Tuesday, February 7, 2017

I wonder if I helped a friend with this research... they track you (of course in TOR) because they add a .mdf file written in Visual Studio (of course) on your tables database (I'm not sure if it's really temporary)... so... wherever they are, search for them in here:

Compare MySQL databases & automatically create schema & data change scripts/migrations rapidly (up & down SQL supported) for database version control. Supports *most* migration tools.
https://github.com/DBDiff/DBDiff

Download Symantec Root Certificates

Root 01 - SHA1 - RSA 1024 bits

Name: VeriSign Class 3 Public Primary CA - G2
Serial Number: 7d d9 fe 07 cf a8 1e b7 10 79 67 fb a7 89 34 c6
Valid From: Sunday, May 17, 1998 4:00:00 PM
Valid to: Tuesday, August 01, 2028 3:59:59 PM
Certificate SHA1 Fingerprint: 85 37 1c a6 e5 50 14 3d ce 28 03 47 1b de 3a 09 e8 f8 77 0f

Root 02 - SHA1 - RSA 1024 bits

Name: VeriSign Class 3 Public Primary CA
Serial Number: 3c 91 31 cb 1f f6 d0 1b 0e 9a b8 d0 44 bf 12 be
Valid From: Sunday, January 28, 1996 4:00:00 PM
Valid to: Wednesday, August 02, 2028 3:59:59 PM
Certificate SHA1 Thumbprint: a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b

Root 03 - SHA1 - RSA 2048 bits

Name: VeriSign Class 3 Primary CA - G5
Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
Operational Period: Tue, November 07, 2006 to Wed, July 16, 2036
Certificate SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5

Root 04 - SHA1 - RSA 2048 bits

Name: VeriSign Class 3 Public Primary CA - G3
Serial Number: 00 9b 7e 06 49 a3 3e 62 b9 d5 ee 90 48 71 29 ef 57
Valid From: Thursday, September 30, 1999 4:00:00 PM
Valid to: Wednesday, July 16, 2036 3:59:59 PM
Certificate SHA1 Fingerprint: 13 2d 0d 45 53 4b 69 97 cd b2 d5 c3 39 e2 55 76 60 9b 5c c6

Root 05 - SHA384 - ECC 384 bits

Name: VeriSign Class 3 Public Primary CA - G4
Serial Number: 2f 80 fe 23 8c 0e 22 0f 48 67 12 28 91 87 ac b3
Valid From: Sunday, November 04, 2007 4:00:00 PM
Valid to: Monday, January 18, 2038 3:59:59 PM
Certificate SHA1 Fingerprint: 22 d5 d8 df 8f 02 31 d1 8d f7 9d b7 cf 8a 2d 64 c9 3f 6c 3a

Root 06 - SHA1 - RSA 2048 bits

Name: VeriSign Class 2 Public Primary CA - G3
Serial Number: 61 70 cb 49 8c 5f 98 45 29 e7 b0 a6 d9 50 5b 7a
Valid From: Thursday, September 30, 1999 4:00:00 PM
Valid to: Wednesday, July 16, 2036 3:59:59 PM
Certificate SHA1 Fingerprint: 61 ef 43 d7 7f ca d4 61 51 bc 98 e0 c3 59 12 af 9f eb 63 11

Root 07 - SHA1 - RSA 2048 bits

Name: VeriSign Class 2 Public Primary CA - G2
Serial Number: 00 b9 2f 60 cc 88 9f a1 7a 46 09 b8 5b 70 6c 8a af
Valid From: Sunday, May 17, 1998 5:00:00 PM
Valid to: Tuesday, August 01, 2028 4:59:59 PM
Certificate SHA1 Fingerprint: b3 ea c4 47 76 c9 c8 1c ea f2 9d 95 b6 cc a0 08 1b 67 ec 9d

Root 10 - SHA256 - RSA 2048 bits

Name: VeriSign Universal Root CA
Serial Number: 40 1a c4 64 21 b3 13 21 03 0e bb e4 12 1a c5 1d
Valid From: Tuesday, April 01, 2008 4:00:00 PM
Valid to: Tuesday, December 01, 2037 3:59:59 PM
Certificate SHA1 Fingerprint: 36 79 ca 35 66 87 72 30 4d 30 a5 fb 87 3b 0f a7 7b b7 0d 54

Root 11 - SHA1 - RSA 1024 bits

Name: VeriSign Class 4 Public Primary CA - G3
Serial Number: 00 ec a0 a7 8b 6e 75 6a 01 cf c4 7c cc 2f 94 5e d7
Valid From: Thursday, September 30, 1999 4:00:00 PM
Valid to: Wednesday, July 16, 2036 3:59:59 PM
Certificate SHA1 Fingerprint: c8 ec 8c 87 92 69 cb 4b ab 39 e9 8d 7e 57 67 f3 14 95 73 9d

Root 12 - SHA256 - RSA 2048 bits

Name: Symantec Class 1 Public Primary Certification Authority - G6
Serial Number: 24 32 75 f2 1d 2f d2 09 33 f7 b4 6a ca d0 f3 98
Valid From: Monday, October 17, 2011 5:00:00 PM
Valid to: Tuesday, December 01, 2037 4:59:59 PM
Certificate SHA1 Thumbprint: 51 7f 61 1e 29 91 6b 53 82 fb 72 e7 44 d9 8d c3 cc 53 6d 64

Root 13 - SHA256 - RSA 2048 bits

Name: Symantec Class 2 Public Primary Certification Authority - G6
Serial Number: 64 82 9e fc 37 1e 74 5d fc 97 ff 97 c8 b1 ff 41
Valid From: Monday, October 17, 2011 5:00:00 PM
Valid to: Tuesday, December 01, 2037 4:59:59 PM
Certificate SHA1 Thumbprint: 40 b3 31 a0 e9 bf e8 55 bc 39 93 ca 70 4f 4e c2 51 d4 1d 8f

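As an added example (not from Symantec's page), the check a practitioner would run on a root downloaded from the listing above: decode the PEM, compute the SHA1 fingerprint over the DER, pull the serial number out of the TBSCertificate with a minimal DER reader, and compare both with the values published beside the root. SAMPLE_PEM and SAMPLE_DER are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem):
    """Base64-decode the first PEM certificate block in `pem` to DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def hex_spaced(data):
    """Format bytes the way the listing above does: lowercase hex pairs separated by spaces."""
    return " ".join("%02x" % b for b in bytearray(data))


def sha1_fingerprint(der):
    """SHA1 over the DER encoding, which is what the 'Certificate SHA1 Fingerprint' lines show."""
    return hex_spaced(hashlib.sha1(der).digest())


def _tlv(buf, pos):
    """Decode one DER tag and length at buf[pos]; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def serial_number(der):
    """Return the serial exactly as encoded in the DER INTEGER, leading 00 included;
    that leading byte is why some serials in the listing above start with '00'."""
    tag, cert_start, _ = _tlv(der, 0)            # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs_start, _ = _tlv(der, cert_start)    # TBSCertificate ::= SEQUENCE { [0] version?, serial, ... }
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _tlv(der, tbs_start)
    if tag == 0xA0:                              # optional EXPLICIT [0] version; skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    return hex_spaced(der[start:end])


def check_root(pem, expected_fingerprint, expected_serial):
    """Compare a downloaded root against the published SHA1 fingerprint and serial number."""
    der = pem_to_der(pem)
    return (sha1_fingerprint(der) == expected_fingerprint.strip().lower()
            and serial_number(der) == expected_serial.strip().lower())


# Constructed samples (not real certificates) so the functions can be exercised offline.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"   # decodes to b"abc"
# SEQUENCE { SEQUENCE { [0] INTEGER 2, INTEGER 00 a1 b2 } }: just enough TBSCertificate to parse
SAMPLE_DER = bytes.fromhex("300c300aa003020102020300a1b2")
SAMPLE_DER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(SAMPLE_DER).decode("ascii")
                  + "\n-----END CERTIFICATE-----\n")
```
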
doc/TorBOX/Dev (wiki diff, v1239 to v1240)

 * (proper) Open question: How to sign a certificate if you have no access to the private key and CSR (certificate signing request)? Therefore created [https://lists.torproject.org/pipermail/tor-talk/2012-July/024701.html tor-talk How to pin the SSL certificate for torproject.org?]. Some suggestions, no suitable solution for TorBOX.
 * (proper) [http://www.mail-archive.com/openssl-users@openssl.org/msg67962.html OpenSSL users Sign public key without having CSR or private key?]; [http://www.mail-archive.com/openssl-users@openssl.org/msg67968.html might work] - didn't test, not sure if it could work.

== [0.2] [SHELLSCRIPTS] Scroll wheel in VM [OPEN] ==

1. As gnupg is failing to download the public key it can be done manually by this command:
curl "https://pgp.mit.edu/pks/lookup?op=get&search=0x4E2C6E8793298290" -o - | gpg --import
2. Gpg key verification can be skipped by replacing a pkgbuild line which is not recommended as tor is a very crucial piece of software. The line is:
validpgpkeys=('EF6E286DDA85EA2A4BA7DE684E2C6E8793298290' 'SKIP')
Process 1 is safe, 2 is risky and totally your choice. Peace!

AND THEN MODIFY THE REQUEST AND RESPONSE

mitmproxy has a powerful scripting API that allows you to modify flows on-the-fly or rewrite previously saved flows locally.
The mitmproxy scripting API is event driven - a script is simply a Python module that exposes a set of event methods. Here's a complete mitmproxy script that adds a new header to every HTTP response before it is returned to the client:
def response(context, flow):
    flow.response.headers["newheader"] = ["foo"]
(examples/add_header.py)
The first argument to each event method is an instance of ScriptContext that lets the script interact with the global mitmproxy state. The response event also gets an instance of Flow, which we can use to manipulate the response itself.
We can now run this script using mitmdump or mitmproxy as follows:
> mitmdump -s add_header.py
The new header will be added to all responses passing through the proxy.

Example Scripts

mitmproxy comes with a variety of example inline scripts, which demonstrate many basic tasks. We encourage you to either browse them locally or in our GitHub repo.

Events

start(ScriptContext, argv)

Called once on startup, before any other events.

clientconnect(ScriptContext, ConnectionHandler)

Called when a client initiates a connection to the proxy. Note that a connection can correspond to multiple HTTP requests.

serverconnect(ScriptContext, ConnectionHandler)

Called when the proxy initiates a connection to the target server. Note that a connection can correspond to multiple HTTP requests.

request(ScriptContext, HTTPFlow)

Called when a client request has been received. The HTTPFlow object is guaranteed to have a non-None request attribute.

responseheaders(ScriptContext, HTTPFlow)

Called when the headers of a server response have been received. This will always be called before the response hook. The HTTPFlow object is guaranteed to have non-None request and response attributes. response.content will be None, as the response body has not been read yet.

response(ScriptContext, HTTPFlow)

Called when a server response has been received. The HTTPFlow object is guaranteed to have non-None request and response attributes. Note that if response streaming is enabled for this response, response.content will not contain the response body.

error(ScriptContext, HTTPFlow)

Called when a flow error has occurred, e.g. invalid server responses, or interrupted connections. This is distinct from a valid server HTTP error response, which is simply a response with an HTTP error code. The HTTPFlow object is guaranteed to have non-None request and error attributes.

clientdisconnect(ScriptContext, ConnectionHandler)

Called when a client disconnects from the proxy.

done(ScriptContext)

Called once on script shutdown, after any other events.

API

The main classes you will deal with in writing mitmproxy scripts are:
libmproxy.proxy.server.ConnectionHandler: Describes a proxy client connection session. Always has a client_conn attribute, might have a server_conn attribute.
libmproxy.proxy.connection.ClientConnection: Describes a client connection.
libmproxy.proxy.connection.ServerConnection: Describes a server connection.
libmproxy.protocol.http.HTTPFlow: A collection of objects representing a single HTTP transaction.
libmproxy.protocol.http.HTTPResponse: An HTTP response.
libmproxy.protocol.http.HTTPRequest: An HTTP request.
libmproxy.protocol.primitives.Error: A communications error.
libmproxy.script.ScriptContext: A handle for interacting with mitmproxy's global state from within scripts.
netlib.odict.ODict: A dictionary-like object for managing sets of key/value data. There is also a variant called ODictCaseless that ignores key case for some calls (used mainly for headers).
netlib.certutils.SSLCert: Exposes information about SSL certificates.
The canonical API documentation is the code, which you can browse locally or in our GitHub repo. You can view the API documentation using pydoc (which is installed with Python by default), like this:
> pydoc libmproxy.protocol.http.HTTPRequest

Running scripts in parallel

We have a single flow primitive, so when a script is handling something, other requests block. While that's a very desirable behaviour under some circumstances, scripts can be run threaded by using the libmproxy.script.concurrent decorator.
import time
from libmproxy.script import concurrent


@concurrent  # Remove this and see what happens
def request(context, flow):
    # Without @concurrent the 5-second sleep below would stall every other flow.
    print("handle request: %s%s" % (flow.request.host, flow.request.path))
    time.sleep(5)
    print("start  request: %s%s" % (flow.request.host, flow.request.path))
(examples/nonblocking.py)

Make scripts configurable with arguments

Sometimes, you want to pass runtime arguments to the inline script. This can be simply done by surrounding the script call with quotes, e.g. mitmdump -s "script.py --foo 42". The arguments are then exposed in the start event:
# Usage: mitmdump -s "modify_response_body.py mitmproxy bananas"
# (this script works best with --anticache)
from libmproxy.protocol.http import decoded


def start(context, argv):
    if len(argv) != 3:
        raise ValueError('Usage: -s "modify-response-body.py old new"')
    # You may want to use Python's argparse for more sophisticated argument parsing.
    context.old, context.new = argv[1], argv[2]


def response(context, flow):
    with decoded(flow.response):  # automatically decode gzipped responses.
        flow.response.content = flow.response.content.replace(context.old, context.new)
(examples/modify_response_body.py)

Running scripts on saved flows

Sometimes, we want to run a script on Flow objects that are already complete. This happens when you start a script, and then load a saved set of flows from a file (see the "scripted data transformation" example on the mitmdump page). It also happens when you run a one-shot script on a single flow through the | (pipe) shortcut in mitmproxy.
In this case, there are no client connections, and the events are run in the following order: start, request, responseheaders, response, error, done. If the flow doesn't have a response or error associated with it, the matching events will be skipped.
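
An added example, not one of the mitmproxy example scripts, that follows the event shapes documented above and the argv/context-state pattern of modify_response_body.py, but audits responses instead of rewriting them: it reports responses lacking the required headers and cookies set without Secure/HttpOnly, which suits replaying a saved flow file with mitmdump -r. FakeHeaders, FakeObj and demo are constructed stand-ins so the handlers run without mitmproxy installed.

```python
# Usage: mitmdump -r saved.flows -s "audit_headers.py strict-transport-security x-content-type-options"
# Hypothetical inline script (not part of mitmproxy); event signatures follow the libmproxy API above.

DEFAULT_REQUIRED = ["strict-transport-security", "x-content-type-options"]


def start(context, argv):
    # argv[0] is the script path; any further arguments name headers to require.
    # State lives as attributes on the ScriptContext, as modify_response_body.py does.
    context.required = [h.lower() for h in argv[1:]] or list(DEFAULT_REQUIRED)
    context.findings = []      # (host + path, description) pairs
    context.errors = 0


def audit_headers(required, headers):
    """Return a list of problems in one response's headers.

    `headers` must behave like ODictCaseless: headers[name] is the list of values
    for that header (empty when absent), with the name matched case-insensitively.
    """
    problems = ["missing header %s" % name for name in required if not headers[name]]
    for cookie in headers["set-cookie"]:
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            problems.append("cookie %s lacks Secure" % cookie_name)
        if "httponly" not in attrs:
            problems.append("cookie %s lacks HttpOnly" % cookie_name)
    return problems


def response(context, flow):
    # flow.request and flow.response are guaranteed non-None here. With response
    # streaming enabled flow.response.content is None; only headers are read, so
    # the script works either way.
    where = "%s%s" % (flow.request.host, flow.request.path)
    for problem in audit_headers(context.required, flow.response.headers):
        context.findings.append((where, problem))


def error(context, flow):
    # Transport-level failures (flow.error is set), as opposed to HTTP error
    # status codes, which still arrive through response().
    context.errors += 1


def done(context):
    # Runs once at shutdown, after every other event; returns the finding count.
    for where, problem in context.findings:
        print("%s: %s" % (where, problem))
    print("%d finding(s), %d transport error(s)" % (len(context.findings), context.errors))
    return len(context.findings)


# --- Constructed stand-ins so the handlers can be exercised without mitmproxy ---

class FakeHeaders(object):
    """Imitates the ODictCaseless interface used above: headers[name] -> list of values."""
    def __init__(self, pairs):
        self.pairs = pairs

    def __getitem__(self, name):
        return [v for k, v in self.pairs if k.lower() == name.lower()]


class FakeObj(object):
    """Bare attribute holder standing in for ScriptContext, HTTPFlow, HTTPRequest, HTTPResponse."""
    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def demo():
    """Drive the events in the order mitmproxy would for one saved flow plus one error."""
    ctx = FakeObj()
    start(ctx, ["audit_headers.py", "Strict-Transport-Security", "X-Content-Type-Options"])
    flow = FakeObj(
        request=FakeObj(host="www.example.com", path="/login"),
        response=FakeObj(content=None, headers=FakeHeaders([
            ("Content-Type", "text/html"),
            ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),   # constructed sample cookie
            ("X-Content-Type-Options", "nosniff"),
        ])),
    )
    response(ctx, flow)
    error(ctx, FakeObj(error=FakeObj(msg="connection reset")))
    done(ctx)
    return ctx.findings, ctx.errors
```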

Spaces in the script path

By default, spaces are interpreted as separator between the inline script and its arguments (e.g. -s "foo.py 42"). Consequently, the script path needs to be wrapped in a separate pair of quotes if it contains spaces: -s "'./foo bar/baz.py' 42".

Setting up a man-in-the-middle device with Raspberry Pi, Part 1

I recently purchased that most marvelous of devices the Raspberry Pi and naturally my thoughts turned to the nefarious given its cheap price and small package. I decided to attempt to create a man-in-the-middle device that could be discreetly attached to a remote network and could redirect and sniff traffic. I’m only a very novice Linux user so it took a bit of learning to wrangle man pages as well as some intrepid Google-fu, but I’m going to document how I was able to turn this tiny device into an evil packet-sniffing machine.
For those who don’t know, a man-in-the-middle attack involves secretly becoming an intermediary between the communication between two parties; each thinks they are talking to the other when in fact they are both talking to the attacker. The attacker can choose to pass the information along unmodified (simply observing the communication) or may choose to modify parts of the communication for their own evil ends. The Wikipedia article gives examples and also proposes counter-measures. The most widely used counter-measure currently in place is the use of SSL/TLS to verify the other party in a communication. TLS however relies on a public key infrastructure, and there have already been examples of hackers breaking into certificate authorities and issuing fraudulent certificates so as to perform man-in-the-middle attacks on HTTPS sessions. Hacking a CA is beyond the scope of this article and we will restrict ourselves to performing a MITM attack on HTTP traffic :).
The Raspberry Pi comes in two flavors, Model A and Model B. For the purposes of this article I’ll be using a Model B since it has an Ethernet port; the Model A, while $15 cheaper, doesn’t have any built-in networking. Since our plan is to surreptitiously plug our Pi into our victim network, we’ll need a physical Ethernet port. We’ll also need an SD card of at least 4 GB (these are pretty cheap).
The regular install on a Raspberry Pi is NOOBS (new out-of-box software) and contains several pre-packaged operating systems. However for the purpose of our MITM device we’ll be using a different Linux distro for our Pi: PwnPi. PwnPi is a distribution of the Raspbian OS that contains many pre-installed packages for security and penetration testing which is naturally right up our alley. So, go ahead and download PwnPi. Once it’s downloaded we’ll need to load it onto our SD card. First, format your SD card using the SD card formatter from the SD association. If the “size” value shown in the formatter is less than the size of your card, be sure to choose “format size adjustment” in the card.
[image: formatter]
Once your card is formatted and you’ve downloaded PwnPi, extract it using a tool like 7-Zip. The result should be a .img file. We can now use a tool like Win32DiskImager to write the PwnPi image onto our SD card. For some reason Win32DiskImager always crashes on me when I click the folder icon to search for a file, so I had to manually type in the path to my PwnPi image. Once you’ve selected the image, go ahead and write it to your SD card.
[image]
Now, you would expect that we could plug this SD card into our Pi and boot. But attempting this will lead only to frustration, because PwnPi doesn’t support Model B Pis: the firmware for booting in PwnPi is extremely out of date. However, we can download the latest Pi firmware and replace the necessary files on our SD card to get the boot to work. These files can be found here. I’ve cached them all and you can download them directly from this site. The PwnPi image contains two partitions: a FAT partition used to boot and a Linux-formatted partition that contains the OS. Thankfully Windows supports reading the FAT partition we need to modify; if you navigate to the SD card after writing the PwnPi image it should look merely like a 55.9 MB FAT partition with a few files in it.
[image: fat]
Replace the files on the card with the files from the latest Pi firmware. Once you’ve done this your Pi Model B should successfully boot PwnPi.
[image: IMG_20140201_060417]
A note about the Raspberry Pi: if you have a keyboard and mouse plugged in (which you should) the Pi often takes more power than a standard AC adapter can provide. I’m using a powered USB hub to ensure that all of my peripherals work. However, the default PwnPi image is pretty out of date and may not support your USB mouse/keyboard (it didn’t support mine, for example). Even if it does, it’s a good idea to update our Pi to the latest versions of software. Before we can do this however, we need to expand the file system to encompass our entire SD card. The .img we wrote to our SD card constituted a bit-by-bit image of the file system; unfortunately this included a minimally sized data partition. We need to expand this partition. To do this, start the Raspberry Pi Software Configuration Tool by entering the following at console:
The first choice should be “Expand filesystem”, which is what we want. Press enter and follow the prompts. Reboot when asked to. When the Pi has rebooted, we can now begin the process of updating its software. Enter Aptitude, the package management system on the Pi by entering the following:
Once in Aptitude, press the ‘u’ key to get the list of latest updates available. The Pi will update the latest list of packages from the Raspbian sources. When it’s finally finished updating there should be a large amount of packages available for update (as of this writing 371 were available from a fresh install of PwnPi). Select “Upgradable Packages” and press the ‘+’ key. This will select all upgradable packages for installation. Press the ‘g’ key to view what packages will be installed and press ‘g’ again to begin downloading and installing. Wait a bit (for various definitions of bit) for all packages to finish download and install. When it’s all said and done you will be prompted to press return to continue. This will bring you back into aptitude, from which pressing ‘q’ will quit. The updates we installed included a new kernel which requires a reboot, so go ahead and do this at the console.
We’ve almost finished getting our Pi into a workable state. If you’re like me though and reside in the United States you will soon notice that the keyboard layout of the Pi doesn’t match what you would expect. This is because the Pi is set up by default to use the British keyboard layout. To change this, we first need to configure our locale. Do this by entering the following.
Use the arrow keys to scroll down to “en_GB.UTF-8 UTF-8”. Press space to deselect this. Then, scroll down and select “en_US.UTF-8 UTF-8”. Press tab to select OK and press enter. You will then be asked to select the default locale for the system. Change the selection from “None” to “en_US.UTF-8 UTF-8”, and then press tab to select OK and press enter. A new locale will be generated on exit. Now we need to change our keyboard layout. Enter the following:
Press enter on “Generic 105-key (Intl) PC”. On the next screen scroll all the way down to “Other” and press enter. Then, select “English (US)” and press enter. On the next screen scroll all the way to the top and select “English (US)” again. Select “The default for the keyboard layout”, “No compose key”, and “No” on the subsequent screens. Finally, do a reboot for everything to take full effect.
Once the Pi has rebooted we can finally start being evil! Start up the graphical user interface by entering the following:
We can confirm that our keyboard layout is correct by right-clicking and going to Applications->accessories->Notepad. If Shift-2 produces an ‘@’ then everything is good! If you’re feeling adventurous, explore the “PwnPi” menu to see all of the tools available to us.
We’ll be using a tool called mitmproxy to perform the actual man-in-the-middle attack. mitmproxy is a powerful tool that can capture and display all HTTP traffic when performing a MITM. It also has a Python library named libmproxy which we can use to script our attack. Unfortunately mitmproxy isn’t pre-installed on PwnPi but we can fix this! First we need to install pip, which is a tool for installing and managing Python packages. We can do this by right-clicking, opening a Terminal, and executing the following:
Once pip is installed we need to install a few prerequisites before mitmproxy will work.
These packages are needed because we will be compiling mitmproxy as well as its dependent packages from source. Once they’ve been installed we can download, compile, and install mitmproxy.
Note: this may take a very long (30 minutes+) time. Specifically, compiling libxml2 from source on a Raspberry Pi is quite a taxing task. Eventually pip and mitmproxy will be ready to be used! First though we need to insert our Pi between our victim computer and the rest of the internet. To do this we’ll need to know the victim’s IP address on the network and the IP address of the default gateway it uses to talk to the rest of the world (this is usually the local router). Once we have these, we’ll use a technique called ARP spoofing to fool the victim into thinking our Pi actually holds the IP address of the gateway. Likewise we’ll fool the gateway into thinking the Pi holds the IP address of the victim. In this manner we can insert ourselves between the victim and the gateway and intercept and modify all traffic.
For demonstration purposes I’ll be attacking a laptop running Windows 7 on my home network. For those who don’t know, ARP is the protocol used to resolve MAC addresses (the unique physical address every Ethernet controller has) to logical IP addresses. When a device first enters an Ethernet network, it has no idea how to talk to any given IP address. So, it sends broadcast messages asking which MAC address owns which IP addresses. We’ll be sending fraudulent ARP responses to make our victims think we have IP addresses we really do not. To see the current values in our local ARP table, we run the following in a command prompt on Windows
[image: arp]
The IP address of my laptop is 192.168.0.106 with a default gateway of 192.168.0.1. The left column shows the logical IP address and the right column shows the MAC address that each IP corresponds to. Now, on our Pi let’s trick the victim into thinking we hold 192.168.0.1. Open a terminal on the Pi and enter
Obviously you’ll need to replace the brackets with whatever IPs you’re attacking. You’ll need to run each of the above commands in a separate terminal and keep them running — we need to constantly keep the charade up lest the victim revert back to the correct MAC->IP mapping. Let’s recheck the ARP table on our target now.
[image: arp2]

We see now that the victim thinks that the gateway has the same MAC address as our Raspberry Pi. Consequently, any requests that would go to the gateway will actually get sent to our Pi. As of now though our victim has no internet connectivity — all requests are being forwarded to the Pi but the Pi is not doing anything with them. So, we need to set up our Pi to transparently forward (and perhaps modify) these requests.
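
The defender's counterpart to the observation above, added here as an example that is not part of the original post: parse the ARP table on the targeted host and flag the tell-tale of this technique, a gateway entry whose MAC is shared with another dynamic entry, or that differs from the gateway MAC recorded on a known-good baseline. The arp -a samples are constructed; the b8-27-eb prefix is a Raspberry Pi Foundation OUI.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output from the victim laptop after poisoning: the gateway
# (192.168.0.1) now resolves to the same MAC as another host on the segment.
POISONED_ARP = """\
Interface: 192.168.0.106 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           b8-27-eb-12-34-56     dynamic
  192.168.0.103         b8-27-eb-12-34-56     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# The same table before the attack, also constructed.
CLEAN_ARP = """\
Interface: 192.168.0.106 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.103         b8-27-eb-12-34-56     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)", re.M)


def normalize_mac(mac):
    """Accept Windows (aa-bb-...) and Unix (aa:bb:...) spellings; compare in one form."""
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Return (ip, mac, type) triples from Windows `arp -a` style output."""
    return [(ip, normalize_mac(mac), kind.lower()) for ip, mac, kind in ENTRY_RE.findall(text)]


def find_shared_macs(entries):
    """Map each MAC claimed by more than one dynamic unicast entry to those IPs.
    Broadcast and multicast entries legitimately repeat and are ignored."""
    by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        if kind != "dynamic" or mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_is_spoofed(text, gateway_ip, known_gateway_mac=None):
    """True when the gateway entry looks poisoned: it shares a MAC with another
    dynamic entry, or differs from a MAC recorded on a known-good baseline."""
    entries = parse_arp_table(text)
    gateway_mac = dict((ip, mac) for ip, mac, _ in entries).get(gateway_ip)
    if gateway_mac is None:
        return False                      # no entry yet, nothing to judge
    if known_gateway_mac and gateway_mac != normalize_mac(known_gateway_mac):
        return True
    return gateway_mac in find_shared_macs(entries)
```

A static ARP entry for the gateway, or a switch with dynamic ARP inspection, removes the condition this check looks for rather than merely detecting it.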
mitmproxy has two modes of operation: a regular proxy mode where it acts like a regular HTTP proxy. Unfortunately for this to work we need to configure the proxy on the victim computer. However, it also has a “transparent” mode which is what we’ll use. In transparent mode, it fakes an HTTP server on port 8080 (by default). But, all of our traffic from our victim is coming into the Pi on the default HTTP port (80). To fix this, we need to tell Linux to route all traffic from port 80 to port 8080. To do this, enter the following:
Incoming HTTP traffic should now be forwarded to mitmproxy. Now all we have to do is actually start mitmproxy. This is done simply by executing
Now let’s go to a website on our victim computer, say cnn.com. If all goes well the page should load. We should also see some interesting output on mitmproxy.
[image: mitm1]
mitmproxy is showing us all of the HTTP traffic as it passes through the proxy. Our victim asks what it thinks is the router (but is really the Pi) for http://cnn.com. Our Pi then connects to cnn.com, fetches the result, and returns it to the victim. Let’s tell mitmproxy to intercept the response from cnn.com. When mitmproxy intercepts a request or response it does not immediately forward it but gives us a chance to edit it. Press the ‘i’ key to set an intercept filter and then type
This tells mitmproxy to intercept all responses from cnn.com that are the result of the “/” (root) page. Now, if we navigate to http://cnn.com on our victim computer, we’ll notice that the page won’t load. If we look at mitmproxy we’ll see there’s an orange-highlighted response. This has been intercepted and is awaiting our approval to send on.
[image: mitm4]

We can use the arrow keys to scroll down and select this intercepted response. By pressing enter on it we can inspect it closer. Press tab to switch to the response (it currently is showing us the request).
[image: mitm3]
This response is an HTTP/200 OK response (the normal response when a web server returns a page). We’re going to modify this into an HTTP/302 Found response, which will redirect the user to a different page. Now, press ‘e’ to edit this response. Then, press ‘c’ to change the code, and change it to 302. Then, press ‘e’ again to edit and press ‘h’ to edit the HTTP headers. Scroll all the way to the bottom and press enter on the “Content-Encoding” header. Change this to “Location”. Press the right arrow to select the value of the header and change it to “http://abc.com”
[image: mitm2]
Press ‘q’ to go back to the main inspection screen. Now, by pressing ‘a’ we can send the response on its way. If we look over at our attack computer we can see that it’s being redirected to abc.com!
As we’ve seen, a Raspberry Pi with mitmproxy and arpspoof can be a powerful tool to intercept and modify traffic on a local area network on the fly. mitmproxy also supports logging traffic, which could then later be retrieved and inspected for passwords or any other sensitive information.
Next post I’ll cover how we can use libmproxy to script the modification of the HTTP requests and responses.
