Extracts SNIs from a pcap and generates output usable in the `etc/hosts` file and a Burp config for proxying non-proxy-aware thick clients that use HTTPS.
Quickstart
- `go get github.com/parsiya/extract-sni`
- Capture traffic for an application and store it in a pcap file.
- `go run extract-sni.go whatever.pcap -output report`
- Open `report.html` to view the instructions.
- Some text should be copied to `etc/hosts` to redirect traffic to Burp.
- Import `report.json` in Burp as the project config to set up proxy listeners and hostname resolution.
- ???
- Profit
No, Really? How do I Use This?
You have a non-proxy-aware thick client that uses HTTPS. This means it ignores the Windows proxy settings (or any other proxy settings) and does not send the CONNECT request.
Read these blog posts to get started:
- If the application uses HTTPs then we can process SNI
Why?
Because Manual Work is a Bug. This program automates some of the process.
Pre-requisites
You need Burp. Both the pro and community versions work. Other proxy tools (Fiddler, ZAP, etc.) might work with modification, but the config file is created for Burp.
npcap Must be Installed
On Windows, you need to install npcap for Golang's pcap library to work. Be sure to check "Install Npcap in WinPcap API-compatible Mode" in the installer (it's enabled by default).
I have not tested this tool on other operating systems.
Usage
The only required parameter is the pcap file. Running `extract-sni traffic.pcap` will create a report named `traffic.html` and a Burp config file named `traffic.json` in the same path as the pcap file. Use `-h` or `--help` to see the complete usage.
pcap file
Pass the pcap file. This is a positional parameter and the only required one.
`extract-sni.go whatever.pcap`
DNS -d/-dns
Optional DNS server for domain lookup. If this parameter is not provided, the application uses the destination IP address from the pcap file for each domain. If provided, the DNS server will be used to do lookups. The value can be a complete `server:port` like `dns.google:53`, or `IP:port` like `8.8.8.8:53`. The port is optional and defaults to `53`, so both `8.8.8.8` and `dns.google` are valid values.
The application does some validation checks here, but it's mostly the responsibility of the user to pass a valid and reachable DNS server.
Redirect IP -r/-redirectip
The IP address that you want the traffic to be redirected to. This is used in two places:
- The `hosts` file.
- The Burp proxy listener will listen on this IP address.
For most use cases this parameter does not need to be provided and the default value `127.0.0.1` is good enough.
Note: Only use IP addresses here, not domains like `example.net` or `localhost`.
Output -o/-output
The path of the report. The report contains the instructions on how to set everything up. The Burp config file will appear in the same path but with the `json` extension. Any extension here will be ignored. For example, `-o report.txt` will result in two files:
- `report.html`: Report with instructions.
- `report.json`: Burp config file.
If this parameter is not used, the name of the pcap file is used. For example, `extract-sni app-capture.pcap` creates `app-capture.html` and `app-capture.json` in the same path as the pcap file.
Limitations
The tool does not do everything.
- You need to create the pcap. Use Wireshark or Netmon.
- You need to filter the noisy traffic. In Wireshark, you can filter the traffic, and in Netmon you can capture traffic for specific processes.
- You need to bypass any certificate pinning.
  - Usually, adding Burp's CA to the Windows certificate store is enough.
- The config is for Burp. You could probably replicate it for other proxies, but I only use Burp.
- If there is no SNI header in the `ClientHello`, the tool cannot determine the endpoint. This is usually the case when the application uses an IP address to target the endpoint.
- Similarly, the `hosts` file cannot redirect IP addresses, only domains.
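The SNI check above, as an added Go example that is not code from the extract-sni project: `extractSNI` walks one TLS handshake record (the bytes a pcap parser would hand over) and returns the host_name from the server_name extension, reporting the no-SNI case as a distinct `ErrNoSNI` so a caller can tell "endpoint unknown" apart from a malformed record. The `clientHello` builder only constructs sample records; all function and variable names are assumed.

```go
package main

import "encoding/binary"
import "errors"

// ErrNoSNI is the README's "no SNI header" case: the endpoint cannot be determined.
var ErrNoSNI = errors.New("ClientHello carries no server_name extension")
// extractSNI returns host_name from the server_name extension (RFC 6066) of the
// ClientHello carried in the TLS handshake record rec (field layout per RFC 5246).
func extractSNI(rec []byte) (name string, err error) {
	defer func() { // any out-of-range read below means a truncated record
		if recover() != nil {
			name, err = "", errors.New("truncated ClientHello")
		}
	}()
	if rec[0] != 0x16 || rec[5] != 0x01 { // handshake record carrying a ClientHello
		return "", errors.New("not a TLS ClientHello record")
	}
	u16 := func(off int) int { return int(binary.BigEndian.Uint16(rec[off:])) }
	off := 5 + 4 + 2 + 32    // record header, handshake header, client_version, random
	off += 1 + int(rec[off]) // session_id
	off += 2 + u16(off)      // cipher_suites
	off += 1 + int(rec[off]) // compression_methods
	if off == len(rec) {
		return "", ErrNoSNI // ClientHello ends without an extensions block
	}
	end := off + 2 + u16(off)
	for off += 2; off+4 <= end; {
		extType, extLen := u16(off), u16(off+2)
		body := rec[off+4 : off+4+extLen]
		off += 4 + extLen
		// server_name: list length(2), name_type(1) with 0 = host_name, length(2), name
		if extType == 0 && body[2] == 0 {
			return string(body[5 : 5+int(binary.BigEndian.Uint16(body[3:]))]), nil
		}
	}
	return "", ErrNoSNI
}

// clientHello builds a constructed test record (names under 256 bytes); "" omits SNI.
func clientHello(sni string) []byte {
	body := append(append([]byte{3, 3}, make([]byte, 32)...), 0, 0, 2, 0x13, 0x01, 1, 0)
	if sni != "" {
		sn := append([]byte{0, byte(len(sni) + 3), 0, 0, byte(len(sni))}, sni...)
		ext := append([]byte{0, 0, 0, byte(len(sn))}, sn...)
		body = append(append(body, 0, byte(len(ext))), ext...)
	}
	hs := append([]byte{1, 0, byte(len(body) >> 8), byte(len(body))}, body...)
	return append([]byte{0x16, 3, 1, byte(len(hs) >> 8), byte(len(hs))}, hs...)
}
```

Names that come back can be written straight into the `hosts` lines the README describes; records that return `ErrNoSNI` are the ones that need a different approach, since `hosts` cannot redirect bare IP addresses.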
Questions
- Why doesn't it capture pcaps, too?
  - It's a small tool that does one thing. Feature creep is bad.
  - It's easier to filter the traffic and reduce noise with Wireshark or Netmon.
Troubleshooting
My Output File is Noisy
Your pcap is noisy. Try to filter as much unrelated traffic as you can. I use the techniques described in Network Traffic Attribution on Windows:
I usually use Microsoft Network Monitor or Netmon. With Netmon you can filter traffic by process. However, this adds an extra step. Netmon's cap file must be converted to pcap using Wireshark (or other tools). Keep in mind that sometimes Wireshark cannot convert cap files to pcap.
Error: `Couldn't load wpcap.dll`
npcap is not installed. See the npcap section above for more info.
Samples
See a report sample:
The screenshot from a report:
License
Open-sourced under the MIT license. See the LICENSE file for details.