Windows Filtering Platform to filter HTTPS from managed code
I want to develop a host-based firewall for Windows, mainly to filter URLs starting with HTTPS! I know that Microsoft is presenting WFP as a substitute for the deprecated old techniques such as firewall/filter hooks, NDIS, TDI, WSA and Winsock 2 (LSP). But WFP does not currently support filters on hostname or URL. Also, WFP is only in C/C++ and there are no C# wrappers available in .NET.

I tried @basil's WinDivert demo app webfilter, which parses packets in outbound traffic for IPv4 on TCP port 80 (default HTTP), resets the server connection (TCP RST) and sends an HTML response to the client (browser) followed by a TCP FIN in case the URL matches any of the blacklisted entries given in a text file as a command-line argument, and re-injects them otherwise...

    handle = WinDivertOpen(
        "outbound && "              // Outbound traffic only
        "ip && "                    // Only IPv4 supported
        "tcp.DstPort == 80 && "     // HTTP (port 80) only
        "tcp.PayloadLength > 0",    // TCP data packets only
        WINDIVERT_LAYER_NETWORK, priority, 0
    );

My question is: can I change this code to support HTTPS (change the port to the default 443) and also IPv6? If so, I'm willing to write a P/Invoke wrapper class to call it from managed C# code.

Extra: this solution can be bypassed using SSH tunneling; is there another way to bypass it?

Eberhardt answered 18/4, 2014 at 9:20 Comment(1)
What are you actually trying to achieve? It seems rather daft to filter on protocol, since many useful sites use HTTPS (for example, at work, we have webmail through an external portal that is only available through HTTPS, and many of our internal sites are also HTTPS). - Jaime
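An added example, not part of the original question or of WinDivert's webfilter, showing the change the question asks about: the filter moved to port 443 with both IP versions, and hostname matching done on the one thing a TLS client still sends in clear text before encryption starts, the server_name (SNI) extension of the ClientHello. That gives domain-level filtering of HTTPS without any decryption, but not URL paths, which stay encrypted. The filter string, the blacklist and the `build_client_hello` test input are assumptions; sending the RST and reinjecting are left to the WinDivert loop as in webfilter.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* webfilter's filter adapted to HTTPS: port 443, IPv4 and IPv6 (assumed). */
const char *const kHttpsFilter =
    "outbound && (ip || ipv6) && tcp.DstPort == 443 && tcp.PayloadLength > 0";

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Copy the SNI host_name of a complete TLS ClientHello record p[0..n) into out
 * (lower-cased, NUL-terminated). Returns the name length, or 0 if the data is
 * not a ClientHello, carries no SNI, or is truncated or malformed. A ClientHello
 * split across TCP segments therefore yields 0: reassemble first or let it through. */
size_t tls_client_hello_sni(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    if (n < 9 || p[0] != 0x16 || p[5] != 0x01) return 0; /* handshake record, ClientHello */
    size_t end = 5 + be16(p + 3), i = 9 + 2 + 32;        /* record end; skip version, random */
    if (end > n || i + 1 > end) return 0;
    i += 1 + p[i];                                       /* session_id */
    if (i + 2 > end) return 0;
    i += 2 + be16(p + i);                                /* cipher_suites */
    if (i + 1 > end) return 0;
    i += 1 + p[i];                                       /* compression_methods */
    if (i + 2 > end) return 0;
    size_t ext_end = i + 2 + be16(p + i);                /* extensions block */
    if (ext_end > end) return 0;
    for (i += 2; i + 4 <= ext_end; ) {
        size_t type = be16(p + i), len = be16(p + i + 2), j = i + 4;
        if (j + len > ext_end) return 0;
        if (type != 0) { i = j + len; continue; }        /* not server_name (RFC 6066) */
        if (len < 2) return 0;
        size_t k = j + 2, list_end = k + be16(p + j);
        if (list_end > j + len) return 0;
        while (k + 3 <= list_end) {                      /* ServerName entries */
            size_t name_len = be16(p + k + 1);
            if (k + 3 + name_len > list_end) return 0;
            if (p[k] == 0) {                             /* name_type host_name */
                if (name_len == 0 || name_len >= outsz) return 0;
                for (size_t m = 0; m < name_len; m++) out[m] = (char)tolower(p[k + 3 + m]);
                out[name_len] = '\0';
                return name_len;
            }
            k += 3 + name_len;
        }
        return 0;
    }
    return 0;
}

/* Blacklist entries (lower-case) match the host itself and any subdomain. */
int host_is_blacklisted(const char *host, const char *const *list, size_t count)
{
    size_t hl = strlen(host);
    for (size_t k = 0; k < count; k++) {
        size_t bl = strlen(list[k]);
        if (bl <= hl && strcmp(host + hl - bl, list[k]) == 0 &&
            (hl == bl || host[hl - bl - 1] == '.')) return 1;
    }
    return 0;
}

/* Verdict for one outbound port-443 payload: 1 = block (send RST as webfilter
 * does for HTTP), 0 = reinject unchanged. Packets without a readable SNI pass. */
int https_verdict(const uint8_t *pay, size_t n, const char *const *list, size_t count)
{
    char host[256];
    if (tls_client_hello_sni(pay, n, host, sizeof host) == 0) return 0;
    return host_is_blacklisted(host, list, count);
}

/* Constructed test input: a minimal ClientHello carrying one SNI entry. */
size_t build_client_hello(const char *host, uint8_t *buf, size_t bufsz)
{
    size_t hl = strlen(host), ext_len = 4 + 2 + 3 + hl;             /* one extension */
    size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + ext_len, total = 5 + 4 + body;
    if (hl == 0 || hl > 255 || total > bufsz) return 0;
    uint8_t *p = buf;
    const uint8_t hdr[] = { 0x16, 0x03, 0x01, (uint8_t)((4 + body) >> 8), (uint8_t)(4 + body),
                            0x01, 0, (uint8_t)(body >> 8), (uint8_t)body, 0x03, 0x03 };
    memcpy(p, hdr, sizeof hdr); p += sizeof hdr;      /* record hdr, hs hdr, client_version */
    memset(p, 0x42, 32); p += 32;                     /* fixed "random" */
    const uint8_t mid[] = { 0, 0, 2, 0x13, 0x01, 1, 0, (uint8_t)(ext_len >> 8), (uint8_t)ext_len,
                            0, 0, (uint8_t)((5 + hl) >> 8), (uint8_t)(5 + hl),
                            (uint8_t)((3 + hl) >> 8), (uint8_t)(3 + hl), 0,
                            (uint8_t)(hl >> 8), (uint8_t)hl };
    memcpy(p, mid, sizeof mid); p += sizeof mid;      /* sid, suites, comp, ext hdr, SNI list */
    memcpy(p, host, hl);
    return total;
}

int main(void)
{
    static const char *const blacklist[] = { "example.com" };      /* assumed list */
    const char *hosts[] = { "www.example.com", "notexample.com" }; /* constructed */
    uint8_t pkt[512];
    for (int i = 0; i < 2; i++) {
        size_t n = build_client_hello(hosts[i], pkt, sizeof pkt);
        printf("%-16s %s\n", hosts[i], https_verdict(pkt, n, blacklist, 1) ? "block" : "allow");
    }
    return 0;
}
```

Two caveats for the real capture loop: a large ClientHello can span more than one TCP segment, in which case the parser returns 0 and the packet should be passed through rather than blocked, and for the IPv6 branch the RST and response packets that webfilter builds with IPv4 headers need an IPv6 header of their own before WinDivertHelperCalcChecksums and WinDivertSend.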

HTTPS uses encryption to stop third parties intercepting and modifying the HTTP stream. So the short answer is "no".

In principle you could use WinDivert to launch a man-in-the-middle attack to gain access to the unencrypted HTTP stream. However, this will be detected, and the web browser will sternly warn the user that they are under attack and not to continue.

Arias answered 20/4, 2014 at 2:12 Comment(4)
Thank you for your answer. I found a solution to my problem: I changed the code of webfilter to intercept DNS queries (udp.DstPort == 53) and I'm still working on what the answer should be for the blacklisted URLs. Do you think a DNS host-based application firewall is a good idea? What changes to WinDivert do I need to perform to make it work for Windows Vista, 7 and 8 (both x64 and x86 platforms) at the same time? - Eberhardt
Yes, you can do domain-level filtering by intercepting DNS. To make WinDivert applications that run on both 32/64-bit Windows, see reqrypt.org/windivert-doc.html#installing - Arias
Actually you can safely do MITM interception undetected in all browsers except Firefox, by generating and removing new CA certs to the LOCAL_MACHINE cert store every time your program runs. So long as you have admin rights, you can do this without user interaction (without them knowing). I do not use this knowledge for malicious purposes and wish that birds poop on anyone who does. - Rechabite
@JohnTube: If you are intercepting DNS queries, the workaround could be: if the user enters the direct IP address of the website, it won't send a DNS query out for resolution. - Trackandfield
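The DNS variant from the comments above, as an added example that is not the commenters' code: pull the question name out of an outbound UDP/53 query, match it against a blacklist and, for the "what should the answer be" part, build an NXDOMAIN reply carrying the original ID and question that the filter can inject back to the client instead of forwarding the query. The filter string, the blacklist and the `build_dns_query` test input are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WinDivert filter for the DNS variant described in the comments (assumed). */
const char *const kDnsFilter = "outbound && (ip || ipv6) && udp.DstPort == 53";

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Read the first question name of a DNS query p[0..n) into out as "a.b.c"
 * (lower-cased). Returns the size of header + question section, or 0 when the
 * message is not a query, has no question, or is truncated or malformed.
 * Compression pointers (0xC0 labels) are rejected; they do not occur in queries. */
size_t dns_query_name(const uint8_t *p, size_t n, char *out, size_t outsz)
{
    if (n < 12 || (p[2] & 0x80) || be16(p + 4) == 0) return 0; /* QR=0, QDCOUNT>=1 */
    size_t i = 12, o = 0;
    while (i < n) {
        uint8_t len = p[i++];
        if (len == 0) break;                                    /* root label ends the name */
        if (len > 63 || i + len > n || o + len + 1 >= outsz) return 0;
        if (o) out[o++] = '.';
        for (size_t k = 0; k < len; k++) out[o++] = (char)tolower(p[i + k]);
        i += len;
    }
    if (o == 0 || i + 4 > n) return 0;                          /* no name, or QTYPE/QCLASS cut */
    out[o] = '\0';
    return i + 4;
}

/* Blacklist entries (lower-case) match the name itself and any subdomain. */
static int domain_matches(const char *name, const char *const *list, size_t count)
{
    size_t nl = strlen(name);
    for (size_t k = 0; k < count; k++) {
        size_t bl = strlen(list[k]);
        if (bl <= nl && strcmp(name + nl - bl, list[k]) == 0 &&
            (nl == bl || name[nl - bl - 1] == '.')) return 1;
    }
    return 0;
}

/* Build the reply to inject instead of forwarding the query: same ID and
 * question, QR=1, RD copied, RA=1, RCODE=3 (NXDOMAIN), no records. qlen is
 * the value dns_query_name returned, so any trailing OPT record is dropped. */
size_t dns_nxdomain_reply(const uint8_t *q, size_t qlen, uint8_t *out, size_t outsz)
{
    if (qlen < 12 || qlen > outsz) return 0;
    memcpy(out, q, qlen);
    out[2] = 0x80 | (q[2] & 0x01);   /* QR=1, opcode 0, AA=0, TC=0, RD as asked */
    out[3] = 0x80 | 0x03;            /* RA=1, Z=0, RCODE=3 */
    out[4] = 0; out[5] = 1;          /* QDCOUNT=1 */
    memset(out + 6, 0, 6);           /* ANCOUNT=NSCOUNT=ARCOUNT=0 */
    return qlen;
}

/* 1 = blacklisted (reply prepared in resp, *resp_len set), 0 = reinject the query. */
int dns_verdict(const uint8_t *pay, size_t n, const char *const *list, size_t count,
                uint8_t *resp, size_t respsz, size_t *resp_len)
{
    char name[256];
    size_t used = dns_query_name(pay, n, name, sizeof name);
    if (used == 0 || !domain_matches(name, list, count)) return 0;
    *resp_len = dns_nxdomain_reply(pay, used, resp, respsz);
    return *resp_len != 0;
}

/* Constructed test input: a standard recursive A query for name. */
size_t build_dns_query(const char *name, uint16_t id, uint8_t *buf, size_t bufsz)
{
    size_t nl = strlen(name), i = 12;
    if (nl == 0 || 12 + nl + 2 + 4 > bufsz) return 0;
    memset(buf, 0, 12);
    buf[0] = (uint8_t)(id >> 8); buf[1] = (uint8_t)id; buf[2] = 0x01; buf[5] = 1; /* RD=1, QDCOUNT=1 */
    for (const char *s = name; *s; ) {
        const char *dot = strchr(s, '.');
        size_t len = dot ? (size_t)(dot - s) : strlen(s);
        buf[i++] = (uint8_t)len; memcpy(buf + i, s, len); i += len;
        s += len + (dot ? 1 : 0);
    }
    buf[i++] = 0;                                               /* end of name */
    buf[i++] = 0; buf[i++] = 1; buf[i++] = 0; buf[i++] = 1;     /* QTYPE=A, QCLASS=IN */
    return i;
}

int main(void)
{
    static const char *const blacklist[] = { "example.com" };      /* assumed list */
    const char *names[] = { "www.example.com", "notexample.com" }; /* constructed */
    uint8_t q[512], r[512]; size_t n, rl = 0;
    for (int i = 0; i < 2; i++) {
        n = build_dns_query(names[i], (uint16_t)(0x1000 + i), q, sizeof q);
        int blocked = dns_verdict(q, n, blacklist, 1, r, sizeof r, &rl);
        printf("%-16s %s\n", names[i], blocked ? "NXDOMAIN injected" : "query reinjected");
    }
    return 0;
}
```

Injecting the reply means dropping the captured query, swapping its source and destination addresses and ports, recalculating the checksums (WinDivertHelperCalcChecksums) and sending the packet inbound. As the last comment notes, a client that connects to an IP address directly never sends the query, and a resolver reached over anything other than plain UDP/53 (DNS over TLS or DNS over HTTPS) is invisible to this filter as well.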

You would need to produce

  1. a proxy service like you find on GitHub, then be a "man-in-the-middle" and capture HTTPS handshakes and replay them with your own to decrypt all HTTPS traffic, usually done using a certificate that

  2. you need to install on the server/PC so that the browser can (be tricked into) trust(ing) it.

Then you can sit between two parties and record, block or allow communication between any 2 endpoints on the device.

Have a look at: https://github.com/matt-dot-net/HttpProxy

And the implementation: https://www.codeproject.com/Messages/3952869/Which-Options-do-I-need-to-use-to-make-the-certifi

Reverent answered 12/1, 2023 at 4:50 Comment(0)
