mitmproxy - the artifact of man-in-the-middle attack
1. Foreword
An http proxy occupies a very important position in web penetration testing, and there are many tools in this area: burp suite, Fiddler and Charles are must-have tools for almost every web developer, and paros, webscarab and others have a long history. In fact, every web vulnerability scanner includes an http proxy.
The mitmproxy tool introduced here is very good, especially for intercepting https data and for its extensibility, and so on.
The reason I chose this tool is to do communication analysis of mobile APPs. We know that the basic condition for using an http proxy is that the networks must be interconnected; in many cases the company's mobile network is isolated from the office network. Of course, you can use network sharing (or buy a Xiaodu WiFi or 360 WiFi) to get around the isolation. (I remember that when I was doing mobile communication analysis a few years ago, I ran into the embarrassing situation of network isolation and no wireless network card.)
My choice was to build an http proxy on a vps (I had just bought a vps, and getting it working was a lot of trouble), so I needed a command line tool, and I chose mitmproxy (in fact I also used nginx to build a proxy. For now I mainly inspect the communication; once I am proficient I may use the nginx-lua module to write an intercept-and-rewrite module. Sadly, nginx does not support https, but that is too far off topic).
2. Principle of mitmproxy
Mitmproxy is a proxy, a proxy with tampering capability. It supports two modes, forward proxy and transparent proxy, and handles both http and https communication.
(For an introduction to forward proxy, reverse proxy and transparent proxy, you can read this article http://z00w00.blog.51cto.com/515114/1031287, which is very easy to understand)
The mitmproxy official website also explains the principle; here is a translation by a kind person: http://www.oschina.net/translate/how-mitmproxy-works
If you already understand proxies well, take a look at the following four pictures and you'll know what's going on.
1. http forward proxy
2. https forward proxy
3. http transparent proxy
4. https transparent proxy
3. Mitmproxy installation
Next I will install mitmproxy on the vps. This tool is written in python; many tools are written in python these days, and there are even dedicated python hacker training institutions. It is said that programmers who don't know python are not good programmers.
Python is cross-platform, so mitmproxy is also cross-platform.
Next, take the installation on linux (debian 7) as an example. Other platforms are very similar (on mac just use homebrew to install the package).
1. First install the python environment. If you already have python, you can skip this.
# python and python dependency packages
apt-get install build-essential python-dev python-setuptools
# Install pip, a good python package manager, similar to aptitude / apt-get
wget https://pypi.python.org/packages/source/p/pip/pip-1.4.1.tar.gz
# unpack the tarball and install from the source directory
tar -zxf pip-1.4.1.tar.gz
cd pip-1.4.1
python setup.py install
2. Install mitmproxy dependency package
sudo pip install netlib pyopenssl pyasn1 urwid pil lxml flask
# The following is optional (for decoding)
sudo pip install pyamf protobuf
# The following is optional (for testing)
sudo pip install nose pathod countershape
3. Install mitmproxy
sudo pip install mitmproxy
After a successful installation, two tools are generated: /usr/local/bin/mitmproxy and /usr/local/bin/mitmdump
I am an open source tool killer and always run into problems.
Installation problem solving:
If pkg_resources.DistributionNotFound: appears when installing with pip (this happened to me right after upgrading to osx Mavericks), update pip first:
sudo easy_install --upgrade distribute
sudo easy_install --upgrade pip
4. Installation of CA certificate
To capture https traffic you have to solve the certificate authentication problem, so you need to install the certificate on the client where the communication occurs and set it as a trusted root certification authority. The following describes 6 client installation methods.
When we run mitmproxy or mitmdump for the first time, the ~/.mitmproxy folder is generated, which contains 4 files. These are the certificates we want:
mitmproxy-ca.pem: the private key (keep it on the vps; clients never need it)
mitmproxy-ca-cert.pem: for non-windows platforms
mitmproxy-ca-cert.p12: for windows
mitmproxy-ca-cert.cer: the same as mitmproxy-ca-cert.pem, used on android
1. Install on Firefox
Preferences - Advanced - Encryption - View Certificates - Import (mitmproxy-ca-cert.pem) - Trust this CA to identify web sites
2. Install on chrome
Settings - Advanced Settings - HTTPS/SSL - Manage Certificates - Trusted Root Certification Authorities - Import mitmproxy-ca-cert.pem
3. Install on osx
Double-click mitmproxy-ca-cert.pem - Always Trust
4. Install on windows 7
Double-click mitmproxy-ca-cert.p12 - Next - Next - Place all certificates in the following store - Trusted Root Certification Authorities
5. Install on iOS
Send mitmproxy-ca-cert.pem to the iphone's mailbox and open it through the browser / email attachment
I put the certificates on the vps for download:
http://tanjiti.com/crt/mitmproxy-ca-cert.pem mitmproxy iOS
http://tanjiti.com/crt/mitmproxy-ca-cert.cer mitmproxy android
http://tanjiti.com/crt/mitmproxy-ca-cert.p12 windows
http://tanjiti.com/crt/PortSwigger.cer BurpSuite (burpsuite certificate, feel free to attach it)
Since these are served over plain http, compare the downloaded certificate's fingerprint with the one in ~/.mitmproxy on the vps before trusting it, and remove the CA from the client once the analysis is finished: a trusted root CA can vouch for any site.
6. Install on the iOS simulator
git clone https://github.com/ADVTOOLS/ADVTrustStore.git
cd ADVTrustStore/
DANI-LEE-2:ADVTrustStore danqingdani$ python iosCertTrustManager.py -a ~/iostools/mitmproxy-ca-cert.pem
subject= CN = mitmproxy, O = mitmproxy
Import certificate to iPhone/iPad simulator v5.1 [y/N] y
Importing to /Users/danqingdani/Library/Application Support/iPhone Simulator/5.1/Library/Keychains/TrustStore.sqlite3
Certificate added
What the above operation actually does is insert the certificate data into the tsettings table of the ~/Library/Application Support/iPhone Simulator/5.1/Library/Keychains/TrustStore.sqlite3 database.
7. Install on Android
Place mitmproxy-ca-cert.cer in the sdcard root directory
Select Settings - Security and Privacy - Install certificate from storage device
5. Tool usage
With the mitmproxy proxy installed on the vps and the CA certificate installed on the client, you can start using it.
Step one: Start mitmproxy on the vps
mitmproxy -b xxx.xxx.xxx -p xxx   (-b specifies the listening interface, -p specifies the port)
Bind it to a specific interface and restrict who can reach the port (a firewall rule will do); otherwise the vps becomes an open proxy on the internet.
Sure enough, I really am an open source tool killer: an error is reported when running.
Solving running errors:
When running mitmproxy, the following error message appears:
Error: mitmproxy requires a UTF console environment.
Set your LANG enviroment variable to something like en_US.UTF-8
You can run locale first to check the current locale. My vps is in the POSIX environment:
root@www:/# locale
LANG=
LANGUAGE=
LC_CTYPE="POSIX"
LC_NUMERIC="POSIX"
LC_TIME="POSIX"
LC_COLLATE="POSIX"
LC_MONETARY="POSIX"
LC_MESSAGES="POSIX"
LC_PAPER="POSIX"
LC_NAME="POSIX"
LC_ADDRESS="POSIX"
LC_TELEPHONE="POSIX"
LC_MEASUREMENT="POSIX"
LC_IDENTIFICATION="POSIX"
LC_ALL=
What we need now is to change it to en_US.UTF-8.
Method reference http://jrs-s.net/2010/11/18/setting-locale-to-utf-8-in-debian/
vim /etc/default/locale    # set LANG=en_US.UTF-8
locale-gen
# Edit /etc/profile and /etc/bash.bashrc, adding export LANG=en_US.UTF-8
# (append with >>; a single > would overwrite the whole file)
echo "export LANG=en_US.UTF-8" >> /etc/profile
echo "export LANG=en_US.UTF-8" >> /etc/bash.bashrc
source /etc/profile
source /etc/bash.bashrc
Run locale again and you can see that the language has been changed:
root@www:/# locale
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
Then it can run normally!
Step 2: Configure the http proxy on your mobile phone, PC or browser
Step 3: Access from the client; you can now operate on the communication data
6. Common operations
1. mitmproxy
Let's introduce the most commonly used operations: modifying requests and replaying requests
(1) Use the arrow keys to move to a request
(2) When the yellow arrow >> points at the desired request, press enter to open it
(3) Press e to enter editing mode, then press the letter shown in blue to select the part to modify
You can modify: query (query string), path, url, header (request header), form, raw body (request body) and method (request method).
(4) a adds a line, tab switches the edit field, enter starts editing, esc saves, q returns to the previous level
(5) After modifying, press r to replay the request and view the result
2. mitmdump
Don't forget, mitmproxy also has an introverted twin called mitmdump (much like tcpdump), a non-interactive version of mitmproxy. With it, captured communication can be processed offline rather than in real time.
We can press w in mitmproxy to save the communication data to a file, then operate on it with mitmdump. Here is a brief example: from the packets captured in mitmproxy, filter out the packets for Weibo, then replay them (in fact you can also modify them before replaying).
-n means do not start the proxy, -r means read packets from a file, -w means write packets to a file, -c means replay the client request packets:
mitmdump -nr all.data -w weibo.data "~u weibo"
mitmdump -nc weibo.data
[replay] POST http://api.weibo.cn/2/client/addlog_batch?s=2edc0cfa7&gsid=4ubed3V0QehBa8KoNp4AA75J&c=android&wm=20005_0002&ua=Xiaomi-MI 2S__weibo__4.0.1__android__android4.1.1&oldwm=9975_0001&from=1040195010&skin=default&i=8764056d2&isgzip=&lang=zh_CN
3. mitmproxy API
The best thing about the open source spirit is that, just like playing with building blocks as a child, you can use the exquisite tools provided by the experts to build a weapon that suits you.
Mitmproxy provides libmproxy for extensions to call.
We can read the detailed description of libmproxy to understand the main API calls:
pydoc libmproxy
The official website gives an example of writing your own script to manipulate packets. It's very simple; everyone can understand it.
As shown below, it adds a custom header to the response:
def response(context, flow):
    flow.response.headers["newheader"] = ["foo"]
We can use this script with mitmdump; -s means read a custom script to process the packets:
mitmdump -ns examples/add_header.py -r infile -w outfile
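As an added example (not from the original post or the mitmproxy project), here is an inline script in the same style, written for Python 3, that reports requests carrying session tokens or credentials in the URL, as in the replayed Weibo request above, and rates them higher when they travel over plaintext http. The (context, flow) handler signature and the flow.request.url / flow.response.headers attributes are assumed from this page; the list of parameter names is constructed.

```python
# Added example (not from the original post): a mitmdump inline script in the
# style of add_header.py above, written for Python 3. It flags requests that
# carry session tokens or credentials in the URL (the kind of leak visible in
# the replayed Weibo request, whose URL contains gsid=...) and records whether
# they travelled over plaintext http, then tags each response.
# Assumed: the (context, flow) handler signature used on this page, and that
# flow.request.url and flow.response.headers exist as on the page.
from urllib.parse import urlparse, parse_qsl

# Query parameter names that should never appear in a URL (constructed list).
SENSITIVE_PARAMS = {"gsid", "token", "access_token", "session", "sid",
                    "password", "passwd", "pwd", "auth"}

def find_sensitive_params(url):
    """Return the sensitive query-parameter names found in url, in order."""
    query = urlparse(url).query
    names = [n.lower() for n, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if n in SENSITIVE_PARAMS]

def assess_request(url):
    """Classify one request URL: 'high' for sensitive params over plaintext
    http, 'medium' for sensitive params over https, 'none' otherwise."""
    parsed = urlparse(url)
    leaked = find_sensitive_params(url)
    if not leaked:
        severity = "none"
    elif parsed.scheme == "http":
        severity = "high"
    else:
        severity = "medium"
    return {"host": parsed.hostname, "scheme": parsed.scheme,
            "leaked": leaked, "severity": severity}

findings = []  # one entry per flagged flow, kept for an end-of-run summary

def request(context, flow):
    """mitmdump hook, called for every client request."""
    result = assess_request(flow.request.url)
    if result["severity"] != "none":
        findings.append(result)
        print("[%s] %s sends %s over %s" % (result["severity"], result["host"],
              ",".join(result["leaked"]), result["scheme"]))

def response(context, flow):
    """mitmdump hook: tag the response so the client can tell it passed the proxy."""
    flow.response.headers["X-Mitm-Audited"] = ["1"]
```

Run it the same way as add_header.py, e.g. mitmdump -ns audit_urls.py -r infile -w outfile (the script name is a placeholder).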
Okay, that’s all.
7. Hope to communicate
When I ran mitmdump to replay the http responses
mitmdump -S outfile
it got stuck. I haven't found the reason yet; I hope anyone who knows can tell me, thank you very much.