What is Reddit's opinion of mitmproxy?

How are you with python?

Wouldn’t take much effort to find anything with a header of “content-type: video/mp4” or whatever it is we’re talking about here, and have python stash the response body somewhere. I’ve used this method for saving all kinds of stubborn shit. All the JavaScript trickery in the world isn’t gonna stop this.

Automate requests through the proxy with selenium, maybe?

I have Windows 10 Enterprise installed on a machine earlier today. Even with telemetry set to Full, the lights on my switch don't blink when I double-click on an image in Explorer.

I also set Windows to proxy HTTP/HTTPS to mitmproxy running on another computer, and I get no requests when opening images.

Independently of that, with telemetry fully disabled I still get some disappointing requests to bing.com and live.com when using the operating system. I'm not even logged into a Microsoft account.

The sweet spot of this seems to be debugging the SSL configuration of your server. For everything else, I feel there are more convenient ways.

If you're just interested in the communication contents, just open chrome://net-internals/#events (or the devtools for a high level view). Works without any installation whatsoever, also on the stable versions. For actual debugging on the protocol level, I'd go for mitmproxy, which offers client/server replay etc. (I'm affiliated with the project - Burp, Fiddler, Charles, ZAP, ... would be great alternatives, so it's not about that).

Honestly? vim and grep. A couple quick greps on an unfamiliar codebase usually gives me a good idea of how "smelly" it is security-wise, pull me out a list of http routes so I can see what looks interesting, etc.

As far as infosec-specific tools, maybe mitmproxy? It gives you the ability to replay HTTP requests with slight modifications. I think Firefox allows editing a request before resending in its network inspector but it didn't handle multipart encoded forms very well last time I used it. mitmproxy is also nicer because you can also write plugins to do things like automatically strip CSRF tokens out of proxied requests and replay them so you can quickly verify that all endpoints correctly mitigate CSRF.

Self-signed certs in general provide no security. If your client blindly accepts a self-signed cert, an attacker can trivially MITM the traffic [1] and record/alter any packets in either direction. It's no better than HTTP.

You /can/ securely use your own certs if you control the trusted certificate store on the client. That's generally not the case though.

Look into StartSSL and Let's Encrypt for no-cost certificates.

[1] https://mitmproxy.org/

This is wrong. Check out

https://mitmproxy.org/doc/ssl.html

It allows you to sniff TLS/SSL. You simply need to create a self-signed certificate for the API's domain name, and then add that certificate to Android's certificate chain (a very common/easy process). The app will then trust mitmproxy which decrypts the connection for you in real-time (while proxying onwards to the real server)

Almost certainly. mitmproxy does this. It will generate a new cert that you need to install on your device as trusted.

However, if an app is verifying the certificate itself against a list of known certain they provide, it could fail. Basically HSTS cert pinning. After all, it was designed to prevent MITM attacks.

No, the data is encrypted through TLS and both wireshark and tcp dump don't actively decrypt it.

To decrypt the data, you will need to get Niantic's TLS private key (highly unlikely to ever happen) or mitm the connection at runtime with a certificate you have the private key to. Try <code>mitmproxy</code>, it makes these things easy to do.

/u/larrysalibra, do you know about mitmproxy? It makes intercepting internet traffic (even HTTPS) much easier than sshing your router.

What's interesting to note here is not how much data Tantan is sending back to their servers, but that they're doing it without SSL. If you monitor Tinder traffic, you'll notice largely the same personal details (location, match data, distance, etc.) being transmitted – albeit via HTTPS.

There are a couple ways to do it. First is to use something like Wireshark or mitmproxy to read the network requests the app is making.

Another option is to decompile the apps. This will let them view the source code, which will let them see where it's making network connections

Finally, you can use debugging tools on a physical device to see what's going on.

mitmproxy

You can interactively view requests, and create replacement filters on them. You can also pass all options by cli arguments.

It has a kinda funky UI, but you get used to it pretty quick.

For functional testing (like testing user flows), mitmproxy/mitmdump is a really great tool.
For "pedal-to-the-metal" stress tests, check out Apache/AB.
For pre-built stress tests (like generic unit tests), Apache/JMeter is pretty powerful.

I think mitmdump is the best fit for your use case. Only thing to watch out for is that mitmproxy is a bit of a resource hog, so you might need some port-mirror trickery to avoid introducing performance-related bugs on production.

The general idea is pretty simple, but there is some trickery involved in practice (you can see an open source implementation here for example). As you noticed, the proxy has its own root CA. The general idea is that the proxy uses this CA to generate certificates for any sites you access, on the fly (it probably caches the generated certificates, for efficiency). You can read a more detailed explanation about the whole process here -- look for the sections "Explicit HTTPS" and "Transparent HTTPS" depending on whether Chrome is set up to use the proxy ("Explicit HTTPS") or not ("Transparent HTTPS").
Chrome doesn't know the CA used by the proxy, so even though the certificate it receives for "reddit.com" has a valid signature from this CA, it doesn't consider the connection secure. If you really wanted, you could change that by adding that CA to the list of root CAs trusted by Chrome. You'd have to export the root CA to a file and then import it as a trusted CA by going here: chrome://settings/search#ssl and clicking "Manage Certificates" (this opens the right tool to manage the certificates regardless of the OS Chrome is running). I don't really recommend doing this, though.

Short of traffic monitoring/MITM SSL proxies (mitmproxy for example) to see if proper encryption is used (or if encryption is used at all), you're left with a few choices:

Trusting the company and their privacy policies (if they even have one). I don't personally recommend this.
Sticking to open source software (and verifying the code/compiling it yourself, or, again, trusting a third party to have done that; examples: Hacker's Keyboard and the AOSP keyboard).
Using keyboards that do not require an Internet connection (to list some: Hacker's Keyboard, NextApp Keyboard, Multiling O Keyboard).
Using a firewall to block Internet access to the keyboard after you've installed the language pack, if applicable.

It's a trade-off between security and convenience.

You can packet-sniff your own computer to watch the game communicate with the server, and begin to reverse-engineer the undocumented API by watching the interaction. Assuming the connection is encrypted (and why wouldn't it be, in this day and age), you'll probably have to run something like mitmproxy to decrypt the connection. If they're using certificate pinning, or connect using something other than HTTPS, you may have to reverse engineer the application directly, reading the strings or stepping through instructions to see what calls it makes. Doable, but complicated and tedious.

Used: mitmproxy/Burp Suite to understand how the api works, and jadx to try to get readable decompiled source code once I knew what to look for and general idea of what to expect/how it works.

Security Advisory

Concerning web-based wallets. Why are they so insecure?

In order to allow law enforcement and intelligence agencies to intercept encrypted messages, HTTPS implements a well-known backdoor.

The certificate for a site's public key can be issued by 600+ different certificate authorities, some of which are very shady. Therefore, any attacker on a node in between your device and the website server can intercept the public key and the real certificate and replace it by a fake couple of credentials.

From there on, the Man In The Middle (MITM) can completely decrypt your not so secure communications over HTTPS. A large number of attackers, working various WIFI locations, telecom operators, and backbone operators will automatically harvest userids and passwords from multiple known sites such as indeed blockchain.com. They also intercept a massive number of fiat banking logins and passwords, usually, with a view on selling them on the darknet.

Therefore, a thefting occurrence is just a question of time. All that needs to happen, is that one node on the route between your computer and the website happens to be compromised.

This type of attack is typically automated with tools such as: https://mitmproxy.org.

A fourteen year old script kiddie can learn how to do that in just a few weeks.

This problem also arises when using websites such as coinbase.com. An exchange that you access through the browser is an accident waiting to happen. It is just a question of time and your money will be gone. You can still use them for small amounts if you make sure not to leave your coins on the exchange's website for extended periods of time.

In other words, never use a web application for secure computing. Websites can simply not be secured. This is by design so.

I had a blast doing this!

Reverse engineer the Animal Crossing API with mitmproxy and find out the endpoints for reactions
Set up a Python server to fetch the authentication cookies to access the API
Use Google's Teachable Machine to capture, train my gestures, and export to a Tensorflow model
Pour the model into Tensorflow to predict what gesture I am doing and call the corresponding reaction API on my Python server

Nice list!

I want to give a shout-out to mitmproxy as an open-source alternative to Charles. It has a command-line interface as well as a web interface. It's also scriptable (in Python).

It's come a long way since I first started using it. It's much simpler to get up and running now.

если у сяоми можно устанавливать руками самоподписанные сертификаты (или всовывать руками CA, а потом сертификат), и если можно указать прокси -- то прошивать роутер не обязательно.

На свободную тачку ставится mitmproxy, он генерит сертификат который надо установить в исследуемую систему. Далее в исследуемой системе надо указать, что тачка с mitmproxy это прокси и ходить надо через него.

Тул фактически делает tcpdump, но цимес в том что TLS расшифровывается. В принципе кажется с некоторой гимнастикой Wireshark тоже может залезть внутрь TLS, но с mitmproxy как-то проще в настройках показалось. Это работает, я так успешно проснифал закрытое api одного телефонного приложения и смог написать альтернативный клиент.

https://mitmproxy.org/#mitmdump would probably be a good fit. You can programmically strip out data from http requests using its python api.

I've used mitmproxy in the past with messing around with malware. It works pretty good

As /u/0x414142424242 pointed out, OWASP ZAP is basically an open source alternative with similar core functionality. However, I think mitmproxy is also worth a look -- it has a command line and web interface and is very extensible in Python.

> scraping off an app is different to HTML scraping

for sure, yes, but in my experience it can also be much, much easier because it is highly unlikely that your target will send down presentation stuff (i.e. HTML) to the app -- they will send down only the data, which is what you wanted to begin with.

That said, there are different hurdles to overcome when going after app data: authentication is almost surely involved, there could be rate limiting per login, and they are (strangely) able to change the format or data sent down almost arbitrarily, which isn't typically true for web targets.

> I intend to use an extension to run the android app

I'm not certain what that means, but I guess so long as you know and are comfortable with it, then try it out. My experience has been a mixture of man in the middle attacks, and decompilation of the app to learn the URLs and any auth schemes. But, just like going after a web target, almost every job differs.

I don't at all mean to dissuade you from using the app-centric approach, but also be sure to look at any XHRs on their current website, as it may very well be sending down the JSON you want but without all the authentication or other tidbits you may can avoid. It can be the best of both worlds: just the data, thankyouverymuch, but without all the energy expended to learn those URLs and responses.

> Je suis 100% d'accord avec toi, mais même si ils réussissent à avoir un certifcat signé avec la clef privé il ne peuvent pas lire le traffic envoyé vers un autre certificat en écoutant les câbles. Et si ils ont changé le certificat, de sorte que le traffic soit crypté pour ce certificat, ils ont déjà accès au trafic et ça ne sert donc à rien de toucher aux câbles.

Il suffit de créer un certificat intermédiaire signé avec une clé racine, comme ça tous les navigateurs le reconnaissent. Ensuite, générer des clés à la volée signées avec ce certificat n’est pas très compliqué, il y a même des logiciels qui permettent de faire ça très facilement.

Parce que soyons honnête, peu de sites déploient DNSSEC et DANE/TLSA, peu de gens utilisent un résolveur qui vérifient leur validité, peu de gens vérifient les certificats émis par les sites, et peu de gens n’utilisent un VPN.

>Ce que je veut dire c'est que ce câble ne vas avoir aucun impact sur la force de renseignement de la DGSE

Ça oui je suis d’accord. Ils doivent avoir assez de moyens technique avec les fameuses boites noires.

charlesproxy/fiddler are both very good, and will address most situations. I personally use mitmproxy in a transparent proxy mode, because I have came across some apps that "ignore" a proxy configured on the device client.

https://mitmproxy.org/ http://docs.mitmproxy.org/en/latest/transparent.html?highlight=--host#fully-transparent-mode

If the devs were really focused on preventing a MITM they might leverage cert pinning. Not sure of a way you can snoop that traffic, without doing some http client logging on the server in a lab env.

From what little I read on their site, it looks like they're just an http proxy.

Should be as easy as installing it on any other debian distribution. Get the raspbian flash, and install mitm. The biggest thing you'll have to look out for is dependencies. You may run into several libraries you have to install that aren't called out in the default instructions because normally they're there.

Try the Ubuntu Install Instructions first.

You may be able to use a MITM proxy with these.

https://mitmproxy.org/ for example. (I've never used it. Just came up in a googlesearch)

If they support the older ssl versions, they may redo the ssl protocol for the connection to your browser. They're having to decrypt it anyway.

using STunnel is also possibly an option. Use one stunnel to unwrap the old ssl protocol. Then if you need it, another to rewrap it. (or only connect via an ssh tunneled proxy, which is the only thing allowed to talk to the stunnel port)

Is the ACL (access control list) (A/k/a Ip whitelisting) being done in an access router or in a firewall? Most firewalls are very good at dropping spoofed packets while a router could be bypassed.

The typical way a MITM app works is that it's not a router, it's a proxy. As a proxy it is able to deal with HTTPS and also provide valid routing info to both ends of the conversation.

https://mitmproxy.org/doc/howmitmproxy.html

It works for me. I just point the settings in the wifi settings to the proxy.

http://puu.sh/hFnKW/8c33317b18.jpg

Did you remember to install the certificate on the phone? https://mitmproxy.org/doc/certinstall/webapp.html

If you want less bloat, more open source and non-missing images in the documentation, you way want to take a look at mitmproxy. Also, you get real Python scripting instead of this weird FiddleScript thing.

> Reason 1: make things easy to use.

Burgher's solution: a web wallet.

He does not elaborate, however, on the known phenomenon of why web wallets get hacked incessantly?

The reason is otherwise simple.

The browser was specifically designed to leak its secrets to law enforcement. We also know that not only the official mafia makes use of this browser feature but that every other mafia does that too.

Nowadays, we even have user-friendly and automated tools to assist absolutely anybody in duly and extensively hacking browser traffic:

> https://mitmproxy.org

> It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.

When you see a large herd of sheep somewhere, then rest assured that the presence of a pack of wolves will automatically materialize out of the blue and start circling this juicy source of extra proteins.

Mutatis mutandis, when a large number of unsuspecting mimic users will start using their browser-based wallet, that will certainly also draw the attention of hungry predators in search of easy prey. Before you know the successful predators will exclaim:

All your base are belong to us!

So, on the one side, yes to making some things easier.

However, on the other side, no, to making it easier for a new socialist income and wealth redistribution scheme to collect funds from the naive segment of the population to be handed over to the more ruthless one.

2FA is a fledgling workaround for the fact that SSL/TLS (as in "https") does not secure anything at all:

> https://mitmproxy.org

> mitmproxy ... can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.

Is 2FA the solution?

Not necessarily, because the second factor usually also revolves around using (yet another) insecure protocol such as SMS.

Seriously, why use something for protection that simply does not protect?

Can you really solve the problem caused by an insecure protocol by using two insecure protocols (2FA)? And if that does not work, three insecure protocols? Ad nauseam?

The real solution is not to use browser-based client applications and not to use SSL/TLS in any client application at all, be it desktop, web, or mobile.

Nothing is fixed, my friend.

Not even close!

> https://mitmproxy.org

> mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing.

> It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.

Anything that runs in a browser, such as Chrome, is low-hanging fruit. It is just too easy to strip clean.

If you store anything of value in a browser, you are doing something very dumb.

Firefox has an option to dump TLS keys into a separate file which you can then use to decrypt captured packets. Note that the keys used in your browser and the ones used by the game itself are likely not the same.

Should the above not work, you could look into using a tool like mitmproxy to man in the middle your own connection. This requires that you install the certificate it generates as a trusted certificate in your system.

It's easy to check for HTTP by setting up a proxy such as mitm. For other protocols you'd need a transparent proxy.

There used to be a network log in iOS many years ago. Not sure if that still exists.

Plenty of ways to go here.

If you just want a quick win, set PiHole to return the IP address of your PI as the A record for the domain in question. Then set up something to snoop on incoming network traffic. If you want to try doing it without upsetting the connection, you'll need to proxy it through your Pi so that you can see it but leave it untouched.

If your router supports it (unlikely), you could try to set your Pi as the gateway for all traffic from the target Pi, then use mitmproxy to invisibly proxy traffic. (Or just forward all traffic like a real gateway and use Wireshark.)

If not you might be limited to using NAT firewall rules. You could still use mitmproxy, but it would be rather limited because it's not supposed to be used behind after NAT. You'd need something like

sudo mitmproxy -p 80 --mode reverse:http://example.org:80/ --set keep_host_header

where example.org is the target domain you determined via the PiHole. (If you are stuck with NAT you might find this script useful. Although I haven't tested it extensively, it seems to work.)

... of course, your router might always have the capability to do all this more easily, but that's hard to say without being familiar with the details.

> I can just analyse it and find out if it's true or not.

You can do the same thing for WhatsApp, and it has been done. It's not all that hard to analyze network traffic if you're somewhat tech-savvy. The additional TLS encryption layer can be stripped with a tool like mitmproxy and you will still see no plain-text message content after that (but probably some plain-text metadata). Of course truly verifying that it's the Signal protocol being used as opposed to something else encrypting or obscuring the message content is much harder than having a quick peek behind into the plain client-server communication data, but it *is possible.

> Security Advisory > Concerning web-based wallets. Why are they so insecure? > > In order to allow law enforcement and intelligence agencies to intercept encrypted messages, HTTPS implements a well-known backdoor. > > The certificate for a site's public key can be issued by 600+ different certificate authorities, some of which are very shady. Therefore, any attacker on a node in between your device and the website server can intercept the public key and the real certificate and replace it by a fake couple of credentials. > > From there on, the Man In The Middle (MITM) can completely decrypt your not so secure communications over HTTPS. A large number of attackers, working various WIFI locations, telecom operators, and backbone operators will automatically harvest userids and passwords from multiple known sites such as indeed blockchain.com. They also intercept a massive number of fiat banking logins and passwords, usually, with a view on selling them on the darknet. > > Therefore, a thefting occurrence is just a question of time. All that needs to happen, is that one node on the route between your computer and the website happens to be compromised. > > This type of attack is typically automated with tools such as: https://mitmproxy.org. > > A fourteen year old script kiddie can learn how to do that in just a few weeks. > > This problem also arises when using websites such as coinbase.com. An exchange that you access through the browser is an accident waiting to happen. It is just a question of time and your money will be gone. You can still use them for small amounts if you make sure not to leave your coins on the exchange's website for extended periods of time. > > In other words, never use a web application for secure computing. Websites can simply not be secured. This is by design so.

Thank you. So what do you suggest?

Security Advisory

Concerning web-based wallets. Why are they so insecure?

In order to allow law enforcement and intelligence agencies to intercept encrypted messages, HTTPS implements a well-known backdoor.

The certificate for a site's public key can be issued by 600+ different certificate authorities, some of which are very shady. Therefore, any attacker on a node in between your device and the website server can intercept the public key and the real certificate and replace it by a fake couple of credentials.

From there on, the Man In The Middle (MITM) can completely decrypt your not so secure communications over HTTPS. A large number of attackers, working various WIFI locations, telecom operators, and backbone operators will automatically harvest userids and passwords from multiple known sites such as indeed blockchain.com. They also intercept a massive number of fiat banking logins and passwords, usually, with a view on selling them on the darknet.

Therefore, a thefting occurrence is just a question of time. All that needs to happen, is that one node on the route between your computer and the website happens to be compromised.

This type of attack is typically automated with tools such as: https://mitmproxy.org.

A fourteen year old script kiddie can learn how to do that in just a few weeks.

This problem also arises when using websites such as coinbase.com. An exchange that you access through the browser is an accident waiting to happen. It is just a question of time and your money will be gone. You can still use them for small amounts if you make sure not to leave your coins on the exchange's website for extended periods of time.

In other words, never use a web application for secure computing. Websites can simply not be secured. This is by design so.