Thursday, 3 November 2016

Logging https traffic using Raspbian

In order to intercept https traffic, it is necessary to run software on a router or access point that presents its own certificates to clients, i.e. a man-in-the-middle whose CA the clients have to be made to trust. Using Mirko Dölle's beautiful instructions, today I set up mitmproxy on a Raspberry Pi 2 running Raspbian based on Debian Jessie. I have an RT5572-based dual-band wifi dongle that works very well with Raspbian, which I am going to use as the access point for clients to connect to, while the Raspberry Pi 2 itself is connected to the internet via ethernet.

First, I set up Raspbian in the usual way. Then I modified the dhcpcd configuration to assign a static IP address to the wifi adaptor that is going to be my access point, by adding the following lines to the end of /etc/dhcpcd.conf:

interface wlan0
static ip_address=192.168.6.1/24

Next, I added the hostapd package and created a configuration file for it:

# apt-get install hostapd
# cat >/etc/hostapd/hostapd.conf <<EOF
interface=wlan0
driver=nl80211
country_code=GB
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

ssid=rpi-mitm

# 802.11g on channel 8
hw_mode=g
channel=8

# encryption: WPA2-PSK with CCMP (wpa_pairwise only applies to WPA1 and is ignored with wpa=2)
wpa=2
wpa_passphrase=pleasehackme
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

# gobbledigook
beacon_int=100
auth_algs=1
wmm_enabled=1
EOF

Before activating, one line in /etc/default/hostapd has to be adjusted:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

In order to assign IP addresses to clients and forward their DNS queries, I then installed dnsmasq and appended a configuration for it to /etc/dnsmasq.conf:

# apt-get install dnsmasq
# cat >>/etc/dnsmasq.conf <<EOF
interface=wlan0
dhcp-range=192.168.6.50,192.168.6.100,12h
EOF

Next, I activated packet forwarding by uncommenting the following lines in /etc/sysctl.conf (they take effect once procps is restarted, which happens below):

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

I then set up network address translation by adding a MASQUERADE rule for my WAN interface (eth0) to the POSTROUTING chain of the iptables nat table. The rule has to survive reboots; installing the iptables-persistent package after adding it offers to save the rules currently loaded.

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# apt-get install iptables-persistent

Then I start the services involved. I disable the legacy Debian networking service because it brings wlan0 up itself, which prevents hostapd from starting, and I restart procps so that the sysctl changes take effect. This completes the setup of the access point.

# systemctl disable networking
# systemctl start hostapd
# systemctl start dnsmasq
# systemctl restart procps

In order to inspect client traffic through the access point, I installed mitmproxy. The version 0.10.1-2 that apt-get installs on Jessie is too old, so I installed the current version 0.18.2 manually with pip. Since Jessie only provides Python 3.4, which mitmproxy 0.18 does not support, I went with Python 2.7, together with the build dependencies its native extensions need:

# apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev g++
# pip install mitmproxy

To run it in transparent mode, I redirect TCP ports 80 and 443 arriving on the wifi interface to mitmproxy's listening port 8080 (only those two ports are intercepted; everything else still passes through the NAT unchanged):

# iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
# iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080
# mitmproxy -T --host

Install mitmproxy's CA certificate on the client device by browsing to http://mitm.it/ while connected through the proxy (mitmproxy serves that page itself). Without it, clients reject the certificates the proxy forges, and apps that pin their server certificate will refuse the connection even with the CA installed.

To deactivate the capture, it suffices to remove the iptables rules. Note that this flushes every rule in the nat table's PREROUTING chain, which here contains only the two added above:

# iptables -t nat -F PREROUTING
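mitmproxy's interactive view is not a persistent record of what the clients did. The following inline script, added here as an example and not part of the original post or of mitmproxy itself, appends one line per completed flow to a file and can aggregate that file per host to show which servers an app talks to most. It is written against the mitmproxy 0.18 script API as loaded with `-s`, where event handlers receive the flow as their only argument; the script name mitm_log.py, the default log path, the MITM_LOG variable and the sample flow and log lines are assumptions constructed for the example, not captured data.

```python
"""Inline script for mitmproxy 0.18: append one line per completed HTTP(S) flow to a log file.

Run as:  mitmproxy -T --host -s mitm_log.py
The file name mitm_log.py and the default log path are assumptions of this example.
"""
import datetime
import os

# Where lines are appended; MITM_LOG is read by this script only, it is not a mitmproxy option.
LOG_PATH = os.environ.get("MITM_LOG", "/var/log/mitm-flows.log")


def format_line(when, method, scheme, host, path, status, size):
    """Render one tab-separated line: time, method, URL, status, response body length.
    Kept free of mitmproxy types so the formatting can be tested offline."""
    return "\t".join([
        when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        method,
        "{0}://{1}{2}".format(scheme, host, path),
        str(status),
        str(size),
    ])


def summarize(flow, when=None):
    """Pull the logged fields out of an HTTPFlow (attribute names as in mitmproxy 0.18).
    A flow without a response (e.g. an upstream connection error) gets status '-' and size 0."""
    req = flow.request
    resp = flow.response
    if when is None:
        when = datetime.datetime.utcnow()
    status = resp.status_code if resp is not None else "-"
    size = len(resp.content) if resp is not None and resp.content is not None else 0
    return format_line(when, req.method, req.scheme, req.pretty_host, req.path, status, size)


def per_host_totals(lines):
    """Aggregate logged lines into {host: (requests, response_bytes)}."""
    totals = {}
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 5:
            continue                      # skip truncated or foreign lines
        host = fields[2].split("://", 1)[1].split("/", 1)[0]
        requests, nbytes = totals.get(host, (0, 0))
        totals[host] = (requests + 1, nbytes + int(fields[4]))
    return totals


def append_line(line):
    """Append one line to the log file."""
    with open(LOG_PATH, "a") as fh:
        fh.write(line + "\n")


# mitmproxy 0.18 event hooks: each receives the flow as its only argument.

def response(flow):
    """Server response received: log the completed flow."""
    append_line(summarize(flow))


def error(flow):
    """Flow failed after the request was read (e.g. upstream unreachable): log it with status '-'."""
    append_line(summarize(flow))


class FakeObject(object):
    """Minimal stand-in for mitmproxy's flow/request/response objects, for offline use only."""
    def __init__(self, **fields):
        self.__dict__.update(fields)


# Constructed sample flow and log lines (not captured data).
SAMPLE_FLOW = FakeObject(
    request=FakeObject(method="GET", scheme="https", pretty_host="api.example.com", path="/v1/ping?x=1"),
    response=FakeObject(status_code=200, content=b"pong"),
)
SAMPLE_LINES = [
    "2016-11-03T12:00:00Z\tGET\thttps://api.example.com/v1/ping?x=1\t200\t4\n",
    "2016-11-03T12:00:01Z\tPOST\thttps://api.example.com/v1/login\t200\t3\n",
    "2016-11-03T12:00:02Z\tGET\thttps://cdn.example.net/logo.png\t200\t1024\n",
]
```

Feeding `open(LOG_PATH)` to `per_host_totals` after a session lists the hosts an app contacted and how much it downloaded from each. A client that aborts the TLS handshake because it pins its certificate never produces an HTTP flow, so such an app shows up as an absence of lines rather than as an error entry.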

Wednesday, 2 November 2016

Logging mobile apps using DD-WRT

Today, I wanted to log the transmissions of a mobile app. I logged into my DD-WRT router and ran the following command.

# tcpdump -i br0 -w moto.pcap host 192.168.5.119

The IP address shown is the address of my mobile phone in my local network.

I then copied the captured file moto.pcap to my desktop computer and opened it in Wireshark, which provides a very nice visual way to inspect the transmitted data. Since this records packets as they cross the router rather than proxying them, TLS payloads remain encrypted, but hosts, ports, DNS lookups and timing are all visible, and it works for apps that pin their certificates.
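What `tcpdump -w` wrote is a pcap file whose records can also be read without Wireshark. The following reader, an added example that is not from the original post, tcpdump or Wireshark, parses the pcap container and the Ethernet/IPv4 headers directly and reproduces what the `host` filter means (packets sent or received by the address), producing the summary one usually wants first: how many packets and bytes went to which peers. The frames are constructed inline with documentation addresses rather than taken from moto.pcap. It also accepts a big-endian pcap, which is what tcpdump on a big-endian router writes because libpcap uses host byte order.

```python
"""Minimal pcap reader that applies tcpdump's `host` filter to an existing capture."""
import socket
import struct

PCAP_MAGIC = 0xa1b2c3d4          # written in host byte order by libpcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ipv4_frame(src, dst, proto, payload):
    """Construct an Ethernet/IPv4 frame (sample data for this example, not a real capture).
    Zeroed MACs and checksum are fine here: the reader only looks at ethertype and addresses."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def write_pcap(frames, endian="<", first_ts=1478000000):
    """Serialise frames as a classic pcap file; endian selects the container's byte order."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack(endian + "IIII", first_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_frames(data):
    """Yield (timestamp, frame) for each record, detecting the file's byte order from the magic."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xd4c3b2a1:        # magic read backwards: written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def ipv4_endpoints(frame):
    """Return (src, dst, protocol) for an IPv4-over-Ethernet frame, or None for anything else."""
    if len(frame) < 34:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    (proto,) = struct.unpack("!B", frame[23:24])
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), proto


def host_summary(data, host):
    """Count packets and bytes `host` sent and received (tcpdump's `host` matches either
    direction) and collect the peers it talked to."""
    summary = {"sent": 0, "received": 0, "sent_bytes": 0, "received_bytes": 0, "peers": set()}
    for _ts, frame in iter_frames(data):
        endpoints = ipv4_endpoints(frame)
        if endpoints is None:
            continue                  # ARP, IPv6 etc. are not IPv4 `host` matches
        src, dst, _proto = endpoints
        if src == host:
            summary["sent"] += 1
            summary["sent_bytes"] += len(frame)
            summary["peers"].add(dst)
        elif dst == host:
            summary["received"] += 1
            summary["received_bytes"] += len(frame)
            summary["peers"].add(src)
    return summary


# Constructed sample: the phone talks to one server, another LAN host sends unrelated traffic.
PHONE = "192.168.5.119"
SAMPLE_FRAMES = [
    ipv4_frame(PHONE, "203.0.113.10", 6, b"GET / HTTP/1.1\r\n"),
    ipv4_frame("203.0.113.10", PHONE, 6, b"HTTP/1.1 200 OK\r\n"),
    ipv4_frame("192.168.5.7", "192.168.5.1", 17, b"\x00" * 8),
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    print(host_summary(SAMPLE_PCAP, PHONE))
```

To run it against the real capture, replace SAMPLE_PCAP with the contents of moto.pcap read in binary mode; the peers set is the quickest way to see every server the app contacted, pinned or not.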