When you want to record a HTTP conversation you can use a MITM (Man In The Middle) Proxy.
I was trying to record a replay a HTTP request for one of my projects and stumbled across the MITMProxy project. The tools is really powerful however documentation is not detailed so after some research on web I realized that I need to try on my own.
It took me a day to figure out, I hope to be able to save your time by this article.
This tutorial is focused mainly for beginners like me. I have created a simple tutorial to run a proxy on your local machine that can record and replay HTTP request on a HTTP server. I have taken tomcat manager app as the example.
This can also be treated as a sample MITM attack demonstration since I am recording the tomcat manager login session and then able to replay it to get execute more requests as tomcat manager account without client initiating any requests.
What Is Man In The Middle (MITM) Attack
Man in the middle attack is a type of communication hacking attack where an attacker can modify the information between client and server.
For example just imagine you are logged into your bank account and want to transfer money from your account to a friends account. If a hacker having access to communication channel suing MITM attack is able to modify the information in your transfer request and change the friends account number to someone else. This way you may not realize that the money was transferred to someone else.
What is mitmproxy Project
This is a command line utility that can intercept the traffic flows and record it to be replayed later. For more details visit project website – mitmproxy project
How A Man In The Middle (MITM) Attack Is Performed
MITM attack requires an attacker to have control over the communication channel. A common scenario could be a internet cafe that has all the traffic going through a proxy. A proxy server can see the traffic between client and server and may modify it. In case when a hacker has control of the proxy, it can be really easy for them to intercept a non encrypted traffic and see all the information. This is main reason why HTTP is not considered secure since it sends data in plain text and any proxy in between can see the plain text traffic.
How To Avoid Man In The Middle (MITM) Attack ?
MITM attack can be easily avoided (or at least made very difficult to perform) by using HTTPS connection between client and server.
How To Simulate A Man In The Middle (MITM) Attack Using MITM Proxy
Below are the steps to perform a MITM attack using MITM proxy tool. Real MITM attack may involve much more complex steps, however we have avoided it to keep the tutorial simple.
Running A Reverse Proxy To Record Tomcat Requests
Below command should run a reverse proxy on port 8081 and record any request sent to port 8081
mitmdump -w tomcat-mgr-login.dump -d --keepserving --anticache -p 8081 -R http://localhost:8080 &
Understanding The Options In This Command
This option tells the tool to record and write into a file called “tomcat-mgr-login.dump”
This option will enable tool to show more details
This option will keep the mitmdump reverse proxy running. Otherwise your proxy will stop after one request.
This option will ensure to avoid any web server level caching.
Tells the port at which the reverse proxy needs to listen to client request.
This option tells mitmdump tool to run in Reverse proxy mode. The host:port details are used to forward traffic from the port specified in -p option.
This is a unix way to run process in background, not specific to this tool.
Start Tomcat Server
Start tomcat on your machine, make sure its running on port 8080
You can check it by going to browser on this url http://localhost:8080
Configure Tomcat Manager Password
Go to tomcat_home/conf/tomcat-users.xml and un comment these lines.
Make sure the change the roles value to manager-gui for tomcat user.
<user username="tomcat" password="tomcat" roles="manager-gui"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
Lets Start Recording
- Now point your browser to localhost:8081
- Make sure to use the proxy port 8081, not tomcat default port. This is the main trick that enables proxy to be able to record.
- Visit the tomcat manger app.
- Login to tomcat manager app.
- The mitmdump should record it in the tomcat.dump file
127.0.0.1 GET http://localhost:8080/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3
<< 200 OK 11.16kB Server: Apache-Coyote/1.1 Content-Type: text/html;charset=ISO-8859-1 Transfer-Encoding: chunked Date: Fri, 05 Jun 2015 23:44:56 GMT
How To Stop Mitmdump Process
To stop the mitmdump process follow below steps.
- find the mitmdump process using ps command
ps -aef | grep “mitmdump"
- you will see two process ids. I prefer doing kill -9 on both
kill -9 pid1 pid2
How To Replay The Recorded Request
Now open a new shell and run following command to replay the recorded actions.
mitmdump -c tomcat.dump -n --replay-ignore-host
This should show you below output.
127.0.0.1 GET http://localhost:8080/
<< 200 OK 11.16kB 127.0.0.1 GET http://localhost:8080/manager/html << 200 OK 19.11kB
Learn More Mitmdump Commands
Doing more learning on mitmdump tool, use below command to see the help options.
Help Manual In PDF Downloadable Format
I have also exported the command output to a PDF file for convenient reading.
- You can download the mitmdump command help manual as a PDF file from here – mitmdump command help manual
- You can download the mitmproxy command help manual as a PDF file from here – mitmproxy command help manual