Are You Spying on me? Detecting SSL Man-in-the-Middle

Carrie Roberts//*

Image result for spying

Is your employer reading all your sensitive information when you browse the internet from your work computer? Probably. But how can you be sure?

It is common for companies to deploy an SSL decrypting proxy at work in an effort to better protect their assets from attack. It’s something you agree to when you start employment with them, at least when you are using their network and their managed devices. Even so, you may be interested to know what HTTPS traffic they are decrypting and what they are not. For example, the company might not want to be liable for having access to your banking information, including your password, or your private information on government (.gov) websites. For this reason, a company may configure their proxy to not decrypt information to certain websites, while they readily decrypt, or Man-in-the-Middle, other communications.

I developed a PowerShell script that will determine if your connection to external servers over HTTPS is being decrypted. If you happen to be a pentester, you may be especially interested in sites that are not decrypted as you will have better luck getting a Command and Control (C2) connection out of the network, using Domain Fronting for example, if your traffic is not decrypted.

The Script is called Detect-SSLmitm and is available here. Kudos to @malcomvetter for the idea to write this script and for some improvement tips. For example, comparing the intermediate certificate to reduce false positives

Running it is very simple as shown in the image below:

In the output shown, the and sites are the only ones not being decrypted.

You can edit the script to add any test sites that you like, then run the “Get-GoldenHashes” function to update the list of golden hashes.

Be sure to generate the Golden certificate hashes from a network location known to not decrypt SSL traffic, otherwise you will get false positives.

*Carrie frequently guest posts for BHIS and we’re so happy she does!

You can learn more from Carrie in her classes!

Check them out here:

Attack Emulation Tools: Atomic Red Team, CALDERA and More 

PowerShell for InfoSec

Available live/virtual and on-demand!