MITM can be pretty easy with Mitmproxy and Python

Alexey Alter-Pesotskiy
testableapple
Published in
4 min read · Feb 25, 2019

This note was originally published on my personal blog here. Read the original note so that you won’t miss any content.

First of all, I would like to link the wiki MITM definition. If you are interested in my simple explanation: MITM is an attack in which there is a client, a server, and the man from the title in the middle. The man in the middle inserts himself into the user’s connection and gets full access to the traffic, with the ability to add to, remove from or alter anything in the requests and responses.

Mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It handles HTTP and HTTPS traffic, and not only from mobile (iOS/Android) apps but also from macOS, Windows, and Linux apps. Especially nice is that it is FREE and open source.

In this note I will not go through the advantages of mitmproxy over similar tools (Charles, scat!), but believe me, there are more advantages than disadvantages.

Install

$ brew install mitmproxy

A variety of UIs

Mitmproxy has three interfaces, one for every taste:

  • CLI (interactive console)
$ mitmproxy
  • WEB (I prefer this one)
$ mitmweb
  • Plain console dump, no interactive UI (handy for scripting)
$ mitmdump

Usage

  • Connect the computer and the device to the same Wi-Fi network
  • Start mitmproxy on the computer
  • Open the Wi-Fi settings on the device and set a manual HTTP proxy with the laptop’s IP and mitmproxy’s port, 8080
  • Open mitm.it in the device browser and choose your platform (if you see an error page instead of the certificate downloads, the device is not going through the proxy yet)
  • Install the downloaded certificate and trust it. On iOS, installing the profile is not enough: you must also enable full trust for the mitmproxy root under Settings > General > About > Certificate Trust Settings. On Android 7 and later, apps trust user-installed CAs only if their network security config opts in, so you may need a debug build of the app you want to inspect

Now you can sniff your traffic via mitmproxy.

More information about installing the certificates

Ignore hosts

A useful option for when we don’t need to sniff traffic from some hosts, and intercepting them would actually cause problems. For example, if we don’t ignore:

  • android.clients.google.com, we will have problems signing into the Play Store
  • init.itunes.apple.com and itunes.apple.com, we will have problems signing into the App Store
  • ppq.apple.com, we will get an app verification pop-up for some apps

So, let’s ignore these hosts. mitmproxy treats every --ignore-hosts value as a regular expression and passes through, without interception, any connection whose upstream address (host:port) the pattern matches. A plain alternation of the hostnames is therefore all we need; the pattern below covers the hosts above plus the two Apple update hosts, appldnld.apple.com and mesu.apple.com:

$ mitmweb --ignore-hosts 'android\.clients\.google\.com|itunes\.apple\.com|ppq\.apple\.com|appldnld\.apple\.com|mesu\.apple\.com'

Be careful not to use the negative-lookahead form '^(?:(?!host1|host2).)*$' here: that regex matches every address that does not contain the listed names, so it would ignore all of your app’s traffic and intercept exactly the hosts you wanted to skip. itunes\.apple\.com also matches init.itunes.apple.com, since the pattern is searched for anywhere in the address.
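A quick dry run of an --ignore-hosts pattern before starting the proxy, as an added example that is not part of the original post. It reproduces how mitmproxy evaluates the option (each pattern compiled with re.IGNORECASE and applied with re.search() to the upstream address formatted as host:port; newer releases also try the bare host) against a constructed list of addresses, and contrasts the negative-lookahead pattern with the plain alternation. api.example.com stands in for the app under test and is an assumption.

```python
"""Dry-run --ignore-hosts patterns the way mitmproxy evaluates them.

Added example, not from the original post or the mitmproxy project.
A match against "host:port" means the connection is passed through unseen.
"""
import re
from typing import Iterable, Set, Tuple


def split_traffic(patterns: Iterable[str], addresses: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Return (ignored, intercepted) address sets for the given patterns."""
    regexes = [re.compile(p, re.IGNORECASE) for p in patterns]  # same flags as mitmproxy
    ignored = {a for a in addresses if any(r.search(a) for r in regexes)}
    intercepted = set(addresses) - ignored
    return ignored, intercepted


# Constructed sample of upstream addresses as mitmproxy formats them.
SAMPLE_ADDRESSES = [
    "api.example.com:443",            # the app under test (assumed hostname)
    "init.itunes.apple.com:443",
    "ppq.apple.com:443",
    "android.clients.google.com:443",
    "mesu.apple.com:443",
]

# Negative-lookahead pattern: matches addresses that do NOT contain the names,
# so mitmproxy would ignore everything else and intercept exactly these hosts.
INVERTED = ["^(?:(?!android.clients.google.com|appldnld.apple.com|mesu.apple.com|ppq.apple.com).)*$"]

# Plain alternation: matches exactly the hosts we want mitmproxy to skip.
CORRECTED = [r"android\.clients\.google\.com|itunes\.apple\.com|ppq\.apple\.com|appldnld\.apple\.com|mesu\.apple\.com"]


if __name__ == "__main__":
    for name, patterns in (("inverted", INVERTED), ("corrected", CORRECTED)):
        ignored, intercepted = split_traffic(patterns, SAMPLE_ADDRESSES)
        print(f"{name}: ignored={sorted(ignored)} intercepted={sorted(intercepted)}")
```

With the inverted pattern the only addresses left for interception are the Apple and Google ones, while api.example.com is passed through; with the corrected pattern it is the other way round.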

What does Python bring?

Python is the game-changer and the killer feature at the same time: mitmproxy loads a Python script as an addon and calls its hook functions for every flow.

The two hooks to know for a quick start are:

  • request(flow), if we want to modify requests and/or return our own responses without contacting the server
  • response(flow), if we want to modify the server’s responses

We’re lucky, because with these two hooks we control the whole HTTP exchange.

Attention! The following examples are really useful but don’t claim to be exhaustive; they only show some of the ways of interacting with the mitmproxy API. Heavier stuff, and generally anything you want, you can find in the official examples.

  • kill requests (e.g. kill the iOS update-check requests):
  • change the query or headers of requests and responses:
  • change the response code (e.g. return 503 to emulate being offline):
  • redirect requests to another host:
  • create your own response without touching the server:
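One addon that implements all five cases above, as an added example; it is not the post’s own scripts, which are not reproduced here. Load it with `mitmweb -s addon.py`. The hostnames, paths, query parameter and header it uses are assumptions for the demo, and the decision logic is kept in plain functions so it can be exercised without mitmproxy installed; only the two hooks touch the flow API (mitmproxy 7+ spells the response factory `http.Response.make`; the 4.x series current when the post was written called it `http.HTTPResponse.make`).

```python
"""Worked mitmproxy addon: kill, rewrite, fake status, redirect, synthesize.

Added example, not the original post's code. Run with:  mitmweb -s addon.py
All hostnames, paths and header names below are assumptions for the demo.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

try:
    from mitmproxy import http  # needed only when mitmproxy loads this file
except ImportError:  # the rule functions below still import and test without it
    http = None

# Hypothetical configuration for the demo
KILL_HOSTS = {"mesu.apple.com"}                         # iOS update checks: drop them
REDIRECTS = {"api.example.com": "staging.example.com"}  # send prod calls to staging
FAKE_PATHS = {"/v1/feature-flags": {"beta_ui": True}}   # answer these ourselves
OFFLINE = False                                         # True: every API call gets 503
OFFLINE_PREFIX = "/v1/"
DEBUG_QUERY = {"debug": "1"}                            # query params forced onto requests
TAG_HEADER = ("X-Mitm-Tag", "addon")                    # header added to requests/responses


@dataclass
class Action:
    kind: str            # "kill" | "fake" | "redirect" | "pass"
    host: str = ""       # new upstream host for "redirect"
    status: int = 200    # status code for "fake"
    body: bytes = b""    # JSON body for "fake"


def plan_request(host: str, path: str) -> Action:
    """Decide what happens to a request before it leaves the proxy."""
    if host in KILL_HOSTS:
        return Action("kill")
    if path in FAKE_PATHS:
        return Action("fake", body=json.dumps(FAKE_PATHS[path]).encode())
    if host in REDIRECTS:
        return Action("redirect", host=REDIRECTS[host])
    return Action("pass")


def rewrite_query(query: dict) -> dict:
    """Return the query parameters with the forced debug parameters applied."""
    return {**query, **DEBUG_QUERY}


def offline_status(path: str, status: int, offline: bool = OFFLINE) -> int:
    """Emulate an outage: 503 for API paths while the offline switch is on."""
    if offline and path.startswith(OFFLINE_PREFIX):
        return 503
    return status


def request(flow):
    """mitmproxy hook: runs for every client request."""
    path = flow.request.path.split("?", 1)[0]   # request.path carries the query string
    action = plan_request(flow.request.pretty_host, path)
    if action.kind == "kill":
        flow.kill()                              # client sees a dropped connection
        return
    if action.kind == "fake":
        flow.response = http.Response.make(
            action.status, action.body, {"Content-Type": "application/json"})
        return                                   # never forwarded upstream
    if action.kind == "redirect":
        flow.request.host = action.host          # also updates the Host header
    for key, value in rewrite_query(dict(flow.request.query)).items():
        flow.request.query[key] = value
    flow.request.headers[TAG_HEADER[0]] = TAG_HEADER[1]


def response(flow):
    """mitmproxy hook: runs for every server (or synthesized) response."""
    path = flow.request.path.split("?", 1)[0]
    flow.response.status_code = offline_status(path, flow.response.status_code)
    flow.response.headers[TAG_HEADER[0]] = TAG_HEADER[1]
```

The order of checks in plan_request matters: a faked path wins over a redirect, so /v1/feature-flags is answered locally even on a host that is otherwise redirected. Killing a flow is deliberately noisy (the client sees a connection error), which is what you want when emulating a blocked update server; use the 503 switch instead when the app should see a well-formed error.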

Don’t take seriously

What if we want to flip all the images in the server responses upside down?
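An addon that does exactly that, as an added example rather than the post’s own script. It assumes Pillow is installed (pip install Pillow) when run under mitmproxy with `mitmweb -s flip.py`; the Pillow and mitmproxy imports are optional so that the flipping function can be tested on its own, and anything that is not a decodable image is passed through untouched.

```python
"""Flip every image in a server response upside down.

Added example, not the original post's code. Run with:  mitmweb -s flip.py
Requires Pillow for the actual flipping; without it, bodies pass through.
"""
import io

try:
    from PIL import Image
    PIL_AVAILABLE = True
except ImportError:            # module still imports; flip_image() becomes a no-op
    PIL_AVAILABLE = False


def is_image(content_type: str) -> bool:
    """True for image/* media types; parameters such as charset are ignored."""
    return content_type.split(";", 1)[0].strip().lower().startswith("image/")


def flip_image(data: bytes, content_type: str) -> bytes:
    """Return the image bytes flipped top-to-bottom, re-encoded in the same format.

    Non-images, undecodable bodies and a missing Pillow return the input unchanged,
    so a broken download never turns into a broken proxy.
    """
    if not PIL_AVAILABLE or not is_image(content_type):
        return data
    try:
        img = Image.open(io.BytesIO(data))
        fmt = img.format                          # PNG, JPEG, GIF, ...: keep the encoding
        # Pillow >= 9.1 moved the constant into Image.Transpose; older versions keep it on Image
        flip = getattr(Image, "Transpose", Image).FLIP_TOP_BOTTOM
        out = io.BytesIO()
        img.transpose(flip).save(out, format=fmt)
        return out.getvalue()
    except Exception:                             # truncated or unsupported image
        return data


def response(flow):
    """mitmproxy hook: rewrite image bodies; mitmproxy recomputes Content-Length."""
    ctype = flow.response.headers.get("Content-Type", "")
    if is_image(ctype) and flow.response.content:
        flow.response.content = flip_image(flow.response.content, ctype)
```

Animated GIFs lose their extra frames because only the first frame is re-encoded, and images served with a wrong or missing Content-Type are left alone, since the hook keys on the header rather than sniffing the bytes.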

Conclusion

MITM attacks on production traffic are hard in practice: with HTTPS the attacker must first get their own CA trusted by the device, which in effect means control of the device (as in the setup above) or a certificate-validation bug in the app, and apps that pin their server certificate reject the mitmproxy CA even when it is installed and trusted. The main thing we can take from MITM is an analysis of our own traffic (let me stress: ours, not someone else’s). An interesting discovery may be the number of requests carrying our data that flow from our own devices and our favourite apps to other people’s servers.

If you have any questions or need clarifications after reading this note about MITM or mitmproxy, I’ll be happy to answer them.

So, wish you happy Mondays (:
