MITM Checker

Discussion in 'other anti-malware software' started by svenfaw, May 21, 2019.

  1. svenfaw

    svenfaw Registered Member


    Use MITM Checker to determine if your system is currently under a MITM attack. The program will connect to a list of major websites and alert on any unknown or unusual certificates used in the SSL handshake.

    It will detect obvious cases (such as interception by a local proxy, your employer's SSL inspection gateways, or a malware infection), as well as more advanced attacks (for instance, if the cert is valid but originates from an unusual organization/country).

    The tool is a standalone, browser-independent application.


    Wait, how does this differ from RCC?

    RCC performs a static check on the local certificate store. MITM Checker analyzes the actual certs your machine receives when connecting to popular websites.

    Usage

    Just unzip and launch. Any alerts are flagged in red. Feel free to share your results for discussion.


    This early release is free for use. As it is a beta, bugs and/or false positive detections should be expected. Feedback welcome!

    Available from https://www.trustprobe.com/fs1/apps.html
     
    Last edited: May 21, 2019
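The check the first post describes (handshake with each site, then compare the presented certificate against what that site is expected to present) can be sketched like this. This is an added example, not MITM Checker's own code; the hostnames and the baseline thumbprints/issuers are constructed placeholders, and the "top100"-style baseline would in practice be captured on a known-clean network:

```python
import hashlib
import socket
import ssl

# Constructed baseline (assumption, not the tool's real top100.txt): the
# issuer organization and leaf-cert SHA-256 thumbprint seen for each host
# on a network known to be clean.
BASELINE = {
    "site-a.example": {"issuer_org": "Example CA Inc", "thumbprint": "aa" * 32},
    "site-b.example": {"issuer_org": "Example CA Inc", "thumbprint": "bb" * 32},
}

def thumbprint(der_cert: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def rdn_value(rdns, key: str) -> str:
    """Pull one attribute (e.g. organizationName) out of ssl's RDN tuples."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return ""

def classify(host: str, issuer_org: str, thumb: str, baseline=BASELINE) -> str:
    """Compare what the server presented with what the baseline expects."""
    expected = baseline.get(host)
    if expected is None:
        return "UNKNOWN: no baseline for host"
    if thumb == expected["thumbprint"]:
        return "OK"
    # A renewed leaf from the same CA is routine; a different issuer is the
    # classic sign of a proxy re-signing the certificate with its own CA.
    if issuer_org != expected["issuer_org"]:
        return f"ALERT: issuer changed to '{issuer_org}'"
    return "INFO: thumbprint changed, same issuer (likely renewal)"

def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Real handshake with verification on, then classify the leaf cert."""
    ctx = ssl.create_default_context()  # trusts the local root store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                info = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        # An untrusted, expired or missing root certificate ends up here.
        return f"HANDSHAKE_FAILURE: verification: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        return f"HANDSHAKE_FAILURE: {e}"
    return classify(host, rdn_value(info["issuer"], "organizationName"), thumbprint(der))
```

Running `check_host` over a real host list separates three outcomes the thread discusses: a verification failure (outdated root store), a cert from an unexpected issuer (interception), and a routine renewal from the same CA.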
  2. Surt

    Surt Registered Member

    Another forensic toolbox winner. Thanks!

    FYI: I get a handshake failure for www.go.com and ping timeout for that as well. It redirects to just plain ol' go.com in the browser. Fixed with top100.txt edit.

    I determined one can build one's own list as long as the file is named top100.txt.

    Future feature requests: window sizing, csv report export.
     
    Last edited: May 21, 2019
  3. XIII

    XIII Registered Member

  4. svenfaw

    svenfaw Registered Member

    Likely to be false positives - Could you post the thumbprints for these 2 detections? (Copying text to the clipboard is not possible yet, so I would suggest posting a screenshot)
     
  5. Hiltihome

    Hiltihome Registered Member

    Same here, see screenshot.
     
  6. Surt

    Surt Registered Member

    Not seeing that here. Different Root CAs...

     
  7. itman

    itman Registered Member

    Same here. Did as you and changed to go.com.

    Also no alerts here on those two URLs.

    -EDIT- Do you use Comodo for anything; firewall, etc.?

    Great tool! Kudos on your work.
     
    Last edited: May 21, 2019
  8. itman

    itman Registered Member

    Forgot to mention that there is no issue with SSL/TLS protocol scanning by AV; at least with Eset.
     
  9. XIII

    XIII Registered Member

    No, I do not.
     
  10. guest

    guest Guest

    SSL-Eye is the one I used to use.
     
  11. svenfaw

    svenfaw Registered Member

    The COMODO ECC detections reported above are false positives. This issue should be fixed in the latest build, available now (v0.39b).
     
  12. itman

    itman Registered Member

    Could never use it. Eset flagged it as malware.
     
  13. XIII

    XIII Registered Member

    My router firewall blocks the download site for MITM Checker...
     
  14. itman

    itman Registered Member

    That's strange. Mine won't block any incoming stateful traffic unless it was an IDS detection, ping, etc.
     
  15. XIII

    XIII Registered Member

    Looks like it is hosted on a shared server with several malicious “neighbors”:

    https://otx.alienvault.com/indicator/ip/213.186.33.17
     
  16. XIII

    XIII Registered Member

    Gone indeed.

    99 OK now. Keep getting handshake errors for wp.com though.
     
  17. Infected

    Infected Registered Member

    Everything good and I run CFW.
     

  18. ichito

    ichito Registered Member

    Hi... I tried MITM Checker on XP and received two alerts (on screenshot) and a lot of "Handshake failure"... why is that?
     
  19. EASTER

    EASTER Registered Member

  20. itman

    itman Registered Member

    My best guess is since you're using XP that isn't supported anymore, its root CA store certificates haven't been updated in ages. For example, www.tinyurl.com uses a Comodo; i.e. AddTrust root certificate.
     
  21. ichito

    ichito Registered Member

    Yes... it's a reasonable explanation and you are perhaps right. Thanks.
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    No alerts.
    I should have the updated root CA store certificates.

    These results are with Windows XP Home.
     
    Last edited: May 25, 2019
  23. XIII

    XIII Registered Member

    Exact same result after upgrading to Windows 10 May 2019 Update (1903).
     
  24. trott3r

    trott3r Registered Member

    I got 59 handshake failures on XP as well.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    @svenfaw

    Can I get 0 Handshake failure?
     