ratched – Transparent Man-in-the-Middle TLS Proxy

ratched is a Man-in-the-Middle (MitM) proxy that specifically intercepts TLS connections. It is intended to be used in conjunction with the Linux iptables REDIRECT target; all connections that should be intercepted can be redirected to the local ratched port. Through the SO_ORIGINAL_DST sockopt, ratched can determine the intended destination (before iptables packet mangling) and tries to establish a connection to the original target.

The thing that sets it apart from other MitM software is the following:

  1. ratched does not intercept traffic indiscriminately. In particular, it first waits for the TLS client to send its ClientHello so that ratched can parse it and decide by the Server Name Indication TLS extension (SNI) if the target should be intercepted or not. This is particularly useful when you have virtual hosting, but only want to intercept connections to a specific hostname.
  2. ratched is not intended to sniff passwords, but only dumps the traffic into a PCAPNG file. The PCAPNG file format was chosen because it allows for annotation of connections with comments (in particular, which hostname was indicated in the SNI extension) and also allows name resolution information to be embedded in the capture file (again, to map the target IP address to the SNI extension’s hostname).



Once ratched is listening on the routing machine (in the example, on port 9999), simply add an iptables entry that specifies what traffic you want to capture. For example, to intercept everything from a single source address (written here as the placeholder <source-ip>) that tries to reach port 443, use:

iptables -t nat -A PREROUTING -p tcp -s <source-ip> --dport 443 -j REDIRECT --to-ports 9999

In order to intercept everything that goes to 443, simply do:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9999



ratched requires at least OpenSSL v1.1.

usage: ratched [-c path] [-f hostname:port] [--single-shot] [--dump-certs]
               [--keyspec keyspec] [--initial-read-timeout secs]
               [--reject-unknown-traffic] [--default-no-intercept]
               [--default-client-cert certfile:keyfile[:cafile]]
               [--mark-forged-certificates] [--no-recalculate-keyids]
               [--daemonize] [--logfile file] [--flush-logs] [--crl-uri uri]
               [--ocsp-uri uri] [--write-memdumps-into-files]
               [-l hostname:port] [-i hostname[,key=value,...]]
               [--pcap-comment comment] [-o filename] [-v]

ratched - TLS connection router that performs a man-in-the-middle attack


About the author

Mazen Elzanaty
