blob: 8f36f57b08cbb33226cdfb32ee093a238fcc7192 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
# MITMproxy
## Intro
MITMproxy is proxy that allows easily to make MITM attacks on traffic that
come trough proxy. It supports HTTP/HTTPS and SOCKS5 modes. It allow to modify
traffic on the fly or just trigger some interesting info for further analysis.
Its good to for researching API interfaces on mobile platforms.
Project page is https://mitmproxy.org/ where you can find additional info.
## Install
There is possible to install mitmproxy from distribution repositories
On Debian like systems
```bash
sudo apt-get install mitmproxy
```
On archlinux system
```bash
pacman -S mitmproxy
```
### Sources
Mitmproxy uses github for development here is project page on github
https://github.com/mitmproxy/mitmproxy
If you whant just clone it
```bash
git clone https://github.com/mitmproxy/mitmproxy.git
```
## Using
There is many scenarios when you would like to use mitmproxy here is some
that are for fun or serious job to do with proxy.
### Use proxy for browser
Okey lets cover just setting up mitmproxy in simple scenario for some browser.
Here is snippet how to run mitmporxy in HTTP mode on port 10000
```bash
#!/bin/sh
export LANG=en_US.UTF-8
mitmproxy --port 10000
```
Setup your browser to http proxy mode and you try some http pages and will
see all requests.
### Setting up your own proxy for Android
Lets try now mitmproxy as Android proxy. First way how to setup proxy is
As application can just bypass proxy setting that you set in Android default
way, its better way to use ProxyDroid otherwise some APPs will ignore proxy
settings.
#### Setting up mitmproxy certificate on Android device
mitmproxy certificates are stored in _~/.mitmproxy_ directory
To install certificate in Android _Setting->Security_ you should choose option
_Install from storage_ and point where you saved mitmproxy certificate.
How to transfer mitmproxy certificate on you device is up to you, there is
many ways from old-school ftp style to some Bluetooth connected file sharing.
Final step is to setup proxy. You can do it in Network menu but
applications can bypass it. That why rooted device with ProxyDroid is better
solution. Set in ProxyDroid you port to **8080** (default port of mitmproxy) and
_Proxy Type_ to **SOCKS**. You can choose also **HTTP** or **HTTPS** proxy type
but if application uses both of them then you will not see one or other.
#### Starting mitmproxy in SOCKS5 mode
```bash
mitmproxy --socks
```
Now when you will use apps you will see how some traffic going in or out.
Also as mitmproxy is HTTP/HTTPS proxy you will not see if there is some
other protocols.
Here is some top applications on Android
[Top 50](http://www.techradar.com/news/phone-and-communications/mobile-phones/top-210-best-android-apps-2013-693696)
you can search for many other list of "top" Android applications.
Now when you have something to explore you there is few tips.
* You could experience that application works but you dont see any traffic
mitmproxy, check network traffic with wireshark maybe just non-http protocol
used.
* If application fail to connect while you sure that proxy works properly
it could be it use some MTIM attack protection such as certificate pinning.
* If application fail to connect while you sure that proxy works run such
application with different MTIM proxy like [Charles](http://www.charlesproxy.com/)
it could be just mitmproxy bug (as its in active development)
* If there is some streaming in application and it doesnt work with mitmproxy
confirm that with [Charles](http://www.charlesproxy.com/) sometime mitmproxy
couldnt stream http while [Charles](http://www.charlesproxy.com/) could do it.
### Writing you own scripts
### Traffic monitoring
## Conclusion
As any open source project mitmproxy suffers from usual open source project
diseases, like lack of support bad documentation and small amount users who use
it professionally. From other point it written in python and its easy to hack
into source by extending with your own use case specific scripts. And unlimited
libraries that python have allows to integrate mitmproxy in anything you would
like from statistical libraries for analyzing traffic to where you imagination
stops.
If speak about how applications work on Android then they all definitely suck.
There you can find plain usernames/password sended in HTTPS to secret API's
whose only security is trust in HTTPS. Many applications uses many external
API's for extra services with requires plain password to authenticate. And
definitely OAuth 2.0 suck more then OAuth1.0 from user security point. Here is
some talks from guy who worked on OAuth standard
[http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/comment-page-1/](http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/comment-page-1/).
Probably you will find much more about how security suck in application API
level.
## Links
1. [https://mitmproxy.org/](https://mitmproxy.org/)
2. [https://github.com/mitmproxy/mitmproxy](https://github.com/mitmproxy/mitmproxy)
|