MiTM (Man in The Middle) is a good way of analysing protocols, especially when SSL is involved. http://en.wikipedia.org/wiki/Man-in-the-middle_attack
To analyse HTTP/HTTPS, there is Charles Proxy; the posts about it on my blog are at https://sskaje.me/tag/charles-proxy/ (there’s another MiTM proxy, ‘mitmproxy’, https://github.com/mitmproxy/mitmproxy and http://mitmproxy.org/, which I will try later).
For other protocols, mallory is recommended.
Mallory
Mallory is an extensible TCP/UDP man in the middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.
Mallory is available from https://bitbucket.org/IntrepidusGroup/mallory and https://intrepidusgroup.com/insight/mallory/.
Install
I’m using an Ubuntu 13.10 x86_64 virtual machine.
Do not use the mallary_install.sh script shipped with mallory; let’s install it manually instead.
Open a terminal/shell:
    # clone repository to ~/mallory
    cd ~
    sudo apt-get install mercurial
    hg clone https://bitbucket.org/IntrepidusGroup/mallory
    cd mallory

    # Install dependencies
    sudo apt-get install python-netfilter python-pyasn1 python-paramiko python-twisted-web \
        sqlite3 build-essential libnetfilter-conntrack-dev libnetfilter-conntrack3 \
        python-qt4 pyqt4-dev-tools python-qt4-sql libqt4-sql-sqlite pyro-gui

    # Install python packages
    sudo easy_install pip m2crypto pynetfilter_conntrack
Launch
Let’s run in GUI mode.
Here we need another terminal/shell (do not forget the desktop :P)
Terminal 1:
    cd ~/mallory/src/
    sudo python mallory.py
Terminal 2:
    cd ~/mallory/src/
    sudo python launchgui.py
If you see the error in this screenshot, check whether you are running as root; see the ‘Trouble Shooting’ section below for details.
More
After this, set up a PPTP server following my post ‘Notes: PPTP/L2TP Server on Ubuntu’, since PPTP is the ‘easiest’ way for our MiTM study, as mallory’s own documentation says:
The goal is to man in the middle traffic for testing purposes. The ideal
setup for Mallory is to have a “LAN” or “Victim” network that mallory
acts as the gateway for.

Option 1: PPTP:
The easiest and quickest way to get up and going is to setup a pptp
server and have victims log into it. This works great with mobile devices
as most of them support a PPTP VPN client.
…
I tried to analyse Xunlei’s iOS client: with Charles Proxy, some requests were not recorded.
Then with mallory at default settings, all requests are recorded, but only the application-layer payloads of TCP connections are shown in the ‘Streams’ tab, and the HTTP POST body is not fully recorded, which makes Send/Auto Send fail.
Trouble Shooting
If mallory.py is not running when you launch the GUI, an error like the one below is raised.
    sskaje@ubuntu:~/mallory/src$ python launchgui.py
    Traceback (most recent call last):
      File "launchgui.py", line 19, in <module>
        guimain.main()
      File "/home/sskaje/mallory/src/gui/guimain.py", line 442, in main
        window = MalloryGui()
      File "/home/sskaje/mallory/src/gui/guimain.py", line 63, in __init__
        self.main.dbname = self.remote_debugger.getdatabase()
      File "/home/sskaje/mallory/src/Pyro/core.py", line 384, in __call__
        return self.__send(self.__name, args, kwargs)
      File "/home/sskaje/mallory/src/Pyro/core.py", line 458, in _invokePYRO
        self.adapter.bindToURI(self.URI)
      File "/home/sskaje/mallory/src/Pyro/protocol.py", line 271, in bindToURI
        raise ProtocolError('connection failed')
    Pyro.errors.ProtocolError: connection failed
If mallory is not running as root, you may see these:
    /bin/sh: 1: cannot create /proc/sys/net/ipv4/ip_forward: Permission denied
    iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `mangle': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `mangle': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.4.18: can't initialize iptables table `nat': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    ['echo 1 > /proc/sys/net/ipv4/ip_forward', 'iptables -F', 'iptables -X', 'iptables -t nat -F', 'iptables -t nat -X', 'iptables -t mangle -F', 'iptables -t mangle -X', 'iptables -P INPUT ACCEPT', 'iptables -P FORWARD ACCEPT', 'iptables -P OUTPUT ACCEPT', 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE', 'iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p tcp -m tcp --to-ports 20755', 'iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -p udp -m udp --to-ports 20755']
You may also see these messages:
    sskaje@ubuntu:~/mallory/src$ sudo python mallory.py
    Traceback (most recent call last):
      File "mallory.py", line 87, in <module>
        import netfilter
      File "/home/sskaje/mallory/src/netfilter.py", line 7, in <module>
        from pynetfilter_conntrack import Conntrack
      File "/usr/local/lib/python2.7/dist-packages/pynetfilter_conntrack-0.4.2-py2.7.egg/pynetfilter_conntrack/__init__.py", line 4, in <module>
        from pynetfilter_conntrack.func import *
      File "/usr/local/lib/python2.7/dist-packages/pynetfilter_conntrack-0.4.2-py2.7.egg/pynetfilter_conntrack/func.py", line 6, in <module>
        library = cdll.LoadLibrary("libnetfilter_conntrack.so.1")
      File "/usr/lib/python2.7/ctypes/__init__.py", line 443, in LoadLibrary
        return self._dlltype(name)
      File "/usr/lib/python2.7/ctypes/__init__.py", line 365, in __init__
        self._handle = _dlopen(self._name, mode)
    OSError: libnetfilter_conntrack.so.1: cannot open shared object file: No such file or directory
This is because library = cdll.LoadLibrary("libnetfilter_conntrack.so.1") is hardcoded in pynetfilter_conntrack-0.4.2-py2.7.egg/pynetfilter_conntrack/func.py, and no library with that soname exists on the system.
To fix this, point that soname at the unversioned library (this only satisfies the loader; if the installed library’s ABI differs from what pynetfilter_conntrack 0.4.2 expects, the failure moves from import time to call time):
    cd /usr/lib/x86_64-linux-gnu
    sudo ln -s libnetfilter_conntrack.so libnetfilter_conntrack.so.1
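The three failures above (GUI started before mallory.py, mallory not run as root, missing soname) are all checkable before launching anything. The script below is an added example, not part of mallory: the function names are mine, while the paths, the soname and the messages it refers to come from the tracebacks on this page.

```shell
#!/bin/sh
# mallory_preflight.sh: checks for the failure modes in the Trouble Shooting
# section before starting mallory.py / launchgui.py. Added example, not part of
# mallory; function names are mine, paths and soname come from the tracebacks.

LIBDIR=/usr/lib/x86_64-linux-gnu     # multiarch lib dir on Ubuntu 13.10 x86_64
SONAME=libnetfilter_conntrack.so.1   # soname hardcoded in pynetfilter_conntrack/func.py

# mallory writes ip_forward and programs iptables, so it needs uid 0.
# $1 = uid to check (defaults to the current user; overridable for testing)
check_root() {
    [ "${1:-$(id -u)}" -eq 0 ]
}

# Can ctypes resolve the hardcoded soname? Prints the symlink command the page
# uses when only the unversioned .so exists. $1 = directory, $2 = soname
soname_fix() {
    dir=$1; soname=$2; base=${soname%.1}    # base: libnetfilter_conntrack.so
    if [ -e "$dir/$soname" ]; then
        echo "ok: $dir/$soname present"
    elif [ -e "$dir/$base" ]; then
        echo "sudo ln -s $dir/$base $dir/$soname"; return 1
    else
        echo "missing: install libnetfilter-conntrack3 and libnetfilter-conntrack-dev first"; return 2
    fi
}

# Gateway mode needs ip_forward=1; mallory sets it itself, but only as root.
# $1 = path of the sysctl file (overridable for testing)
check_ip_forward() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# launchgui.py reaches mallory.py over Pyro; with no such process the GUI
# dies with "ProtocolError: connection failed".
check_mallory_running() {
    pgrep -f 'python mallory.py' >/dev/null
}

# Usage: sh mallory_preflight.sh run
if [ "${1:-}" = run ]; then
    check_root || echo "not root: start mallory.py and launchgui.py with sudo"
    soname_fix "$LIBDIR" "$SONAME"
    check_ip_forward || echo "ip_forward is 0 (mallory enables it when started as root)"
    check_mallory_running || echo "mallory.py is not running: start it before launchgui.py"
fi
```

Run it as root in ~/mallory/src before Terminal 1; each line it prints maps to one of the errors shown in this section.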