ratched is a Man-in-the-Middle (MitM) proxy that specifically intercepts TLS connections. It is intended to be used in conjunction with the Linux iptables REDIRECT target: all connections that should be intercepted are redirected to the local ratched port. Through the SO_ORIGINAL_DST socket option, ratched determines the intended destination (as it was before iptables packet mangling) and tries to establish a connection to the original target.
What sets it apart from other MitM software:
+ ratched does not intercept traffic indiscriminately. It first waits for the TLS client to send its ClientHello, parses it, and decides by the Server Name Indication (SNI) TLS extension whether the target should be intercepted or not. This is particularly useful with virtual hosting, where you only want to intercept connections to one specific hostname.
+ ratched is not intended to sniff passwords; it only dumps the traffic into a PCAPNG file. The PCAPNG format was chosen because it allows connections to be annotated with comments (in particular, which hostname was indicated in the SNI extension) and allows name resolution information to be embedded in the capture file (again, to map the target IP address to the SNI extension's hostname).

Dependencies:
+ OpenSSL v1.1
Usage and install:
Install OpenSSL v1.1 from source on a Debian/Ubuntu base system, then fetch ratched and set up the redirect:
tar xzvf openssl-1.1.0e.tar.gz && cd openssl-1.1.0e   # tarball assumed to be downloaded already
./config && make                                       # standard OpenSSL source build
sudo make install
git clone https://github.com/johndoe31415/ratched && cd ratched
iptables -t nat -A PREROUTING -p tcp -s 192.168.1.7 --dport 443 -j REDIRECT --to-ports 9999   # send this client's HTTPS traffic to ratched listening on local port 9999