
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# SSL utilities
#
# Author:
#  Dirk-jan Mollema (@_dirkjan) / Fox-IT (https://www.fox-it.com)
#
# Description:
#  Various functions and classes for SSL support:
#  - generating certificates
#  - creating SSL capable SOCKS protocols
#
# Most of the SSL generation example code comes from the pyopenssl examples
# https://github.com/pyca/pyopenssl/blob/master/examples/certgen.py
#
# Made available under the Apache license by the pyopenssl team
# See https://github.com/pyca/pyopenssl/blob/master/LICENSE

import os

from OpenSSL import crypto, SSL

from impacket import LOG


# This certificate is not supposed to be exposed on the network
# but only used for the local SOCKS plugins
# therefore, for now we don't bother with a CA and with hosts/hostnames matching

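def generateImpacketCert(certname='/tmp/impacket.crt'):
    """Generate a self-signed certificate and write it, with its key, to one PEM file.

    A fresh 2048-bit RSA key is created, a certificate with CN ``impacket``
    valid for five years is signed with that same key using SHA-256, and the
    private key followed by the certificate is written to ``certname``.

    The output file contains the private key, so it is created with owner-only
    permissions (0600) instead of inheriting the process umask. The default
    location is a shared temporary directory, so the final path component is
    not followed if it is a symbolic link (where the platform supports
    ``O_NOFOLLOW``), and the mode is re-applied in case the file already
    existed with wider permissions.

    :param certname: path of the PEM file to create or overwrite.
    :raises OSError: if the file cannot be opened or its mode cannot be
        restricted (for example when the path is a symlink or the existing
        file belongs to another user).
    """
    # Create a private key
    pkey = crypto.PKey()
    pkey.generate_key(crypto.TYPE_RSA, 2048)

    # Create the certificate
    cert = crypto.X509()
    cert.gmtime_adj_notBefore(0)
    # Valid for 5 years
    cert.gmtime_adj_notAfter(60*60*24*365*5)
    subj = cert.get_subject()
    subj.CN = 'impacket'
    cert.set_pubkey(pkey)
    cert.sign(pkey, "sha256")

    # Key and certificate go to the same file. Open it with an explicit 0600
    # mode so the private key is never readable by other local users.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, 'O_NOFOLLOW', 0)
    fd = os.open(certname, flags, 0o600)
    with os.fdopen(fd, 'w') as certfile:
        # The mode passed to os.open() only applies to newly created files;
        # tighten a pre-existing file too. fchmod is not available everywhere.
        if hasattr(os, 'fchmod'):
            os.fchmod(fd, 0o600)
        certfile.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey).decode('utf-8'))
        certfile.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf-8'))
    LOG.debug('Wrote certificate to %s', certname)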


# Class to wrap the client socket in SSL when serving as a SOCKS server

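class SSLServerMixin(object):
    """Mixin that wraps the SOCKS client socket in an SSL/TLS server-side layer.

    The host class is expected to provide ``self.socksSocket``, which is
    replaced by the wrapped connection.
    """

    def wrapClientConnection(self, cert='/tmp/impacket.crt'):
        """Wrap ``self.socksSocket`` in an SSL connection set to accept state.

        The private key and certificate are both loaded from ``cert``. If
        loading raises ``SSL.Error``, a new self-signed certificate is
        generated at that path with ``generateImpacketCert`` and loaded.

        :param cert: path of the PEM file holding both the key and the certificate.
        """
        # SSLv23_METHOD leaves protocol version selection to OpenSSL; no
        # minimum version is enforced here because the listener is only
        # intended for local use.
        # NOTE(review): if this socket can ever be reached from another host,
        # disable legacy protocols explicitly, e.g.
        # ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3).
        ctx = SSL.Context(SSL.SSLv23_METHOD)
        try:
            # NOTE(review): any parseable key/cert already present at this
            # path is used as-is; with the default shared temporary location,
            # confirm the file is owned by the current user.
            ctx.use_privatekey_file(cert)
            ctx.use_certificate_file(cert)
        except SSL.Error:
            # Report the path actually used rather than the default one.
            LOG.info('SSL requested - generating self-signed certificate in %s', cert)
            generateImpacketCert(cert)
            ctx.use_privatekey_file(cert)
            ctx.use_certificate_file(cert)

        sslSocket = SSL.Connection(ctx, self.socksSocket)
        # Server side of the handshake: wait for the client to start it.
        sslSocket.set_accept_state()

        # Now set this property back to the SSL socket instead of the regular one
        self.socksSocket = sslSocket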

66 sslSocket.set_accept_state() 

67 

68 # Now set this property back to the SSL socket instead of the regular one 

69 self.socksSocket = sslSocket