When developing software, it is sometimes necessary to sniff the traffic transmitted between two computer systems. Tools like Wireshark or tcpdump are useful for that. Wireshark is a great tool, but with an encrypted connection it cannot decrypt the traffic without the key used for encryption: when sniffing HTTPS traffic, the private key belonging to the server certificate is required to decrypt the data. When talking to a foreign server whose private key you do not have, another approach is necessary.
How to get all the information
One way to get at the information inside an encrypted connection is to run a man-in-the-middle (MITM) attack on that connection. When a client connects to a host, the host's identity is checked via its certificate. If that identity check fails, a man in the middle may be tampering with the connection, and every piece of software with basic security features refuses to proceed. To run the MITM, a proxy server that all the traffic is routed through is useful: because the proxy is the component that relays all the traffic, it is also the component that is able to dump that traffic in unencrypted form.
Redirecting the traffic via a proxy server
As the first step, the traffic must be routed through the proxy server. For HTTP traffic this is quite easy, as almost every application lets you configure a proxy server so that all its traffic passes through the proxy. Simply tell the software that all HTTP/S traffic must go via the proxy. As this post is about how to set up and run mitmproxy, please refer to your application's documentation for the client side; a future post will describe how to configure the client.
Running a man-in-the-middle attack
So what is the way to run a man-in-the-middle attack? There are two options:
- The result of the identity check is ignored
- The identity check is fooled into accepting the wrong certificate
Ignoring the result requires that the software calling the host does not care about the identity of the host. The man-in-the-middle can then decrypt the traffic, because it knows the private key of the certificate it presented: it is its own. The man-in-the-middle then acts as a client itself and forwards the traffic to the real destination. The other option amounts to adding the certificate of the man-in-the-middle to the client's trusted certificates. In this case the client thinks everything is fine, because the identity check passes.
Tools
A neat tool for acting as the proxy is `mitmproxy`. In my technical setup Debian Linux is used. The tool is provided by the `mitmproxy` package in Debian 8. This package also installs `mitmdump`. The tool `mitmdump` offers functionality similar to `tcpdump`, but it dumps all the information that passes through the mitmproxy. For other operating systems please have a look at the documentation.
Using mitmproxy
By default `mitmproxy` listens on port `8080`. If necessary, the tool can be run on another proxy port: simply use the parameter `-p PORT` to change the port `mitmproxy` listens on.

```
mitmproxy -p {PORT}
# running mitmproxy on port 8888
mitmproxy -p 8888
```

If your network is already behind a proxy, all the traffic can be forwarded to that upstream proxy as well. The option `-F PROXY` is available for that purpose.

```
mitmproxy -F https://{HOST}:{PORT}
# running against an upstream proxy on localhost with port 8080
mitmproxy -F https://localhost:8080
```

Even running it as a reverse proxy is possible, with `-R HOST`:

```
mitmproxy -R https://{HOST}:{PORT}
# running in front of a plain-HTTP webserver on localhost with port 80
mitmproxy -R http://localhost:80
```
The CA certificate used by `mitmdump` and `mitmproxy` is stored in the folder `~/.mitmproxy`. The file `mitmproxy-ca-cert.pem` contains the public part of the certificate; `mitmproxy-ca.pem` also holds the private key. With the public part, the proxy's otherwise untrusted CA certificate can be imported into a certificate store so that an application accepts the proxy's certificates as valid. Import only the public part: anyone holding the private key can impersonate any site towards a client that trusts this CA, so the key file should never leave the machine running the proxy.
Using mitmdump
As with `mitmproxy`, port `8080` is used by default. The option `-p PORT` sets the port `mitmdump` listens on. The option `-w FILE` dumps all the traffic into a file; that file can later be read with `mitmproxy`.

```
mitmdump -p 8888 -w mitmdump.dump
```

To get some help simply run `mitmdump --help`, as there is no `man` page available.
Tracking information
Tracking Requests
Tracking is possible with `mitmproxy`. All requests and responses sent via HTTP/S are listed in an overview, and the full details are available for each request/response.
Dumping data
Within `mitmproxy` it is possible to save all the flows to a file using `w`. Alternatively, all the data can be streamed to a file as it arrives by using `W`.
Intercepting data
Furthermore it is possible to intercept the communication and change its content by using the shortcut `i`. As the tool is written in Python, the filter is a regular expression in Python syntax. For example, `.*EXPRESSION.*` intercepts URLs that contain `EXPRESSION`. Once some traffic is intercepted, you can manipulate it or simply accept it. An intercepted flow is held until it is accepted, which is done with the key `a`.
The data can be edited by pressing `e` and then selecting the part to be edited. Simply choose which part of the traffic you want to edit.
It is even possible to intercept and edit headers, bodies, HTTP status codes, etc. For that please refer to the help or the manual.
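As an added example (not code from the original post or from the mitmproxy project), the following addon script does non-interactively what the `i` shortcut and the request overview do in the UI: every request URL is matched against a Python regular expression, each request is recorded for a tracking summary, and matching flows are held for manual handling. It assumes the current mitmproxy addon API, in which a module-level `request(flow)` hook is called for every client request and `flow.intercept()` pauses the flow; it would be loaded with `mitmdump -s intercept_log.py` (the file name and the pattern are assumptions). The fake flow objects at the bottom are constructed stand-ins for an offline self-test, not mitmproxy objects.

```python
import re
import sys

# Pattern in Python regex syntax, as the "i" prompt expects. With re.search,
# ".*EXPRESSION.*" from the post and a bare "EXPRESSION" select the same URLs,
# so the bare form is used here (pattern is an assumed example).
INTERCEPT_PATTERN = re.compile(r"login|token", re.IGNORECASE)

# Tracked requests as (method, url, intercepted) tuples, in arrival order.
SEEN = []


def should_intercept(url, pattern=INTERCEPT_PATTERN):
    """Return True if the URL matches the intercept pattern."""
    return pattern.search(url) is not None


def record(method, url, intercepted):
    """Append one request to the tracking list and log it to stderr."""
    SEEN.append((method, url, intercepted))
    status = "HOLD" if intercepted else "pass"
    print(f"[{status}] {method} {url}", file=sys.stderr)


def request(flow):
    """mitmproxy addon hook, called once per client request (API assumption)."""
    url = flow.request.pretty_url
    hit = should_intercept(url)
    record(flow.request.method, url, hit)
    if hit:
        # Hold the flow until it is resumed (the "a" key in the mitmproxy UI).
        flow.intercept()


def summary():
    """Counts of passed vs. held flows, a minimal version of the overview."""
    held = sum(1 for _, _, hit in SEEN if hit)
    return {"total": len(SEEN), "held": held, "passed": len(SEEN) - held}


# --- offline self-test with constructed stand-ins for mitmproxy flows ---
class _FakeRequest:
    def __init__(self, method, url):
        self.method, self.pretty_url = method, url


class _FakeFlow:
    def __init__(self, method, url):
        self.request = _FakeRequest(method, url)
        self.intercepted = False

    def intercept(self):
        self.intercepted = True


def run_demo():
    """Feed constructed requests through the hook; return the held URLs."""
    SEEN.clear()
    flows = [
        _FakeFlow("GET", "https://example.test/index.html"),
        _FakeFlow("POST", "https://example.test/api/login"),
        _FakeFlow("GET", "https://example.test/static/app.js"),
        _FakeFlow("GET", "https://example.test/oauth/Token?x=1"),
    ]
    for f in flows:
        request(f)
    return [f.request.pretty_url for f in flows if f.intercepted]


if __name__ == "__main__":
    print(run_demo())
    print(summary())
```

Run stand-alone, the script pushes the four constructed requests through the hook and prints the two held URLs plus the counts; under mitmdump the same `request` function runs against real flows, and held flows wait until they are resumed from the UI or by another addon.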
Some useful commands
| Command | Description |
|---|---|
| `d` | Delete a row |
| `?` | Get the help |
| `Enter` | View a flow |
| `e` | Edit a request/response |
| `i` | Define a regular expression for intercepting traffic |
| `w` | Save the current flow |
| `W` | Stream the flows to a file |
| `a` | Accept a flow |
| `L` | Load saved flows |
Pros & Cons
Pros
- Decrypting HTTP and HTTPS traffic
- Manipulating HTTP and HTTPS traffic
- Works as proxy
- Open Source Software
- Works on every machine that supports a shell
Cons
- Tricky certificate handling
- Awful user interface
- Cannot be operated without keyboard shortcuts
Further Tools
If you do not like a tool like `mitmproxy`, do not be disappointed. There are other tools available that do the same and have a graphical user interface.
Both of them are commercial tools. Both offer a graphical user interface as well as documentation.
Sources
- wireshark
- mitmproxy debian package
  - `man mitmproxy`
  - `mitmdump --help`
- tcpdump
  - `man tcpdump`
- mitmproxy – home
- mitmproxy documentation