Mahatma Gandhi’s quote “Distrust is a sign of weakness” may be true in the real world, but certainly not in the cyber world of networks and Zero Trust. There are simply too many ways in which your communications can be recorded or even modified, and privacy and security are no longer guaranteed. Today we will look at one such scenario: how a third party can insert itself into the communication. With “Certificate Pinning” and “QUIC”, technologies and protocols are being introduced to the market that make such an attack massively more difficult, if not impossible. But this is far from the norm.
Preparation
For a Man in the Middle (MitM) attack, we first need a system to simulate the attacker. In this example we are using a Kali 2023.1, but this will work with other Linux systems, even Windows too. The Kali system already has the necessary tool “mitmproxy” preinstalled, and this is exactly what we will be using. After installing Kali, let’s first make the system accessible via SSH.
sudo systemctl enable ssh
sudo service ssh start
Now we should be able to connect using an SSH client. I use the tool “Bitvise” and can highly recommend it. However, you can use whatever tool suits you best. Let’s update the system, this may take a while.
sudo apt update && sudo apt upgrade
Before we can start, we need to tell Kali to forward all the packets it receives to the proxy. We will limit this to ports 443 & 80.
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
Mitmproxy
Once this is done, we are ready to begin our attack. If you do not have mitmproxy installed on your Linux system, you can find it on GitHub. The mitmproxy itself consists of three components.
- mitmproxy – an intercepting proxy with a console interface
- mitmdump – a command-line version of mitmproxy
- mitmweb – a web-based interface for mitmproxy
Here we go, we will focus on “mitmweb” in this blog as it has a nice graphical representation. However, it has no features that the other two lack, so feel free to use the others. We start the proxy with the following command; the option “--web-host 0.0.0.0” makes the web interface reachable from anywhere on the network. By default it binds only to 127.0.0.1, i.e. the system itself.
mitmweb --web-host 0.0.0.0
The output then shows us two important pieces of information. Firstly, the port on which the proxy is listening (*:8080) and secondly, the port on which the web interface is accessible (http://0.0.0.0:8081/).
Well done, we now have our man in the middle ready to go and just need to reconfigure the system we want to record. There are HTTP and Socks(5) proxies. The difference is that an HTTP proxy only works in the context of the browser, whereas a Socks proxy can be used for all system traffic. Of course we want to use the mitmproxy as a socks proxy.
Proxy under Linux
Under Linux, it is quite simple to set up the proxy as follows:
# turn on
export http_proxy=http://[MITM IP]:8080
export https_proxy=http://[MITM IP]:8080
# turn off
unset http_proxy
unset https_proxy
Proxy under Windows
The proxy can also be set up very quickly in Windows. The easiest way to do this is to search for “Proxy” in the “Start” menu and then go to “Proxy Settings”. Here you will need to enable proxy use and enter the proxy details.
Traffic recording
The first thing you will notice when you visit a website in your browser is that the browser reports an invalid certificate for every website. This is because your traffic is now going through a proxy. To allow the proxy to see encrypted traffic, you no longer make a direct SSL connection to the website itself. Your SSL connection only goes to the proxy, which establishes its own SSL session between itself and the web server, allowing the decrypted traffic to be captured.
The proxy will issue a suitable SSL certificate for this connection on the fly for you, so that the browser does not complain. Currently your system does not trust the mitmproxy root certificate and this is causing the error message.
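Because the proxy can only sign its on-the-fly certificates with its own root, the issuer name of the served leaf certificate gives it away even once that root is trusted by the OS. The following added example (not part of the original post or of mitmproxy) pins the expected issuer CN and flags a mismatch; the two certificate dictionaries are constructed samples in the shape that Python’s getpeercert() returns, and the issuer values, host name and file name are assumptions.

```python
import socket
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
# INTERCEPTED_CERT mimics a leaf minted on the fly by mitmproxy (its default
# CA is O=mitmproxy, CN=mitmproxy); GENUINE_CERT mimics the site's real leaf.
# Neither was captured from a live connection.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "mitmproxy"),),
               (("commonName", "mitmproxy"),)),
}
GENUINE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trusted CA Inc"),),
               (("commonName", "Example Trusted CA"),)),
}


def issuer_fields(cert):
    """Flatten getpeercert()'s nested issuer tuples into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def is_intercepted(cert, pinned_issuer_cn):
    """True when the leaf was not issued by the CA we pinned.

    An inspecting proxy cannot forge the genuine CA's signature, so the leaf
    it hands the client is signed by the proxy's own root. Trusting that root
    in the OS store silences the browser warning but does not change the
    issuer name, which is what this pin compares. A missing CN also counts.
    """
    return issuer_fields(cert).get("commonName") != pinned_issuer_cn


def check_host(host, pinned_issuer_cn, port=443, timeout=5.0):
    """Connect, fetch the served leaf and test it against the pin.

    A raw socket ignores http_proxy/https_proxy, so this only sees a proxy
    that sits on the network path (the iptables REDIRECT setup above).
    """
    ctx = ssl.create_default_context()  # chain is validated against the OS store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return is_intercepted(cert, pinned_issuer_cn), issuer_fields(cert)


if __name__ == "__main__":
    import sys  # usage: python check_pin.py <host> <expected issuer CN>
    flagged, issuer = check_host(sys.argv[1], sys.argv[2])
    print("INTERCEPTED" if flagged else "ok", issuer)
```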
We need to install this root certificate on our system. To do this, simply visit the website “http://mitm.it/” (with an active proxy). There you can download the necessary certificates for all systems. For our Windows system we ignore the site’s platform-specific instructions and take the Android certificate, i.e. the .cer file, and download it. Then we can easily install it in the right place with the following PowerShell command.
powershell.exe "Import-Certificate -FilePath [PATH]\mitmproxy-ca-cert.cer -CertStoreLocation cert:\LocalMachine\Root"
Now you just have to close all instances of the browser and the next time you start the browser, the error message should disappear. On the mitmproxy web interface “http://[MITM IP]:8081” all your web traffic should now be visible.
It is also possible to view the connection data such as the header or payload of a request and a response.
This method is also called “SSL inspection” and is used by most firewalls or proxies in the business environment to protect you. Have fun analysing traffic!
Conclusion
You might ask, “Why do I need all this? I can already see all this in the browser’s dev tools.” This is true for browser traffic. But what if you want to analyse an application like Teams or Outlook, but you don’t have enough experience with Wireshark, or it’s just too much work? This is where the whole thing can make your life pretty easy.
But be careful, NEVER install a certificate that you have not issued and managed yourself! This will allow someone to read all your traffic and steal passwords or even your JWT. Finally, don’t forget to disable the proxy if you don’t want to use it explicitly.
That’s it so far, stay tuned and see you soon!