This toolkit provides comprehensive monitoring, analysis, and blocking capabilities for network telemetry sent by The Foundry's Nuke compositor on Linux. Key features: - Network monitoring scripts with automated alerts - Multi-tier blocking methods (hosts, firewall, namespace, AppArmor) - Detailed packet capture analysis and documentation - EULA legal analysis and privacy assessment - Sanitized example captures and comprehensive guides All sensitive data (personal IPs, usernames, packet captures) removed. Ready for public sharing on Gitea.
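#!/bin/bash
#
# Automated HTTPS decryption for Nuke telemetry
#
# Tries the mitmproxy method and points at the frida method (see
# INTERCEPTING-HTTPS.md, Method 3) as the fallback when Nuke pins its
# certificates.
#
# Usage:  ./decrypt_nuke_traffic.sh
# Env:    OUTPUT_DIR  where captures, proxy logs and the iptables backup go
#                     (defaults to the vault path below)
# Needs:  mitmproxy (mitmweb + mitmdump), iptables, sudo, and an Arch-style
#         trust store (/etc/ca-certificates/trust-source/anchors + update-ca-trust).
#
# Everything this script changes on the machine -- the background mitmweb,
# the nat OUTPUT REDIRECT rules and the mitmproxy CA in the system trust
# store -- is undone by cleanup(), which also runs from the EXIT trap when
# the script is interrupted or fails half-way. Leaving an interception CA
# trusted system-wide after the session is the one thing this script must
# never do, so the CA removal is tied to the same trap.

set -euo pipefail

OUTPUT_DIR="${OUTPUT_DIR:-$HOME/Documents/obsidian-vault/2-projects/Nuke-monitoring/dump/decrypted}"
TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)

readonly MITM_CA="$HOME/.mitmproxy/mitmproxy-ca-cert.pem"
readonly CA_ANCHOR="/etc/ca-certificates/trust-source/anchors/mitmproxy.crt"
readonly PROXY_PORT=8080   # mitmweb's transparent listener; REDIRECT target
readonly WEB_PORT=8081     # mitmweb's browser UI
readonly RULE="═══════════════════════════════════════════════════════"

# Foundry endpoints to redirect, as host:port. These are direct-IP rules
# only: anything Nuke reaches through other addresses goes around the proxy
# (the Results section explains how that shows up).
readonly -a REDIRECT_TARGETS=(
  "52.205.16.9:443"   # Honeycomb (api.honeycomb.io)
  "52.50.232.31:443"  # learn.foundry.com
  "52.50.232.31:80"   # learn.foundry.com, plain HTTP
)

# State that cleanup() has to undo. Every step records what it did here so
# that an abort in the middle only reverts what was actually applied.
MITMPROXY_PID=""
CA_INSTALLED=0
declare -a RULES_APPLIED=()
MITM_LOG=""
MITM_STDERR=""

#######################################
# Print a framed section title.
# Arguments: $1 - title text
#######################################
banner() {
  echo "$RULE"
  echo " $1"
  echo "$RULE"
}

#######################################
# Add or delete one REDIRECT rule for a host:port target.
# Arguments: $1 - "A" (append) or "D" (delete)
#            $2 - target as host:port
# Returns:   iptables' exit status
#######################################
redirect_rule() {
  local op=$1 target=$2
  local host=${target%:*} port=${target##*:}
  sudo iptables -t nat "-$op" OUTPUT -p tcp -d "$host" --dport "$port" \
    -j REDIRECT --to-port "$PROXY_PORT"
}

#######################################
# Undo everything recorded in the state variables above.
# Safe to call twice: each step clears its own record, and the EXIT trap is
# disarmed on first entry so an explicit call is not repeated at exit.
# Globals: MITMPROXY_PID, RULES_APPLIED, CA_INSTALLED (all reset)
#######################################
cleanup() {
  local rc=$? target
  trap - EXIT

  if [[ -n "$MITMPROXY_PID" ]]; then
    echo "Stopping mitmproxy..."
    kill "$MITMPROXY_PID" 2>/dev/null || true
    wait "$MITMPROXY_PID" 2>/dev/null || true   # non-zero (SIGTERM) is expected
    MITMPROXY_PID=""
  fi

  # Delete exactly the rules this run added instead of flushing the whole
  # nat OUTPUT chain: a flush would also drop rules that have nothing to do
  # with this script (e.g. the toolkit's own blocking rules).
  if (( ${#RULES_APPLIED[@]} > 0 )); then
    echo "Restoring iptables rules..."
    for target in "${RULES_APPLIED[@]}"; do
      redirect_rule D "$target" 2>/dev/null \
        || printf 'WARNING: could not remove redirect for %s\n' "$target" >&2
    done
    RULES_APPLIED=()
  fi

  if (( CA_INSTALLED )); then
    echo "Removing mitmproxy certificate from system trust store..."
    sudo rm -f -- "$CA_ANCHOR" 2>/dev/null || true
    sudo update-ca-trust 2>/dev/null || true
    CA_INSTALLED=0
  fi

  echo "✓ Cleanup complete"
  echo ""
  return "$rc"
}
trap cleanup EXIT

#######################################
# Abort with install instructions unless the mitmproxy tools used below
# (mitmweb for capture, mitmdump for CA generation) are on PATH.
#######################################
require_mitmproxy() {
  if command -v mitmweb >/dev/null 2>&1 && command -v mitmdump >/dev/null 2>&1; then
    return 0
  fi
  echo "ERROR: mitmproxy is not installed."
  echo ""
  echo "Install with:"
  echo " sudo pacman -S mitmproxy"
  echo ""
  exit 1
}

#######################################
# Is a Nuke process running? pgrep -f matches whole command lines, so a
# script started from a path containing "Nuke" (this repo's directory does)
# would match itself; our own PID is therefore skipped.
# Returns:   0 if some other process matches "Nuke", 1 otherwise
#######################################
nuke_is_running() {
  local pid pids
  pids=$(pgrep -f Nuke) || return 1
  # shellcheck disable=SC2086 -- pids is a whitespace-separated list of integers
  for pid in $pids; do
    [[ "$pid" == "$$" ]] || return 0
  done
  return 1
}

#######################################
# Make sure ~/.mitmproxy holds a CA. mitmproxy writes it on first start;
# mitmdump does that without needing a terminal, and timeout stops the
# unused listener again.
# Returns:   0 if the CA file exists afterwards, 1 otherwise
#######################################
ensure_mitm_ca() {
  if [[ ! -f "$MITM_CA" ]]; then
    echo "Generating mitmproxy certificate..."
    timeout 3 mitmdump --listen-port "$PROXY_PORT" >/dev/null 2>&1 || true
  fi
  [[ -f "$MITM_CA" ]]
}

#######################################
# Copy the mitmproxy CA into the system trust store and refresh it.
# The copy is recorded in CA_INSTALLED so cleanup() removes it again.
# Globals: CA_INSTALLED (written)
#######################################
install_mitm_ca() {
  echo "Installing mitmproxy certificate to system trust store..."
  if sudo cp -- "$MITM_CA" "$CA_ANCHOR"; then
    CA_INSTALLED=1
    sudo trust extract-compat 2>/dev/null || true
    sudo update-ca-trust 2>/dev/null || true
    echo "✓ Certificate installed"
  else
    # Do not claim success when the copy failed (the old code did).
    echo "WARNING: Could not install mitmproxy certificate into $CA_ANCHOR."
    echo "Interception may not work properly."
  fi
}

#######################################
# Start mitmweb in transparent mode in the background and verify it is
# still alive after a short grace period.
# Globals: MITM_LOG, MITM_STDERR, MITMPROXY_PID (written)
#######################################
start_mitmweb() {
  MITM_LOG="$OUTPUT_DIR/nuke_traffic_$TIMESTAMP.mitm"
  MITM_STDERR="$OUTPUT_DIR/mitmproxy_$TIMESTAMP.log"

  echo "Starting mitmweb on http://127.0.0.1:$WEB_PORT"
  echo "Log file: $MITM_LOG"
  echo ""

  # NOTE(review): mitmweb runs as the same user as Nuke, so its own upstream
  # connections to the redirected IPs also hit the nat OUTPUT rules added in
  # apply_redirects(); if the capture shows connection loops or timeouts, the
  # proxy has to run under its own uid and be excluded from those rules.
  # TODO confirm against this setup.
  mitmweb --mode transparent --showhost --set block_global=false \
    --listen-port "$PROXY_PORT" --web-port "$WEB_PORT" \
    -w "$MITM_LOG" >"$MITM_STDERR" 2>&1 &
  MITMPROXY_PID=$!

  echo "mitmproxy PID: $MITMPROXY_PID"
  sleep 3

  if ! kill -0 "$MITMPROXY_PID" 2>/dev/null; then
    MITMPROXY_PID=""   # nothing for cleanup() to stop
    echo "ERROR: mitmproxy failed to start."
    echo "Check log: $MITM_STDERR"
    exit 1
  fi
  echo "✓ mitmproxy started successfully"
  echo ""
}

#######################################
# Back up the current rules and add one REDIRECT per target. Each applied
# target is recorded so cleanup() can delete it precisely.
# Globals: RULES_APPLIED (written)
#######################################
apply_redirects() {
  local target
  # The backup is for manual recovery only; normal cleanup is rule-by-rule.
  sudo iptables-save > "$OUTPUT_DIR/iptables_backup_$TIMESTAMP.rules"

  echo "Redirecting Foundry traffic through mitmproxy..."
  for target in "${REDIRECT_TARGETS[@]}"; do
    redirect_rule A "$target"
    RULES_APPLIED+=("$target")
  done
  echo "✓ iptables rules applied"
  echo ""
}

#######################################
# Tell the user what to do while the proxy runs, then wait for Enter.
#######################################
capture_instructions() {
  echo "INSTRUCTIONS:"
  echo ""
  echo "1. Open your browser to: http://127.0.0.1:$WEB_PORT"
  echo " (mitmproxy web interface)"
  echo ""
  echo "2. Launch Nuke now and use it normally"
  echo ""
  echo "3. Watch the mitmproxy interface for captured requests"
  echo " Look for requests to:"
  echo " - api.honeycomb.io"
  echo " - learn.foundry.com"
  echo " - sentry.foundry.com"
  echo ""
  echo "4. Click on any request to see:"
  echo " - Full HTTP headers"
  echo " - Complete request/response body (JSON)"
  echo " - Timing information"
  echo ""
  echo "5. When done capturing, return to this terminal and press Enter"
  echo ""
  echo "$RULE"
  echo ""
  # EOF on stdin counts as "done"; the trap still cleans up either way.
  read -r -p "Press Enter after you're done capturing traffic..." REPLY || true
}

#######################################
# Report where the capture went and how to look at it, or why it may be
# missing.
#######################################
show_results() {
  local capture_size
  if [[ -f "$MITM_LOG" ]]; then
    capture_size=$(du -h -- "$MITM_LOG" | cut -f1)
    echo "Capture saved to: $MITM_LOG"
    echo "Capture size: $capture_size"
    echo ""
    echo "To replay and analyze:"
    echo " mitmproxy -r $MITM_LOG"
    echo ""
    # '-w' writes mitmproxy's own flow format whatever the extension, so the
    # old "export to JSON" hint produced a .json that was not JSON.
    echo "To dump the flows as text:"
    echo " mitmdump -nr $MITM_LOG --flow-detail 2"
    echo ""
    echo "To view in web interface again:"
    echo " mitmweb -r $MITM_LOG"
    echo ""
  else
    echo "WARNING: No capture file created."
    echo "This could mean:"
    echo " 1. No traffic was captured (Nuke didn't connect)"
    echo " 2. Nuke rejected the mitmproxy certificate (certificate pinning)"
    echo " 3. Traffic went around the proxy"
    echo ""
    echo "TROUBLESHOOTING:"
    echo ""
    echo "If Nuke showed SSL/certificate errors:"
    echo " → Nuke likely uses certificate pinning"
    echo " → Try Method 3 (frida) instead"
    echo " → See INTERCEPTING-HTTPS.md for instructions"
    echo ""
    echo "If no errors but no traffic captured:"
    echo " → Check that Foundry IPs are correct"
    echo " → Try capturing during Nuke startup"
    echo " → Check $MITM_STDERR for errors"   # the proxy log lives in OUTPUT_DIR, not /tmp
  fi
}

#######################################
# Suggest what to do next depending on whether the capture is non-empty.
#######################################
show_next_steps() {
  if [[ -f "$MITM_LOG" && -s "$MITM_LOG" ]]; then
    echo "✓ SUCCESS! Traffic was captured and decrypted."
    echo ""
    echo "Review the capture to find:"
    echo " - Email domain transmission"
    echo " - Geographic location data"
    echo " - System information collected"
    echo " - Usage profiling details"
    echo " - Any sensitive data (file paths, project names)"
    echo ""
    echo "Document findings in:"
    echo " $OUTPUT_DIR/analysis_$TIMESTAMP.txt"
    echo ""
    echo "Update the master document:"
    echo " Foudry-Nuke-Monitoring.md"
  else
    echo "✗ No traffic captured."
    echo ""
    echo "OPTION 1: Try again with different approach"
    echo " ./decrypt_nuke_traffic.sh"
    echo ""
    echo "OPTION 2: Use frida method (more reliable)"
    echo " See: INTERCEPTING-HTTPS.md - Method 3"
    echo ""
    echo "OPTION 3: Check if telemetry is already blocked"
    echo " cat /etc/hosts | grep foundry"
  fi
}

main() {
  local continue_anyway=""

  mkdir -p -- "$OUTPUT_DIR"

  banner "Nuke HTTPS Traffic Decryption Tool"
  echo ""
  echo "This tool will attempt to decrypt HTTPS traffic from Nuke"
  echo "using SSL/TLS interception (mitmproxy method)."
  echo ""
  echo "LEGAL NOTE: This intercepts YOUR traffic from YOUR software"
  echo "on YOUR computer. This is legal and ethical for privacy research."
  echo ""

  require_mitmproxy

  # Nuke should not be running yet: connections opened before the REDIRECT
  # rules exist are never seen by the proxy.
  if nuke_is_running; then
    echo "WARNING: Nuke is currently running."
    echo "For best results, close Nuke before starting interception."
    echo ""
    read -r -p "Continue anyway? (y/n): " continue_anyway || continue_anyway=""
    if [[ "$continue_anyway" != "y" ]]; then
      echo "Aborted."
      exit 0
    fi
  fi

  echo ""
  banner "Step 1: Setup mitmproxy certificate"
  echo ""
  if ensure_mitm_ca; then
    install_mitm_ca
  else
    echo "WARNING: Could not generate mitmproxy certificate."
    echo "Interception may not work properly."
  fi

  echo ""
  banner "Step 2: Start mitmproxy web interface"
  echo ""
  start_mitmweb

  banner "Step 3: Setup iptables traffic redirection"
  echo ""
  apply_redirects

  banner "Step 4: Launch Nuke and capture traffic"
  echo ""
  capture_instructions

  echo ""
  banner "Step 5: Cleanup"
  echo ""
  cleanup   # explicit so the report below is printed after the system is restored

  banner "Results"
  echo ""
  show_results

  echo ""
  banner "Next Steps"
  echo ""
  show_next_steps

  echo ""
  echo "For detailed instructions and alternative methods:"
  echo " See: INTERCEPTING-HTTPS.md"
  echo ""
}

main "$@"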