• This repository was archived on 09/Apr/2024

MITM-VM

Author

Written by Kelby Ludwig (@kelbyludwig)

Description

This is an easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities. This project requires little configuration and little additional hardware, and provides many utilities and tools to accomplish common (and not so common) man-in-the-middle scenarios.

Setup

Virtual Machine Setup

Note: Almost all of the documentation assumes you are using a Macbook and OS X. Setup is possible via Linux distros but has not been documented. Furthermore, you will need two physical connections to the Internet (e.g. one wired, one wireless) for MitM-VM to route traffic properly.

git clone https://github.com/praetorian-inc/mitm-vm.git

cd mitm-vm

vagrant up

When prompted, select the interface that will be the gateway interface. In other words, the "gateway interface" is the interface that will connect the virtual machine to the Internet. For example, in use case 1 (see below) you want to act as a proxy for a device that connects to a WiFi network. You will want to configure your Macbook to share its connection to the Internet (over Ethernet) to the target device over WiFi. In this scenario, the "gateway interface" is the Ethernet interface.

You will need to install the VirtualBox Extensions for your version of VirtualBox.

If you do not plan on using trudy (Which this box was built for!) then remove the iptables commands for trudy from route.sh.

Host Setup

This is dependent on the use case. The following use cases should cover most situations.

Use Case 1: The device you want to man-in-the-middle connects to the Internet over Wi-Fi.

  1. I have made a diagram for this use case. Check it out under the diagrams folder if anything seems unclear.

  2. Update the INTERNET_ROUTER_IP environment variable in route.sh to match the IP address of your gateway interface router.

  3. Spin up the mitm-vm using vagrant up. During initialization you will be prompted to select an interface for bridging in the VM. Select the interface that will go from the virtual machine to the Internet. In this use case, it will be your Ethernet interface.

  4. Route all traffic on your Macbook through the VM.

    • This can be done via your Network System Preferences in OS X. System Preferences → Network → Ethernet → Configure IPv4 → Manually → Set Static IP to a valid static IP, set the subnet to 0.0.0.0, and set Router to the IP address of the mitm-vm.

  5. Confirm that you have Internet access on the host, and that traffic is routing through the VM.

  6. Turn your Macbook into a wireless access point.

  7. Confirm that the device you want to mitm can access the Internet. I typically test this by pinging 8.8.8.8 on my host. If I actually get a response, I will check that it is filtering through the VM. To confirm this, run tcpdump on the VM (make sure you specify the correct interface!).

  8. Run vagrant ssh to get on the mitm-vm and do all your sniffing/modifying/etc.

Use Case 2: The device you want to man-in-the-middle connects to the Internet over Ethernet.

  1. This is roughly the same setup as use case 1. The primary difference is how you share your Macbook's Internet connection (Steps 2-4). Instead of sharing Ethernet connectivity over WiFi, you would share WiFi over Ethernet.

Use Case 3: You want to sniff / proxy bluetooth using OS X's built-in hardware.

  1. Install the VirtualBox Extension Pack. You need the most recent version of VirtualBox to do this (don't trust the "Check For Updates" mechanism in VirtualBox).

  2. Add a USB filter for the OS X bluetooth device. VirtualBox -> Mitmvm -> Settings -> Ports -> USB -> Little USB with a "+".

  3. Before booting the VM, you will need to convince OS X to relinquish control of the bluetooth hardware. I have provided scripts that automate disabling and re-enabling host control of the bluetooth hardware (bt-down.sh and bt-up.sh). Run bt-down as sudo. This will create a file listing the modules that were disabled. Re-enabling the modules needs this file, so please don't delete it.

  4. Boot the Vagrant VM. Test that you have access to the bluetooth module by running hcitool dev. You should see a device! This same utility can be used to sniff and attach to devices.

  5. For bluetooth mitm please refer to btproxy's documentation.

Use Case 4: You want to sniff / modify Zigbee traffic using a peripheral Zigbee USB device.

  1. Follow the steps for the bluetooth use case.

Includes the following tools

  • trudy: A transparent TCP proxy that supports packet interception and programmatic modification.
  • mitmproxy: An interactive console program that allows HTTP traffic flows to be intercepted, inspected, modified and replayed.
  • netsed: A utility that is designed to alter the contents of packets forwarded through your network in real time.
  • sslstrip: A tool to transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links.
  • sslsniff: Constructs new certificate chains for SSL/TLS connections on the fly.
  • socat: A relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these.
  • btproxy: Man-in-the-Middle analysis for bluetooth.
  • killerbee: IEEE 802.15.4/ZigBee Security Research Toolkit.
