@kennwhite
Forked from withzombies/opendns mitm
Created October 21, 2016 18:44
opendns is man-in-the-middling me
$ dig calendar.google.com @208.67.222.222
; <<>> DiG 9.8.3-P1 <<>> calendar.google.com @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19048
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;calendar.google.com. IN A
;; ANSWER SECTION:
calendar.google.com. 0 IN A 146.112.61.106
;; Query time: 5 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 21 14:22:59 2016
;; MSG SIZE rcvd: 53
$ openssl s_client -connect 146.112.61.106:443
CONNECTED(00000003)
depth=2 /CN=Cisco Umbrella Primary SubCA/O=Cisco
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
   i:/CN=Cisco Umbrella Secondary SubCA nyc-SG/O=Cisco
 1 s:/CN=Cisco Umbrella Secondary SubCA nyc-SG/O=Cisco
   i:/CN=Cisco Umbrella Primary SubCA/O=Cisco
 2 s:/CN=Cisco Umbrella Primary SubCA/O=Cisco
   i:/CN=OpenDNS Root CA 1/C=US/O=OpenDNS, Inc.
---
Server certificate
subject=/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer=/CN=Cisco Umbrella Secondary SubCA nyc-SG/O=Cisco
---
No client certificate CA names sent
---
SSL handshake has read 2920 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 1EC6193DFD8D4BA12652D7894B279DA393D68CF2D38BA975B880EBFD148EC64B
Session-ID-ctx:
Master-Key: DE857F4B73C4973DB6C7B70085BEB28E477FFD04D41BA93EAA671E6783C343051B44188AD551CB3BABD33671B9200343
Key-Arg : None
Start Time: 1477074181
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
@mransley

You probably worked this out (it just freaked me out), but when you hit a blocked page over HTTP, OpenDNS will return the page back to you with a certificate signed by this Cisco thing, which is by default not trusted. Hence the error.

Yes, it is a man-in-the-middle attack... but you are using OpenDNS for your DNS...
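As an added example (not part of the gist and not anything OpenDNS ships), a Python check that parses the two outputs above and flags the tell-tale signs of a synthesized answer: the zero TTL on the A record and a leaf certificate whose CN does not cover the queried name, with the issuer CNs collected for triage. The sample strings are abridged copies of the transcript; matching on CN rather than the SAN extension is an assumption forced by s_client's one-line chain summary.

```python
import re
# Constructed sample input: abridged copies of the dig and openssl s_client output above.
DIG_OUT = """;; ANSWER SECTION:
calendar.google.com. 0 IN A 146.112.61.106
"""
SCLIENT_OUT = """Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
   i:/CN=Cisco Umbrella Secondary SubCA nyc-SG/O=Cisco
 1 s:/CN=Cisco Umbrella Secondary SubCA nyc-SG/O=Cisco
   i:/CN=Cisco Umbrella Primary SubCA/O=Cisco
 2 s:/CN=Cisco Umbrella Primary SubCA/O=Cisco
   i:/CN=OpenDNS Root CA 1/C=US/O=OpenDNS, Inc.
"""
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)$", re.M)
CHAIN_ENTRY = re.compile(r"^\s*\d+ s:(.+)\n\s*i:(.+)$", re.M)

def parse_dig_answers(text):
    """(owner name, ttl, address) for each A record in a dig ANSWER SECTION."""
    return [(n.rstrip("."), int(ttl), a) for n, ttl, a in A_RECORD.findall(text)]

def parse_chain(text):
    """(subject DN, issuer DN) for each entry of an s_client 'Certificate chain'."""
    return CHAIN_ENTRY.findall(text)

def cn_of(dn):
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1) if m else ""

def name_matches(pattern, host):
    """RFC 6125 style: '*' may only stand for the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # no '*.com' style wildcards
    return p == h

def assess(qname, dig_text, sclient_text):
    """Flag signs of a synthesized answer: a TTL of 0 and a leaf cert whose CN does
    not cover qname (CN only, since s_client's chain summary shows no SANs)."""
    answers = parse_dig_answers(dig_text)
    chain = parse_chain(sclient_text)
    leaf_cn = cn_of(chain[0][0]) if chain else ""
    return {
        "answers": answers,
        "zero_ttl": any(ttl == 0 for _, ttl, _ in answers),
        "leaf_cn": leaf_cn,
        "name_mismatch": bool(chain) and not name_matches(leaf_cn, qname),
        "issuer_cns": [cn_of(issuer) for _, issuer in chain],
    }
```

Run it with `assess("calendar.google.com", DIG_OUT, SCLIENT_OUT)`; against a live resolver you would feed it real `dig` and `s_client` output for the name you care about.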
