MiTM Proxy Class Activity - derek-hash/SYS-265-02 GitHub Wiki
Objective: Intercept an Encrypted Session to understand how attacks against the human protocol can lead to breaches
Note: This is not an attack on the SSL/TLS protocols. It is an attack on the host (e.g. malicious code) or an attack against a user (e.g. social engineering, carelessness, etc.). Organizations may also deploy SSL/TLS proxies of their own to filter traffic.
mitmproxy is a tool used to demonstrate MITM attacks, particularly against SSL/TLS. It works by intercepting all HTTP and HTTPS requests, making each request on behalf of the client, and returning the results.
Because it terminates the client's HTTPS connection, it can decrypt the traffic and open its own SSL/TLS connection to retrieve the website. Between that decryption and re-encryption the data is exposed, whether to simple sniffing for sensitive information or to modification in transit. mitmproxy can stop an SSL/TLS connection, allow inspection of the data, and then modify it before passing it on to the intended server.
Commercial proxies work exactly the same way. This is what lets anti-virus and other intrusion detection software drop malicious traffic before it reaches a client within the organization.
Prerequisites: a Kali VM (attacking) and a Windows 10 VM (target).
Log in to both and confirm they have working IP addresses. Write down the Kali IP address for later.
Configure mitmproxy to intercept all web traffic, then configure the IE/Chrome web browsers to use the attacking host as a proxy.
1. Run the proxy with no options:
mitmproxy
You will see a screen with no contents, but a [0] at the bottom left and "?:help [*:8080]" at the bottom right on a blue bar.
NOTE: You can change the port if you want; check the switches shown in the 'help' output of the command you ran earlier (./mitmproxy -h).
KALI - Notes: you may need to update mitmproxy with: easy_install --upgrade pip and then pip install mitmproxy
New versions of mitmproxy use TLS 1.2, so Windows IE may need an update (IE - Tools - Internet Options - Advanced - check TLS 1.2).
2. Configure Windows 10 to use Kali as a proxy
Open IE, click Tools, go to Internet Options, then Connections - LAN Settings. Check "Use Proxy Server" and enter the IP address of your Kali VM and port 8080.
NOTE: This process is being done manually for the purposes of this lab demonstration. However, malicious software can modify the configuration files for Firefox and inject its own proxy IP address. Also keep in mind that we're only modifying the proxy for the web browser; almost all applications support using proxies.
- In IE, browse to a site like http://burlingtoncityarts.org . Watch the mitmproxy screen in Kali. Notice how you can see all traffic. That is how a standard proxy works.
- Submit: screenshot of mitmproxy capturing the Burlington City Arts GET request.
Intercept and View HTTPS Traffic
1. In IE, browse to https://login.comcast.net/login . You should receive some certificate errors, and after last week's lab you should know why!
Submit: Why is a certificate error displayed? (sentence or two)
2. Malware can also add CAs to the certificate store, so: browse to http://mitm.it and click on the Windows icon. Note: if the site doesn't link, View Source to find the raw HTML and its relative reference. Click on the .p12 file to install the mitmproxy CA cert. Important: make sure to change the Certificate Store during the certificate import; select Trusted Root Certification Authorities.
3. Browse to https://wikipedia.org . You should not receive any certificate warnings.
Submit: Why was Wikipedia now able to load with no cert warnings?
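From the defender's side, both changes this lab makes on the Windows VM (a proxy set through IE's LAN Settings and a root CA imported into the user's store) leave traces that can be audited. The PowerShell below is an added example, not part of the lab; it assumes the .p12 was imported into the Current User store, which is the import wizard's default for a normal user.

```powershell
# Added example (not part of the lab): audit the two changes the lab makes
# on the Windows 10 VM. Run in a normal (non-elevated) PowerShell session as
# the user whose browser was configured.

# 1. WinINET proxy settings: this is the key IE's LAN Settings dialog writes.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) {
    Write-Warning "User-level proxy is enabled: $($inet.ProxyServer)"
} else {
    Write-Output 'No user-level proxy is configured.'
}

# 2. Root CAs that exist only in the user's own store.
#    Cert:\CurrentUser\Root is a merged view that also shows machine-wide
#    roots, so drop anything present in the machine Root/AuthRoot stores;
#    what remains was imported for this user (as the .p12 import does).
$machineRoots = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    ForEach-Object { $_.Thumbprint })
$userOnly = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machineRoots -notcontains $_.Thumbprint }

foreach ($ca in $userOnly) {
    # Subject and expiry are enough to recognise a lab or malware CA by eye;
    # the thumbprint is what you would search for on other hosts.
    $msg = 'User-only root CA: {0} | thumbprint {1} | expires {2:yyyy-MM-dd}'
    Write-Warning ($msg -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter)
}
if (-not $userOnly) { Write-Output 'No user-only root CAs found.' }
```

Run it before and after the .p12 import in this lab and the newly trusted CA should appear in the second section while the Kali IP and port 8080 appear in the first.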
View the Kali mitmproxy window. You can now see GETs and other traffic that would be encrypted in a traffic capture.
- Search for Champlain College in Wikipedia.
- Review the mitmproxy output and find a request that shows the search for Champlain College.
Submit: a screenshot of mitmproxy logs showing in clear text what would be encrypted in a normal traffic capture.
- Go Deeper: Can you capture a username and password? Go to any encrypted login page on the Windows VM. You should be able to find the POST in the mitmproxy window on Kali. Go into the details and you should see the user/pass. Post a screenshot of the clear text password.
Configure mitmproxy to modify the victim's network traffic in real time. By default mitmproxy is a "confidentiality" attack, because the attacker is able to view information that is not intended for them to see.
An "availability" attack would be performed if the attacker shuts down the proxy, in this case stops mitmproxy. This prevents your partner from accessing the Internet because the proxy is no longer available.
A particularly dangerous type of attack is the modification (integrity) of data. mitmproxy supports modifying data on the fly, that is, modifying data in transit. It can stop a connection, allow you to view it, and then arbitrarily modify the data. This is what SSL is supposed to protect you against, right?
- On Kali, type "q" and answer yes to quit mitmproxy.
- Then restart mitmproxy with the command:
mitmproxy --map-remote "|https://champlain.edu|https://uvm.edu"
(those are two dashes in front of "map-remote") and press Enter.
This filter will attempt to replace any occurrence of "champlain" within any site you visit with "uvm" as you browse the web over an HTTP or HTTPS connection.
- From Wikipedia, enter "Champlain" into the search bar; the University of Vermont web page should be returned!
- Submit: a screen capture of the mitmproxy flow showing the Champlain query and UVM results.
- Perform your own "replacement" with terms and sites of your choosing:
Submit: screenshot of your custom replacement
Submit: identify one reason a malicious actor might use MITM replacement.
Submission
Submit screenshots and answers to questions