Toolkit for auditing "phone home" behavior on Mac OS X Yosemite.
fix-macosx/net-monitor

Latest commit 438a368 · Nov 24, 2014

Capture ALL The Things

Net-Monitor (NM) is a toolkit for auditing "phone home" behavior of all user-level and system-level processes on Mac OS X Yosemite.

Example data extracted by Net-Monitor is provided for collaborative review and analysis via the Yosemite Phone Home project.

Features include:

  • Transparent plaintext logging of TCP/TLS/HTTPS traffic via pf(4) and a custom version of SSLSplit. No custom proxy configuration is required.
  • Automatic correlation of connections with initiating application, user, and group.
  • Logging of non-TCP traffic via pf(4), pflog(4), and tcpdump.
  • Automatic generation and trust of a local, per-machine MITM certificate authority.
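The second feature above, attributing an intercepted connection to the process, user and group that opened it, is the step that the Caveats section calls imperfect. The following is an added example, not code from net-monitor or SSLsplit, showing one way such a correlation can be done on a monitoring host: take a snapshot of the socket table with `lsof -nP -iTCP` and look up the 4-tuple of the connection seen at the interception point. The use of lsof is an assumption for illustration (the page does not say how NM performs the lookup), the sample lsof output is constructed, and the shared-socket case demonstrates why attribution can be ambiguous.

```python
"""Attribute an intercepted TCP connection to the local process that owns it.

Added example; not code from net-monitor or SSLsplit. It parses a snapshot
of `lsof -nP -iTCP` output and looks up the 4-tuple of a connection seen at
the interception point. The lsof-based approach and the sample output below
are assumptions/constructed data, not captured from a real machine.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `lsof -nP -iTCP` output (not a real capture).
# Safari and a helper it spawned hold the same socket (same DEVICE value):
# the situation that makes path attribution ambiguous.
SAMPLE_LSOF = """\
COMMAND     PID USER       FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1 root       10u  IPv4 0x7fb5c7ed40d10000      0t0  TCP *:22 (LISTEN)
apsd        146 root       19u  IPv4 0x7fb5c7ed40d33e1d      0t0  TCP 192.168.1.20:52210->17.172.232.24:5223 (ESTABLISHED)
Safari     2345 alice      23u  IPv4 0x7fb5c7ed40d4f9c1      0t0  TCP 192.168.1.20:52271->23.45.67.89:443 (ESTABLISHED)
com.apple  2350 alice      11u  IPv4 0x7fb5c7ed40d4f9c1      0t0  TCP 192.168.1.20:52271->23.45.67.89:443 (ESTABLISHED)
mdworker    400 _spotlight  8u  IPv6 0x7fb5c7ed40d60aa0      0t0  TCP [fe80::1]:52300->[2001:db8::10]:443 (ESTABLISHED)
"""

# One established TCP line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
# Header, LISTEN sockets and UDP lines do not match and are skipped.
CONN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+"
    r"(?P<dev>0x[0-9a-f]+)\s+\S+\s+TCP\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)->(?P<raddr>\S+):(?P<rport>\d+)"
)

Key = Tuple[str, int, str, int]  # (local addr, local port, remote addr, remote port)


@dataclass(frozen=True)
class Owner:
    command: str
    pid: int
    user: str
    socket_id: str  # lsof DEVICE column; equal values mean the same kernel socket


def parse_lsof(text: str) -> Dict[Key, List[Owner]]:
    """Index every established TCP socket by its 4-tuple."""
    table: Dict[Key, List[Owner]] = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        key = (m["laddr"], int(m["lport"]), m["raddr"], int(m["rport"]))
        table.setdefault(key, []).append(
            Owner(m["cmd"], int(m["pid"]), m["user"], m["dev"]))
    return table


def correlate(table: Dict[Key, List[Owner]], laddr: str, lport: int,
              raddr: str, rport: int) -> Optional[List[Owner]]:
    """Return the processes holding the socket, or None if it is gone.

    None is the short-lived-connection failure mode: the socket closed
    before the snapshot was taken, so nothing can be attributed.
    """
    return table.get((laddr, lport, raddr, rport)) or None


def is_shared_socket(owners: List[Owner]) -> bool:
    """True when several PIDs hold one socket (fork/inherited descriptor)."""
    return (len({o.socket_id for o in owners}) == 1
            and len({o.pid for o in owners}) > 1)


def describe(owners: Optional[List[Owner]]) -> str:
    """Human-readable attribution, flagging ambiguity instead of guessing."""
    if owners is None:
        return "unattributed (socket no longer present)"
    if len(owners) == 1:
        o = owners[0]
        return f"{o.command}[{o.pid}] user={o.user}"
    names = ", ".join(f"{o.command}[{o.pid}]" for o in owners)
    kind = "shared socket" if is_shared_socket(owners) else "distinct sockets"
    return f"ambiguous ({kind}): {names}"


if __name__ == "__main__":
    snapshot = parse_lsof(SAMPLE_LSOF)
    for conn in [("192.168.1.20", 52210, "17.172.232.24", 5223),
                 ("192.168.1.20", 52271, "23.45.67.89", 443),
                 ("192.168.1.20", 1, "1.2.3.4", 443)]:
        print(conn, "->", describe(correlate(snapshot, *conn)))
```

A monitor that looks up ownership this way should record the ambiguous and unattributed outcomes rather than silently picking the first PID; that is the honest version of the "wrong application path" caveat, and it tells a reviewer which log entries deserve a second look.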

By default, NM generates the following logs:

  • TCP/SSL: /var/log/sslsplit//--.log
  • UDP/other: /var/log/udp-monitor/*.pcap

NM relies on SSLsplit to provide TLS introspection; all of our previous local patches have been integrated upstream.

Additional contributions to improve accuracy/transparency of the collected data are always very welcome.

Caveats

  • NM is intended to be used on a dedicated VM or research installation; it overrides default configuration files and interposes itself in TLS network communications, and is not currently recommended for day-to-day use.
  • Correlation of sockets, processes, and file system executable paths is imperfect; there are cases where connections will be ascribed to the wrong application path.
  • TLS traffic using client certificates cannot be captured in plaintext by default. For example, NM captures the key exchange performed by apsd (Apple Push Services Daemon), which establishes a client certificate, but NM can't transparently sniff subsequent communications protected by that certificate without the addition of apsd-specific protocol handling.

Developing

Installation is handled entirely by install.sh; the pf(4) and launchd configuration files may be found in conf/.

To update the embedded copy of SSLsplit:

  • Clone and build sslsplit locally.
  • Update NM's standalone sslsplit binary via sslsplit-create-standalone.sh, e.g., sslsplit-create-standalone.sh ~/sslsplit/sslsplit ~/net-monitor
