@iddoeldor
Last active December 30, 2019 00:08
TODO make install (pip install mitmproxy)

1 install cert from 'http://mitm.it' on the device

1.1 (iOS) Go to Settings > General > About > Certificate Trust Settings. Under “Enable full trust for root certificates”, turn on trust for the mitmproxy certificate.

2 set the right interface (NET_ADAPTER) in the script below and execute $ sudo ./transparent_proxy.sh

#!/bin/sh
# transparent_proxy.sh - run as root on the machine that acts as the device's gateway
set -e
# 1. Enable IP forwarding.
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
# 2. disable ICMP redirects (otherwise the kernel may tell the device about a route that bypasses the proxy)
sysctl -w net.ipv4.conf.all.send_redirects=0
# 3. Create an iptables ruleset that redirects the desired traffic to mitmproxy (listening on 8080).
# find the interface name with: ifconfig | grep ... (or: ip link) and put it in NET_ADAPTER
NET_ADAPTER='wlp..'
iptables  -t nat -A PREROUTING -i "$NET_ADAPTER" -p tcp --dport 80  -j REDIRECT --to-port 8080
iptables  -t nat -A PREROUTING -i "$NET_ADAPTER" -p tcp --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A PREROUTING -i "$NET_ADAPTER" -p tcp --dport 80  -j REDIRECT --to-port 8080
ip6tables -t nat -A PREROUTING -i "$NET_ADAPTER" -p tcp --dport 443 -j REDIRECT --to-port 8080

to reset (list the nat rules, flush them, list again to confirm; note that -F flushes the whole nat table, not only the rules added above)

 $ sudo iptables -t nat -L
 $ sudo iptables -t nat -F
 $ sudo iptables -t nat -L

sometimes you will need to configure DNS manually on the device ( 8.8.8.8 will work )

3 $ touch /tmp/SSLKEYLOGFILE.txt && truncate -s0 /tmp/SSLKEYLOGFILE.txt && SSLKEYLOGFILE="/tmp/SSLKEYLOGFILE.txt" ./mitmproxy --mode transparent --showhost -v
   (the key log file lets Wireshark decrypt the captured TLS sessions later; one path is used throughout so the truncated file is the one mitmproxy writes to)

4 (iOS) > Configure IPv4 > Manual

  • IP Address - a free address in the local network ( if needed, find the ones in use with nmap -sP 192.168.1.* )
  • Subnet Mask - same as the computer's ( ifconfig )
  • Router - the computer's IP

############################################################################

read mitm dump

To save all flows from mitmproxy, press 'w' ("save.file @shown") and enter a path, e.g. '/tmp/mitm_flow_dump'. The script below reads such a dump:

import json, sys
from mitmproxy import http, io
from mitmproxy.exceptions import FlowReadException

c = 0
with open(sys.argv[1], 'rb') as logfile:
    freader = io.FlowReader(logfile)
    try:
        for f in freader.stream():
            # the dump can also hold TCP/WebSocket flows; only HTTP flows have .request
            if not isinstance(f, http.HTTPFlow):
                continue
            c += 1
            print('*'*50, c, '*'*50)
            req = f.request
            print('>>', req)
            for k in req.headers:
                print('\t>>', k, '=', req.headers[k])
            print('>>', req.content)
            resp = f.response
            print('<<', resp)
            if resp:
                for k in resp.headers:
                    print('\t<<', k, '=', resp.headers[k])
                # resp.content is None for streamed bodies; header lookup is case-insensitive
                ctype = resp.headers.get('Content-Type', '')
                if resp.content and 'json' in ctype:
                    try:
                        print(json.dumps(json.loads(resp.content), indent=4, sort_keys=True))
                    except ValueError:
                        print(resp.content)  # body claimed to be JSON but did not parse
    except FlowReadException as e:
        print('flow file corrupted:', e, file=sys.stderr)

sniff websocket

run mitmproxy (or mitmdump) with -s ws.py

ws.py:

#!mitmdump -s

from mitmproxy import websocket

# append so a restarted mitmdump does not wipe earlier frames
f = open('/tmp/ws.log', 'a')

class SniffWebSocket:
    def websocket_message(self, flow: websocket.WebSocketFlow):
        """
        Called when a WebSocket message is received from the client or server.
        The most recent message will be flow.messages[-1].
        The message is user-modifiable.
        Currently there are two types of messages, corresponding to the BINARY and TEXT frame types.
        """
        # only the newest message; iterating flow.messages would re-log every earlier frame
        msg = flow.messages[-1]
        packet = msg.content
        if isinstance(packet, bytes):
            # BINARY frames arrive as bytes; decode leniently so the log stays one frame per line
            packet = packet.decode('utf-8', 'replace')
        f.write(packet + '\n')
        f.flush()  # make the line visible to the jq loop right away, not only at exit

addons = [
    SniffWebSocket()
]

pretty print json frames

$ F='/tmp/ws.log'; i=0; while IFS= read -r line; do i=$((i+1)); echo "- - - $i - - -"; printf '%s\n' "$line" | jq .; done < "$F"
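As an added example (not part of the gist), a Python equivalent of the loop above that also walks each JSON frame and flags keys that look like credentials or bearer secrets, the usual reason to audit what an app sends over its WebSocket; the log content and key list are constructed for the example.

```python
import json
from typing import Any, List

# Constructed sample of /tmp/ws.log as written by the ws.py addon above:
# one WebSocket frame per line; text frames carry JSON, one binary frame does not.
SAMPLE_WS_LOG = (
    '{"type":"hello","client":"ios-app","version":"2.3.1"}\n'
    '{"type":"auth","user":"alice","password":"hunter2","meta":{"session_token":"abc123"}}\n'
    '\x00\x01BINARY\ufffd\n'
    '{"type":"event","items":[{"id":1,"api_key":"k-0001"},{"id":2}]}\n'
)

# Key-name fragments that usually mean a credential or bearer secret is on the wire (assumed list).
SENSITIVE_KEYS = ('password', 'passwd', 'secret', 'token', 'api_key',
                  'apikey', 'authorization', 'cookie')

def sensitive_paths(obj: Any, path: str = '$') -> List[str]:
    """Walk decoded JSON and return JSONPath-like paths whose key looks sensitive."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f'{path}.{k}'
            if any(s in k.lower() for s in SENSITIVE_KEYS):
                hits.append(p)
            hits.extend(sensitive_paths(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(sensitive_paths(v, f'{path}[{i}]'))
    return hits

def triage(log_text: str) -> List[dict]:
    """Pretty-print each JSON frame (like the jq loop) and report sensitive fields per frame."""
    report = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        try:
            doc = json.loads(line)
        except ValueError:
            # Binary or non-JSON text frame: record it, skip field analysis.
            report.append({'frame': n, 'json': False, 'sensitive': []})
            continue
        print(f'- - - {n} - - -')
        print(json.dumps(doc, indent=4, sort_keys=True))
        report.append({'frame': n, 'json': True, 'sensitive': sensitive_paths(doc)})
    return report

if __name__ == '__main__':
    for entry in triage(SAMPLE_WS_LOG):
        if entry['sensitive']:
            print(f"frame {entry['frame']}: sensitive fields at {entry['sensitive']}")
```

Point it at the real log with `triage(open('/tmp/ws.log', encoding='utf-8', errors='replace').read())`.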

Intercept

To intercept, press "i". To intercept by URL regex, use a filter such as ~u google\.com. See https://mitmproxy.readthedocs.io/en/v2.0.2/mitmproxy.html#set-an-interception-pattern and https://mitmproxy.readthedocs.io/en/v2.0.2/features/filters.html#filters

filter Wireshark by WebSocket frame content

data-text-lines contains "STRING"

sniff iOS device

Get UDID -> iTunes -> "m's iPhone" -> Summary -> click on "Serial Number" underneath "Phone Number" until it switches to "UDID"

UDID fa314c0ad3d0a4e983473cdaa75ff6718fe823c3
 Users-Mac-mini:keychaindump user$ ifconfig -l
 lo0 gif0 stf0 XHC20 en2 en3 en0 en1 p2p0 awdl0 bridge0 utun0 utun1 utun2
 Users-Mac-mini:keychaindump user$ rvictl -s fa314c0ad3d0a4e98347
 
 Starting device fa314c0ad3d0a4e983473 [SUCCEEDED] with interface rvi0
 Users-Mac-mini:keychaindump user$ ifconfig -l
 lo0 gif0 stf0 XHC20 en2 en3 en0 en1 p2p0 awdl0 bridge0 utun0 utun1 utun2 rvi0

new interface added: rvi0

 Users-Mac-mini:keychaindump user$ sudo tcpdump -i rvi0 -w /tmp/output.pcap
 Password:
 tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
 (BIOCPROMISC: Operation not supported on socket)
 tcpdump: listening on rvi0, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes

from another terminal

 Users-Mac-mini:~ user$ rvictl -x fa314c0ad3d0a4e98
 
 Stopping device fa314c0ad3d0a4e9 [SUCCEEDED]

back in the main terminal

 tcpdump: pcap_loop: The interface went down
 562 packets captured
 566 packets received by filter
 0 packets dropped by kernel
 Users-Mac-mini:~ user$ wc -l /tmp/output.pcap
 1752 /tmp/output.pcap
 
 Users-Mac-mini:~ user$ tcpdump -qns 0 -X -r /tmp/output.pcap | head -n20
 reading from PCAP-NG file /tmp/output.pcap
 14:08:34.905734 IP 1.1.92.36.63650 > 17.252.92.70.443: tcp 0
 0x0000:  4500 0040 76ae 4000 4006 ef71 0a32 5c24  E..@v.@.@..q.2\$
 0x0010:  11fc 5c46 f8a2 01bb f5da 1eae 0000 0000  ..\F............
 0x0020:  b002 ffff 803a 0000 0204 05b4 0103 0305  .....:..........
 0x0030:  0101 080a 490b 8a38 0000 0000 0402 0000  ....I..8........
...