.:: go-fakessl: Cloning SSL/TLS Certificates ::.
[ Introduction ]
go-fakessl is a Go tool for pentesters that clones the SSL/TLS certificate of any
HTTPS server. It reads the key details of the server's certificate, generates a
new RSA key pair, and issues a self-signed certificate that looks like the
original. It can also run a local HTTPS server for testing the cloned
certificate. The source is available at https://cgit.heqnx.com/go-fakessl and
can be fetched with git clone https://cgit.heqnx.com/go-fakessl.
[ Motivation and Objectives ]
go-fakessl was built to help security testers reproduce legitimate-looking
SSL/TLS setups with little effort. The tool aims to:
- Clone certificates for red team deployments
- Let testers compare original and cloned certificates to spot issues
- Allow testing of cloned certificates with a local HTTPS server
[ Analysis ]
The core of go-fakessl lies in its cloneCertificate function, which performs
several critical steps:
- URL Parsing: The tool parses the input URL to extract the host and defaults to
port 443 when none is specified
- TLS Connection: It establishes a TLS connection with InsecureSkipVerify: true,
so the target's own certificate is read but not validated
- Certificate Cloning: The cloneCertificateTemplate function duplicates the
original certificate's attributes, such as issuer, subject, and key usage,
into a new template
- Key Generation: A 2048-bit RSA key pair is generated, and a new self-signed
certificate is created using the cloned template
- Output: The tool saves the cloned certificate and private key as PEM files
and provides commands to compare the original and cloned certificates using
openssl
[ Output ]
Running go-fakessl against a target like https://google.com produces:
$ ./go-fakessl-linux-amd64 -url https://google.com
url cloned cert private key
google.com:443 google.com_clone.pem google.com_clone.key
[inf] start an https server to test cloned certificate with:
$ ./go-fakessl-linux-amd64 -cert google.com_clone.pem -key google.com_clone.key -port 8000
[inf] manually inspect and diff the original certificate and cloned certificate with:
$ openssl s_client -connect google.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text > google.com_original.txt
$ openssl x509 -in google.com_clone.pem -noout -text > google.com_clone.pem_clone.txt
$ diff *.txt
The diff will show where the clone departs from the original: the cloned
certificate is self-signed (its issuer is its own subject) and carries a public
key and signature belonging to the newly generated key pair, while core
attributes such as the subject and DNS names remain identical.
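Those same three differences are what a defender should check on the certificate a server presents: issuer equal to subject, an SPKI hash that no longer matches the pinned one, and a chain that validates against no trusted root. The Go program below is an added example, not go-fakessl's code; it builds a test CA, a legitimate leaf and a go-fakessl-style self-signed clone in memory (constructed data, Ed25519 keys instead of the tool's RSA-2048 for brevity; the host and CA names are invented) and runs those checks on both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type Findings struct{ SelfSigned, PinMatch, Trusted bool } // what inspect reports for one presented certificate

// inspect checks the leaf a server presented for host against a pinned SPKI SHA-256 and a root pool.
func inspect(leaf *x509.Certificate, host string, pin [32]byte, roots *x509.CertPool) Findings {
	_, chainErr := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return Findings{
		SelfSigned: string(leaf.RawIssuer) == string(leaf.RawSubject), // what the openssl diff shows: Issuer == Subject
		PinMatch:   sha256.Sum256(leaf.RawSubjectPublicKeyInfo) == pin, // a fresh key pair changes the SPKI hash
		Trusted:    chainErr == nil,                                    // a clone chains to nothing in the root pool
	}
}

// newCert makes constructed test data: a one-day cert for cn (plus DNS SAN) under a fresh key, signed by parent with signer, or self-signed when parent is nil.
func newCert(serial int64, cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: ca}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, signer = tpl, key // self-signed: the certificate's own key signs it
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c, key
}

// scenario issues a leaf for host from a test CA, clones it as go-fakessl does (same subject, SAN, serial; new key; self-signed) and inspects both: (legit, clone).
func scenario(host string) (Findings, Findings) {
	ca, caKey := newCert(1, "Example Test CA", true, nil, nil)
	leaf, _ := newCert(2, host, false, ca, caKey)
	clone, _ := newCert(2, host, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pin := sha256.Sum256(leaf.RawSubjectPublicKeyInfo) // the value a defender records in advance
	return inspect(leaf, host, pin, roots), inspect(clone, host, pin, roots)
}
```

scenario("www.example.test") returns {SelfSigned:false PinMatch:true Trusted:true} for the legitimate leaf and {SelfSigned:true PinMatch:false Trusted:false} for the clone, so any one of the three checks is enough to flag it.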
[ Testing with a Local HTTPS Server ]
To test the cloned certificate, go-fakessl provides a built-in HTTPS server:
$ ./go-fakessl-linux-amd64 -cert google.com_clone.pem -key google.com_clone.key -port 8000
[inf] starting https server on https://127.0.0.1:8000
This server responds with a simple "Hello, world!" message, allowing pentesters
to verify the certificate's behavior in a browser or via tools like curl. Since
the certificate is self-signed, browsers will display a warning unless the
certificate is manually trusted.