PMA 230: Insecure Notepad++ Update (20 pts extra)

What you need

Purpose

Some Windows apps don't properly implement SSL/TLS. In this project the Mac computer is used to perform a man-in-the-middle attack using pf, unbound, and BurpSuite. Any app on the Windows virtual machine can easily be tested to see if it uses insecure networking.

Use the Windows Machine with Tools

Use the machine from this project, or any other Windows virtual machine:
PMA 41: Windows 11 with Analysis Tools

Testing Networking on the Windows Virtual Machine

In the Windows virtual machine, in a Terminal, execute this command:
tracert 1.1.1.1
You should see several hops leading to the Internet, as shown below.

Downloading a Vulnerable Version of Notepad++

On your Windows machine, in a Web browser, go to

https://notepad-plus-plus.org/downloads/

Download "Notepad++ v 8.8.5".

You need to click the version number, and then scroll down past a lot of deceptive fake download buttons, to find the real download button with a green animal on it, as shown below.

DON'T INSTALL IT YET.

Configuring Host-only Networking on the Virtual Machine

At the top of the Windows VMware Fusion window, click the network icon. Change the networking to Host-only, as shown below.


After a few seconds, the networking adjusts in the virtual machine.

In the Windows virtual machine, in a Terminal, execute these commands:

tracert 1.1.1.1
ipconfig
The tracert fails, but the ipconfig succeeds, showing the network address for host-only networking, as shown below.

Notice this IP address. In the image below, it was 192.168.252.128.

Finding the Host-only Interface

On your Mac, in the Terminal window, execute this command:
ifconfig
Find the interface with an IP address in the same network as the Windows virtual machine.

In my case, it was bridge100, as shown below.

Notice its IP address. In the image below, it was 192.168.252.1.

Configuring a Manual IP Address

In your Windows machine, at the bottom, search for NETWORK.

Click "View network connections".

Right-click Ethernet and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IPv4)".

Configure these values, as shown below.

Click OK. Click OK again.

Starting a Burp Transparent Proxy

Launch Burp.

Burp opens a page saying "Temporary Project". Click Next.

Burp opens a page saying "Use Burp defaults". Click "Start Burp".

In Burp, click the Proxy tab.

If the Intercept button reads "Intercept is on", click it, so the message reads "Intercept is off".

At the top right, click "Proxy settings".

At the top, in the "Proxy Listeners" section, see if there are any entries on the box shown to the right.

If there are, click each entry to highlight it, and then click Remove to remove them all, as shown below.

In Burp, at the top, in the "Proxy Listeners" section, click the Add button.

On the Binding tab, enter a "Bind to port" of 8080

Click the "All interfaces" button, as shown below.

Click the "Request handling" tab.

Click the "Support invisible proxying" box, as shown below.

At the lower right of the box, click OK. A box pops up, asking "Are you sure...?". Click Yes.

Burp should now show a Listener on "*:8080" with the Invisible box checked, and the Running box checked, as shown below.

Forward Traffic to the Proxy with pf

Burp is now ready to gather traffic on port 8080 and forward it to the Internet.

We'll use the Mac firewall "pf" to send all traffic from the Windows virtual machine through the proxy.

To use the "pf" firewall, we need to create two files: "pf.rules" and "pf.conf". For our purposes these files can be very simple.

First, we need to enable IP forwarding on the Mac, so it can act as a router.

On your Mac, in the Terminal window, execute this command:

sudo sysctl -w net.inet.ip.forwarding=1
Enter your password when you are prompted to.

On your Mac, in the Terminal window, execute this command:

nano pf.rules
The "nano" text editor opens. In nano, type this line, as shown below. If your interface was named something other than "bridge100", edit this line to use the correct interface name.

This rule redirects all TCP traffic arriving on the host-only interface to Burp, at 127.0.0.1:8080.

rdr pass on bridge100 inet proto tcp from any to any port 1:65535 -> 127.0.0.1 port 8080

Press Ctrl+X, Y, Enter to save the file.

In the Terminal window, execute these commands.

cd
pwd
The "pwd" command shows the current working directory. Make a note of it--you will need it later.

In my case, the directory was /Users/sambowne

Your directory will be different.

In the Terminal window, execute this command:

nano pf.conf
The "nano" text editor opens. In nano, type the two lines shown below.

In the second line, change /Users/sambowne to the correct directory you found above.

This configuration file tells pf where to find the rules file.

rdr-anchor "forwarding"
load anchor "forwarding" from "/Users/sambowne/pf.rules"

Press Ctrl+X, Y, Enter to save the file.

The next step is to test the files.

In the Terminal window, execute this command:

sudo pfctl -vnf pf.conf
Enter your password when you are prompted to.

If your files are correct, you'll see a "Loading anchor forwarding..." message, followed by the line beginning with "rdr pass on bridge", as shown below.

If there are errors in your files, you'll see error messages here. If that happens, use nano to edit the files and correct the errors.

When your files pass this test without errors, execute this command to start pf:

sudo pfctl -evf pf.conf
You should see several messages but no errors, as shown below.
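As an added example (not part of the original project), this script automates the steps above: it finds the Mac interface sharing the Windows VM's network from ifconfig output, then writes pf.rules and pf.conf with the correct interface name and absolute path. The ifconfig text is constructed sample output, and the /24 network and port 8080 are assumptions matching this lab.

```shell
#!/bin/sh
# Added example for the pf setup above. Assumes the VM network is a /24 and
# Burp listens on 8080 (both true for this lab, but adjust if yours differ).

BURP_PORT=8080

# Print the interface whose IPv4 address shares the /24 of the VM address.
# $1 = Windows VM IP, stdin = ifconfig output in macOS format.
find_hostonly_if() {
    prefix=$(printf '%s' "$1" | cut -d. -f1-3)
    awk -v p="$prefix" '
        /^[a-z0-9]+:/ { iface = $1; sub(/:$/, "", iface) }
        $1 == "inet" && index($2, p ".") == 1 { print iface; exit }
    '
}

# Emit the pf.rules redirect line for interface $1.
gen_pf_rules() {
    printf 'rdr pass on %s inet proto tcp from any to any port 1:65535 -> 127.0.0.1 port %s\n' "$1" "$BURP_PORT"
}

# Emit pf.conf, pointing the "forwarding" anchor at the rules file at path $1.
gen_pf_conf() {
    printf 'rdr-anchor "forwarding"\nload anchor "forwarding" from "%s"\n' "$1"
}

# Write both files into directory $1 for interface $2 and syntax-check them
# with pfctl when it exists (dry run only: -n loads nothing).
write_pf_files() {
    dir=$1; iface=$2
    gen_pf_rules "$iface" > "$dir/pf.rules"
    gen_pf_conf "$dir/pf.rules" > "$dir/pf.conf"
    if command -v pfctl >/dev/null 2>&1; then
        sudo pfctl -vnf "$dir/pf.conf"
    fi
}

# Constructed sample of macOS ifconfig output (not captured from a real Mac).
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
bridge100: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.252.1 netmask 0xffffff00 broadcast 192.168.252.255'

# Demo on the sample; on a real Mac replace the sample with: ifconfig | find_hostonly_if <VM-IP>
IFACE=$(printf '%s\n' "$SAMPLE_IFCONFIG" | find_hostonly_if 192.168.252.128)
echo "host-only interface: ${IFACE:-not found}"
```

To generate the real files, run `write_pf_files "$HOME" "$IFACE"` and then start pf with `sudo pfctl -evf ~/pf.conf` as in the steps above.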

Testing the Proxy

In your Windows virtual machine, in a Web browser, go to http://1.1.1.1

The browser should redirect to a secure page, and display a warning, as shown below.

You should see the request and response in Burp, on the "HTTP history" tab, as shown below.

Observing DNS Resolution

In your Windows virtual machine, in a Web browser, go to https://yahoo.com

The browser times out, as shown below.

Although HTTP connections are forwarded through the proxy, DNS (which uses UDP) fails.

Installing a Local Name Server

Install Homebrew: If you don't have it, install Homebrew from brew.sh

On your Mac, in a Terminal, execute these commands:

brew install unbound
sudo mkdir -p /usr/local/etc/unbound
sudo nano /usr/local/etc/unbound/unbound.conf
Paste in this code, as shown below:
server:
    # disable user privilege protection
    username: ""
    # Listen on all interfaces
    interface: 0.0.0.0
    port: 53

    # Allow queries from anywhere
    access-control: 0.0.0.0/0 allow

Save the file with Ctrl+x, y, Enter.

For some ungodly reason, we need to manually adjust the path. I'm used to this on Windows, but not on the Mac.

On your Mac, in a Terminal, execute this command:

nano ~/.zshrc
Add the path to homebrew/sbin as shown in the second line below:

Save the file with Ctrl+x, y, Enter.

On your Mac, in a Terminal, execute this command:

source ~/.zshrc
Now execute this command to start the local DNS server:
sudo unbound -d -c /usr/local/etc/unbound/unbound.conf -v -v
The service should start, as shown below.

Leave this window open.

Adjusting the DNS Server on the Windows Virtual Machine

In your Windows machine, at the bottom, search for NETWORK.

Click "View network connections".

Right-click Ethernet and click Properties.

Double-click "Internet Protocol Version 4 (TCP/IPv4)".

Adjust the DNS server to be the same as the Default gateway, as shown below.

Click OK. Click OK again.

Opening an Insecure Page

In your Windows machine, in a Web browser, go to

http://ad.samsclass.info

PMA 230.1: Server (10 pts)

On your Mac, in Burp, click the "HTTP History" sub-tab.

You should see traffic to http://ad.samsclass.info, as shown below.

In the top pane, click the GET request that loaded http://ad.samsclass.info.

In the lower pane, click the Response tab.

The flag is covered by a green box in the image above.

Testing HTTPS Connections

In your Windows machine, in a Web browser, go to

https://samsclass.info

You should see a warning that the certificate is not trusted, as shown below.

This is good--the browser correctly determines that Burp is performing an adversary-in-the-middle attack.

Installing Notepad++

Run the installer you downloaded previously.

Microsoft will warn you that it cannot reach SmartScreen. Run it anyway.

After installing Notepad++, it opens.

From the top menu, click ? and click "Update Notepad++".

PMA 230.2: User-Agent (10 pts)

On your Mac, in Burp, click the "HTTP History" sub-tab.

You should see traffic to http://notepad-plus-plus.org, as shown below.

In the top pane, click the GET request to http://notepad-plus-plus.org.

In the lower pane, click the Request tab.

The flag is covered by a green box in the image above.

Understanding the Vulnerability

This early version of Notepad++ was signed with a self-signed certificate stored on GitHub.

Since the certificate was downloaded via HTTP rather than HTTPS, it could be tampered with via an adversary-in-the-middle attack.

This allowed attackers to insert a malicious update into a few users' installations, as detailed in this write-up:

Small numbers of Notepad++ users reporting security woes

Sources

Posted 12-9-25
Description updated 12-17-25