un-MTLS proxy is a simple proxy service that removes the mutual TLS authentication in front of some services. This is useful when a tool does not support mTLS.
⚠️ DO NOT RUN IT IN PRODUCTION ⚠️ This will kill the value added by mTLS.
NEVER EVER USE IT AGAINST PRODUCTION
It's not a tool for daily life, only a tool for when nothing else is possible and it is really required.
Do NOT use it if you don't know EXACTLY what you are doing!
My use case is penetration testing, when some tools do not support mTLS. But be careful of:
- What you are doing!
- Which interface you are binding!
- Who may access this interface!
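The interface caveat above, as an added example that is not part of this project's code: a Go guard that rejects any listen address reachable from outside the local machine, including the easy-to-miss empty host in ":8080". The helper name `checkLoopbackOnly` and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// checkLoopbackOnly is a hypothetical helper (not from unmtlsproxy).
// It returns an error unless addr ("host:port") can only be reached
// from the local machine.
func checkLoopbackOnly(addr string) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return fmt.Errorf("invalid listen address %q: %w", addr, err)
	}
	// An empty host (":8080") makes net.Listen bind every interface.
	if host == "" {
		return fmt.Errorf("%q binds all interfaces", addr)
	}
	// Literal IP: decide without touching the resolver.
	if ip := net.ParseIP(host); ip != nil {
		if !ip.IsLoopback() {
			return fmt.Errorf("%q is not a loopback address", addr)
		}
		return nil
	}
	// Hostname: every address it resolves to must be loopback.
	ips, err := net.LookupIP(host)
	if err != nil {
		return fmt.Errorf("cannot resolve %q: %w", host, err)
	}
	for _, ip := range ips {
		if !ip.IsLoopback() {
			return fmt.Errorf("%q resolves to non-loopback %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed sample addresses.
	samples := []string{"127.0.0.1:8080", "[::1]:8080", ":8080", "0.0.0.0:8080", "192.0.2.10:8080"}
	for _, a := range samples {
		fmt.Printf("%-18s -> %v\n", a, checkLoopbackOnly(a))
	}
}
```

Run the check on the address before the plaintext listener is opened, and treat any error as fatal.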
Note: it is based on github.com/PaloAltoNetworks/mtlsproxy but, honestly, the two do not have a lot in common, except:
- The architecture;
- The command line options;
- Some pieces of code;
- The dependencies.
Thus, I deleted the "Fork" status on GitHub.
Just run:
go install github.com/ajabep/unmtlsproxy@latest
See the ./example/ directory.
Multiple ways are possible:
- The classic environment variables work well!
- Using proxychains should also work.
- Now, it removes the mTLS layer. Actually, all the TLS part is removed.
- Added some options to ease debugging.
- The Docker version is no longer available: it is not useful for penetration testing, and I don't want to encourage this being used to expose a service.
Check all the known issues... in the issue section of the GitHub repo!
The answer my client receives is net/http: HTTP/1.x transport connection broken: malformed HTTP status code "response"
The server may support only HTTP/0.9, or is not an HTTP server. Try to use the TCP mode.
The private key encryption (RFC 1423) is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.
Also, if the private key is accessible by someone else on your disk, a simple ps auxe would help them extract the password, so it provides no better security than a good MAC.
In other words, it just gives you the feeling of being secure. Nothing more.