Nogotofail released: a network security testing tool designed to help developers and security researchers.

Nogotofail is a network security testing tool designed to help developers and security researchers spot and fix weak TLS/SSL connections and sensitive cleartext traffic on devices and applications in a flexible, scalable, powerful way. It includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and more.
Design Goals:
Nogotofail was designed to be an automated, powerful, flexible and scalable tool for testing for network security issues on any device whose network traffic can be made to go through it. Why use nogotofail? In these cases:
– Finding bugs and vulnerabilities.
– Verifying fixes and watching for regressions.
– Understanding what applications and devices are generating what traffic.

Nogotofail is centered around an on-path man-in-the-middle tool written in Python, with an optional client application that provides additional attribution and configuration support.

Man in The Middle:
The core of nogotofail is the on-path network MiTM named nogotofail.mitm, which intercepts TCP traffic. It is designed primarily to run on path and centers around a set of handlers for each connection, which are responsible for actively modifying traffic to test for vulnerabilities or for passively looking for issues. nogotofail is completely port agnostic: it detects vulnerable traffic using deep packet inspection (DPI) rather than port numbers. Because it uses DPI, it is also capable of testing TLS/SSL traffic in protocols that use STARTTLS.
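To illustrate what port-agnostic detection means in practice, here is a small added example (not nogotofail's own code, and written for Python 3) that labels client-to-server data by its content alone. The function names and the sample sessions are assumptions constructed for this illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def is_tls_client_hello(data):
    """True if data begins with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    # ContentType 22 = handshake; record versions 3.0-3.4 cover SSLv3 to TLS 1.3.
    if ctype != 0x16 or major != 3 or minor > 4:
        return False
    # A plaintext record carries 1..2^14 bytes; byte 5 is the handshake type.
    return 0 < length <= 2 ** 14 and data[5] == 0x01


def classify_client_stream(chunks):
    """Label each client-to-server chunk by content, never by port number."""
    labels = []
    for chunk in chunks:
        command = chunk.split(b"\r\n", 1)[0].strip().upper()
        if is_tls_client_hello(chunk):
            labels.append("tls-client-hello")
        elif chunk.startswith(HTTP_METHODS):
            labels.append("cleartext-http")
        elif command == b"STARTTLS" or command.endswith(b" STARTTLS"):
            # SMTP sends "STARTTLS"; IMAP prefixes a tag, e.g. "a1 STARTTLS".
            labels.append("starttls-request")
        else:
            labels.append("other")
    return labels


# Constructed sample: a minimal ClientHello prefix (record header + handshake type).
SAMPLE_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])
# Constructed SMTP session that upgrades with STARTTLS before the TLS handshake.
SMTP_SESSION = [b"EHLO client.example\r\n", b"STARTTLS\r\n", SAMPLE_HELLO]
# Constructed cleartext HTTP request, as it might be sent to a non-standard port.
ODD_PORT_HTTP = [b"GET /login?user=a HTTP/1.1\r\nHost: app.example\r\n\r\n"]

if __name__ == "__main__":
    print(classify_client_stream(SMTP_SESSION))
    print(classify_client_stream(ODD_PORT_HTTP))
```

The SMTP session shows why inspection has to continue past the first bytes of a connection: the TLS handshake only appears after the STARTTLS command.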
Dependencies:
Nogotofail depends only on Python 2.7 and pyOpenSSL>=0.13. The MiTM is designed to work on Linux machines and the transparent traffic capture modes are Linux specific and require iptables as well.

::Getting Started::
Before running nogotofail there are some files you’ll need to create or provide.

::MiTM Server certificate::
The connection between clients and the MiTM is protected by a self-signed certificate. When the client first connects, the user will be prompted with the fingerprint and asked if the server should be trusted.
For example the OpenSSL command to generate such a certificate is:

Here is a quick walkthrough of running and testing the MiTM locally.
First, start the MiTM running as a SOCKS5 proxy.

Now you can connect through the SOCKS proxy using a tool like tproxy or proxychains. For this example we’ll use proxychains with the config:

Now let’s run wget using proxychains.

Note: proxychains doesn’t support IPv6 so force IPv4 with -4.

Now, let’s try again but this time with the Linux nogotofail client.

Now let’s look at a basic SSL MiTM attack, using wget.
First, let’s re-run the client and tell the MiTM to always run a simple self-signed certificate attack:

::Getting on path::
Now that you’ve set up nogotofail and seen how it runs, the next step is to put it in a setup where you can use it on path. Nogotofail was designed to work anywhere on path, so you have a lot of flexibility in deployment. Here are a few ways we have deployed nogotofail in our testing. Setting up these deployments is beyond the scope of this document, but there is plenty of open documentation out there for how to set up machines in these configurations.
– Run nogotofail on an actual router. This has the benefit of being completely transparent to the clients, as they simply connect through the router as usual. Unfortunately setting up a router can be somewhat painful and router hardware tends to be a bit limited. nogotofail.mitm’s only dependency is pyOpenSSL>=0.13, so it isn’t hard to configure a router that can run nogotofail.
– Run nogotofail on a Linux machine with two network interfaces. This is transparent like the router case but easier to set up. You will want one interface connected to the Internet and the other to the client. You will need to run dnsmasq to handle DNS and DHCP for the client. If your machine supports it you can use WiFi to connect the clients, but that requires your WiFi driver to support AP mode.
– Another option, which is easier to set up but less transparent to the client, is to run nogotofail.mitm on a VPN server and have the clients connect over the VPN. We recommend OpenVPN as there is lots of documentation for how to set up an OpenVPN server. Our main setup has been OpenVPN running on a Google Compute Engine instance.

::Testing Android::
For testing Android devices we have included our Android client, ready to be imported into Eclipse. You will have to build the app and install it on your test device.
For testing you can use the access point nogotofail setups, or on devices >=JB (Jelly Bean) you can use the OpenVPN setup and a third-party VPN application to route your traffic.

::Useful arguments::
python -m nogotofail.mitm --help
