====== Device inspections with mitmproxy/wireshark and other clever tools ======
This tutorial helps you dig deeper into your devices: see what a specific device or piece of software is doing on your server, phone and desktop.\\
Below you will find a short description and the link to the website of the software we are using here.
\\
[[https://mitmproxy.org/|mitmproxy]] is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols. You can prettify and decode a variety of message types ranging from HTML to Protobuf, intercept specific messages on-the-fly, modify them before they reach their destination, and replay them to a client or server later on.
\\
[[https://www.wireshark.org/|wireshark]] is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.\\
You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).\\
In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.\\
\\
[[https://frida.re/|frida]] is a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.
\\
[[https://github.com/rofl0r/proxychains-ng|proxychains-ng]] is a hook preloader that redirects the TCP traffic of existing dynamically linked programs through one or more SOCKS or HTTP proxies.
\\
[[https://tsocks.sourceforge.net/|tsocks]] provides transparent network access through a SOCKS version 4 or 5 proxy (usually on a firewall). tsocks intercepts the calls applications make to establish TCP connections and transparently proxies them as necessary.
\\
[[https://www.tcpdump.org/|tcpdump]] is a powerful command-line packet analyzer, built on libpcap, a portable C/C++ library for network traffic capture.
\\
[[https://github.com/emanuele-f/PCAPdroid|PCAPdroid]] is a privacy-friendly open source app which lets you track, analyze and block the connections made by the other apps in your device. It also allows you to export a PCAP dump of the traffic, inspect HTTP, decrypt TLS traffic and much more!
PCAPdroid simulates a VPN in order to capture the network traffic without root. It does not use a remote VPN server, instead data is processed locally on the device.
\\
===== mitmproxy =====
\\
==== Package ====
<code>
pacman -S mitmproxy
</code>
\\
==== Firewall ====
Open port ''1080'' for the ''TCP'' and ''UDP'' protocols.
Check [[/en/server/services/firewalld#custom_made|firewalld]] and create a new service named ''mitmproxy''.
\\
==== Start via ... ====
<alert type="info" icon="fa fa-info-circle">If you prefer a web view use ''mitmweb'' instead of ''mitmproxy'' in the command.</alert>
===== Set up Firefox and download certificates =====
- To download the mitmproxy certificates and to check websites, it is best to install the [[https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search|Firefox Multi-Account Containers]] addon, create a new container named for example ''%%proxy%%'' and, under **//Advanced proxy settings//**, add the following link: ''%%socks://$mitmproxy_ip:1080%%''.\\ This way you can simply open a tab in the new proxy container instead of routing all of Firefox through the proxy.\\ However, if you prefer to proxy the entire Firefox, follow the next step:\\ \\
- Go to ''about:preferences#general'' and search for ''proxy'', or scroll down to ''Network Settings''.
- Go to http://mitm.it/ and download the certificate for your specific device.
\\
==== Install certificate/s ====
Follow [[/en/server/services/ssl#installing_your_root_certificate_on_all_the_devices|ssl]] and use ''mitmproxy-ca-cert.pem'' instead of ''rootCA.pem''.
\\
===== Proxychains-ng / tsocks =====
There are two options, in case one or the other doesn't work for whatever reason.
\\
==== Packages ====
<code>
pacman -S proxychains-ng tsocks
</code>
\\
==== conf ====
<code>
nano /etc/proxychains.conf
</code>
<code>
#socks4 127.0.0.1 9050
socks5 $mitmproxy_ip 1080
</code>
<code>
nano /etc/tsocks.conf
</code>
<code>
server = 127.0.0.1
server_port = 1080
server_type = 5
default_user = ""
default_pass = ""
</code>
\\
==== Example ====
<code>
proxychains $SOFTWARE
</code>
<code>
export LD_PRELOAD=/lib/libtsocks.so
tsocks $SOFTWARE
</code>
\\
===== Wireshark =====
If you prefer to decrypt and inspect the traffic in Wireshark, point Wireshark's TLS settings at mitmproxy's ''SSLKEYLOGFILE''. This lets Wireshark decrypt the sessions that mitmproxy terminated with its own certificates.
\\
==== Package ====
<code>
pacman -S wireshark-qt
</code>
\\
==== SSL/TLS ====
Go to ''Edit'' -> ''Preferences'' -> ''Protocols'' -> ''TLS'' -> ''(Pre)-Master-Secret log filename'' and add the file which will be under ''~/.mitmproxy/sslkeylogfile.txt''
\\
==== MAP ====
This way you can easily see where your devices/software are connecting to. The overview is displayed on a world map (see image below).\\
You will need 3 files in **one folder**:
- GeoLite2-ASN.mmdb
- GeoLite2-City.mmdb
- GeoLite2-Country.mmdb
You can download them from https://www.maxmind.com/. You need to register.\\
Afterwards you will find these files under //__GeoIP2 / GeoLite2__// -> //__Download Files__//.
Extract the files, start Wireshark and select //__Edit__// -> //__Preferences (Ctrl+Shift+P)__// -> //__Name Resolution__// -> //__Enable IP geolocation__//, click the //__Edit...__// button next to //__MaxMind database directories__// and select the path where the extracted files are located.
The screenshot below shows a Windows 11 VM running on a proxmox server:
{{:en:extras:windows11-map.png?direct&1200|}}
\\
===== Check IoT, TV,... devices with wireshark and ... =====
The following option can actually be used with any ssh connection. The user only needs permission to use tcpdump; alternatively use ''-t'' and put ''sudo'' in front of the commands (''ssh -t server "sudo ..."''). However, the last important command does not work this way. The easiest way is to create a user with the right permissions right away!\\
This option does not include decryption via mitmproxy/wireshark, but it is still useful for checking IoT devices etc. where, for example, installing the mitmproxy certificates is not possible. It still gives you a good overview of whom the device is communicating with and whether your firewall/DNS blocklist is set up correctly or not.
If you cannot find out the name and IP address of your device, you can also try nmap's ping sweep option: ''sudo nmap -sn 192.168.1.0/24''.
<alert type="info" icon="fa fa-info-circle">Change interface (''-i'') ''wonder-lan'' and device name (''host'') ''Nasty-little-IoT''. Hostname needs to be an IP address on opnsense.</alert>
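As an added example that is not part of this tutorial, the following script turns the text output of ''tcpdump -nn'' (no name resolution) into the overview described above: which destinations the device talks to, which names it resolved, and whether a blocklisted name was resolved and then actually contacted, i.e. the DNS blocklist did not work. The sample lines, the device IP ''192.168.1.50'' and the names ''tele.example''/''ads.example'' are constructed.

```python
import re
from collections import Counter

# Patterns for "tcpdump -nn" text output. Constructed sample lines are below:
# a DNS query, the matching answer (paired by transaction id) and a TCP SYN.
IP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)")
DNS_QUERY = re.compile(r"^(\d+)\+ (?:A|AAAA)\? (\S+)\. ")
DNS_ANSWER = re.compile(r"^(\d+)[*-]? \d+/\d+/\d+ (.*) \(\d+\)$")
A_RECORD = re.compile(r"\bA(?:AAA)? ([0-9a-fA-F.:]+)")

SAMPLE = """\
12:00:01.000001 IP 192.168.1.50.5353 > 192.168.1.1.53: 4660+ A? tele.example. (30)
12:00:01.001000 IP 192.168.1.1.53 > 192.168.1.50.5353: 4660 1/0/0 A 203.0.113.9 (46)
12:00:01.002000 IP 192.168.1.50.5354 > 192.168.1.1.53: 4661+ A? ads.example. (29)
12:00:01.003000 IP 192.168.1.1.53 > 192.168.1.50.5354: 4661 1/0/0 A 0.0.0.0 (45)
12:00:02.000000 IP 192.168.1.50.41234 > 203.0.113.9.443: Flags [S], seq 1, win 64240, length 0
12:00:02.100000 IP 203.0.113.9.443 > 192.168.1.50.41234: Flags [S.], seq 0, ack 2, length 0
12:00:03.000000 IP 192.168.1.50.41235 > 198.51.100.7.8883: Flags [S], seq 1, win 64240, length 0
""".splitlines()


def summarize(lines, device_ip, blocklist):
    """Return (destination Counter, {answer_ip: name}, leaks).
    A leak is a connection from the device to an address that DNS returned
    for a blocklisted name; a working blocklist answers 0.0.0.0/NXDomain."""
    pending = {}        # DNS transaction id -> queried name
    resolved = {}       # answer IP -> queried name
    dests = Counter()   # (dst_ip, dst_port) -> packets sent by the device
    leaks = []
    for line in lines:
        m = IP_LINE.search(line)
        if not m:
            continue  # ARP, IP6 and other lines are ignored here
        src, sport, dst, dport, rest = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
        if src == device_ip:
            dests[(dst, dport)] += 1
            q = DNS_QUERY.match(rest)
            if dport == 53 and q:
                pending[q.group(1)] = q.group(2)
            elif dst in resolved and resolved[dst] in blocklist:
                leaks.append((resolved[dst], dst, dport))
        elif dst == device_ip and sport == 53:
            a = DNS_ANSWER.match(rest)
            if a and a.group(1) in pending:
                name = pending.pop(a.group(1))
                for ip in A_RECORD.findall(a.group(2)):
                    resolved[ip] = name
    return dests, resolved, leaks


if __name__ == "__main__":
    dests, resolved, leaks = summarize(SAMPLE, "192.168.1.50", {"tele.example", "ads.example"})
    for (ip, port), n in dests.most_common():
        print(f"{ip}:{port:<5} {n:3} pkts  {resolved.get(ip, '')}")
    print("blocklist leaks:", leaks)
```

Pipe a live capture into it with ''tcpdump -nn -l ... | python3 script.py'' after replacing ''SAMPLE'' with ''sys.stdin''.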
\\
===== Android with PCAPdroid =====
\\
==== Download and install apk ====
Install PCAPdroid via [[en:phone:apps:f-droid|F-Droid]] - https://f-droid.org/en/packages/com.emanuelef.remote_capture/.
\\
==== mitmproxy socks5 ====
You'll need to import [[#install_certificate_s|mitmproxy's certificate]] on your Android.
Create a ''wireguard.conf'' file under Windows with the output of mitmweb or mitmproxy (Shift+E) and import it into wireguard.
\\
==== socks ====
For some reason the socks setup did not work on a Windows 11 VM, at least not on this side of the screen. But give it a go, it should actually work with the following configurations:
Go to //__Settings__// -> //__Network & Internet__// -> //__Proxy__// -> (Manual proxy setup) //__Use a proxy server__// -> //__On__// -> //__Proxy IP address__// (your ''$mitmproxy_IP'') -> //__Port__// (''1080'').
For ''$mitmproxy_IP'' try also ''socks=$mitmproxy_IP'' or ''%%http://socks=$mitmproxy_IP%%''.
\\
==== Certificate/s ====
After connecting via WireGuard or socks, head to https://mitm.it/#Windows and follow the instructions there.\\
If you also want to check certain things via the Firefox browser, you must also download the Android certificate and install it directly in the Firefox browser.\\
For that go to //__Settings__// and search for ''Certificates'' and click on //__View Certificates__// -> //__Authorities__// -> //__Import...__// and choose the .crt file.
\\
===== macOS / iOS =====
Unfortunately there is no device/VM on hand for an "Apple Tutorial".
<alert type="info" icon="fa fa-info-circle">[[https://github.com/sensepost/objection|Objection (Frida module)]] is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.</alert>
\\
==== Android - disable pinning with frida-server ====
<alert type="danger" icon="fa fa-warning">You need to be able to [[/en/phone/operating_systems/android#check_your_bootloader|unlock your bootloader]] and [[/en/phone/apps/magisk|enable root]] on your Android device!</alert>
What is [[https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning|SSL pinning]]?
Download the latest [[https://github.com/frida/frida/releases|frida-server]] release for your device.
<alert type="info" icon="fa fa-info-circle">Check which architecture you're running with ''adb shell getprop ro.product.cpu.abi''</alert>
<alert type="info" icon="fa fa-info-circle">Some apps might be able to detect the frida-server location. Renaming the frida-server binary to a random name, or moving it to another location such as /dev may do the trick.</alert>
\\
=== List all apps and start app without pinning ===