Mallory!?

Ok, I have to admit that I only recently realized that such a tool as Mallory exists; so much so that I had even started to develop mitmproxy4j to intercept SSL traffic.

It is obvious that every tester needs such a tool to intercept applications' traffic and see what is going on over the network. You may think you can accomplish this with a few iptables commands and a tool of your own to intercept and redirect traffic, but doing so for every application you want to examine can be tedious and frustrating.

So Intrepidus Group did a great job developing Mallory. Formally, Mallory is a transparent TCP and UDP proxy that can intercept any traffic over TCP and UDP; HTTP, HTTPS, DNS and SSH are some examples. Its transparency also lets the tester use it without any special configuration on the client side, which means you can use it from your mobile phone with nothing more than the phone's built-in configuration options.

Enough said, let's set up our Mallory!

Mallory needs to live on a gateway, so first of all you need a machine to act as a gateway for the clients whose traffic you want to intercept. I installed Ubuntu 12.04 LTS on a virtual machine with a bridged network. (There is also a VM torrent link on their Bitbucket page, but I didn't manage to download it because of the lack of seeders nowadays.)

I have Python 2.7.3 installed on Ubuntu. There is also a bunch of packages that need to be installed in order to use Mallory. Run these commands:

sudo apt-get -y install build-essential mercurial libnetfilter-conntrack-dev libnetfilter-conntrack3 python-pip python-m2crypto python-qt4 pyro-gui python-netfilter python-pyasn1 python-paramiko python-twisted-web python-qt4-sql libqt4-sql-sqlite sqlite3 

sudo easy_install pynetfilter_conntrack

sudo ln -s /usr/lib/libnetfilter_conntrack.so /usr/lib/libnetfilter_conntrack.so.1

Now it is time for downloading Mallory source:

hg clone http://bitbucket.org/IntrepidusGroup/mallory

You have now installed Mallory and it is ready to launch. But first we need another interface for incoming connections. (Remember, Mallory lives on a gateway, and gateways have at least two interfaces: LAN and WAN.)

PPTP Interface

As the second interface, we will use the Point-to-Point Tunnelling Protocol (PPTP), so we need to install a "pptpd" server.

sudo apt-get install pptpd

Now some configuration is needed to get PPTPD up and running.

sudo gedit /etc/ppp/chap-secrets

Edit this file like this; here "vpnuser" and "123456" are the username and password, respectively, that clients will use to connect to the PPTP server.

# Secrets for authentication using CHAP
# client    server  secret          IP addresses
vpnuser pptpd 123456 *

Now run the command below and edit the PPTP server's local and remote IP addresses:

sudo gedit /etc/pptpd.conf

You only need to uncomment and edit "localip" and "remoteip" lines.

# (Recommended)
localip 10.0.0.1
remoteip 10.0.0.100-200

You may also want to define DNS servers for Windows PPTP clients. Run

sudo gedit /etc/ppp/pptpd-options

and edit "ms-dns" lines like this:

ms-dns 8.8.8.8
ms-dns 8.8.4.4

Now we can restart the pptpd server and test it.

sudo service pptpd restart

To test it, we need to enable IPv4 forwarding and redirect the clients' incoming connections out to the network. Run:

sudo gedit /etc/sysctl.conf

and uncomment the "net.ipv4.ip_forward=1" line. Run this command to apply the configuration changes:

sudo sysctl -p

Redirect traffic with this command, then connect from the client:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
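The PPTP gateway steps above (chap-secrets, pptpd.conf, pptpd-options, ip_forward and the MASQUERADE rule) can be applied in one idempotent script. The following is an added example, not code from the original post or from the Mallory project. It assumes eth0 as the WAN interface and /etc as the configuration root; set PPTP_ROOT to a scratch directory to render and check the files without touching the system, since only pptp_gateway_apply needs root. The username and secret are passed as arguments rather than hard-coded, chap-secrets is kept root-only because it stores the VPN secret in plaintext, and the NAT rule is added only if iptables -C (check) reports it missing.

```shell
#!/bin/sh
# Added example (not from the original post or Mallory): idempotent PPTP
# gateway setup. Assumptions: WAN interface eth0, config root /etc.
set -eu

: "${PPTP_ROOT:=/etc}"   # assumption: real config root; override for dry runs
WAN_IF="${WAN_IF:-eth0}" # assumption: outgoing interface from the post

# Remove every active or commented-out line for KEY from FILE so that a
# fresh "KEY VALUE" (or "KEY=VALUE") line can be appended exactly once.
strip_option() {
    file="$1" key="$2"
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    grep -v "^[#[:space:]]*$key[[:space:]=]" "$file" > "$tmp" || :
    mv "$tmp" "$file"
}

# Render chap-secrets, pptpd.conf, pptpd-options and sysctl.conf under ROOT.
# Arguments: ROOT USER SECRET LOCALIP REMOTERANGE DNS1 DNS2
render_pptp_config() {
    root="$1" user="$2" secret="$3" localip="$4" remoterange="$5" dns1="$6" dns2="$7"
    mkdir -p "$root/ppp"

    # chap-secrets holds the plaintext VPN secret: keep it root-only.
    secrets="$root/ppp/chap-secrets"
    [ -f "$secrets" ] || printf '# client\tserver\tsecret\tIP addresses\n' > "$secrets"
    strip_option "$secrets" "$user"
    printf '%s pptpd %s *\n' "$user" "$secret" >> "$secrets"
    chmod 600 "$secrets"

    conf="$root/pptpd.conf"
    strip_option "$conf" localip
    strip_option "$conf" remoteip
    printf 'localip %s\nremoteip %s\n' "$localip" "$remoterange" >> "$conf"

    opts="$root/ppp/pptpd-options"
    strip_option "$opts" ms-dns
    printf 'ms-dns %s\nms-dns %s\n' "$dns1" "$dns2" >> "$opts"

    sysctl_conf="$root/sysctl.conf"
    strip_option "$sysctl_conf" net.ipv4.ip_forward
    printf 'net.ipv4.ip_forward=1\n' >> "$sysctl_conf"
}

# Post-render health check: returns 0 only if every expected line is present.
# Arguments: ROOT USER LOCALIP
check_pptp_config() {
    root="$1" user="$2" localip="$3"
    grep -q "^$user[[:space:]]\{1,\}pptpd[[:space:]]" "$root/ppp/chap-secrets" &&
    grep -q "^localip[[:space:]]\{1,\}$localip\$" "$root/pptpd.conf" &&
    grep -q "^remoteip[[:space:]]" "$root/pptpd.conf" &&
    grep -q "^ms-dns[[:space:]]" "$root/ppp/pptpd-options" &&
    grep -q "^net.ipv4.ip_forward=1\$" "$root/sysctl.conf"
}

# Root-only part: reload sysctl, add the MASQUERADE rule once, restart pptpd.
pptp_gateway_apply() {
    sysctl -p
    iptables -t nat -C POSTROUTING -o "$WAN_IF" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    service pptpd restart
}

# Usage: sudo PPTP_APPLY=1 sh pptp-gateway.sh vpnuser 'long-random-secret'
# Without PPTP_APPLY=1 the script only defines the functions above.
if [ "${PPTP_APPLY:-0}" = 1 ]; then
    [ $# -eq 2 ] || { echo "usage: PPTP_APPLY=1 $0 USER SECRET" >&2; exit 2; }
    render_pptp_config "$PPTP_ROOT" "$1" "$2" 10.0.0.1 10.0.0.100-200 8.8.8.8 8.8.4.4
    check_pptp_config "$PPTP_ROOT" "$1" 10.0.0.1 || { echo "config check failed" >&2; exit 1; }
    pptp_gateway_apply
fi
```

Running the script twice leaves exactly one localip/remoteip pair, two ms-dns lines and one chap-secrets entry per user, which is what makes it safe to re-run after editing the address range or DNS servers.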

Aha! Client it is!

I used my android phone as a PPTP client. Configuration is pretty straightforward.

[screenshot: pptp]

If all goes well, you should be connected to the internet through the configured gateway.

Ok, I'm connected to the PPTP server, so what?

Now it is time to start Mallory and its GUI!

cd <install-dir>/mallory/src/
sudo python mallory.py
sudo python launchgui.py

In the Interfaces tab you should see something like this. Here eth0 and ppp0 are the outgoing interface and the interface to be MITM-ed, respectively.

[screenshot: mallory_interfaces]

If you click "Apply Configuration" at this point, you can see traffic flowing in the Streams tab (assuming no protocol is selected and only the "Debug All" rule exists). But it is raw data; no stripping has been done on it.

So, if you want to strip SSL on, let's say, port 5228, you need to define a protocol in the Protocols tab like this:

ssl_1: sslproto.SSLProtocol:5228

*Be warned! I think there is a misconception about the debuggability of defined protocols: I couldn't see protocol-enabled traffic in the Streams tab. But the "Db View" section under the Advanced tab can always be used for listing streams.*

Do you have any last words?

As I said, Mallory is a great tool. But it needs some contribution in feature-adding and bug-solving; I think its authors don't have time nowadays. I'll see what I can do ;)

Cheers!



Ali Demiroz

I am a software developer, life-long learner and time-permitted gamer!
