
mitmproxy - the artifact of man-in-the-middle attack_PHP tutorial

WBOY, original, 2016-07-12 08:53:25

mitmproxy - an artifact of man-in-the-middle attacks

1. Foreword

The http proxy occupies a very important position in web penetration testing, and there are many tools in this area, such as burp suite, Fiddler and Charles (almost must-have tools for every web developer), as well as paros, webscarab and others with a long history. In fact, every web vulnerability scanner has an http proxy function.

The mitmproxy proxy tool I will introduce today is very good, especially its interception of https data and its extensibility, and so on.

The reason I chose this tool is that I needed to do communication analysis of a mobile APP. We know that the basic condition for using an http proxy is that the networks must be interconnected. In many cases the company's mobile network is isolated from the office network. Of course, you can use network sharing (or buy a Xiaodu WiFi or 360 WiFi) to get around the isolation. (I remember that when I was doing mobile communication analysis a few years ago, I ran into the embarrassing situation of network isolation and no wireless network card.)

My choice was to build an http proxy on a vps (I had just bought a vps, and it took a lot of trouble to get it working). For that I needed a command line tool, so I chose mitmproxy (in fact I also used nginx to build a proxy; at present I mainly inspect the communication, and once I am proficient I may use the nginx-lua module to write an intercept-and-rewrite module. Sadly, nginx does not support https, but that is too far off topic).

2. Principle of mitmproxy

Mitmproxy is a proxy, but a proxy with a tampering function. It supports two modes, forward proxy and transparent proxy, and handles both http and https communication.

(For a popular-science introduction to forward proxy, reverse proxy and transparent proxy, you can read this article, which is very easy to understand: http://z00w00.blog.51cto.com/515114/1031287)

The mitmproxy official website also explains the principle. Here is a translation by a kind person: http://www.oschina.net/translate/how-mitmproxy-works

If you already understand proxies well, just take a look at the following four pictures and you will know what is going on.

 1. http forward proxy [diagram]

 2. https forward proxy [diagram]

 3. http transparent proxy [diagram]

 4. https transparent proxy [diagram]

3. Mitmproxy installation

Next I will install mitmproxy on the vps. This tool is written in python. Nowadays many tools are written in python, and there are even dedicated python hacker training institutions. It is said that a programmer who does not know python is not a good programmer.

Python is cross-platform, so mitmproxy is also cross-platform.

Next, take the installation on linux (debian 7) as an example. Other platforms are very similar (on mac, just use homebrew to install the package).

1. First install the python environment (if you already know python, you can skip this)

 # python and python dependency packages
 apt-get install build-essential python-dev python-setuptools
 # Install pip, a good python package manager, similar to aptitude or apt-get
 wget https://pypi.python.org/packages/source/p/pip/pip-1.4.1.tar.gz
 tar xzf pip-1.4.1.tar.gz && cd pip-1.4.1
 python setup.py install

 2. Install mitmproxy dependency packages

 sudo pip install netlib pyopenssl pyasn1 urwid pil lxml flask
 # The following is optional (for decoding)
 sudo pip install pyamf protobuf
 # The following is optional (for testing)
 sudo pip install nose pathod countershape

 3. Install mitmproxy

sudo pip install mitmproxy

After successful installation, two tools /usr/local/bin/mitmproxy and /usr/local/bin/mitmdump will be generated

I am an open source tool killer and always run into problems.

Installation problem solving:

If pkg_resources.DistributionNotFound appears when installing with pip (this problem occurred for me right after upgrading to osx Mavericks), update pip first:

 sudo easy_install --upgrade distribute
 sudo easy_install --upgrade pip

4. Installation of CA certificate

To capture https traffic, you have to solve the certificate trust problem, so you need to install the certificate on the client where the communication occurs and set it as a trusted root certification authority. The following describes 6 client installation methods.

When we run mitmproxy or mitmdump for the first time, it generates the ~/.mitmproxy folder (under the home directory), which contains 4 files. These are the certificates we want:

 mitmproxy-ca.pem: private key
 mitmproxy-ca-cert.pem: for non-windows platforms
 mitmproxy-ca-cert.p12: for windows
 mitmproxy-ca-cert.cer: the same as mitmproxy-ca-cert.pem, used on android

 1. Install on Firefox

Preferences - Advanced - Encryption - View Certificates - Import (mitmproxy-ca-cert.pem) - Trust this CA to identify web sites

 2. Install on chrome

Settings - Advanced Settings - HTTPS/SSL - Manage Certificates - Trusted Root Certification Authorities - Import mitmproxy-ca-cert.pem

 3. Install on osx

Double-click mitmproxy-ca-cert.pem - Always Trust

 4. Install on windows 7

Double-click mitmproxy-ca-cert.p12 - Next - Next - Place all certificates in the following store - Trusted Root Certification Authorities

 5. Install on iOS

Send mitmproxy-ca-cert.pem to the iphone's mailbox and open it as an email attachment, or download it through the browser

 I put the certificates on the vps for download:

 http://tanjiti.com/crt/mitmproxy-ca-cert.pem (mitmproxy, iOS)
 http://tanjiti.com/crt/mitmproxy-ca-cert.cer (mitmproxy, android)
 http://tanjiti.com/crt/mitmproxy-ca-cert.p12 (mitmproxy, windows)
 http://tanjiti.com/crt/PortSwigger.cer (BurpSuite certificate, attached for convenience)

 6. Install on the iOS simulator

 git clone https://github.com/ADVTOOLS/ADVTrustStore.git
 cd ADVTrustStore/

 DANI-LEE-2:ADVTrustStore danqingdani$ python iosCertTrustManager.py -a ~/iostools/mitmproxy-ca-cert.pem
 subject= CN = mitmproxy, O = mitmproxy
 Import certificate to iPhone/iPad simulator v5.1 [y/N] y
 Importing to /Users/danqingdani/Library/Application Support/iPhone Simulator/5.1/Library/Keychains/TrustStore.sqlite3
 Certificate added

What the above operation actually does is insert the certificate data into the tsettings table of the ~/Library/Application Support/iPhone Simulator/5.1/Library/Keychains/TrustStore.sqlite3 database.

 7. Install on Android

Place mitmproxy-ca-cert.cer in the root directory of the sdcard.

Select Settings - Security and Privacy - Install certificate from storage device

5. Tool usage

Once the mitmproxy proxy is installed on the vps and the CA certificate is installed on the client, you can start using it.

Step 1: Start mitmproxy on the vps

 mitmproxy -b xxx.xxx.xxx -p xxx

-b specifies the listening address (interface), -p specifies the port.

Sure enough, I am an open source tool killer, and an error was reported when running it.

Solving the runtime error:

When running mitmproxy, this error message appears:

 Error: mitmproxy requires a UTF console environment.
 Set your LANG enviroment variable to something like en_US.UTF-8

You can run locale first to check the current locale. My vps is in a POSIX environment:

 root@www:/# locale
 LANG=
 LANGUAGE=
 LC_CTYPE="POSIX"
 LC_NUMERIC="POSIX"
 LC_TIME="POSIX"
 LC_COLLATE="POSIX"
 LC_MONETARY="POSIX"
 LC_MESSAGES="POSIX"
 LC_PAPER="POSIX"
 LC_NAME="POSIX"
 LC_ADDRESS="POSIX"
 LC_TELEPHONE="POSIX"
 LC_MEASUREMENT="POSIX"
 LC_IDENTIFICATION="POSIX"
 LC_ALL=

What we need to do now is change it to en_US.UTF-8.

Method reference: http://jrs-s.net/2010/11/18/setting-locale-to-utf-8-in-debian/

 # Set LANG=en_US.UTF-8 in /etc/default/locale, then regenerate the locales
 vim /etc/default/locale
 locale-gen
 # Edit /etc/profile and /etc/bash.bashrc, adding export LANG=en_US.UTF-8
 # (append with >>; a single > would overwrite the whole file)
 echo "export LANG=en_US.UTF-8" >> /etc/profile
 echo "export LANG=en_US.UTF-8" >> /etc/bash.bashrc
 source /etc/profile
 source /etc/bash.bashrc

Now run locale again and you can see that the language has been changed:

 root@www:/# locale
 LANG=en_US.UTF-8
 LANGUAGE=
 LC_CTYPE="en_US.UTF-8"
 LC_NUMERIC="en_US.UTF-8"
 LC_TIME="en_US.UTF-8"
 LC_COLLATE="en_US.UTF-8"
 LC_MONETARY="en_US.UTF-8"
 LC_MESSAGES="en_US.UTF-8"
 LC_PAPER="en_US.UTF-8"
 LC_NAME="en_US.UTF-8"
 LC_ADDRESS="en_US.UTF-8"
 LC_TELEPHONE="en_US.UTF-8"
 LC_MEASUREMENT="en_US.UTF-8"
 LC_IDENTIFICATION="en_US.UTF-8"
 LC_ALL=

Then it can run normally!

Step 2: Configure the http proxy on your mobile phone, PC or browser

Step 3: Access the target with the client; you can now operate on the communication data

6. Common operations

1. mitmproxy

Let me introduce the most commonly used operations: modifying requests and replaying requests.

(1) Use the arrow keys to position on a request

(2) When the yellow arrow >> is on the desired request, press enter to open the request

[screenshot]

(3) Press e to enter the editing state, then press the key shown in blue to select the part to modify

You can modify: query (query string); path; url; header (request header); form (form); raw body (request body); method (request method).

(4) a adds a line, tab switches the editing field, enter starts editing, esc saves, q returns to the previous level

(5) After modifying, press r to replay the request and view the result of the modification

 2. mitmdump

Don't forget, mitmproxy also has an introverted twin called mitmdump (much like tcpdump), which is the non-interactive version of mitmproxy. It can process communication packets offline rather than in real time.

We can press w in mitmproxy to save the communication data to a specified file, and then operate on it with mitmdump. Here is a brief example: from the packets captured in mitmproxy, filter out the packets to Weibo, and then replay them (in fact you can also modify them before replaying).

 -n means do not start the proxy, -r means read packets from a file, -w means write packets to a file, -c means replay the client requests

 mitmdump -nr all.data -w weibo.data "~u weibo"

 mitmdump -nc weibo.data
 [replay] POST http://api.weibo.cn/2/client/addlog_batch?s=2edc0cfa7&gsid=4ubed3V0QehBa8KoNp4AA75J&c=android&wm=20005_0002&ua= Xiaomi-MI 2S__weibo__4.0.1__android__android4.1.1&oldwm=9975_0001&from=1040195010&skin=default&i=8764056d2&isgzip=&lang=zh_CN

 3. mitmproxy API

The best thing about the open source spirit is that, just like playing with building blocks as a child, you can use the exquisite tools provided by the experts to build a weapon that suits you.

Mitmproxy provides libmproxy for extension calls.

We can look at the detailed description of libmproxy to understand the main API calls:

 pydoc libmproxy

The official website gives an example of writing your own script to manipulate packets. It is very simple and everyone can understand it.

As shown below, it adds a custom header to the response packet:

 def response(context, flow):
     flow.response.headers["newheader"] = ["foo"]

We can use this script with mitmdump.

-s means read a custom script to process the packets:

 mitmdump -ns examples/add_header.py -r infile -w outfile
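Following the add_header.py hook style above, here is an added example (not from the original post or from the mitmproxy project) of a script you could run with mitmdump -ns over a captured file to review mobile app traffic from the defender's side: it flags session-like tokens carried in the URL query string (as in the replayed Weibo request above, where gsid travels in the URL) and responses that lack common security headers. The watch-lists, the sample inputs, and the flow.request.url and context.log attribute names are assumptions; check pydoc libmproxy for the names in your version.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that commonly carry a session id or credential.
# Constructed watch-list for this example; extend it for the app under review.
SENSITIVE_PARAMS = {"gsid", "sid", "session", "token", "password", "passwd", "auth"}

# Response headers a reviewer expects on an https API response (constructed list).
EXPECTED_HEADERS = {"strict-transport-security", "x-content-type-options", "cache-control"}


def sensitive_query_params(url):
    """Return the sorted names of query parameters that look like secrets.

    A secret in the query string is written to proxy logs, server access logs
    and browser history, which is exactly why a proxy sees it in the clear.
    """
    query = urlsplit(url).query
    names = {name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def missing_security_headers(headers):
    """Return the sorted expected headers that are absent from `headers`.

    `headers` is any dict-like object whose iteration yields header names
    (values may be strings or lists, as in the add_header example); names are
    compared case-insensitively, as HTTP requires.
    """
    present = {name.lower() for name in headers}
    return sorted(EXPECTED_HEADERS - present)


def audit(url, response_headers):
    """Combine both checks into one findings list; empty when nothing is wrong."""
    findings = []
    for name in sensitive_query_params(url):
        findings.append("secret-looking query parameter in URL: %s" % name)
    for name in missing_security_headers(response_headers):
        findings.append("response lacks header: %s" % name)
    return findings


def response(context, flow):
    """mitmdump hook with the same signature as the page's add_header.py.

    flow.request.url and context.log are assumed attribute names for the
    libmproxy version in use; adjust them if pydoc libmproxy shows otherwise.
    """
    url = flow.request.url
    for line in audit(url, flow.response.headers):
        context.log("[audit] %s: %s" % (url.split("?")[0], line))
```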

 Okay, that’s all.

7. Hope to communicate

When I ran mitmdump's http response replay function,

 mitmdump -S outfile

it got stuck. I have not found the reason yet. I hope anyone who knows can tell me, thank you very much.
