Last active
January 31, 2018 14:12
-
-
Save ericlaw1979/6dd32babc67233b62a30 to your computer and use it in GitHub Desktop.
Integrate a CRT.SH tab into Fiddler to show diagnostic information about the server's (or executable's) certificate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Click Rules > Customize Rules. Inside the HANDLERS class, add the following block: | |
| public BindUITab("CertInfo", "<html>") | |
| static function CRTSHReport(arrSess: Session[]):String { | |
| if ((arrSess.Length != 1) || | |
| ( !arrSess[0].isTunnel && | |
| !(arrSess[0].bHasResponse && | |
| (arrSess[0].responseBodyBytes.Length > 2) && | |
| (arrSess[0].responseBodyBytes[0] == 0x4d) && | |
| (arrSess[0].responseBodyBytes[1] == 0x5a)) | |
| ) | |
| ) | |
| { | |
| return "<html style=\"font-family: 'Segoe UI'; width:100%; height: 100%; background-color: #F1EDED\"><body style='align:center; vertical-align:middle'><div style=\"height: 100%; margin-top: 80px; text-align: center; vertical-align:middle;\" >Please select a single CONNECT tunnel (or signed executable) to view details about the signing certificate.</div></body></html>"; | |
| } | |
| var s = arrSess[0].GetResponseBodyAsString(); | |
| if (s.StartsWith("MZ")) | |
| { | |
| var oCert: X509Certificate2; | |
| try | |
| { | |
| oCert = new X509Certificate2(arrSess[0].responseBodyBytes); | |
| return "<h1>Authenticode Signature</h1><plaintext>" + oCert.ToString() + "\r\n[Certificate Signature Algorithm]\r\n " + oCert.SignatureAlgorithm.FriendlyName+"\r\n"; | |
| } | |
| catch (e) | |
| { | |
| return "This executable does not appear to be code-signed."; | |
| } | |
| } | |
| if (!s.Contains("[Thumbprint]")) | |
| { | |
| return "<html style=\"font-family: 'Segoe UI'; width:100%; height: 100%; background-color: #F1EDED\"><body style='align:center; vertical-align:middle'><div style=\"height: 100%; margin-top: 80px; text-align: center; vertical-align:middle;\" >This CONNECT tunnel does not have a thumbprint.</div></body></html>"; | |
| } | |
| s=Utilities.TrimBefore(s, "[Thumbprint]\r\n"); | |
| s=Utilities.TrimAfter(s, "\r\n"); | |
| s=s.Trim(); | |
| if (s.Length != 40) | |
| { | |
| return "Error in parsing thumbprint: <plaintext>" + s; | |
| } | |
| var sHTML = "<html style=\"font-family: 'Segoe UI'; width:100%; height: 100%; background-color: #F1EDED\">" + | |
| "<body><iframe style='border:0; height=100%; width=100%;' src='https://crt.sh/?q=" + s + "'></iframe></body></html>"; | |
| return sHTML; | |
| } |
Add import System.Security.Cryptography.X509Certificates; at the top of your script
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Note: This ugly dirty hackery relies on the fact that Fiddler (when HTTPS decryption is enabled) includes information about the server's certificate in the "response" displayed for the CONNECT tunnel. The script simply parses that string and pulls out the certificate SHA1 thumbprint, then forwards that off to the CRT.sh service.
If you have HTTPS decryption disabled in Fiddler, it won't work (because Fiddler doesn't pull the certificate information into the UI in that case).