MiTM Proxy Class Activity - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

Objective: Intercept an Encrypted Session to understand how attacks against the human protocol can lead to breaches

Note: This is not an attack on the SSL/TLS protocols. It is an attack on the host (e.g. malicious code) or an attack against a user (e.g. social engineering, carelessness, etc.). Organizations may also deploy SSL/TLS proxies of their own to filter traffic.

MITMProxy is a tool used to demonstrate MITM attacks, particularly against SSL/TLS. It works by intercepting all HTTP and HTTPS requests, making each request on behalf of the client, and returning the results.

Since it intercepts the HTTPS request, it can terminate the client's encrypted channel and use its own SSL/TLS connection to retrieve the website. Between those two connections the data is in the clear, leaving it open to attack, such as simply sniffing it for sensitive information or modifying it in transit. MITMProxy can stop an SSL/TLS connection, allow inspection of the data, and then modify it before passing it on to the intended server.

Commercial proxies work the same way. This is what allows anti-virus and other intrusion detection software to drop malicious traffic before it reaches the client inside an organization.

Configure MitmProxy to intercept all web traffic. Configure the Chrome web browser to use the attacking host as a proxy.

Run the proxy with no options in the Kali VM:

  • mitmproxy

image

You will see a screen with no contents except a [0] at the bottom left and "?:help [*:8080]" at the bottom right of a blue bar.

NOTE: You can change the port if you want by checking the switches shown in the 'help' output from the command you ran earlier (./mitmproxy -h).

KALI - Note: you may need to update mitmproxy with easy_install --upgrade pip and then pip install mitmproxy.

Configure Windows 10 to use Kali as the proxy

  • Start chrome with security options disabled
    • Create a .bat file and start chrome using this file

image

  • Go to settings
  • Type Proxy
  • Choose change proxy settings
  • Check "Use Proxy Server"
  • Enter IP address of your Kali VM and port 8080

image

NOTE: This process is done manually for the purposes of demonstrating this lab. However, malicious software can modify the configuration files of Firefox etc. and inject its own proxy IP address.

In Chrome, browse to a site like http://burlingtoncityarts.org. Watch the MITMProxy screen in Kali. Notice how you can see all traffic. That is how a standard proxy works.

image

Intercept and View HTTPS Traffic

image

Why is a certificate error displayed? (sentence or two)

  • The browser doesn't recognize the Certificate Authority of the certificate, since it's the mitmproxy that we are using, so it says that the certificate is invalid.

image

Malware can also add CAs to the certificate store, so:

image

Note: if the site doesn't link, then View Source to view the raw HTML and its relative reference.

  • Click on the .p12 file to install the MiTM Proxy CA cert

image

  • Important: Make sure to change the Certificate Store during the certificate import. Select Trusted Root Certification Authorities.

image

Browse to https://wikipedia.org - you should not receive any certificate warnings.

image

Why was Wikipedia now able to load with no cert warnings?

  • Wikipedia was able to run with no cert warning because we added the mitmproxy to Trusted Root Certification Authorities, so now the browser recognizes the CA and says that the certificate is valid.

image

View the Kali mitmproxy window. You can now see GETs and other traffic that would be encrypted in a packet capture. (You can now continue with normal, secure Chrome instead of the one you started with the .bat file.)
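The trust-store trick above is worth seeing from the defender's side: once the mitmproxy CA is trusted, the browser stops warning, but the certificate the client actually receives is still issued by "mitmproxy" rather than by the site's real CA. The following check is an added example, not part of this lab or of mitmproxy itself; the pinned issuer set and the two sample certificate dicts are constructed to mirror what `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

# Assumption: the defender knows which public CA normally issues a site's
# certificate. This value is a constructed placeholder, not a real pin.
EXPECTED_ISSUER_ORGS = {"Example Public CA LLC"}
# Subject name of the CA that mitmproxy generates for itself.
INTERCEPTION_CA_NAMES = {"mitmproxy"}


def _rdn_value(name, key):
    """Read one attribute (e.g. 'organizationName') from a getpeercert() name."""
    for rdn in name:
        for attr_type, value in rdn:
            if attr_type == key:
                return value
    return None


def interception_indicators(peercert, expected_issuer_orgs=EXPECTED_ISSUER_ORGS):
    """Return why a getpeercert() dict looks proxy-minted; [] means clean."""
    reasons = []
    issuer, subject = peercert.get("issuer", ()), peercert.get("subject", ())
    issuer_org = _rdn_value(issuer, "organizationName")
    issuer_cn = _rdn_value(issuer, "commonName")
    if issuer_cn in INTERCEPTION_CA_NAMES or issuer_org in INTERCEPTION_CA_NAMES:
        reasons.append(f"issuer is a known interception CA: {issuer_cn or issuer_org}")
    if issuer_org not in expected_issuer_orgs:
        reasons.append(f"issuer organisation {issuer_org!r} is not a pinned CA")
    if issuer == subject:
        reasons.append("certificate is self-signed")
    return reasons


def fetch_peercert(host, port=443):
    """Live helper (not run offline): the leaf cert the client really receives."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples: what the lab browser sees for wikipedia.org after
# trusting the mitmproxy CA, next to a normally issued certificate.
MITM_CERT = {
    "subject": ((("commonName", "wikipedia.org"),),),
    "issuer": ((("organizationName", "mitmproxy"),), (("commonName", "mitmproxy"),)),
}
GENUINE_CERT = {
    "subject": ((("commonName", "wikipedia.org"),),),
    "issuer": ((("organizationName", "Example Public CA LLC"),), (("commonName", "Example CA R3"),)),
}
```

Running `interception_indicators(fetch_peercert("wikipedia.org"))` from the proxied Windows VM would flag the session even though Chrome shows a padlock, because the check compares the issuer against a pin instead of asking the (tampered) trust store.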

Search for Champlain College in Wikipedia

Review the MitmProxy output and find a request that shows the search for Champlain College.

image

image

Capture a username and password

Go to any encrypted login page on the Windows VM. You should be able to find the POST request in the MITM Proxy window on Kali. Go into the details and you should see the user/pass. Post a screenshot of the clear-text password.

image

image

Configure MITMProxy to modify the Victim’s network traffic in real-time.

By default MITMProxy is a "confidentiality" attack because the attacker is able to view information that is not intended for them to see.

An “availability” attack would be performed if the attacker shuts down the proxy - in this case stops MITMProxy. This prevents your partner from accessing the Internet because the proxy is no longer available.

A particularly dangerous type of attack is the modification (integrity) of data. MITMProxy supports modifying data on the fly. That means modifying data in transit. MITMProxy can stop a connection, allow you to view it, and then arbitrarily modify data. This is what SSL is supposed to protect you against, right?

image

image

Champlain.edu query

image

uvm.edu results

image

Perform your own site replacement with terms and sites of your choosing!

image

image

image

whitehouse.gov query

image

Identify one reason a malicious actor might use the MITM replacement.

A malicious actor might use the MITM replacement to attempt to gain credentials. They might send a link to a target that looks similar to a trusted URL they use regularly, such as their bank. The attacker might change the URL slightly and create a fake web interface. The user might then input their credentials, and the malicious actor would be able to see them via the MITM Proxy.