Toolkit for auditing "phone home" behavior on Mac OS X Yosemite.
Latest commit 438a368 by landonf, Nov 24, 2014: Update sslsplit to point to upstream sources. Now that all necessary changes have been upstreamed, a local fork is no longer required.
Repository contents:

  • babelfish
  • bin
  • conf (Update to latest upstream sslsplit sources. Nov 24, 2014)
  • lib/sslsplit
  • README.md (Update sslsplit to point to upstream sources. Nov 24, 2014)
  • install.sh
  • sslsplit-create-standalone.sh (Automated installation script for monitoring local traffic via sslsplit. Oct 19, 2014)

README.md

Capture ALL The Things

Net-Monitor (NM) is a toolkit for auditing "phone home" behavior of all user- and system-level processes on Mac OS X Yosemite.

Example data extracted by Net-Monitor is provided for collaborative review and analysis via the Yosemite Phone Home project.

Features include:

  • Transparent plaintext logging of TCP/TLS/HTTPS traffic via pf(4) and a custom version of SSLSplit. No custom proxy configuration is required.
  • Automatic correlation of connections with initiating application, user, and group.
  • Logging of non-TCP traffic via pf(4), pflog(4), and tcpdump.
  • Automatic generation and trust of a local, per-machine MITM certificate authority.
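The correlation feature above (connection to initiating application and user) can be illustrated with a small socket-owner lookup. The following is an added example written for this README, not code from the net-monitor project: it parses the output of `lsof -nP -iTCP` into a table keyed by local endpoint, attributes a connection to its owning command/PID/user, and builds a per-application list of remote endpoints. The `lsof` output embedded below is constructed sample data (made-up PIDs, users and addresses), and the `Conn` record and function names are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample of `lsof -nP -iTCP` output; every PID, user and
# address here is made up for the example and was not captured by NM.
SAMPLE_LSOF = """\
COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
apsd      123   _apsd   10u  IPv4 0x1234567890abcdef      0t0  TCP 192.0.2.10:49152->198.51.100.5:5223 (ESTABLISHED)
Safari    456    alice  22u  IPv4 0x1234567890abcde0      0t0  TCP 192.0.2.10:49200->203.0.113.7:443 (ESTABLISHED)
Safari    456    alice  23u  IPv6 0x1234567890abcde1      0t0  TCP [2001:db8::10]:49201->[2001:db8::1]:443 (ESTABLISHED)
launchd     1    root    8u  IPv4 0x1234567890abcde2      0t0  TCP *:22 (LISTEN)
"""

# One established TCP connection and the process that owns it.
Conn = namedtuple("Conn", "command pid user remote_ip remote_port")

# NAME column of an established socket: "local->remote", with IPv6
# addresses in brackets and IPv4 addresses bare.
_CONN_RE = re.compile(
    r"^\[?([0-9a-fA-F.:]+)\]?:(\d+)->\[?([0-9a-fA-F.:]+)\]?:(\d+)"
)


def parse_lsof(text):
    """Map (local_ip, local_port) -> Conn for every established TCP socket.

    LISTEN sockets (no peer) are skipped; they cannot be matched against
    a captured connection anyway.
    """
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME: nine columns,
        # the last of which may itself contain spaces, e.g. "(ESTABLISHED)".
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        command, pid, user, name = fields[0], fields[1], fields[2], fields[8]
        m = _CONN_RE.match(name)
        if not m:
            continue
        local_ip, local_port, remote_ip, remote_port = m.groups()
        table[(local_ip, int(local_port))] = Conn(
            command, int(pid), user, remote_ip, int(remote_port)
        )
    return table


def attribute(table, local_ip, local_port):
    """Return the Conn owning a local endpoint, or None when the socket is
    no longer present (short-lived connections are the usual reason the
    correlation is imperfect; callers should record them as unattributed
    rather than guessing)."""
    return table.get((local_ip, local_port))


def phone_home_report(table):
    """Group remote endpoints by owning command: {command: [host:port, ...]}."""
    report = {}
    for conn in table.values():
        host = f"[{conn.remote_ip}]" if ":" in conn.remote_ip else conn.remote_ip
        report.setdefault(conn.command, set()).add(f"{host}:{conn.remote_port}")
    return {cmd: sorted(endpoints) for cmd, endpoints in report.items()}


if __name__ == "__main__":
    table = parse_lsof(SAMPLE_LSOF)
    for cmd, endpoints in sorted(phone_home_report(table).items()):
        print(cmd, "->", ", ".join(endpoints))
```

On a live system the input would come from `subprocess.run(["lsof", "-nP", "-iTCP"], capture_output=True, text=True).stdout`; the lookup must be taken at the moment a connection is first seen, because the socket may be gone by the time the log record is written, which is exactly the failure mode the caveats below describe.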

By default, NM generates the following logs:

  • TCP/SSL: /var/log/sslsplit//--.log
  • UDP/other: /var/log/udp-monitor/*.pcap

NM relies on SSLsplit to provide TLS introspection; all of our previous local patches have been integrated upstream.

Additional contributions to improve accuracy/transparency of the collected data are always very welcome.

Caveats

  • NM is intended to be used on a dedicated VM or research installation; it overrides default configuration files and interposes itself in TLS network communications, and is not currently recommended for day-to-day use.
  • Correlation of sockets, processes, and file system executable paths is imperfect; there are cases where connections will be ascribed to the wrong application path.
  • TLS traffic using client certificates cannot be captured in plaintext by default. For example, NM captures the key exchange performed by apsd (Apple Push Services Daemon), which establishes a client certificate, but NM can't transparently sniff future communications protected by that certificate without the addition of apsd-specific protocol handling.

Developing

Installation is handled entirely by install.sh; the pf(4) and launchd configuration files may be found in conf/.
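To show how pf(4) provides the transparent interception described above without any client proxy configuration, here is an illustrative pf.conf fragment. It is an added example written for this README and is not the ruleset shipped in conf/; the listener port 8443, the outbound interface en0, and the dedicated `_sslsplit` user are assumptions made for the example.

```pf
# Illustrative pf.conf fragment (not net-monitor's own conf/ ruleset).
# Assumed: sslsplit listens on 127.0.0.1:8443, traffic leaves via en0,
# and sslsplit runs as the user _sslsplit.

# Locally originated HTTPS never enters through en0, so the redirect is
# applied on lo0 and the outbound rule below steers matching traffic there.
rdr pass on lo0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 8443

# Route outbound port-443 traffic via lo0 so the rdr rule sees it.
# sslsplit's own upstream connections are excluded, otherwise they would
# be redirected back to sslsplit in a loop.
pass out on en0 route-to lo0 inet proto tcp from any to any port 443 user != _sslsplit

# Everything that is not TCP is logged to pflog0 rather than decrypted;
# tcpdump reads that interface and writes the pcap files.
pass out log on en0 proto { udp, icmp } from any to any
```

The non-TCP side is then collected with something like `tcpdump -ni pflog0 -w /var/log/udp-monitor/udp.pcap` (pflog0 must be created first with `ifconfig pflog0 create`). The rdr/route-to pair is what lets NM see the SNI and plaintext of every process's HTTPS traffic; it is also why the caveats above warn that the tool interposes itself in all TLS communication on the host.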

To update the embedded copy of SSLsplit:

  • Clone and build sslsplit locally.
  • Update NM's standalone sslsplit binary via sslsplit-create-standalone.sh, e.g., sslsplit-create-standalone.sh ~/sslsplit/sslsplit ~/net-monitor