MiTM Proxy Class Activity - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki

Lab Introduction

Objective: Intercept an Encrypted Session to understand how attacks against the human protocol can lead to breaches

Note: This is not an attack on the SSL/TLS protocols. It is an attack on the host (e.g. malicious code) or an attack against a user (e.g. social engineering, carelessness, etc.). Organizations may also deploy SSL/TLS proxies of their own to filter traffic.


Lab Procedure

Goal: Configure MitmProxy to intercept all web traffic. Configure Chrome Web Browser to use the attacking host as a proxy.

easy_install --upgrade pip
pip install mitmproxy

Configure MitmProxy and Chrome

Let's first start Chrome with security options disabled: create a .bat file with the following content and start Chrome using this .bat file:

image


  • Go to Settings
  • Type "proxy"
  • Choose "Open your computer's proxy settings"
  • Check "Use Proxy Server"
  • Enter the IP address of your Kali VM and port 8080

NOTE: This process is being done manually for the purposes of demonstrating this lab. However, malicious software can modify the configuration files for Firefox etc. and inject its own proxy IP address.

In Chrome, browse to a site like http://burlingtoncityarts.org. Watch the MITMProxy screen in Kali. Notice how you can see all traffic. That is how a standard proxy works.

image


Intercept and View HTTPS Traffic

image

When browsing to https://login.comcast.net/login with the MITMProxy on, my Windows browser warned me that the certificate for the website was not valid. This is because the certificate authority appears to be my MITMProxy on Kali since traffic is being intercepted and routed through it. My browser does not trust it as a CA since it is not listed in the certificate store and therefore rejects it.


Malware can also add CAs to the certificate store

  • Browse to http://mitm.it
  • Click on the Windows icon (read the instructions first)
    • Note: if the site doesn't link, then View Source to view the raw HTML and its relative reference.
  • Click on the .p12 file to install the MiTM Proxy CA cert

Important: Make sure to change the Certificate Store during the certificate import. Select Trusted Root Certification Authorities.

image

Once I added my MITMProxy as a trusted CA in the device's certificate store, the certificates of https websites were no longer showing up as invalid.
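A defender-side check for the two client changes this lab makes (a new trusted root CA and a system proxy), as an added example that is not part of the lab write-up. It assumes the mitmproxy CA keeps its default subject containing "mitmproxy" and that Chrome uses the WinINET proxy settings set in Windows Settings.

```powershell
# Added example (not from the lab): run on the Windows client to spot a rogue root CA
# and an unexpected proxy server, then remove the CA by thumbprint if it is unwanted.

# 1. Root CA stores: flag certificates whose subject matches the mitmproxy CA, or that
#    were issued within the last 7 days (heuristic window, adjust for your environment).
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root'
$suspicious = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        $_.Subject -match 'mitmproxy' -or $_.NotBefore -gt (Get-Date).AddDays(-7)
    } | Select-Object @{ n = 'Store'; e = { $store } }, Subject, Issuer, Thumbprint, NotBefore
}
$suspicious | Format-Table -AutoSize

# 2. WinINET proxy configuration ("Use Proxy Server" in Settings), used by Chrome/Edge.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
[pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable    # 1 = a manual proxy is turned on
    ProxyServer   = $inet.ProxyServer    # e.g. <kali-ip>:8080 after this lab
    AutoConfigURL = $inet.AutoConfigURL  # PAC script, another way a proxy can be injected
} | Format-List

# 3. Remediation: remove a rogue CA by its thumbprint from the store it was found in.
#    Uncomment and fill in the thumbprint reported above.
# Remove-Item -Path "Cert:\CurrentUser\Root\<THUMBPRINT>"
```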


image

With my MITMProxy, I can view web traffic from my Windows machine that would otherwise be encrypted. As seen above, all of the information is decrypted and visible to view.


image

This is another example of how the MITMProxy logs show clear text information from my Windows machine that should be encrypted. After visiting a simple website login page and entering a random login/password, I can see the credentials in plain text via the proxy logs.


Configure MITMProxy to modify the Victim’s network traffic in real-time

MITMProxy supports modifying data on the fly. That means modifying data in transit. MITMProxy can stop a connection, allow you to view it, and then arbitrarily modify data.

  • On Kali - type "q" and answer yes to quit mitmproxy
  • Then restart mitmproxy with the command: sudo mitmproxy --map-remote "|https://champlain.edu|https://uvm.edu"
  • Type https://champlain.edu in your web browser

image

  • You can see in the GET request above, that I have typed in the address for Champlain College’s website.

image

  • However, since my MITMProxy was opened with a command to redirect Champlain College website traffic to UVM’s website, the GET request is modified and my client is redirected.