Nogotofail released: a network security testing tool designed to help developers and security researchers.
Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way. It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and more.
Design Goals:
Nogotofail was designed to be an automated, powerful, flexible and scalable tool for testing for network security issues on any device whose network traffic can be made to go through it. Why use nogotofail? In these cases:
– Finding bugs and vulnerabilities.
– Verifying fixes and watching for regressions.
– Understanding what applications and devices are generating what traffic.
Nogotofail is centered around an on-path man-in-the-middle tool written in Python, with an optional client application that provides additional attribution and configuration support.
Man in the Middle:
The core of nogotofail is the on-path network MiTM, nogotofail.mitm, which intercepts TCP traffic. It is designed primarily to run on path and centers around a set of handlers for each connection; these handlers are responsible for actively modifying traffic to test for vulnerabilities or passively looking for issues. nogotofail is completely port agnostic: it detects vulnerable traffic using deep packet inspection (DPI) rather than port numbers. Because it uses DPI, it can also test TLS/SSL traffic in protocols that use STARTTLS.
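The port-agnostic DPI described above, as an added illustration that is not nogotofail's own code: a small Python 3 parser (the page's tool targets Python 2.7; Python 3 is an assumption here) that recognises a TLS ClientHello from its record header and pulls out the SNI hostname, so a connection is classified by its bytes rather than by destination port. The ClientHello builder exists only to construct sample input.

```python
import struct

def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record with one SNI entry (sample input only)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type + name
    sni = struct.pack("!H", len(entry)) + entry                    # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 0x16 = handshake

def parse_client_hello(data):
    """Return the SNI hostname ("" if absent) if data starts with a complete ClientHello, else None."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[5] != 0x01:
        return None                                            # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    if len(data) < 5 + rec_len or hs_len + 4 > rec_len:
        return None                                            # truncated or inconsistent lengths
    hs = data[9:9 + hs_len]
    try:
        p = 34 + 1 + hs[34]                                    # skip version, random, session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]           # cipher_suites
        p += 1 + hs[p]                                         # compression_methods
        if p + 2 > len(hs):
            return ""                                          # no extensions block (legacy client)
        end = min(p + 2 + struct.unpack("!H", hs[p:p + 2])[0], len(hs))
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:                       # server_name: list_len(2) type(1) name_len(2)
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        return None                                            # malformed handshake body
    return ""

def classify(first_bytes):
    """Label the start of a client's TCP stream by content alone, never by port."""
    sni = parse_client_hello(first_bytes)
    if sni is not None:
        return ("tls", sni)
    if first_bytes.upper().startswith(b"STARTTLS"):          # plaintext upgrade request (e.g. SMTP)
        return ("starttls", None)
    return ("cleartext", None)
```

Applied to the client bytes that follow a STARTTLS exchange, the same parser marks the point where the cleartext session turns into TLS.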
Nogotofail depends only on Python 2.7 and pyOpenSSL>=0.13. The MiTM is designed to work on Linux machines and the transparent traffic capture modes are Linux specific and require iptables as well.
Before running nogotofail there are some files you’ll need to create or provide.
::MiTM Server certificate::
The connection between clients and the MiTM is protected by a self-signed certificate. When the client first connects, the user will be prompted with the certificate's fingerprint and asked whether the server should be trusted.
For example, the OpenSSL command to generate such a certificate is:
Note: proxychains doesn’t support IPv6 so force IPv4 with -4.
::Getting on path::
Now that you’ve set up nogotofail and seen how it runs, the next step is to put it in a setup where you can use it on path. Nogotofail was designed to work anywhere on path, so you have a lot of flexibility in deployment. Here are a few ways we have deployed nogotofail in our testing. Setting up these deployments is beyond the scope of this document, but there is plenty of open documentation out there on how to set up machines in these configurations.
Run nogotofail on an actual router. This has the benefit of being completely transparent to the clients, as they simply connect through the router as usual. Unfortunately, setting up a router can be somewhat painful and router hardware tends to be a bit limited. nogotofail.mitm’s only dependency is pyOpenSSL >=0.13, so it isn’t hard to configure a router that can run nogotofail.
Run nogotofail on a Linux machine with two network interfaces. This is transparent like the router case but easier to set up. You will want one interface connected to the Internet and the other to the client. You will need to run dnsmasq to handle DNS and DHCP for the client. If your machine supports it you can use WiFi to connect the clients, but that requires your WiFi driver to support AP mode.
Another option, easier to set up but less transparent, is to run nogotofail.mitm on a VPN server and have the clients connect over the VPN. We recommend OpenVPN, as there is plenty of documentation on how to set up an OpenVPN server. Our main setup has been OpenVPN running on a Google Compute Engine instance.
::Testing Android::
For testing Android devices we have included our Android client ready to be imported into Eclipse. You will have to build the app and install it on your test device.
For testing you can use the nogotofail access-point setups, or on devices running Android Jelly Bean (JB) or newer you can use the OpenVPN setup and a third-party VPN application to route your traffic.