Brief Intro to Mallory

MiTM (Man in the Middle) is a good way of analysing protocols, especially when SSL is involved. http://en.wikipedia.org/wiki/Man-in-the-middle_attack
To analyse HTTP/HTTPS, we have Charles Proxy; my posts on it can be found at https://sskaje.me/tag/charles-proxy/. (There is another MiTM proxy, ‘mitmproxy’, at https://github.com/mitmproxy/mitmproxy and http://mitmproxy.org/, which I will try later.)
For other protocols, Mallory is recommended.

Mallory

Mallory is an extensible TCP/UDP man in the middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.

Mallory is available from https://bitbucket.org/IntrepidusGroup/mallory and https://intrepidusgroup.com/insight/mallory/.

Install

I’m using an Ubuntu 13.10 x86_64 virtual machine.

Just do not use the mallory_install.sh script shipped with Mallory; install it manually instead.

Open a terminal/shell:

Launch

Let’s run it in GUI mode.
This needs a second terminal/shell (and do not forget that the GUI needs a desktop :P).

Terminal 1:

Terminal 2:

If you see the error shown in this screenshot, check whether you are running as root:
[Screenshot QQ20140119-1]
See the ‘Troubleshooting’ section below for details.

Here is what it looks like:
[Screenshot QQ20140119-3]

More

After that, set up a PPTP server following Notes: PPTP/L2TP Server on Ubuntu, since PPTP is the ‘easiest’ way to get a victim network for our MiTM study, according to Mallory’s own documentation:

The goal is to man in the middle traffic for testing purposes. The ideal
setup for Mallory is to have a “LAN” or “Victim” network that mallory
acts as the gateway for.

Option 1: PPTP:
The easiest and quickest way to get up and going is to setup a pptp
server and have victims log into it. This works great with mobile devices
as most of them support a PPTP VPN client.

I tried to analyse Xunlei’s iOS client with Charles Proxy, but some requests were not recorded.
With Mallory at its default settings, all requests are recorded, but only the application-layer payloads of TCP packets appear in the ‘Streams’ tab, and the HTTP POST body is not fully recorded, which makes Send/Auto Send fail.
[Screenshot QQ20140119-4]

Troubleshooting

If mallory.py is not running when you try to launch the GUI, an error like the one below is raised:

If mallory is not running as root, you may see these:

You may also see these messages:

This happens because the line library = cdll.LoadLibrary("libnetfilter_conntrack.so.1") is hard-coded in pynetfilter_conntrack-0.4.2-py2.7.egg/pynetfilter_conntrack/func.py, so the load fails on systems that ship a different soname.
To fix this, do:

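The three things that go wrong in the Launch and Troubleshooting sections above (mallory.py not started as root, the host not actually forwarding traffic when it is supposed to be the victims’ gateway, and the hard-coded libnetfilter_conntrack.so.1 soname that ctypes cannot resolve) can all be checked before anything is started. The following preflight script is an added example written for this post; it is not part of Mallory, not the post’s own fix, and the list of soname candidates, the injectable loader and the /proc path of the ip_forward sysctl are assumptions of this example.

```python
"""Preflight checks before launching a Mallory-style gateway MiTM proxy.

Added example, not code from Mallory or from the original post. It checks
the conditions the Launch and Troubleshooting sections describe: mallory.py
must run as root, the host must forward IP traffic if it is the victims'
gateway, and the soname that pynetfilter_conntrack hard-codes must resolve.
Assumptions: the soname candidate list and the Linux /proc path below.
"""
import ctypes
import ctypes.util
import os

IP_FORWARD_PATH = "/proc/sys/net/ipv4/ip_forward"  # Linux sysctl, assumed
# First entry is the name hard-coded in pynetfilter_conntrack/func.py; the
# second is an assumed newer soname a distribution may ship instead.
CONNTRACK_SONAMES = ("libnetfilter_conntrack.so.1",
                     "libnetfilter_conntrack.so.3")
PROBE = object()  # sentinel: "run the live check for this argument"


def is_root():
    """True when the effective UID is 0 (the post says mallory.py needs root)."""
    return os.geteuid() == 0


def ip_forwarding_enabled(path=IP_FORWARD_PATH):
    """Read the ip_forward sysctl; a missing or unreadable file counts as off."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def find_conntrack_library(candidates=CONNTRACK_SONAMES, loader=ctypes.CDLL):
    """Return the first soname that ctypes can load, else None.

    `loader` is injectable so the lookup can be exercised on a machine
    without the real library. After the fixed candidates it also tries
    whatever ctypes.util.find_library reports as installed.
    """
    names = list(candidates)
    found = ctypes.util.find_library("netfilter_conntrack")
    if found and found not in names:
        names.append(found)
    for name in names:
        try:
            loader(name)  # ctypes raises OSError when the soname is absent
            return name
        except OSError:
            continue
    return None


def preflight(root=PROBE, forwarding=PROBE, library=PROBE):
    """Collect human-readable problems; an empty list means ready to launch.

    Each argument overrides the live probe when given, so the reporting
    logic can be tested on any machine (pass library=None for "not found").
    """
    root = is_root() if root is PROBE else root
    forwarding = ip_forwarding_enabled() if forwarding is PROBE else forwarding
    library = find_conntrack_library() if library is PROBE else library
    problems = []
    if not root:
        problems.append("not running as root: mallory.py must be started as root")
    if not forwarding:
        problems.append("IP forwarding is off: clients routed through this host "
                        "will get no traffic (net.ipv4.ip_forward must be 1)")
    if library is None:
        problems.append("libnetfilter_conntrack not loadable under any known "
                        "soname: pynetfilter_conntrack's hard-coded .so.1 will fail")
    elif library != CONNTRACK_SONAMES[0]:
        problems.append("only %s loads, but pynetfilter_conntrack hard-codes %s"
                        % (library, CONNTRACK_SONAMES[0]))
    return problems


if __name__ == "__main__":
    for line in preflight() or ["preflight OK"]:
        print(line)
```

Run it as the same user and on the same host you intend to start mallory.py from; the last check deliberately reports a mismatch even when a newer soname loads, because the hard-coded name in func.py is what the egg will actually ask for.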
Brief Intro to Mallory by @sskaje: https://sskaje.me/2014/01/brief-intro-to-mallory/
