
Making API calls to Splunk? If you have digital certificate verification turned off, your connection is susceptible to man-in-the-middle attacks. Luckily you can thwart Splunk man-in-the-middle attacks with Go.

Here’s What Everyone Does

They disable SSL certificate chain verification. That means anyone presenting any certificate, not just the one carrying Splunk's public key, can intercept traffic between Splunk and your application. This opens up your application to MITM (man in the middle) attacks.

In one sentence: the fix is to tell the client application to trust the Splunk server's self-signed digital certificate by embedding that certificate in the program.


In Python

This is the most common occurrence, and upon discovery it is usually met with a blank look from those who practice it. Nothing is being checked, because this line explicitly tells the Python interpreter not to check the certificate's validity.

# DON'T!!
import requests
requests.get("https://google.com", verify=False)

Using Splunk Web with HTTPS enabled, I am demonstrating the correct steps to take to embed an SSL certificate in a client-side application written in Go. When you install Splunk Free you are automatically using the Enterprise Trial, so it does expire. Before it expires we can use its API securely, since it allows authentication.

What You Need

  1. Ubuntu Desktop 18.04 LTS with Splunk installed.
  2. Splunk Enterprise Trial License

Need help setting up? Read this guide to get started.

Turn on SSL in Splunk Web.

Settings > Server Settings > General Settings

Turn on SSL(HTTPS)

Then restart Splunk Web.

Get the Splunk Server’s Certificate

What happens when your web browser goes to https://splunk-virtualbox is

  • The web browser and the Splunk server use the server's public key to negotiate a symmetric session key that is then used to encrypt and decrypt traffic between the two.

This raises a concern: anyone could present your browser and/or Splunk server a public key, so how do you know who is on the other side?

The answer is digital certificates. A Certificate Authority, Comodo for instance, has many certificates installed in your browser. It is this authority that vouches that the public key being transferred is legitimate, based on the details of the digital certificate.

In order to install this safety-check mechanism into our program that we will make further into this tutorial, we first need to get the certificate from Splunk and extract it into a string that we can use in a program.

Click on the “i”; it’s next to the lock with the scary-looking yellow warning icon.

Continued.

Choose “EXPORT” and save the certificate to disk.

Program A Secure Application

package main

import (
    "net/http"
    "fmt"
    "crypto/tls"
    "crypto/x509"
)

// The Splunk server's exported certificate, embedded as a raw string.
const splunkCert = `-----BEGIN CERTIFICATE-----
<paste the body of the certificate you exported from Splunk here>
-----END CERTIFICATE-----`

First we define the package-level name as main. Then we define the imports that are needed. Next a constant is defined that holds the Splunk server’s certificate. The certificate will be a string that you 1) copy and paste from the exported file into your code and 2) wrap in backticks before and after it.

Continuing…

func CustomHttp() *http.Client {
	// Start from an empty trust store: only certificates added below are trusted.
	tlsConf := &tls.Config{RootCAs: x509.NewCertPool()}
	trans := &http.Transport{TLSClientConfig: tlsConf}
	client := &http.Client{Transport: trans}

	// Load the embedded Splunk certificate into the trust store.
	certBytes := []byte(splunkCert)
	check := tlsConf.RootCAs.AppendCertsFromPEM(certBytes)
	if !check {
		panic("Could not parse x509 certificate!")
	}
	return client
}

func main() {
	httpClient := CustomHttp()
	// this is the URL for SSL-enabled Splunk Web
	resp, err := httpClient.Get("https://splunk-virtualbox:8000")
	if err != nil {
		fmt.Printf("error! %v\n", err)
		return
	}
	defer resp.Body.Close()
	fmt.Println(resp)
}

We define a function that builds a customized HTTP client and name it CustomHttp(). Its trust store starts empty and contains only the embedded Splunk certificate, so any other certificate fails the handshake. If loading the certificate fails the program will scream and die. We return the new client, use it in main to request the Splunk Web URL, and then print the resulting server response.
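As an added example (not code from the original post), here is the same RootCAs pinning packaged as a reusable function and exercised against a local self-signed TLS server that stands in for Splunk Web: it shows the unknown-authority error a stock client gets (the error people "fix" with verify=False) and the pinned client succeeding. NewPinnedClient and Demo are hypothetical names, and the server and its certificate are constructed by httptest.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"net/http"
	"net/http/httptest"
)

// NewPinnedClient returns a client whose trust store holds only the
// certificates in pemBundle, the approach the post takes with splunkCert.
func NewPinnedClient(pemBundle []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBundle) {
		return nil, errors.New("no usable PEM certificate in bundle")
	}
	tlsConf := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsConf}}, nil
}

// Demo starts a local TLS server with a self-signed certificate (generated by
// httptest; it stands in for Splunk Web) and queries it with a stock client
// and with a client pinned to that certificate.
func Demo() (pinnedStatus int, stockRejected bool, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	// Programmatic equivalent of the browser's EXPORT step: PEM-encode the leaf.
	serverPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})

	// The stock client knows only the system CA store, so the handshake fails
	// with UnknownAuthorityError: the error people "fix" with verify=False.
	var unknownCA x509.UnknownAuthorityError
	_, err = http.Get(srv.URL)
	stockRejected = errors.As(err, &unknownCA)

	// The pinned client trusts exactly that certificate, so the request succeeds.
	pinned, err := NewPinnedClient(serverPEM)
	if err != nil {
		return 0, stockRejected, err
	}
	resp, err := pinned.Get(srv.URL)
	if err != nil {
		return 0, stockRejected, err
	}
	resp.Body.Close()
	return resp.StatusCode, stockRejected, nil
}
```

Swap srv.URL for your Splunk Web URL and serverPEM for the exported certificate and the pinned client behaves exactly as CustomHttp() above.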

Run the Program

Note that my VirtualBox is set up to use NAT as its networking mode. I recommend doing the same until you are comfortable setting up another scenario.

If you were using a Bridged Adapter, for example, the IP address of the VM's NIC on the network you selected in VirtualBox would be the host to use in your code. That address would take the place of https://splunk-virtualbox, as in https://10.0.0.11:8000

Success!

error: