Nusky Posted May 11, 2016

Hello Wonderful People,

So I'm hitting a snag with an attack I'm trying to carry out and could really use anyone's help trying to troubleshoot this. I've got the theory down and get half way but can't seem to jump the last hurdle.

So here's the gist: I'm trying to MitM devices connecting to my TETRA using Burp Suite to capture any HTTP or HTTPS traffic so that I can observe/modify (you know the drill) the HTTP/S traffic. Thing is, I can capture the traffic and MitM successfully with the TETRA (I am able to see all traffic passing through my attack machine within Wireshark). However, I can't seem to get that traffic into Burp. I'm only interested in sending HTTP/S traffic to Burp; all other traffic can head on out to the Internet.

I've tried using iptables rules to preroute the traffic bound for dport 80 or 443 to the Burp Proxy listening on 8080 (and tried individual listeners on 80 and 443 to no avail), but no traffic seems to get to it... well, to an extent. If I grab the HTTP header of google.com whilst routing traffic to Burp, I can grab an HTTP header for Burp itself.

Here's a diagram because I like making them:

Attacker's IP (Eth1) is 172.16.42.42
Eth0 IP is 192.168.0.10 (LAN has Internet connectivity via gateway at 192.168.32.1)
ETH0 and 1 are wired (I wire into the ETH port of my TETRA). Mobile devices are connecting via WiFi (PineAP).

It's simple enough in my head: have all traffic coming in over ETH1 that is destined for 80 or 443 re-route to the Burp Listener... but it doesn't seem to work correctly.
Here are the iptables rules I was creating to try and route the traffic (applied on the attacker's machine):

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 127.0.0.1:8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 127.0.0.1:8080

And IP forwarding is enabled on the attacker's machine with:

sysctl net.ipv4.ip_forward=1

I'm still trying out stuff; next thing is to route HTTP/S traffic from ETH1 to LO (seeing as the listener is on LO, 127.0.0.1:8080), but I know from previous posts there are legends on these forums and would appreciate some pokes in the right direction if anyone has any ideas. And yes, I did look around the forums and on the Internet, but I can't seem to find the thing that works. Any thoughts are welcome. Think this might be a cool addition to the forums if we can get it going. Thanks.
nickphx Posted May 27, 2016

You can't have multiple rules for the same traffic. There are iptables rules for the MITM transparent proxying of traffic. What you need to do is create a prerouting rule that will tee or copy the traffic..

iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TEE --gateway BURP_IP:PORT

http://linuxcommand.org/man_pages/iptables8.html

ROUTE
This is used to explicitly override the core network stack’s routing decision. mangle table.
--oif ifname  Route the packet through ‘ifname’ network interface
--iif ifname  Change the packet’s incoming interface to ‘ifname’
--gw IP_address  Route the packet via this gateway
--continue  Behave like a non-terminating target and continue traversing the rules. Not valid in combination with ‘--iif’ or ‘--tee’
--tee  Make a copy of the packet, and route that copy to the given destination. For the original, uncopied packet, behave like a non-terminating target and continue traversing the rules. Not valid in combination with ‘--iif’ or ‘--continue’
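Added example, not from either post: a small audit script a defender can run over `iptables-save` output from a Linux gateway to spot the kinds of PREROUTING rules discussed in both posts (DNAT of ports 80/443 to a local proxy port, and TEE copies of web traffic). The sample rules, interface names and addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output from a gateway (not a real capture).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8080
-A PREROUTING -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.20:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TEE --gateway 192.168.0.99
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Print every PREROUTING rule that diverts web ports (80/443) to a DNAT,
# REDIRECT or TEE target, prefixed with the table it lives in.
# Reads iptables-save text on stdin, so it works on a saved file or on
# a live `iptables-save | flag_web_interception`.
flag_web_interception() {
    awk '
        /^\*/ { table = substr($0, 2) }   # "*nat" -> remember table name
        /^-A PREROUTING/ && /--dport (80|443)( |$)/ && /-j (DNAT|REDIRECT|TEE)/ {
            print table ": " $0
        }'
}

# Count the flagged rules in a rules string; "0" means nothing suspicious.
count_web_interception() {
    printf '%s\n' "$1" | flag_web_interception | wc -l | tr -d ' '
}

# Stand-alone run: list the flagged rules from the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | flag_web_interception
```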