When developing software, sometime it’s necessary to sniff the traffic that is transmitted between two computer systems. For that purpose tools like wireshark or tcpdump may be useful. Wireshark is a great tool, but when handling encrypted connections it is not possible to decrypt the traffic without having the key used for encryption. When sniffing http traffic the private key of the certificate is required to decrypt the information. But when talking to a foreign server, without having its private key another approach is necessary.

How to get all the information

In order to get the information from an encrypted connection, one way is to run a man-in-the-middle (mitm) attack to the encrypted connection. When connecting to a host, the identity is checked via a certificate. In case the identity check fails maybe a man in the middle tries to hack the connection. Every software with basic features concerning security prohibits this. In order to run the man-in-the-middle attack a proxy server that redirects all the traffic might be useful. As the proxy server is the component redirects all the traffic, it is the component that is capable of running an attack to dump all the traffic unencryptedly.

Redirecting the traffic via a proxy server

As the first step the traffic must be delegated via the proxy server. For http traffic this quite easy, as normally every application provides setting a proxy server, to run all the traffic with the proxy in between. Simply tell the software, that all the http/s traffic must run via the proxy server. As this is how to setup and run mitmproxy please refer to your applications documentation. In future post there will be described how to configure the client.

Running a man-in-the-middle attack

So what’s the way to run a man-in-the-middle attack? There are two options:

• The result of the identity checks may be ignored
• The identity check thinks the wrong certificate is valid

Ignoring the result requires, that the software that calls the host doesn’t care about the identity of the host. So it is possible for the man-in-the-middle to decrypt the traffic, as he knows the private key of the certificate. It’s its own. Then the man-in-the-middle acts as client by redirecting the traffic to the destination. The other way is something like adding the certificate of the man-in-the-middle to the trusted certificates. In this case the client thinks everything is ok, as the identity check is ok.

Tools

A neat tool for acting as proxy is mitmproxy. In my technical setup Debian Linux is used. The tool is provided by the mitmproxy package in Debian 8. This package also installs mitmdump. This tool mitmdump offers similar functionality like tcpdump. But this tool dumps all the information that runs over the mitmproxy. For other operating systems please have a look at the documentation.

Using mitmproxy

Per default mitproxy runs on port 8080. In case it’s necessary, there is a way to run the tool with another proxy port.

For that simply use the parameter -p PORT for changing the port mitmproxy runs on.

In case your network is already behind a proxy, all the traffic can be redirected to the other proxy as well. The option -F PROXY is available for that purpose.

Even running it as reverse proxy is possible with -R HOST

The certificate for mitmdump is stored in the folder ~/.mitmproxy. The file mitmproxy-ca-cert.pem contains the public part of the certificate. In mitmproxy-ca.pem the private key is stored. With those information the illegal certificate can be imported to a certificate store to make an application think that everything is ok.

Using mitmdump

As well as mitmproxy per default port 8080 is used. The option -p PORT adds the port mitmdump runs with. The option -w FILE dumps all the traffic into a file. Those information may be read via mitmproxy.

In order to get some help simply run

as there is no man page available.

Tracking information

Tracking Requests

Tracking is possible with mitmproxy. All the requests and responses via http/s can be seen in an overview. Furthermore all the details are available for each request/response.

Dumping data

Within mitmproxy it’s possible to save all the flows to a file using w. Otherwise streaming all the data to file is possible by using W.

Intercepting data

Furthermore it’s possible to intercept the communication and change its information by using the shortcut i. As the tool is based on python a regular expression in the syntax of the python language is available. E.g. .*EXPRESSION.* intercepts urls that contain EXPRESSION. In case some traffic is intercepted, you can manipulate it or simply accept it. Intercepted traffic is stopped until it is accepted. This is done by the key a.

The data can be edited by pressing e and selecting the part to be edited is possible. Simply choose which part of the traffic you want to edit.
It is even possible to intercept headers, bodies, http codes, etc… For that please refer to the help or the manual.

Some useful commands

Command	Description
d	Delete a row
?	Get the help
Enter	View a flow
e	Edit a request/response
i	Define a regular expression for intercepting traffic
w	Save the current flow
W	Stream the flows to a file
a	Accept a flow
L	Load saved flows

Pros & Cons

Pros

• Decrypting http + https traffic
• Manipulating http + https traffic
• Works as proxy
• Open Source Software
• Works on every machine that supports a shell

Cons

• Tricky certificate handling
• Awful user interface
• Working without keyboard based shortcuts not possible

Further Tools

If you don’t like a tool like mitmproxy, don’t be disappointed. There are some other tools available, that do the same and have a graphical user interface.

• Fiddler2 (Runs only on Windows)
• Charles (Linux, MacOs and Windows)

Both of them are commercial tools. Both offer a graphical user interface as well as a documentation.

Sources

• wireshark
• mitmproxy debian package
• man mitmproxy
• mitmdump --help
• tcpdump
• man tcpdump
• mitmproxy – home
• mitmproxy documentation