# MITMproxy

## Intro

MITMproxy is a proxy that makes it easy to run MITM attacks on traffic that passes through it. It supports HTTP/HTTPS and SOCKS5 modes. It lets you modify traffic on the fly or just capture interesting information for further analysis. It is well suited to researching API interfaces on mobile platforms. The project page is https://mitmproxy.org/, where you can find additional info.

## Install

mitmproxy can be installed from distribution repositories.

On Debian-like systems:

```bash
sudo apt-get install mitmproxy
```

On Arch Linux:

```bash
pacman -S mitmproxy
```

### Sources

mitmproxy uses GitHub for development; the project page on GitHub is https://github.com/mitmproxy/mitmproxy

If you just want to clone it:

```bash
git clone https://github.com/mitmproxy/mitmproxy.git
```

## Using

There are many scenarios in which you would want to use mitmproxy. Here are some things, for fun or for serious work, that you can do with a proxy.

### Use proxy for browser

OK, let's first cover setting up mitmproxy in a simple scenario for a browser. Here is a snippet showing how to run mitmproxy in HTTP mode on port 10000:

```bash
#!/bin/sh
export LANG=en_US.UTF-8
mitmproxy --port 10000
```

Set your browser to use an HTTP proxy, try some HTTP pages, and you will see all the requests.

### Setting up your own proxy for Android

Now let's try mitmproxy as an Android proxy. One way to set up the proxy is through the default Android network settings, but since an application can simply bypass a proxy configured that way, it is better to use ProxyDroid; otherwise some apps will ignore the proxy settings.

#### Setting up mitmproxy certificate on Android device

mitmproxy certificates are stored in the _~/.mitmproxy_ directory. To install the certificate on Android, go to _Settings->Security_, choose the option _Install from storage_, and point to where you saved the mitmproxy certificate. How you transfer the mitmproxy certificate to your device is up to you; there are many ways, from old-school FTP to Bluetooth file sharing.

The final step is to set up the proxy.
You can do it in the Network menu, but applications can bypass it. That is why a rooted device with ProxyDroid is the better solution. In ProxyDroid, set the port to **8080** (the default port of mitmproxy) and _Proxy Type_ to **SOCKS**. You can also choose the **HTTP** or **HTTPS** proxy type, but if an application uses both of them, you will miss one or the other.

#### Starting mitmproxy in SOCKS5 mode

```bash
mitmproxy --socks
```

Now, when you use apps, you will see some traffic going in or out. Also, as mitmproxy is an HTTP/HTTPS proxy, you will not see other protocols. Here are some top Android applications, [Top 50](http://www.techradar.com/news/phone-and-communications/mobile-phones/top-210-best-android-apps-2013-693696); you can search for many other lists of "top" Android applications. Now that you have something to explore, here are a few tips:

* If an application works but you don't see any traffic in mitmproxy, check the network traffic with Wireshark; maybe a non-HTTP protocol is being used.
* If an application fails to connect while you are sure that the proxy works properly, it could be using some MITM attack protection such as certificate pinning.
* If an application fails to connect while you are sure that the proxy works, run the application through a different MITM proxy like [Charles](http://www.charlesproxy.com/); it could just be a mitmproxy bug (as it is in active development).
* If there is streaming in an application and it does not work with mitmproxy, confirm with [Charles](http://www.charlesproxy.com/); sometimes mitmproxy could not stream HTTP while [Charles](http://www.charlesproxy.com/) could.

### Writing your own scripts

### Traffic monitoring

## Conclusion

As any open source project, mitmproxy suffers from the usual open source project diseases: lack of support, bad documentation and a small number of users who use it professionally. On the other hand, it is written in Python, and it is easy to hack into the source by extending it with your own use-case-specific scripts.
And the unlimited libraries that Python has allow you to integrate mitmproxy into anything you like, from statistical libraries for analyzing traffic to wherever your imagination stops.

Speaking of how applications work on Android: they all definitely suck. There you can find plain usernames/passwords sent over HTTPS to secret APIs whose only security is trust in HTTPS. Many applications use many external APIs for extra services, which require a plain password to authenticate. And OAuth 2.0 definitely sucks more than OAuth 1.0 from a user security point of view. Here are some talks from a guy who worked on the OAuth standard: [http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/comment-page-1/](http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/comment-page-1/). You will probably find much more about how security sucks at the application API level.

## Links

1. [https://mitmproxy.org/](https://mitmproxy.org/)
2. [https://github.com/mitmproxy/mitmproxy](https://github.com/mitmproxy/mitmproxy)
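An added example for the empty "Writing your own scripts" section and the conclusion's point about plaintext credentials: a hypothetical mitmproxy addon (my code, not the project's, written against the modern addon API rather than the older script API this post predates) that flags requests carrying a password-like form field or an HTTP Basic header, so you can see which app APIs rely on HTTPS alone. The `CREDENTIAL_FIELDS` list and the `classify_request` helper are my own constructions; the helper is kept separate from the hook so it can be exercised without mitmproxy installed.

```python
"""Hypothetical mitmproxy addon (constructed example): flag requests that
carry credentials as plaintext form fields or HTTP Basic auth headers.
Load it with a modern mitmproxy:  mitmdump --mode socks5 -s plain_creds.py
"""
import logging
from urllib.parse import parse_qs

# Constructed list of form-field names that commonly hold a credential.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret",
                     "api_key", "apikey", "token"}


def find_credential_fields(content_type: str, body: str) -> list:
    """Names of credential-looking fields in a urlencoded form body."""
    if "application/x-www-form-urlencoded" not in content_type.lower():
        return []  # JSON/multipart bodies are not inspected here
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)


def classify_request(scheme: str, method: str, headers, body: str) -> list:
    """Return human-readable findings for one request (empty if clean).
    `headers` may be a plain dict or mitmproxy's Headers object."""
    hdr = {k.lower(): v for k, v in headers.items()}  # case-insensitive lookup
    findings = []
    if hdr.get("authorization", "").lower().startswith("basic "):
        findings.append("HTTP Basic credentials in Authorization header")
    if method.upper() == "POST":
        for name in find_credential_fields(hdr.get("content-type", ""), body):
            findings.append(f"credential field '{name}' in form body")
    if findings and scheme.lower() != "https":
        findings.append("sent over plaintext HTTP, not even TLS-protected")
    return findings


class PlainCredentialDetector:
    """mitmproxy addon: the request() hook runs once per client request."""

    def request(self, flow):
        req = flow.request
        body = req.get_text(strict=False) or ""
        for finding in classify_request(req.scheme, req.method, req.headers, body):
            logging.warning("%s %s: %s", req.method, req.pretty_url, finding)


addons = [PlainCredentialDetector()]
```

Findings appear in mitmproxy's event log; extend `CREDENTIAL_FIELDS` with the parameter names of the API you are researching.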