Skip to content

Traffic inspection

Silvio Moioli edited this page Jun 6, 2022 · 1 revision

Capturing HTTP/HTTPS traffic with MITM Proxy

This method is the nicer buat only works with http/https traffic.

Installation

Install mitmproxy in your workstation from here

General Usage

First time you run it mitmproxy (exit with "q") the CA authorities will be created in ~/.mitmproxy

Copy mitmproxy-ca-cert.pem to the client machine where you want to inspect the traffic. In the client, make the mitmproxy CA trusted:

  • SLE-11 in /etc/ssl/certs and then run c_rehash
  • SLE-12 in /etc/pki/trust/anchors and run update-ca-certificates

In your workstation, start mitmproxy:

mitmproxy -p 9999

On the client machine, start the program that will communicate with the server via SSL. Make sure you can make your program use the your workstation as the proxy with an ENV variable. If not, check its specific configuration file.

export http_proxy=yourworkstation:9999
./yourprogram

You should start seeing traffic. Check the documentation on how to navigate and how to inspect the flow and even modify it.

There is also a companion tool mitmdump, that works like tcpdump, which you can use to save the traffic

You can also use the -R host to do a reverse proxy and put mitmproxy in front of the server, instead of using it as a proxy to the client

Also see this Full Tutorial.

Arbitrary traffic using sslplit

INCOMPLETE, not yet working for osad. Needs STARTTLS support.

Install sslplit in your workstation.

On the client, alter /etc/hosts to redirect the server to your workstation:

....
ff02::2         ipv6-allrouters
ff02::3         ipv6-allhosts

10.160.5.9      sumars21.suse.de

Now when the client asks for sumars21.suse.de, it will get my workstation (10.160.5.9) before the real dns entry.

Get the server keys:

scp root@sumars21.suse.de:ssl-build/RHN* .

Start sslplit to listen in the ports you want to capture, with the right spec: tcp, ssl, http or https. In this case I want to capture SSL traffic for osad (jabber, 5222) and https, 443. I redirect both to the same original server (sumars21.suse.de).

sudo sslsplit -D -l - -k RHN-ORG-PRIVATE-SSL-KEY -c RHN-ORG-TRUSTED-SSL-CERT ssl 0.0.0.0 5222 sumars21.suse.de 5222 https

Also see this Full tutorial.

Clone this wiki locally