By @sskaje
Link: https://sskaje.me/2014/01/brief-intro-to-mallory/

MiTM(Man in The Middle) is a good way analysing protocols, especially when there’s an SSL. http://en.wikipedia.org/wiki/Man-in-the-middle_attack
To analyse HTTP/HTTPS protocol, we have Charles Proxy. Posts on my blog can be found https://sskaje.me/tag/charles-proxy/ (there’s another MiTM proxy, ‘mitmproxy’, https://github.com/mitmproxy/mitmproxy and http://mitmproxy.org/, will try later.)
For others, mallory is recommended.

Mallory

Mallory is an extensible TCP/UDP man in the middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.

We have mallory from https://bitbucket.org/IntrepidusGroup/mallory and https://intrepidusgroup.com/insight/mallory/.

Install

I’m using a Ubuntu 13.10 x86_64 virtual machine.

Just do not use mallary_install.sh brought by mallory.
Let’s install it manually instead.

Open a terminal/shell:

# clone repository to ~/mallory
cd ~
sudo apt-get install mercurial
hg clone https://bitbucket.org/IntrepidusGroup/mallory

cd mallory 
# Install dependencies
sudo apt-get install python-netfilter python-pyasn1 python-paramiko python-twisted-web \
  sqlite3 build-essential libnetfilter-conntrack-dev libnetfilter-conntrack3 \
  python-qt4 pyqt4-dev-tools python-qt4-sql libqt4-sql-sqlite pyro-gui 

# Install python packages
sudo easy_install pip m2crypto pynetfilter_conntrack

# clone repository to ~/mallory

cd ~

sudo apt-get install mercurial

hg clone https://bitbucket.org/IntrepidusGroup/mallory

cd mallory

# Install dependencies

sudo apt-get install python-netfilter python-pyasn1 python-paramiko python-twisted-web \

sqlite3 build-essential libnetfilter-conntrack-dev libnetfilter-conntrack3 \

python-qt4 pyqt4-dev-tools python-qt4-sql libqt4-sql-sqlite pyro-gui

# Install python packages

sudo easy_install pip m2crypto pynetfilter_conntrack

Launch

Let’s run in GUI mode.
Here we need another terminal/shell (do not forget the desktop :P)

Terminal 1:

cd ~/mallory/src/
sudo python mallory.py

1 2	cd ~/mallory/src/ sudo python mallory.py

Terminal 2:

cd ~/mallory/src/
sudo python launchgui.py

1 2	cd ~/mallory/src/ sudo python launchgui.py

If you see this photo, just check if you are running as root

see more below in the ‘Trouble Shooting’ section.

Here is what it likes:

After these, set up a PPTP server following Notes: PPTP/L2TP Server on Ubuntu, as the PPTP is the ‘easiest’ way for our MiTM study, said by mallory:

The goal is to man in the middle traffic for testing purposes. The ideal
setup for Mallory is to have a “LAN” or “Victim” network that mallory
acts as the gateway for.

Option 1: PPTP:
The easiest and quickest way to get up and going is to setup a pptp
server and have victims log into it. This works great with mobile devices
as most of them support a PPTP VPN client.
…

I tried to analyse Xunlei’s iOS client, which I tried Charles Proxy, some requests were not recorded.
Then the mallory with default settings, requests are all recorded, only Application Layer packets of TCP are found in ‘Streams’ tab, and the HTTP POST body is not full recorded which makes the Send/Auto Send fails.

Trouble Shooting

If you don’t have mallory.py running when trying to launch GUI, error like below will be raised.

sskaje@ubuntu:~/mallory/src$ python launchgui.py 
Traceback (most recent call last):
  File "launchgui.py", line 19, in <module>
    guimain.main()
  File "/home/sskaje/mallory/src/gui/guimain.py", line 442, in main
    window = MalloryGui()    
  File "/home/sskaje/mallory/src/gui/guimain.py", line 63, in __init__
    self.main.dbname = self.remote_debugger.getdatabase()
  File "/home/sskaje/mallory/src/Pyro/core.py", line 384, in __call__
    return self.__send(self.__name, args, kwargs)
  File "/home/sskaje/mallory/src/Pyro/core.py", line 458, in _invokePYRO
    self.adapter.bindToURI(self.URI)
  File "/home/sskaje/mallory/src/Pyro/protocol.py", line 271, in bindToURI
    raise ProtocolError('connection failed')
Pyro.errors.ProtocolError: connection failed

sskaje@ubuntu:~/mallory/src$ python launchgui.py

Traceback (most recent call last):

File "launchgui.py", line 19, in <module>

guimain.main()

File "/home/sskaje/mallory/src/gui/guimain.py", line 442, in main

window = MalloryGui()

File "/home/sskaje/mallory/src/gui/guimain.py", line 63, in __init__

self.main.dbname = self.remote_debugger.getdatabase()

File "/home/sskaje/mallory/src/Pyro/core.py", line 384, in __call__

return self.__send(self.__name, args, kwargs)

File "/home/sskaje/mallory/src/Pyro/core.py", line 458, in _invokePYRO

self.adapter.bindToURI(self.URI)

File "/home/sskaje/mallory/src/Pyro/protocol.py", line 271, in bindToURI

raise ProtocolError('connection failed')

Pyro.errors.ProtocolError: connection failed

If you don’t have mallory running under root, you may see these:

/bin/sh: 1: cannot create /proc/sys/net/ipv4/ip_forward: Permission denied
iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `mangle': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `mangle': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
['echo 1 > /proc/sys/net/ipv4/ip_forward', 'iptables -F', 'iptables -X', 'iptables -t nat -F', 'iptables -t nat -X', 'iptables -t mangle -F', 'iptables -t mangle -X', 'iptables -P INPUT ACCEPT', 'iptables -P FORWARD ACCEPT', 'iptables -P OUTPUT ACCEPT', 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE', 'iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp -m tcp --to-ports 20755', 'iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p udp -m udp --to-ports 20755']

/bin/sh: 1: cannot create /proc/sys/net/ipv4/ip_forward: Permission denied

iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)