Skip to content

Instantly share code, notes, and snippets.

@avoidik

avoidik/README.md

Last active April 14, 2024 16:55
Show Gist options
  • Save avoidik/84ba17cc47987785cd7e5fe1b1aee603 to your computer and use it in GitHub Desktop.
Save avoidik/84ba17cc47987785cd7e5fe1b1aee603 to your computer and use it in GitHub Desktop.
Download ZIP
Run mitmproxy on Raspberry Pi
Raw
README.md

Run mitmproxy on Raspberry Pi as service

Steps

Install prerequisites

sudo apt-get update
sudo apt-get install python3-pip
sudo pip3 install --ignore-requires-python mitmproxy==6.0.2

The version constraint is due to Python, on Raspbian 10 (Buster) it is 3.7.3, version 6.0.2 is the latest supported version which supports Python 3.7.3

apt-cache madison python3
   python3 |    3.7.3-1 | http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
python3-defaults |    3.7.3-1 | http://raspbian.raspberrypi.org/raspbian buster/main Sources

Prepare system user

sudo mkdir /opt/mitmproxy
sudo addgroup --system mitmproxy
sudo adduser --system --home /opt/mitmproxy --shell /usr/sbin/nologin --no-create-home --gecos 'mitmproxy' --ingroup mitmproxy --disabled-login --disabled-password mitmproxy
sudo chown -R mitmproxy:mitmproxy /opt/mitmproxy

Tweak system configuration

tee -a /etc/sysctl.conf <<'EOF' >/dev/null
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
EOF
sudo sysctl -p

Add iptables rules

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080

Replace -A with -D to delete, use iptables -L -v -n --list-numbers to list all rules available in NAT chain

Preserve iptables rules upon reboot

sudo iptables-save > /etc/iptables.up.rules
sudo sed -i '/^exit 0/i iptables-restore < /etc/iptables.up.rules' /etc/rc.local

Add systemd service

Create /etc/systemd/system/mitmproxy.service file (change ip-addresses accordingly)

[Unit]
Description=mitmweb service
After=network-online.target

[Service]
Type=simple
User=mitmproxy
Group=mitmproxy
ExecStart=/usr/bin/python3 /usr/local/bin/mitmweb --mode transparent --showhost --web-port 9090 --web-host 192.168.1.200 --no-web-open-browser --listen-host 192.168.1.200 --listen-port 8080
Restart=on-failure
RestartSec=10
LimitNOFILE=65535
LimitNPROC=4096
PrivateTmp=true
PrivateDevices=true
ProtectHome=true
ProtectSystem=strict
NoNewPrivileges=true
DevicePolicy=closed
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
WorkingDirectory=/opt/mitmproxy
ReadOnlyDirectories=/
ReadWriteDirectories=/opt/mitmproxy

[Install]
WantedBy=multi-user.target

Enable systemd service

sudo systemctl daemon-reload
sudo systemctl enable mitmproxy.service
sudo systemctl start mitmproxy.service
sudo systemctl status mitmproxy.service

Redirect traffic

On your router enable conditional routing (policy-based routing), then navigate to mitm.it, download self-signed certificate onto your device, and import it.

Navigate to http://192.168.1.200:9090 to see captured data.

References

https://docs.mitmproxy.org/stable/overview-installation/

https://docs.mitmproxy.org/stable/howto-transparent/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment