MitmProxy on Kali and Xubuntu – attack and testing

MitmProxy allows you to manipulate your web traffic at will. For example, you make forms send things that are not mentioned in the user interface.

It has very simple TUI (text user interface) for easy use, and Python API tougher problems.

Penetration testing requires a lot of ethical and legal considerations. They are not handled here, you are responsible for following the law.

These are just short notes without troughout explanations.

Install MitmProxy with Pip

$ sudo apt-get -y install virtualenv python3-pip
$ virtualenv env –python=python3
$ source env/bin/activate
$ cat requirements.txt
mitmproxy
$ pip install -r requirements.txt

Run MitmProxy

$ export EDITOR=nano # if you mistakenly open vim, to exit: ESC :q!
$ mitmproxy -p 8888

Connect Firefox using FoxyProxy

FoxyProxy Standard addon makes it easy to use mitmproxy as a proxy. Firefox updates keep breaking the built in proxy settings, so FoxyProxy is often required.

Set it to use localhost, port 8888.

Firefox Addons: FoxyProxy Standard

– Add
– Proxy Type: HTTP # Did not work with socks5
– Title or Description: mitmproxy 8001 # only first letters show in Firefox toolbar
– IP address, DNS name… : localhost
– Port: 8001 # mitmproxy listen port, given with ‘mimproxy -p 8001’

Patterns
– New White: Pattern: ‘localhost:*’
– Remove all other patters. Remove “All URLs” pattern. Remove all Black Patterns.

Test
– google.com should open without warnings. Foxyproxy icon shows (in Firefox toolbar) shows direct connection (no proxy).
– WebGoat (localhost:8080) browsing should make Foxyproxy icon show “mitm” proxy. All requests to localhost webgoat should show in mitmproxy TUI.

Useful commands

e # edit flow, 2 form. Enter to edit field value, tab to accept
q # quit to previous screen
f ~m post # filter POST requests
f ~b Congra # search body, case sensitive
f \.js # URLs containing ‘.js’ (TUI does not show backslash after typing the rest of the filter)
f ~t json # match content type
F # follow (autoscroll)
K # keybindings (different from ? help)
? # help
m # mark flow (HTTP request) toggle
M # show marked only/all toggle
w # write flows to file. Load with ‘mitmproxy -r goat1.mitmproxy –no-server’
shift # select text for copy-paste
i accountID= # intercept flow (stop http request, wait until you allow it)
a # allow intercepted flow (A allow all)

Posted in Uncategorized | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *