Ok, I have to admit that I only recently realized that a tool named Mallory exists. So much so that I had even started developing mitmproxy4j to intercept SSL traffic.
It was obvious that every tester needs such a tool to intercept applications' traffic and see what is going on over the network. You may think you can accomplish this with a few iptables commands and a tool you write yourself to intercept and redirect traffic, but doing so for every application you want to examine can be tedious and frustrating.
So Intrepidus Group did a great job developing Mallory. Formally, Mallory is a transparent TCP and UDP proxy that can intercept any traffic carried over TCP and UDP; HTTP, HTTPS, DNS and SSH are some examples. Its transparency also lets a tester use it without any special configuration on the client side, which means you can use it with your mobile phone using only the phone's built-in network settings.
Enough said, let's set up our Mallory!
Mallory needs to live on a gateway, so first of all you need a machine to operate as a gateway for the clients whose traffic we want to intercept. I installed Ubuntu 12.04 LTS on a virtual machine with a bridged network. (There is also a VM torrent link on their Bitbucket page, but I didn't manage to download it because of a lack of seeders nowadays.)
I have Python 2.7.3 installed on Ubuntu. There is also a bunch of packages to install in order to use Mallory. Run these commands:
Now it is time for downloading Mallory source:
You have installed Mallory and it is ready to launch. But first we need another interface for incoming connections. (Remember, Mallory lives on a gateway, and gateways have at least two interfaces: LAN and WAN.)
As the second interface, we will use the Point-to-Point Tunnelling Protocol (PPTP), so we need to install a "pptpd" server.
Now some configuration is needed to get PPTPD up and running.
Edit this file like this; here "vpnuser" and "123456" are the username and password, respectively, that clients will use to connect to the PPTP server.
Now run the command below and edit the PPTP server's local and remote IP addresses:
You only need to uncomment and edit the "localip" and "remoteip" lines.
You may also want to define DNS servers for Windows PPTP clients. Run:
and edit “ms-dns” lines like this:
Now we can restart the pptpd server and test it.
To test it, we need to enable IPv4 forwarding and redirect incoming connections to the network. Run:
and uncomment the "net.ipv4.ip_forward=1" line. Run this command to apply the configuration changes.
Redirect the traffic with this command and connect from the client.
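The whole gateway setup above (PPTP user, local/remote addresses, DNS for clients, IPv4 forwarding and NAT) collected into one script, as an added example that is not from the original post or from the Mallory project. It writes the three pptpd files into a staging directory instead of /etc so they can be reviewed first, and prints the privileged forwarding commands rather than running them. The addresses, the DNS servers, the eth0 WAN interface name and the MS-CHAPv2/MPPE option set are assumptions; only "vpnuser"/"123456" and the file roles come from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Renders the pptpd gateway
# configuration into a staging directory for review before copying to /etc.
set -eu

# Assumed values (not from the post): tunnel address of the gateway, the
# address pool handed to PPTP clients, DNS servers pushed to clients, and
# the interface that faces the internet.
LOCAL_IP="192.168.0.1"
REMOTE_IP="192.168.0.234-238"
DNS1="8.8.8.8"
DNS2="8.8.4.4"
WAN_IF="eth0"

# write_pptpd_conf DIR -> DIR/pptpd.conf (the "localip"/"remoteip" lines)
write_pptpd_conf() {
    dir="$1"
    cat > "$dir/pptpd.conf" <<EOF
option /etc/ppp/pptpd-options
logwtmp
localip $LOCAL_IP
remoteip $REMOTE_IP
EOF
}

# write_chap_secrets DIR USER PASS -> DIR/chap-secrets
# Field order is: client  server  secret  IP-addresses ("*" = any address).
write_chap_secrets() {
    dir="$1"; user="$2"; pass="$3"
    printf '%s\tpptpd\t%s\t*\n' "$user" "$pass" > "$dir/chap-secrets"
    chmod 600 "$dir/chap-secrets"   # secret is stored in cleartext; restrict perms
}

# write_pptpd_options DIR -> DIR/pptpd-options (the "ms-dns" lines, plus the
# assumed authentication/encryption settings: MS-CHAPv2 with 128-bit MPPE).
write_pptpd_options() {
    dir="$1"
    cat > "$dir/pptpd-options" <<EOF
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns $DNS1
ms-dns $DNS2
proxyarp
nodefaultroute
lock
nobsdcomp
EOF
}

# forwarding_commands -> prints (does not run) the root-only commands that
# enable IPv4 forwarding and NAT the PPTP clients out through the WAN side.
forwarding_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Stage everything under the directory given as the first argument, or a
# fresh temporary directory when none is given.
stage="${1:-$(mktemp -d)}"
mkdir -p "$stage"
write_pptpd_conf "$stage"
write_chap_secrets "$stage" vpnuser 123456
write_pptpd_options "$stage"
forwarding_commands > "$stage/enable-forwarding.sh"
echo "pptpd configuration staged in $stage"
```

Review the staged files, copy them to /etc/pptpd.conf, /etc/ppp/chap-secrets and /etc/ppp/pptpd-options, then run the two lines in enable-forwarding.sh as root before restarting pptpd. Note that the forwarding sysctl and the iptables rule are not persistent across reboots; the post's edit of /etc/sysctl.conf covers the first, and the NAT rule has to be saved or re-applied at boot. MS-CHAPv2 is the strongest authentication pptpd offers but is known to be weak, so a setup like this belongs on an isolated lab network.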
Aha! Client it is!
I used my Android phone as a PPTP client. The configuration is pretty straightforward.
If all goes well, you should be connected to the internet through the configured gateway.
Ok, I connected to the PPTP server, so what?
Now it is time to start Mallory and its GUI!
In the Interfaces tab, you should see something like this. Here eth0 and ppp0 are the outgoing interface and the interface to be MITM-ed, respectively.
If you click "Apply Configuration" at this point, you can see traffic flowing in the Streams tab (assuming no protocol is selected and only the "Debug All" rule exists). But it is raw data; no stripping is done on it.
So, if you want to strip SSL on, let's say, port 5228, you need to define a protocol in the Protocols tab like this:
*Be warned! I think there is a misconception about the debuggability of defined protocols: I couldn't see protocol-enabled traffic in the Streams tab. But the "Db View" section under the Advanced tab can always be used to list streams.*
Do you have any last words?
As I said, Mallory is a great tool, but it needs some contribution in the way of feature-adding and bug-fixing. I think its authors don't have time nowadays. I'll see what I can do ;)