mitmproxy?


crepsidro

Hello peeps.

I am wondering how hard it would be to make an infusion out of the amazing http://mitmproxy.org/?

Also, pointers on how to install it manually will be greatly appreciated.

There are so many SSL-capable MITM proxy tools out now (mitmproxy, sslsniff, burp proxy) and none is available for the pineapple, an otherwise fine pentesting device?!

Sure, there are schemes where the pineapple is used to karma clients to it and route the traffic to the notebook.

But just imagine ssl logging proxy on the pineapple connected to 3g/phone/ethernet/wlan1?!

Thanks!

Actually did some research.

I'm on 2.8.1.

With the mitm infusion installed, I get mitmproxy (fails to start) and mitmdump 0.8.1.

mitmdump seems to work, BUT it fails to proxy plain http requests - it treats all requests as https, thus breaking functionality.

I tried updating mitmdump to the current version, but that broke it; 0.9 fails to start.

Please, some help here on how to install the new version?

And I tried opkg install sslsniff. sslsniff --help produces help, BUT when I try to use it = segmentation fault.

I just want a decent http/https logging proxy running on pineapple.

Thanks

As I said, the sslsniff package loads, but produces a segmentation fault upon launch in 'work' mode.

I have 2gb swap, all processes stopped, but still get seg.fault.

Hoping for pros to investigate.

Just imagine smoothly running sslsniff?! Why focus on completely obsolete sslstrip?

Edited by crepsidro
OK, I did some research and am disappointed with the results...

I tried flashing to 3.0 and installing sslsniff (openwrt version, which is waaay obsolete).

Still get seg.fault upon running.

Got back to 2.8.1 and still wondering about possibility of having autonomous ssl sniffing proxy (NOT sslstrip, which is useless for most modern sites).

Still cannot properly invoke mitmdump (from mitm infusion) to catch and reroute both HTTP and HTTPS traffic TO it. It takes HTTPS traffic and mitms it, but still cannot get plain HTTP proxied to the mitmdump.

If I hard-set the proxy address in the 'victim browser' I DO get a somewhat reliable SSL pass-thru decoding proxy (yes, I get wrong cert dialogs, but that's acceptable for pentesting).

Can anyone help me with proper iptables commands to route, say, all 80 and 443 traffic to port say 9999 on the pineapple?

Say, I use the 3g-wan2 interface OR/AND the eth1 interface to get internet to the pineapple.

Thanks.

Guys, I mean, why is there still no working SSL proxy on the device? Just imagine how cool and almost 100% transparent it can be.

PS. Any progress on getting the latest (not ancient) sslstrip working? Thanks

Yup, urwid fails due to absence of compiler. I edited setup.py for urwid to comment out ext.module requirement, it went thru setup.

I also had to do the same for PIL and lxml...

Thing is, lxml fails to compile and I get this error:

Traceback (most recent call last):
  File "/usb/usr/bin/mitmdump", line 4, in <module>
    from libmproxy import proxy, dump, cmdline, version, console
  File "/usb/usr/lib/python2.7/site-packages/libmproxy/console/__init__.py", line 5, in <module>
    import flowlist, flowview, help, common, grideditor, palettes, contentview, flowdetailview
  File "/usb/usr/lib/python2.7/site-packages/libmproxy/console/flowview.py", line 3, in <module>
    import common, grideditor, contentview
  File "/usb/usr/lib/python2.7/site-packages/libmproxy/console/contentview.py", line 10, in <module>
    import lxml.html, lxml.etree
  File "/usb/usr/lib/python2.7/site-packages/lxml-3.2.3-py2.7.egg/lxml/html/__init__.py", line 42, in <module>
    from lxml import etree
ImportError: cannot import name etree

Also tried to manually do a static build of lxml (python setup.py --static-deps) to no avail. I guess lxml does need some binaries compiled...

Please, do something! I want mitmproxy on my pineapple again. It WAS working a couple of months ago, but I guess the PIP distro changed..

Thanks

Maybe just tell me what to comment out and where to force mitm to run.

Edited contentview.py and ran mitmdump (and mitmproxy).

Now, it needs pyopenssl 0.13 and opkg has 0.10-1.

I cannot resolve the conflict there. It either runs with 0.10 but drops all SSL traffic OR it doesn't run with 0.13 pip'ed over 0.10.

HELP PLEASE, I guess I need some pyopenssl 0.13 bins (((

Ok, nobody? What?

More futility from me then... :(

I managed to install mitmproxy 0.8.1 by using pip install "mitmproxy<=0.8.1".

But it lacks -T (transparent http/https mode), it lacks the --host option, and it's basically useless.

I also tried to build some binaries 'on-device'. I tried root_fs_mips and root_fs_mipsel uClibs' packs, both fail to chroot on device (architecture mismatch most probably).

We need pyOpenSSL compiled for pineapple ASAP! That will lead to mitmproxy 0.9.2 (which works GREAT on linux machine, sniffs/mitms ALL ssl traffic!) and NEW version of SSLstrip many folks love.

Please, please devs. Compile the opkg .ipk or just 3 binaries needed for pyOpenSSL 0.13 (crypto and 2 more).

THANKS!

Edited by crepsidro
crepsidro :

How about you stop posting all the time for the same thing, eh?

Developers of both infusions and the system, especially sebkinne who is always working on the pineapple, as well as other tinkerers 'give a toss'. Developers are incredibly busy; they do what they can when they can.

So my advice to you sir, is back off.

Edited by Foxtrot
Can somebody please compile the binaries for pyopenssl 0.13? It needs it to proceed. Not familiar with the pineapple build environment etc.

thanks!

Yes. We can and will - but please don't keep posting the same things. I suggest creating a bug / suggestion in the appropriate manner so that it is added to our to-do lists.

Best Regards,

Sebkinne
