Skip to content

Instantly share code, notes, and snippets.

@felixhammerl
Last active June 24, 2024 14:58
Show Gist options
  • Save felixhammerl/61e096924af34e91b43a930f36d3e1f9 to your computer and use it in GitHub Desktop.
Save felixhammerl/61e096924af34e91b43a930f36d3e1f9 to your computer and use it in GitHub Desktop.
MitM TLS encrypted traffic in macOS using SSLKEYLOGFILE

Option 1: Via macOS environment variable:

  1. mkdir -p ~/Library/LaunchAgents
  2. Put tlskeylogger.plist at ~/Library/LaunchAgents/tlskeylogger.plist
  3. launchctl load ~/Library/LaunchAgents/tlskeylogger.plist, so it will load on the next restart
  4. launchctl start ~/Library/LaunchAgents/tlskeylogger.plist, so it will load the environment variable immediately
  5. Restart your browser(s)
  6. See how TLS keys are being written to ~/.tlskeyfile via tail -f ~/.tlskeyfile

NB: This may be hit or miss and many apps do not respect the env var.

Option 2 (recommended): Via mitmproxy:

Install xbar (the bitbar successor), use this plugin to toggle the macOS proxy settings for 8080, which is used by Burp and mitmproxy

SSLKEYLOGFILE=~/.tlskeyfile mitmproxy

The certificate for mitmproxy will be generated on install and can be retrieved from http://mitm.it when everything is up and running.

If you are trying to intercept a process running as root, you MUST trust the cert as root

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "path/to/mitmproxy-ca-cert.pem"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>sslkeylogger</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c</string>
<string>
launchctl setenv SSLKEYLOGFILE ~/.tlskeyfile
</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
@nsrCodes
Copy link

In option 1, the launch ctl commands seem incorrect. I tried to do that but I get the following errors

image

@felixhammerl
Copy link
Author

felixhammerl commented Jun 21, 2024

i just tried it:

➜  ~ mkdir -p ~/Library/LaunchAgents
➜  ~ vim ~/Library/LaunchAgents/tlskeylogger.plist
➜  ~ launchctl load ~/Library/LaunchAgents/tlskeylogger.plist
➜  ~ launchctl start ~/Library/LaunchAgents/tlskeylogger.plist

(... relaunch firefox ...)

➜  ~ tail -f ~/.tlskeyfile
CLIENT_HANDSHAKE_TRAFFIC_SECRET (... redacted ...)
SERVER_HANDSHAKE_TRAFFIC_SECRET (... redacted ...)
CLIENT_TRAFFIC_SECRET_(... redacted ...)
SERVER_TRAFFIC_SECRET_(... redacted ...)
EXPORTER_SECRET (... redacted ...)
CLIENT_HANDSHAKE_TRAFFIC_SECRET (... redacted ...)
SERVER_HANDSHAKE_TRAFFIC_SECRET (... redacted ...)
CLIENT_TRAFFIC_SECRET_(... redacted ...)
SERVER_TRAFFIC_SECRET_(... redacted ...)
EXPORTER_SECRET (... redacted ...)

not sure what is going wrong for you there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment