Help in setting up a man-in-the-middle proxy

lnx · November 10, 2021, 10:50pm

Hey, I want some help on setting up a MITM proxy between qubes to monitor connections. I’ve installed and configured the mitm-proxy in a standalone qube, set it up to provide network and nothing, if I try to configure a proxy on the target qube, the option is unavailable or doesn’t work at all. Any help please? And would it be the same process to setup something like OpenSnitch?

icequbes1 · November 11, 2021, 2:23am

I assume you are already aware of the dangers of doing this or that this is only for testing purposes.

For the uninitiated, mitmproxy stands for “man in the middle proxy” which intercepts TCP traffic and allows inspection (and modification if you want to get fancy). This lets you “hack yourself” and spy on your traffic, even if it’s in a TLS-protected stream.

With that out of the way, you can do this for HTTP(S) traffic with the following steps:

Install mitmproxy, we can call this qube: mitmproxy-qube
Make sure mitmproxy-qube has: Provides Network
Add the following iptables rules to mitmproxy-qube:
```
sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t filter -I INPUT -i vif+ -p tcp -m tcp --dport 8080 -j ACCEPT
```
1. The first two rules redirect any TCP packets from attached qubes with destination port 80 or 443 to get redirected to port 8080, which mitmproxy will be listening on.
2. The third rule ensures that the redirection is allowed. Otherwise, there is a default firewall rule to REJECT input packets from vif interfaces (these are attached qubes).
Run mitmproxy in transparent mode, which will listen on port 8080 by default:
```
mitmproxy --mode transparent --showhost
```
Test curl http://mitm.it in an attached qube and it should be seen in mitmproxy.
To get TLS/HTTPS to work and be a very dangerous hacker, the mitmproxy CA certificate needs to be marked trusted in attached qubes.
- In Fedora, copy the cert to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust extract
- In Debian, copy it to /usr/local/share/ca-certificates and run sudo update-ca-certificates
- In Firefox, import it under Privacy & Security // Certificate settings
  - To be extra dangerous, set about:config option security.cert_pinning.enforcement_level to 1, for disabling pinned hosts such as google.com and facebook.com. 2 is the default (enforce pinning), whereas 1 says allow user trust anchors (the CA we imported).

Please do not follow these directions unless you are 100% you wish to intercept traffic which may contain sensitive data such as your passwords or PII. Installing mitmproxy and its certificate in attached qubes means HTTPS protection in the browser is deemed pointless and equivalent to (unauthenticated, unencrypted) HTTP.

lnx · November 11, 2021, 7:06pm

Sorry for not responding in time, it worked flawlessly, thank you, and yes I’m aware of the risks, its only for testing connections on browsers and other ‘spyware-like’ programs, again, thanks a lot.