Dilettante
Maven Central doesn't do SSL when serving you JARs. Dilettante is a MITM proxy for exploiting that.
More information on my blog here
It turns out that Maven Central only lets you use SSL if you purchase an authentication token with a donation of $10. They claim the $10 goes to the Apache project, but that's beside the point.
Without that token there is no SSL at all. To see what I mean, try opening http://central.maven.org/maven2/org/springframework/ and https://central.maven.org/maven2/org/springframework/ in your browser. The consequence is that package managers like Clojure's lein, Scala's sbt, and Maven itself will, unless specially configured, download JARs over plain HTTP with no SSL.
Dilettante is a man-in-the-middle proxy that injects malicious code into JARs served by Maven Central.
Usage
1. Get in a position where you can man-in-the-middle HTTP traffic. Some hints:
   - Buy a wifi router, call it "Starbucks Wifi"
   - Install ettercap
   - Happen to be an ISP
   - Something something
2. Run `dilettante.py`
3. Proxy your target's HTTP traffic through `localhost:8080`
   - You can do an easy PoC of this by setting the `<proxy>` setting in `~/.m2/settings.xml`
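A check for the exposure described above, added here as an example and not part of Dilettante or Maven: it parses a `~/.m2/settings.xml` carrying the `<proxy>` block from step 3 and a `pom.xml`, and lists every repository, plugin repository or mirror whose URL is plain `http://`, together with any proxy Maven would actually use. Every one of those is a JAR download that a proxy like Dilettante, or anyone on the path, can rewrite. Both sample files, their ids and the example.com hosts are constructed for illustration.

```python
# Added example, not Dilettante's own code: audit Maven config for the
# plaintext-HTTP downloads the README describes. Repository ids, hosts
# and file contents below are constructed samples, not real settings.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed ~/.m2/settings.xml: the <proxy> from step 3 of Usage plus a
# mirror that pins central to plain HTTP.
SAMPLE_SETTINGS = """\
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <proxies>
    <proxy>
      <id>dilettante</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>localhost</host>
      <port>8080</port>
    </proxy>
  </proxies>
  <mirrors>
    <mirror>
      <id>central-http</id>
      <mirrorOf>central</mirrorOf>
      <url>http://central.maven.org/maven2/</url>
    </mirror>
  </mirrors>
</settings>
"""

# Constructed pom.xml: one plaintext repo, one TLS repo, one plaintext plugin repo.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>repo-http</id><url>http://repo.example.com/maven2/</url></repository>
    <repository><id>repo-tls</id><url>https://repo.example.com/maven2/</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>plugins-http</id><url>http://plugins.example.com/maven2/</url></pluginRepository>
  </pluginRepositories>
</project>
"""

REPO_TAGS = {"repository", "pluginRepository", "mirror"}


def _local(tag):
    """Drop the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _fields(elem):
    """Map an element's direct children to their stripped text."""
    return {_local(c.tag): (c.text or "").strip() for c in elem}


def find_plaintext_urls(xml_text):
    """Return (id, url) for every repository, pluginRepository or mirror
    whose URL scheme is http: each one is a JAR download a MITM can rewrite."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) in REPO_TAGS:
            f = _fields(elem)
            url = f.get("url", "")
            if urlparse(url).scheme.lower() == "http":
                findings.append((f.get("id", "<no id>"), url))
    return findings


def active_proxies(xml_text):
    """Return (protocol, host, port) for each <proxy> Maven would use.
    Missing fields take the settings descriptor defaults: active=true,
    protocol=http, port=8080."""
    proxies = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) == "proxy":
            f = _fields(elem)
            if f.get("active", "true").lower() == "true":
                proxies.append((f.get("protocol", "http"), f.get("host", ""), int(f.get("port", "8080"))))
    return proxies


if __name__ == "__main__":
    for name, doc in (("settings.xml", SAMPLE_SETTINGS), ("pom.xml", SAMPLE_POM)):
        for rid, url in find_plaintext_urls(doc):
            print(f"{name}: {rid} downloads over plaintext HTTP: {url}")
    for proto, host, port in active_proxies(SAMPLE_SETTINGS):
        print(f"settings.xml: active {proto} proxy {host}:{port} sees every request")
```

To run it against real files, replace the two sample strings with the contents of your own `~/.m2/settings.xml` and `pom.xml`. What it flags on the settings side is exactly what step 3 sets up; what it flags in the POM is what the "Starbucks Wifi" router from step 1 could rewrite in transit.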
Results
Your victims will get a friendly image when they execute any Java code that uses a JAR that passed through Dilettante.

You can see a video here