesting an OCSP status request by sending an OCSP ticket as a response. Enabled by default. c_tlsversions=versions Colon-separated string that specifies the acceptable TLS version for the ratched client component. Valid elements are ssl2, ssl3, tls10, tls11, tls12, tls13. Defaults to tls10:tls11:tls12. c_certfile=filename Specifies an X.509 certificate in PEM format that should be used by ratched as a client certificate. It will only be used when the connecting client also provided a client certificate. Must be used in conjunction with c_keyfile. c_keyfile=filename The private key for the given client certificate, in PEM format. c_chainfile=filename The X.509 certificate chain that is to be sent to the server, in PEM format. c_ciphers=ciphers The cipher suite string that the ratched TLS client uses. c_groups=groups The key agreement 'supported groups' string (formerly known as 'elliptic curves') that the ratched TLS client uses. c_sigalgs=algs The key agreement 'signature algorithms' string which the ratched TLS client uses. examples: $ ratched -o output.pcapng Open up local port 9999 and listen for incoming connections, intercept all TLS traffic and write output into given capture file. $ ratched -f google.com:443 -o output.pcapng Same as before, but redirect all traffic of which the destination cannot be determined (e.g., local connections to port 9999) to google.com on port 443. $ ratched -vvv --dump-certs -o output.pcapng Be much more verbose during interception and also print out forged certificates in the log. $ ratched --defaults intercept=forward -intercept --intercept www.johannes-bauer.com -o output.pcapng Do not generally intercept connections (but rather forward all traffic unmodified) except for connections with Server Name Indication www.johannes-bauer.com, on which interception is performed. $ ratched --intercept www.johannes-bauer.com,s_reqclientcert=true -o output.pcapng Generally do not request client certificates from connecting peers except for connections with Server Name Indication www.johannes- bauer.com, where clients are sent a CertificateRequest TLS message. If clients do not provide a client certificate, just use regular TLS interception. If they do provide a client certificate, forge all client certificate metadata and use the forged client certificate in the connection against the real server. $ ratched --intercept www.johannes-bauer.com,c_certfile=joe.crt,c_keyfile=joe.key -o output.pcapng Same as before, but for connections to johannes-bauer.com, do not forge client certificates, but always use the given client certificate and key (joe.crt / joe.key) for authentication against the server. $ ratched --keyspec ecc:secp256r1 --ocsp-uri http://www.ocsp-server.com -o output.pcapng Choose secp256r1 instead of RSA-2048 for all used certificates and encode an OCSP Responder URI into those forged certificates as well. $ ratched --initial-read-timeout 5.0 --default intercept=mandatory -o output.pcapng Wait five seconds for connecting clients to send a valid ClientHello message. If after five seconds nothing is received or if unknown (non- TLS) traffic is received, terminate the connection instead of performing unmodified forwarding.
The name “ratched” alludes to nurse Ratched of “One Flew Over The Cuckoo’s Nest”. If you use the tool to spy on people, you’re a complete douchebag and abusing your power. You should watch the movie. Please use ratched responsibly to increase security of our infrastructure, not undermine it. TLS interception for spying purposes is despicable and dangerous.
ratched requires at least OpenSSL v1.1.