Hi, in this post I'm giving a detailed guide to using mitmproxy on Kali Linux to capture traffic. mitmproxy provides many attacker capabilities for traffic analysis, such as intercept, modify, replay and save. You can check here for more details. I wanted to use this tool to capture traffic on the same machine (by default the tool is designed to act as a man-in-the-middle attacker that monitors the traffic of a victim device) in order to analyze web protocols. On my Windows machine I used Fiddler to capture and analyze traffic. However, it does not support Linux machines well enough when further processing is required. Hence, I decided to use mitmproxy on Linux.
Note: In order to use mitmproxy to monitor traffic on the same machine we need two users: one user to run the proxy and the other user as the victim. The following are the steps to set up your environment on a Kali Linux machine. Although Kali Linux comes with mitmproxy pre-installed, I removed the existing version and installed the latest mitmproxy version, 5.0.1. The newest version claims to be 4X faster.
Step 0: Remove previously installed mitmproxy
You may have to remove the existing old version of mitmproxy if you are using Kali Linux:
sudo apt-get remove --auto-remove mitmproxy
Step 1: Create a new account for the proxy.
Use the following commands to create a new user. This user will be used as the attacker.
useradd -m mitmproxyuser          # creates the user together with a home directory
passwd mitmproxyuser              # provide a password
usermod -a -G sudo mitmproxyuser  # add the user to the sudo group
Step 2: Download the mitmproxy version 5.0.1
- Visit https://mitmproxy.org/ and download the v5.0 binary of mitmproxy.
- Extract the downloaded .gz file. It contains the following executables:
Step 3: Install the mitmproxy as the newly created user
Change to the directory containing the extracted content of mitmproxy.
- Use the following command to install mitmproxy.
Note: I'm using pip3 to install mitmproxy; pip gave errors for me.
sudo -u mitmproxyuser bash -c 'cd ~ && pip3 install --user mitmproxy'
If the command was successful, the following hidden files will be generated:
Step 4: Update IP forwarding settings and add rules to iptables.
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.conf.all.send_redirects=0
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
Note*: Once these iptables rules are in place, every user other than mitmproxyuser has their HTTP and HTTPS traffic redirected to port 8080, so you will not be able to browse the internet until mitmproxy is started.
Step 5: Start mitmproxy as the user mitmproxyuser
sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --showhost --set block_global=false'
Note*: Now, when you visit a website in the Firefox browser, it will still say that the certificate is not trusted.
Step 6: Install the mitmproxy certificate in the Firefox browser
Once mitmproxy is started:
- Open the browser and visit http://mitm.it/
- Click on 'other' for Linux. It will download the certificate and prompt you to accept it. You can view the certificate and then accept it.
Step 7: Capture traffic in mitmproxy
Finally, after installing the CA certificate, you can use mitmproxy to analyze your traffic as follows.
Click on an item to view the details.
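If you want the captured flows outside the interactive UI for further processing with Linux tools (jq, grep, etc.), mitmproxy can load a Python addon script. The following addon is an added example and not part of the original post: it writes one JSON line per completed flow and includes a small helper that counts requests per host. The log path /tmp/mitm_flows.jsonl and the field names are my own choices; load it by appending `-s flow_logger.py` to the mitmproxy start command above.

```python
import json
from collections import Counter
from pathlib import Path


def flow_record(flow):
    """Flatten the fields of a completed mitmproxy flow that matter for offline analysis."""
    req, resp = flow.request, flow.response
    # pretty_host prefers the Host header; in transparent mode mitmproxy otherwise
    # only knows the destination IP that the iptables REDIRECT rule handed it.
    return {
        "ts": round(req.timestamp_start, 3),
        "host": req.pretty_host,
        "method": req.method,
        "path": req.path,
        "scheme": req.scheme,
        "status": resp.status_code if resp else None,
        "req_bytes": len(req.raw_content or b""),
        "resp_bytes": len(resp.raw_content or b"") if resp else 0,
        # round trip in milliseconds, if the response was fully received
        "ms": round((resp.timestamp_end - req.timestamp_start) * 1000, 1)
        if resp and resp.timestamp_end else None,
    }


class FlowLogger:
    """mitmproxy addon: appends one JSON object per completed flow to a file."""

    def __init__(self, path="/tmp/mitm_flows.jsonl"):  # assumed default path
        self.path = Path(path)

    def response(self, flow):
        # mitmproxy calls this hook once the server response has arrived.
        with self.path.open("a", encoding="utf-8") as fh:
            fh.write(json.dumps(flow_record(flow)) + "\n")


def summarize(path):
    """Requests per host from a JSONL log, e.g. to spot unexpected destinations."""
    hosts = Counter()
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if line.strip():
            hosts[json.loads(line)["host"]] += 1
    return dict(hosts)


# mitmproxy picks up this list when started with: -s flow_logger.py
addons = [FlowLogger()]
```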
Cheers ! 🙂