MITM Checker

Discussion in 'other anti-malware software' started by svenfaw, May 21, 2019.

  1. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    245
    Untitled.png

    Use MITM Checker to determine if your system is currently under a MITM attack. The program will connect to a list of major websites and alert on any unknown or unusual certificates used in the SSL handshake.

    It will detect obvious cases (such as interception by a local proxy, your employer's SSL inspection gateways, or a malware infection), as well as more advanced attacks (for instance, if the cert is valid but originates from an unusual organization/country).

    The tool is a standalone, browser-independent application.


    Wait, how does this differ from RCC?

    RCC performs a static check on the local certificate store. MITM Checker analyzes the actual certs your machine receives when connecting to popular websites.

    Usage

    Just unzip and launch. Any alerts are flagged in red. Feel free to share your results for discussion.


    This early release is free for use. As it is a beta, bugs and/or false positive detections should be expected. Feedback welcome!

    Available from https://www.trustprobe.com/fs1/apps.html
     
    Last edited: May 21, 2019
  2. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    77
    Location:
    USA
    Another forensic toolbox winner. Thanks!

    FYI: I get a handshake failure for www.go.com and ping timeout for that as well. It redirects to just plain ol' go.com in the browser. Fixed with top100.txt edit.

    I determined one can build one's own list as long as the file is named top100.txt.

    Future feature requests: window sizing, csv report export.
     
    Last edited: May 21, 2019
  3. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    879
  4. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    245
    Likely to be false positives - Could you post the thumbprints for these 2 detections? (Copying text to the clipboard is not possible yet, so I would suggest posting a screenshot)
     
  5. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    844
    Location:
    Baden Germany
    MiM.jpg Same here, see screenshot.
     
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    77
    Location:
    USA
    Not seeing that here. Different Root CAs...

    WildersMITMchkr.jpg
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    Same here. Did as you and changed to go.com.

    Also no alerts here on those two URLs.

    -EDIT- Do you use Comodo for anything; firewall, etc.?

    Great tool! Kudos on your work.
     
    Last edited: May 21, 2019
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    Forgot to mention that there is no issue with SSL/TLS protocol scanning by AV; at least with Eset.
     
  9. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    879
    No, I do not.
     
  10. guest

    guest Guest

    SSL-Eye is the one I used to use.
     
  11. svenfaw

    svenfaw Registered Member

    Joined:
    May 7, 2012
    Posts:
    245
    The COMODO ECC detections reported above are false positives. This issue should be fixed in the latest build, available now (v0.39b).
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    Could never use it. Eset flagged it as malware.
     
  13. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    879
    My router firewall blocks the download site for MITM Checker...
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    That's strange. My won't won't block any incoming stateful traffic unless it was an IDS detection, ping, etc..
     
  15. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    879
    Looks like it is hosted on a shared server with several malicious “neighbors”:

    https://otx.alienvault.com/indicator/ip/213.186.33.17
     
  16. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    879
    Gone indeed.

    99 OK now. Keep getting handshake errors for wp.com though.
     
  17. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    976
    Everything good and I run CFW.
     

    Attached Files:

  18. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,851
    Location:
    Poland - Cracow
    Hi...I tried MITM Checker on XP and received two alerts (on screenshot) and a lot of "Handshake failure"...why is that?
    190523191216_1.jpg
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,359
    Location:
    U.S.A. (South)
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    My best guess is since you're using XP that isn't supported anymore, its root CA store certificates haven't been updated in ages. For example, www.tinyurl.com uses a Comodo; i.e. AddTrust root certificate.
     
  21. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,851
    Location:
    Poland - Cracow
    Yes...it's reasonable explanation and you are perhaps right. Thanks.
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,539
    Location:
    Italy
    No alerts.
    I should have the updated CA store certificates root.

    700.JPG

    These results with Windows XP Home.
     
    Last edited: May 25, 2019
  23. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    879
    Exact same result after upgrading to Windows 10 May 2019 Update (1903).
     
  24. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,156
    Location:
    UK
    I got 59 handshake failures on xp as well
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,539
    Location:
    Italy
    @svenfaw

    Can I get 0 Handshake failure?
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.