No description
Find a file
David Stotijn c01f190fc8 Use Go instead of C for regexp sqlite func
While less performant, this (for now) simplifies
compiling and building the project.
2020-10-31 15:19:17 +01:00
.github Link to discussions via issue templates 2020-10-04 14:08:08 +02:00
admin Add scope support 2020-10-29 20:55:22 +01:00
cmd/hetty Add scope support 2020-10-29 20:55:22 +01:00
pkg Use Go instead of C for regexp sqlite func 2020-10-31 15:19:17 +01:00
.dockerignore Embed static admin resources on build, add goreleaser config 2020-09-25 02:53:41 +02:00
.gitignore Add .release-env and .vscode to .gitignore 2020-10-29 21:21:47 +01:00
.goreleaser.yml Use Go instead of C for regexp sqlite func 2020-10-31 15:19:17 +01:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2020-10-04 12:33:53 +02:00
CONTRIBUTING.md Add contributing guidelines 2020-10-04 13:21:43 +02:00
Dockerfile Use Go instead of C for regexp sqlite func 2020-10-31 15:19:17 +01:00
go.mod Add project management 2020-10-11 17:09:39 +02:00
go.sum Add project management 2020-10-11 17:09:39 +02:00
gqlgen.yml Replace Cayley with SQLite3 2020-10-04 11:50:03 +02:00
LICENSE Add README and LICENSE 2020-09-27 20:38:30 +02:00
Makefile Use Go instead of C for regexp sqlite func 2020-10-31 15:19:17 +01:00
modd.conf Add scope support 2020-10-29 20:55:22 +01:00
README.md Add scope support 2020-10-29 20:55:22 +01:00

Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community.

Features/to do

  • HTTP man-in-the-middle (MITM) proxy and GraphQL server.
  • Web interface (Next.js) with proxy log viewer.
  • Add scope support to the proxy.
  • Full text search (with regex) in proxy log viewer.
  • Project management.
  • Sender module for sending manual HTTP requests, either from scratch or based off requests from the proxy log.
  • Attacker module for automated sending of HTTP requests. Leverage the concurrency features of Go and its net/http package to make it blazingly fast.

Installation

Hetty is packaged on GitHub as a single binary, with the web interface resources embedded.

👉 You can find downloads for Linux, macOS and Windows on the releases page.

Alternatives:

Build from source

$ GO111MODULE=auto go get -u -v github.com/dstotijn/hetty/cmd/hetty

Then export the Next.js frontend app:

$ cd admin
$ yarn install
$ yarn export

This will ensure a folder ./admin/dist exists. Then, you can bundle the frontend app using rice. The easiest way to do this is via a supplied Makefile command in the root of the project:

make build

Docker

Alternatively, you can run Hetty via Docker. See: dstotijn/hetty on Docker Hub.

$ docker run -v $HOME/.hetty:/root/.hetty -p 127.0.0.1:8080:8080 dstotijn/hetty

Usage

Hetty is packaged as a single binary, with the web interface resources embedded. When the program is run, it listens by default on :8080 and is accessible via http://localhost:8080. Depending on incoming HTTP requests, it either acts as a MITM proxy, or it serves the GraphQL API and web interface (Next.js).

$ hetty -h
Usage of ./hetty:
  -addr string
        TCP address to listen on, in the form "host:port" (default ":8080")
  -adminPath string
        File path to admin build
  -cert string
        CA certificate filepath. Creates a new CA certificate is file doesn't exist (default "~/.hetty/hetty_cert.pem")
  -key string
        CA private key filepath. Creates a new CA private key if file doesn't exist (default "~/.hetty/hetty_key.pem")
  -projects string
        Projects directory path (default "~/.hetty/projects")

Certificate Setup and Installation

In order for Hetty to proxy requests going to HTTPS endpoints, a root CA certificate for Hetty will need to be set up. Furthermore, the CA certificate may need to be installed to the host for them to be trusted by your browser. The following steps will cover how you can generate your certificate, provide them to hetty, and how you can install them in your local CA store.

⚠️ This process was done on a Linux machine but should provide guidance on Windows and macOS as well.

Generating CA certificates

You can generate a CA keypair two different ways. The first is bundled directly with Hetty, and simplifies the process immensely. The alternative is using OpenSSL to generate them, which provides more control over expiration time and cryptography used, but requires you install the OpenSSL tooling. The first is suggested for any beginners trying to get started.

Generating CA certificates with hetty

Hetty will generate the default key and certificate on its own if none are supplied or found in ~/.hetty/ when first running the CLI. To generate a default key and certificate with hetty, simply run the command with no arguments

hetty

You should now have a key and certificate located at ~/.hetty/hetty_key.pem and ~/.hetty/hetty_cert.pem respectively.

Generating CA certificates with OpenSSL

You can start off by generating a new key and CA certificate which will both expire after a month.

mkdir ~/.hetty
openssl req -newkey rsa:2048 -new -nodes -x509 -days 31 -keyout ~/.hetty/hetty_key.pem -out ~/.hetty/hetty_cert.pem

The default location which hetty will check for the key and CA certificate is under ~/.hetty/, at hetty_key.pem and hetty_cert.pem respectively. You can move them here and hetty will detect them automatically. Otherwise, you can specify the location of these as arguments to hetty.

hetty -key key.pem -cert cert.pem

Trusting the CA certificate

In order for your browser to allow traffic to the local Hetty proxy, you may need to install these certificates to your local CA store.

On Ubuntu, you can update your local CA store with the certificate by running the following commands:

sudo cp ~/.hetty/hetty_cert.pem /usr/local/share/ca-certificates/hetty.crt
sudo update-ca-certificates

On Windows, you would add your certificate by using the Certificate Manager. You can launch that by running the command:

certmgr.msc

On macOS, you can add your certificate by using the Keychain Access program. This can be found under Application/Utilities/Keychain Access.app. After opening this, drag the certificate into the app. Next, open the certificate in the app, enter the Trust section, and under When using this certificate select Always Trust.

Note: Various Linux distributions may require other steps or commands for updating their certificate authority. See the documentation relevant to your distribution for more information on how to update the system to trust your self-signed certificate.

Vision and roadmap

The project has just gotten underway, and as such I havent had time yet to do a write-up on its mission and roadmap. A short summary/braindump:

  • Fast core/engine, built with Go, with a minimal memory footprint.
  • GraphQL server to interact with the backend.
  • Easy to use web interface, built with Next.js and Material UI.
  • Extensibility is top of mind. All modules are written as Go packages, to be used by the main hetty program, but also usable as libraries for other software. Aside from the GraphQL server, it should (eventually) be possible to also use it as a CLI tool.
  • Pluggable architecture for the MITM proxy and future modules, making it possible for hook into the core engine.
  • Talk to the community, and focus on the features that the majority. Less features means less code to maintain.

Status

The project is currently under active development. Please star/follow and check back soon. 🤗

Contributing

Please see the Contribution Guidelines for details.

Acknowledgements

Thanks to the Hacker101 community on Discord for all the encouragement to actually start building this thing!

License

MIT


© 2020 David Stotijn — Twitter, Email