# Course #363: mitmproxy for Penetration Testing

## Section 1: Introduction to mitmproxy

### Overview

In this section, we will delve into mitmproxy, a powerful tool for network traffic analysis and interception. It is widely used in penetration testing to inspect, modify, and replay HTTP/HTTPS traffic. This course aims to provide comprehensive knowledge about mitmproxy, including its installation on Kali Linux, configuration, usage, and real-world applications.

### What is mitmproxy?

Mitmproxy is an open-source man-in-the-middle (MITM) proxy that allows users to intercept and analyze network traffic. It supports HTTP/HTTPS protocols and provides a built-in web interface for easy inspection of the data being transmitted. This tool is particularly useful for ethical hackers and penetration testers, enabling them to understand how applications communicate over the network and identify potential vulnerabilities.

### Installation and Configuration on Kali Linux

To begin using mitmproxy on Kali Linux, follow these steps for installation and configuration:

#### Step 1: Update Your System

Before installing any new software, it is a good practice to ensure your system is up-to-date. Open a terminal and run the following commands:

"`bash
sudo apt update
sudo apt upgrade -y
"`

#### Step 2: Install mitmproxy

Mitmproxy is easily installable from the Kali repositories. Execute the following command to install it:

"`bash
sudo apt install mitmproxy -y
"`

#### Step 3: Verify Installation

Once the installation is complete, you can verify that mitmproxy was installed correctly by checking its version:

"`bash
mitmproxy –version
"`

You should see output displaying the version number, confirming that mitmproxy is successfully installed.

#### Step 4: Configure mitmproxy

Mitmproxy requires configuration to capture and analyze traffic. To do this, you should set up your system to use mitmproxy as a proxy server. Open the terminal and run the following command to start mitmproxy:

"`bash
mitmproxy
"`

By default, mitmproxy listens on port `8080`. Thus, you need to configure your applications or devices to route their network traffic through this port.

### Configuring Your Browser

1. **Google Chrome:**
   - Open Chrome settings.
   - Scroll down and click on "Advanced."
   - In the "System" section, click on "Open your computer's proxy settings."
   - For Windows, navigate to "Manual proxy setup" and enable "Use a proxy server." Set the address to `127.0.0.1` and port to `8080`.
   - For Linux, set the same proxy settings in your network configuration.

2. **Mozilla Firefox:**
   - Open Firefox settings.
   - Scroll down to "Network Settings" and click on "Settings."
   - Select "Manual proxy configuration" and input `127.0.0.1` for the HTTP Proxy and `8080` for the port.
   - Ensure the "Use this proxy server for all protocols" checkbox is enabled.

3. **Mobile Devices:**
   - For Android, go to Wi-Fi settings, press on your connected network, select "Modify network," and enter the proxy in the advanced options.
   - For iOS, go to Wi-Fi settings, tap the "i" icon next to your network, scroll down to HTTP Proxy, and set it to "Manual" with the same IP and port.

### Step-by-Step Usage of mitmproxy

Once you have mitmproxy running and your applications configured to route through it, you can begin intercepting and analyzing traffic.

#### Step 1: Start mitmproxy

Open a terminal and execute:

"`bash
mitmproxy
"`

This will provide a console interface where you can view intercepted requests and responses.

#### Step 2: Intercept HTTP Requests

As you navigate through your configured browser, you will see HTTP requests appear in the mitmproxy interface. You can inspect request headers, response headers, and the body of both requests and responses.

**Example: Intercepting a Request**

Once you've intercepted a request, you can view details like this:

"`
<< GET http://example.com/api/data HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 ``` #### Step 3: Modify Requests and Responses You can also modify requests and responses directly in mitmproxy. For instance, if you want to change a JSON payload in a POST request, navigate to the request, press `e` to edit it, make your changes, and then press `Ctrl + Z` to send the modified request. **Example: Modifying a POST Request** Original request: ```json { "username": "user", "password": "pass" } ``` Modified request: ```json { "username": "attacker", "password": "attacker_password" } ``` #### Step 4: Replaying Requests Mitmproxy also allows you to replay requests to test how the server responds to different inputs. This is useful for exploring vulnerabilities. To replay a request, select the request in the mitmproxy interface and press `Ctrl + R`. This will send the selected request again, and you can make any necessary modifications before sending. #### Step 5: Saving and Exporting Traffic You can save intercepted traffic for later analysis. To save your sessions, use: ```bash mitmproxy -w outputfile ``` To read the saved session later: ```bash mitmproxy -r outputfile ``` ### Real-World Use Cases Mitmproxy can be utilized in various real-world scenarios, including: 1. **Security Testing of Web Applications:** Using mitmproxy to intercept and analyze API requests can help testers identify insecure endpoints and data leaks. 2. **Session Hijacking:** By manipulating session tokens in requests, ethical hackers can demonstrate security flaws in session management. 3. **SSL Stripping:** Mitmproxy can be used to downgrade HTTPS traffic to HTTP, allowing testers to demonstrate the risks of unencrypted traffic. 4. **Data Exfiltration:** By monitoring outgoing requests, pentesters can identify if sensitive data is being transmitted without encryption. 
### Technical Explanations

Mitmproxy operates as a transparent proxy, meaning it intercepts traffic without requiring any modifications to the client. It supports both HTTP and HTTPS, automatically handling SSL certificates to facilitate secure communications.

**How SSL Interception Works:**

1. **Certificate Generation:** When a client connects to mitmproxy, it generates a CA certificate on-the-fly.
2. **Trust Configuration:** The CA certificate needs to be trusted by the client device to avoid SSL errors.
3. **Traffic Decryption:** Mitmproxy can then decrypt and log the HTTPS traffic as it passes through.

Refer to the official documentation for more in-depth technical insights: [Mitmproxy Documentation](https://docs.mitmproxy.org/stable/).

### External References

For further reading and resources, consider the following links:

- [Mitmproxy GitHub Repository](https://github.com/mitmproxy/mitmproxy)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [Burp Suite vs. Mitmproxy Comparison](https://portswigger.net/burp/documentation/desktop/mitmproxy)

### Conclusion

In this section, we covered the essential aspects of mitmproxy, including installation, configuration, and practical usage examples. As you continue your journey in penetration testing, mastering mitmproxy will enhance your ability to analyze and manipulate network traffic effectively.

---

Made by pablo rotem / פבלו רותם