Windows 10でHTTPS通信をINTERCEPT
- 1. WINDOWS 10 で HTTPS通信 を INTERCEPT AVTOKYO 2016 Oct. 22th 2016
- 2. 自己紹介 ? Soya Aoyama(あお) ? FRONTALEおよびDRINKをこよなく愛する セキュリティ研究者 ? 富士通システム統合研究所に勤務 (2014年~) ? https://www.facebook.com/soya.aoyama.3 2
- 5. 確認手順 1. イベントビューアーを起動し、以下を選択 “Applications and Services Logs” “Microsoft” “Windows” “WinINet (Microsoft-Windows-WinINet-Capture)” “Capture/Analytic” 2. “Enable Log”をクリックし、ログを有効化 3. Edgeを起動し、WEBにアクセス 5
- 8. 文字列変換 1. Payloadの内容をコピー 2. http://singoro.net/16henkan/に貼り付け 8 485454502F312E3120323030204F4B0D0A43616368652D436F6E74726F6C3A206E6F2D63616368652C206E6F2D73746F72 652C206D7573742D726576616C69646174650D0A507261676D613A206E6F2D63616368650D0A436F6E74656E742D547970 653A20746578742F706C61696E0D0A457870697265733A202D310D0A5365727665723A204D6963726F736F66742D494953 2F382E350D0A533A20434831415050455830393436360D0A4163636573732D436F6E74726F6C2D416C6C6F772D4F726967 696E3A202A0D0A4163636573732D436F6E74726F6C2D416C6C6F772D486561646572733A20436F6E74656E742D54797065 0D0A4163636573732D436F6E74726F6C2D416C6C6F772D4D6574686F64733A20504F53542C204745542C204F5054494F4E 532C20484541440D0A4163636573732D436F6E74726F6C2D4D61782D4167653A2032313630300D0A446174653A20546875 2C2030382053657020323031362030353A34323A313820474D540D0A436F6E74656E742D4C656E6774683A20300D0A0D0A HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Content-Type: text/plain Expires: -1 Server: Microsoft-IIS/8.5 S: CH1APPEX09466 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type Access-Control-Allow-Methods: POST, GET, OPTIONS, HEAD Access-Control-Max-Age: 21600 Date: Thu, 08 Sep 2016 05:42:18 GMT Content-Length: 0
- 9. とある2人の会話3 9 本当にキャプチャできてるすね… でも1パケットずつ変換してられないすね? 大丈夫 アプリからキャプチャできるようにしてあるんだよね さすがビル、抜け目がないすね… どうやるんすかね? Event Tracing for Windows(ETW) を使用するんだよね
- 10. ソースプログラム 10 WinINetの内容をリアルタイムにキャプチャするアプリ #include <Windows.h> #include <Evntrace.h> #include <stdio.h> #include <wchar.h> #include <tdh.h> TRACEHANDLE controllerHandle = INVALID_PROCESSTRACE_HANDLE; LPWSTR sessionName = L"Microsoft-Windows-WinInet-Capture"; HANDLE event = NULL; EXTERN_C __declspec(selectany) const GUID PROVIDERID_Microsoft_Windows_WinInet_Capture = { 0xa70ff94f, 0x570b, 0x4979,{ 0xba, 0x5c, 0xe5, 0x9c, 0x9f, 0xea, 0xb6, 0x1b } }; // イベントコールバック void WINAPI EventRecordCallback(PEVENT_RECORD EventRecord) { if (TRUE == IsEqualGUID(PROVIDERID_Microsoft_Windows_WinInet_Capture, EventRecord->EventHeader.ProviderId)) { char *UserData = (char *)malloc(EventRecord->UserDataLength); memset(UserData, 0, EventRecord->UserDataLength); memcpy(UserData, (PBYTE)EventRecord->UserData + 0x10, EventRecord->UserDataLength - 0x10); printf("%sn", UserData); free(UserData); } } // コンシューマ用スレッド DWORD WINAPI ThreadProc(LPVOID lpParamater) { // セッションオープン EVENT_TRACE_LOGFILE logFile = {}; logFile.LogFileName = NULL; logFile.LoggerName = sessionName; logFile.ProcessTraceMode = PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_REAL_TIME; logFile.EventRecordCallback = &EventRecordCallback;
- 11. EVENT TRACING FOR WINDOWS Microsoftのブログ https://blogs.msdn.microsoft.com/jpwdkblog/2011/1 2/27/event-tracing-for-windows-etw/ あえとすさんのブログ http://tech.blog.aerie.jp/archive/category/ETW 11
- 14. その結果 _PAGEID=AA011&_SENDTS=1467876489534&_TRANID=AA011_001&_SUBINDEX=- 1&_TARGET=MUFGpop_syokai&_FRAMID=&_LUID=LUID&_WINID=root&_TARGETWINID=&DEVICEPRINT=version%253D3%252E4%252E1%2 52E0%255F1%2526pm%255Ffpua%253Dmozilla%252F5%252E0%2520%2528windows%2520nt%252010%252E0%2529%2520applewebkit%2 52F537%252E36%2520%2528khtml%252C%2520like%2520gecko%2529%2520chrome%252F46%252E0%252E2486%252E0%2520safari%25 2F537%252E36%2520edge%252F13%252E10586%257C5%252E0%2520%2528Windows%2520NT%252010%252E0%2529%2520AppleWebKit%2 52F537%252E36%2520%2528KHTML%252C%2520like%2520Gecko%2529%2520Chrome%252F46%252E0%252E2486%252E0%2520Safari%25 2F537%252E36%2520Edge%252F13%252E10586%257CWin32%2526pm%255Ffpsc%253D24%257C1729%257C864%257C824%2526pm%255Ffp sw%253D%2526pm%255Ffptz%253D9%2526pm%255Ffpln%253Dlang%253Dja%252DJP%257Csyslang%253D%257Cuserlang%253D%2526pm %255Ffpjv%253D1%2526pm%255Ffpco%253D1%2526pm%255Ffpasw%253Dflash%257C%2526pm%255Ffpan%253DNetscape%2526pm%255F fpacn%253DMozilla%2526pm%255Ffpol%253Dtrue%2526pm%255Ffposp%253D%2526pm%255Ffpup%253D%2526pm%255Ffpsaw%253D172 9%2526pm%255Ffpspd%253D24%2526pm%255Ffpsbd%253D0%2526pm%255Ffpsdx%253D96%2526pm%255Ffpsdy%253D96%2526pm%255Ffp slx%253D96%2526pm%255Ffpsly%253D96%2526pm%255Ffpsfse%253Dtrue%2526pm%255Ffpsui%253D%2526pm%255Fos%253DWindows% 2526pm%255Fbrmjv%253D46%2526pm%255Fbr%253DChrome%2526pm%255Finpt%253D%2526pm%255Fexpt%253D&KEIYAKU_NO=12345678 &PASSWORD=87654321 HTTP/1.1 200 OK Date: Thu, 07 Jul 2016 07:28:47 GMT Server: Apache Expires: Thu, 01 Jan 1970 00:00:00 GMT Cache-Control: no-cache Pragma: no-cache Content-length: 11661 Content-Type: text/html;charset=Shift_JIS Connection: close 14 KEIYAKU_NO=12345678 PASSWORD=87654321