commit 11458fe98c200bdbacd5960043762542a0c470d0 Author: superwhiskers Date: Wed Jun 3 04:08:31 2020 -0500 initial commit diff --git a/client-certificates/account.nintendo.net.pem b/client-certificates/account.nintendo.net.pem new file mode 120000 index 0000000..86892e7 --- /dev/null +++ b/client-certificates/account.nintendo.net.pem @@ -0,0 +1 @@ +ctr-common-1.pem \ No newline at end of file diff --git a/client-certificates/ccs.c.shop.nintendowifi.net.pem b/client-certificates/ccs.c.shop.nintendowifi.net.pem new file mode 120000 index 0000000..86892e7 --- /dev/null +++ b/client-certificates/ccs.c.shop.nintendowifi.net.pem @@ -0,0 +1 @@ +ctr-common-1.pem \ No newline at end of file diff --git a/client-certificates/ctr-common-1.pem b/client-certificates/ctr-common-1.pem new file mode 100644 index 0000000..43bcf7c --- /dev/null +++ b/client-certificates/ctr-common-1.pem @@ -0,0 +1,55 @@ +-----BEGIN CERTIFICATE----- +MIIEwzCCA6ugAwIBAgIBBjANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKV2FzaGluZ3RvbjEhMB8GA1UEChMYTmludGVuZG8gb2YgQW1lcmlj +YSBJbmMuMQswCQYDVQQLEwJJUzEZMBcGA1UEAxMQTmludGVuZG8gQ0EgLSBHMzAe +Fw0xMDA1MTMxOTE5NDZaFw0zNzEyMjIxOTE5NDZaMIGlMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEiMCAGA1UEChMZ +TmludGVuZG8gb2YgQW1lcmljYSwgSW5jLjELMAkGA1UECxMCSVMxGjAYBgNVBAMT +EUNUUiBDb21tb24gUHJvZCAxMSIwIAYJKoZIhvcNAQkBFhNjYUBub2EubmludGVu +ZG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA81Vzs324jZwc +NpbFESgDNooVTRP1TlxvYwz8bbHnJHhImjEJNO29YSTpjmF7wonczooeKXfE/Ry2 ++ey9mk92UhzSnvuSHQ6P2zFBbcPnE8eBi73oDnErgixiWe1TKP1G5LvwOqrEkVmX +LN/qnLrsfFp4QNyFc+PLvJ9IAfRSBwdRJHAiSgE9nB9eI7AGcM6DCw7+p9zEz6rN +RHUVRc5I132wJpQa8aoWaqPW7LE8exEC3VSfDHRVPjZUMRhfoBVSi2NfiA3xYsqk +v+Ct3E+bzW8y1aAQ7wIshQ/RGcLtVZE+tkoAznXewVLdKtcC67Vy4awhJ/BqK1tv +c26qV3zIJwIDAQABo4IBMzCCAS8wCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd +T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIzG7XO5Ojx2 +G45r5dTszWF1rcFtMIGXBgNVHSMEgY8wgYyAFATT3tP98MjrwlmSh/sf1z5y+O35 +oXGkbzBtMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEhMB8GA1UE +ChMYTmludGVuZG8gb2YgQW1lcmljYSBJbmMuMQswCQYDVQQLEwJJUzEZMBcGA1UE +AxMQTmludGVuZG8gQ0EgLSBHM4IBATA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8v +Y3JsLm5pbnRlbmRvLmNvbS9uaW50ZW5kby1jYS1nMy5jcmwwDQYJKoZIhvcNAQEL +BQADggEBAEOXZ/3IkNuFUfdxHpP0vrcSCTnDqMk8gsLVbN39BJT8Wqm8e3MFNhS/ +Y1YOWgoIPtJp4cd2tXM3cXWzUZgm3SKd1XX/B81PFLEYlk+metUqB4jpF0ApCZs6 +RNoXDBTx6XzsC07CA3uaxEdeWjC5Nl29AHuZ1YC/Z+7Da57TwBaa+/APj4y5mGUa +ahbvwpe1t3GSNOS5nBDSeCHAKLmzfnXpliA5qQZxo94RSXIVWK8hilXoFDQCL904 +OGpgZnAhz4p3rcJYTq9ub8n6NYr9OJKKbWXfJY1QK4pXFVcIuAph0o/EyzDIEXuT +J4Q4b2km8uI0H4yxsQwUX9Epw6Vbujc= +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEA81Vzs324jZwcNpbFESgDNooVTRP1TlxvYwz8bbHnJHhImjEJ +NO29YSTpjmF7wonczooeKXfE/Ry2+ey9mk92UhzSnvuSHQ6P2zFBbcPnE8eBi73o +DnErgixiWe1TKP1G5LvwOqrEkVmXLN/qnLrsfFp4QNyFc+PLvJ9IAfRSBwdRJHAi +SgE9nB9eI7AGcM6DCw7+p9zEz6rNRHUVRc5I132wJpQa8aoWaqPW7LE8exEC3VSf +DHRVPjZUMRhfoBVSi2NfiA3xYsqkv+Ct3E+bzW8y1aAQ7wIshQ/RGcLtVZE+tkoA +znXewVLdKtcC67Vy4awhJ/BqK1tvc26qV3zIJwIDAQABAoIBAQDBTk4m9iYJoU2s +dCPDmFTNG+8GF2fVw4rdVjCmeCDWkROkInZc7Mx4gtljub+WcOzPy1tgt/vu08Ps +UYziLGQjoTAVCmct3CaeC8gdifZleSVJvSi/aFoXBGlxZR6ePm72QPL7uDOGAHUf +OhboQXqi40AKzuTZhsqQYrzSiKQtXa8M0jMj3XWb7q+wLEyCtGJvUsFjfXiuxdrg +ZMwJ3jroDkxAIatmZzzAcjbY6U78P574DQAeFJM/6KJrZXgmsPdkqEpUJWBs1Zro +b7eEKjkM0tVfk6GrlIZgD5lhBxdyCci9UomO1JjJakKBhVeiB+HMC4sJtcJPyBdb +ZH70dIJhAoGBAP74UyWJ/xnd12NrZrybOab5pCSYDcaoLpzghWcaxsX+AS70BpEZ +wZU+DMxWtSfGTbVOlTlW0LEu3A9JHtisr+a3bf+ytv2zXRuDnJ3fhnFqRLRfopNs +BEAePBUL2EkJ/8OTSsiZcmDoVyhnt14U4sleawsIi30T/KcQDtMS81YXAoGBAPRR +F/oZcWHYNm1X8foHiPbltAji4u5M3McZT4wb3RZbWLJbUjSz/tATah36dxuT1v1z +EwHWZ0vdN94MuIy1OnwIHvBXJy8m4Rq6VTQpzGPgy0clbZbtX3Cih+fQSvxJUe2m +psaicsNSTtmd+btudZyG5qzILOU8afGmeB1wr3hxAoGBANZkcm3XSoUyj8FOdxXS +pDiuI4KNxM+tbXyGIkZfMpMbkV0s3jS2ZpuakGJl6m/mhEMXL80GHfdOwsWro19o +XYRv6vOeD9bmMj1HfrMVWFQXmmvdGrRBmJVdlwHPcu9/k+uc974ToSSxWVBlXb+j +aksOtI2Tgs8KtmC31O9ROQHDAoGBAI0OnPdK5UmGmbX7xruCyjMyYAWZaUgInJdf +J6xPEhCsYMNpMkc3fPEJpIT2bPpBGylt3RV8glsst+q+EXc70y51SdedmgQBQIo7 +9qGNWHJ6ASNsmp8/IZFYZXsTqZeLhX/ebf/VHsliph/Cs8LhfYoH4Pr0/+bCQLDC +Wis1OjohAoGBAJSivkSk2MKrg/t4CqNYLBiPp0fegm9ZL3187I/leVJGXIXsNqTq +oa6qT5JxiJRQnkw2IzfI6icl+BJYydRU3oH4X0nvl0eyjiIfG/nfn4H7ckSKdzP/ +wVBdRbcC+/PX/1WpGiJM+kXrf/vLQN1B6iihrYEkS/ZIkzFWMuuKQRvQ +-----END RSA PRIVATE KEY----- diff --git a/client-certificates/ecs.c.shop.nintendowifi.net.pem b/client-certificates/ecs.c.shop.nintendowifi.net.pem new file mode 120000 index 0000000..86892e7 --- /dev/null +++ b/client-certificates/ecs.c.shop.nintendowifi.net.pem @@ -0,0 +1 @@ +ctr-common-1.pem \ No newline at end of file diff --git a/client-certificates/nasc.nintendowifi.net.pem b/client-certificates/nasc.nintendowifi.net.pem new file mode 120000 index 0000000..86892e7 --- /dev/null +++ b/client-certificates/nasc.nintendowifi.net.pem @@ -0,0 +1 @@ +ctr-common-1.pem \ No newline at end of file diff --git a/client-certificates/ninja.ctr.shop.nintendo.net.pem b/client-certificates/ninja.ctr.shop.nintendo.net.pem new file mode 120000 index 0000000..86892e7 --- /dev/null +++ b/client-certificates/ninja.ctr.shop.nintendo.net.pem @@ -0,0 +1 @@ +ctr-common-1.pem \ No newline at end of file diff --git a/client-certificates/nppl.c.app.nintendowifi.net.pem b/client-certificates/nppl.c.app.nintendowifi.net.pem new file mode 120000 index 0000000..86892e7 --- /dev/null +++ b/client-certificates/nppl.c.app.nintendowifi.net.pem @@ -0,0 +1 @@ +ctr-common-1.pem \ No newline at end of file diff --git a/client-certificates/nus.c.shop.nintendowifi.net.pem b/client-certificates/nus.c.shop.nintendowifi.net.pem new file mode 120000 index 0000000..86892e7 --- /dev/null +++ b/client-certificates/nus.c.shop.nintendowifi.net.pem @@ -0,0 +1 @@ +ctr-common-1.pem \ No newline at end of file diff --git a/configuration/.gitignore b/configuration/.gitignore new file mode 100644 index 0000000..2336356 --- /dev/null +++ b/configuration/.gitignore @@ -0,0 +1,7 @@ +# .gitignore +mitmproxy-ca-cert.p12 +mitmproxy-ca.p12 +mitmproxy-dhparam.pem +mitmproxy-ca-cert.cer +mitmproxy-ca-cert.pem +mitmproxy-ca.pem diff --git a/configuration/config.yaml b/configuration/config.yaml new file mode 100644 index 0000000..ebef0d6 --- /dev/null +++ b/configuration/config.yaml @@ -0,0 +1,292 @@ + +# Add all certificates of the upstream server to the certificate chain +# that will be served to the proxy client, as extras. Type bool. +add_upstream_certs_to_client_chain: false + +# Opposite of --ignore-hosts. Type sequence of str. +allow_hosts: [] + +# Strip out request headers that might cause the server to return +# 304-not-modified. Type bool. +anticache: false + +# Try to convince servers to send us un-compressed data. Type bool. +anticomp: false + +# Block connections from globally reachable networks, as defined in the +# IANA special purpose registries. Type bool. +block_global: true + +# Block connections from private networks, as defined in the IANA +# special purpose registries. This option does not affect loopback +# addresses. Type bool. +block_private: false + +# Byte size limit of HTTP request and response bodies. Understands k/m/g +# suffixes, i.e. 3m for 3 megabytes. Type optional str. +body_size_limit: + +# SSL certificates of the form "[domain=]path". The domain may include a +# wildcard, and is equal to "*" if not specified. The file at path is a +# certificate in PEM format. If a private key is included in the PEM, it +# is used, else the default key in the conf dir is used. The PEM file +# should contain the full certificate chain, with the leaf certificate +# as the first entry. Type sequence of str. +certs: [] + +# Set supported ciphers for client connections using OpenSSL syntax. +# Type optional str. +ciphers_client: + +# Set supported ciphers for server connections using OpenSSL syntax. +# Type optional str. +ciphers_server: + +# Client certificate file or directory. Type optional str. +client_certs: "./client-certificates" + +# Replay client requests from a saved file. Type sequence of str. +client_replay: [] + +# Persist command history between mitmproxy invocations. Type bool. +command_history: true + +# Location of the default mitmproxy configuration files. Type str. +confdir: ./confdir + +# The default content view mode. Valid values are 'auto', 'raw', 'hex', +# 'json', 'xml/html', 'wbxml', 'javascript', 'css', 'url-encoded', +# 'multipart form', 'image', 'query', 'protocol buffer'. +console_default_contentview: auto + +# EventLog verbosity. Valid values are 'error', 'warn', 'info', 'alert', +# 'debug'. +console_eventlog_verbosity: info + +# Set the flowlist layout Valid values are 'default', 'list', 'table'. +console_flowlist_layout: default + +# Focus follows new flows. Type bool. +console_focus_follow: false + +# Console layout. Valid values are 'horizontal', 'single', 'vertical'. +console_layout: single + +# Show layout component headers Type bool. +console_layout_headers: true + +# Console mouse interaction. Type bool. +console_mouse: true + +# Color palette. Valid values are 'dark', 'light', 'lowdark', +# 'lowlight', 'solarized_dark', 'solarized_light'. +console_palette: solarized_dark + +# Set transparent background for palette. Type bool. +console_palette_transparent: false + +# Flow content view lines limit. Limit is enabled by default to speedup +# flows browsing. Type int. +content_view_lines_cutoff: 512 + +# Enable/disable HTTP/2 support. HTTP/2 support is enabled by default. +# Type bool. +http2: true + +# PRIORITY forwarding for HTTP/2 connections. Disabled by default to +# ensure compatibility with misbehaving servers. Type bool. +http2_priority: false + +# Ignore host and forward all traffic without processing it. In +# transparent mode, it is recommended to use an IP address (range), not +# the hostname. In regular mode, only SSL traffic is ignored and the +# hostname should be used. The supplied value is interpreted as a +# regular expression and matched on the ip or the hostname. Type +# sequence of str. +ignore_hosts: [] + +# Intercept filter expression. Type optional str. +intercept: + +# Intercept toggle Type bool. +intercept_active: false + +# Reverse Proxy: Keep the original host header instead of rewriting it +# to the reverse proxy target. Type bool. +keep_host_header: false + +# TLS key size for certificates and CA. Type int. +key_size: 2048 + +# Address to bind proxy to. Type str. +listen_host: '' + +# Proxy service port. Type int. +listen_port: 8080 + +# Mode can be "regular", "transparent", "socks5", "reverse:SPEC", or +# "upstream:SPEC". For reverse and upstream proxy modes, SPEC is host +# specification in the form of "http[s]://host[:port]". Type str. +mode: regular + +# Toggle the mitmproxy onboarding app. Type bool. +onboarding: true + +# Onboarding app domain. For transparent mode, use an IP when a DNS +# entry for the app domain is not present. Type str. +onboarding_host: mitm.it + +# Port to serve the onboarding app from. Type int. +onboarding_port: 80 + +# Require proxy authentication. Format: "username:pass", "any" to accept +# any user/pass combination, "@path" to use an Apache htpasswd file, or +# "ldap[s]:url_server_ldap:dn_auth:password:dn_subtree" for LDAP +# authentication. Type optional str. +proxyauth: + +# Enable/disable experimental raw TCP support. TCP connections starting +# with non-ascii bytes are treated as if they would match tcp_hosts. The +# heuristic is very rough, use with caution. Disabled by default. Type +# bool. +rawtcp: false + +# Read only matching flows. Type optional str. +readfile_filter: + +# Replacement patterns of the form "/pattern/regex/replacement", where +# the separator can be any character. Type sequence of str. +replacements: [] + +# Read flows from file. Type optional str. +rfile: + +# Stream flows to file as they arrive. Prefix path with + to append. +# Type optional str. +save_stream_file: + +# Filter which flows are written to file. Type optional str. +save_stream_filter: + +# Execute a script. Type sequence of str. +scripts: [] + +# Start a proxy server. Enabled by default. Type bool. +server: true + +# Replay server responses from a saved file. Type sequence of str. +server_replay: [] + +# Ignore request's content while searching for a saved flow to replay. +# Type bool. +server_replay_ignore_content: false + +# Ignore request's destination host while searching for a saved flow to +# replay. Type bool. +server_replay_ignore_host: false + +# Request's parameters to be ignored while searching for a saved flow to +# replay. Type sequence of str. +server_replay_ignore_params: [] + +# Request's payload parameters (application/x-www-form-urlencoded or +# multipart/form-data) to be ignored while searching for a saved flow to +# replay. Type sequence of str. +server_replay_ignore_payload_params: [] + +# Ignore request's destination port while searching for a saved flow to +# replay. Type bool. +server_replay_ignore_port: false + +# Kill extra requests during replay. Type bool. +server_replay_kill_extra: false + +# Don't remove flows from server replay state after use. This makes it +# possible to replay same response multiple times. Type bool. +server_replay_nopop: false + +# Refresh server replay responses by adjusting date, expires and last- +# modified headers, as well as adjusting cookie expiration. Type bool. +server_replay_refresh: true + +# Request headers to be considered during replay. Type sequence of str. +server_replay_use_headers: [] + +# Header set pattern of the form "/pattern/header/value", where the +# separator can be any character. Type sequence of str. +setheaders: [] + +# Use the Host header to construct URLs for display. Type bool. +showhost: false + +# Use the client's IP for server-side connections. Combine with +# --upstream-bind-address to spoof a fixed source address. Type bool. +spoof_source_address: false + +# Do not verify upstream server SSL/TLS certificates. Type bool. +ssl_insecure: true + +# Path to a PEM formatted trusted CA certificate. Type optional str. +ssl_verify_upstream_trusted_ca: + +# Path to a directory of trusted CA certificates for upstream server +# verification prepared using the c_rehash tool. Type optional str. +ssl_verify_upstream_trusted_confdir: + +# Set supported SSL/TLS versions for client connections. SSLv2, SSLv3 +# and 'all' are INSECURE. Defaults to secure, which is TLS1.0+. Valid +# values are 'all', 'secure', 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1', +# 'TLSv1_2'. +ssl_version_client: secure + +# Set supported SSL/TLS versions for server connections. SSLv2, SSLv3 +# and 'all' are INSECURE. Defaults to secure, which is TLS1.0+. Valid +# values are 'all', 'secure', 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1', +# 'TLSv1_2'. +ssl_version_server: secure + +# Set sticky auth filter. Matched against requests. Type optional str. +stickyauth: + +# Set sticky cookie filter. Matched against requests. Type optional str. +stickycookie: + +# Stream data to the client if response body exceeds the given +# threshold. If streamed, the body will not be stored in any way. +# Understands k/m/g suffixes, i.e. 3m for 3 megabytes. Type optional +# str. +stream_large_bodies: + +# Stream WebSocket messages between client and server. Messages are +# captured and cannot be modified. Type bool. +stream_websockets: false + +# Generic TCP SSL proxy mode for all hosts that match the pattern. +# Similar to --ignore, but SSL connections are intercepted. The +# communication contents are printed to the log in verbose mode. Type +# sequence of str. +tcp_hosts: [] + +# Add HTTP Basic authentication to upstream proxy and reverse proxy +# requests. Format: username:password. Type optional str. +upstream_auth: + +# Address to bind upstream requests to. Type str. +upstream_bind_address: '' + +# Connect to upstream server to look up certificate details. Type bool. +upstream_cert: false + +# Limit the view to matching flows. Type optional str. +view_filter: + +# Flow sort order. Valid values are 'time', 'method', 'url', 'size'. +view_order: time + +# Reverse the sorting order. Type bool. +view_order_reversed: false + +# Enable/disable WebSocket support. WebSocket support is enabled by +# default. Type bool. +websocket: true + diff --git a/launch b/launch new file mode 100755 index 0000000..262f76c --- /dev/null +++ b/launch @@ -0,0 +1,4 @@ +#!/bin/bash + +cd $(realpath --no-symlinks $(dirname $0)) +$(basename $0) --set confdir="./configuration" $* diff --git a/mitmdump b/mitmdump new file mode 120000 index 0000000..a5bc098 --- /dev/null +++ b/mitmdump @@ -0,0 +1 @@ +launch \ No newline at end of file diff --git a/mitmproxy b/mitmproxy new file mode 120000 index 0000000..a5bc098 --- /dev/null +++ b/mitmproxy @@ -0,0 +1 @@ +launch \ No newline at end of file diff --git a/mitmweb b/mitmweb new file mode 120000 index 0000000..a5bc098 --- /dev/null +++ b/mitmweb @@ -0,0 +1 @@ +launch \ No newline at end of file diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..83f0d94 --- /dev/null +++ b/readme.md @@ -0,0 +1,26 @@ +# mitmproxy-nintedo + +a package for intercepting traffic from nintendo consoles (currently only the 3ds) + +## prerequisites + +- a working mitmproxy install +- the nintendo console to intercept traffic from +- a *nix computer (macos, linux, maybe bsd) + +## usage + +- clone (or download) this repo to your computer +- run one of the launcher scripts to launch a proxy server +- configure your console to connect to the proxy +- hope that it works + +## troubleshooting + +### my console says that it cannot do x! + +check the logs. does the proxy say that it is having a certificate issue? +if so, go into the `client-certificate` directory of this repository and +create a symbolic link to the `ctr-common-1.pem` file named +`.pem` and try again. if this +does not work, file an issue diff --git a/unlicense.txt b/unlicense.txt new file mode 100644 index 0000000..68a49da --- /dev/null +++ b/unlicense.txt @@ -0,0 +1,24 @@ +This is free and unencumbered software released into the public domain. + +Anyone is free to copy, modify, publish, use, compile, sell, or +distribute this software, either in source code form or as a compiled +binary, for any purpose, commercial or non-commercial, and by any +means. + +In jurisdictions that recognize copyright laws, the author or authors +of this software dedicate any and all copyright interest in the +software to the public domain. We make this dedication for the benefit +of the public at large and to the detriment of our heirs and +successors. We intend this dedication to be an overt act of +relinquishment in perpetuity of all present and future rights to this +software under copyright law. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR +OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, +ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR +OTHER DEALINGS IN THE SOFTWARE. + +For more information, please refer to