Wiki page device_inspections changed with summary [created] by Dan

This commit is contained in:
ORG_User 2024-05-26 02:10:41 +02:00
parent 2e1585abd6
commit 820caaf234


====== Device inspections with mitmproxy/wireshark and other clever tools ======
This tutorial helps you dig deeper into your devices: see what a specific device or piece of software does on your server, phone and desktop.\\
Below is a short description of each tool used here, with a link to its website.
\\
[[https://mitmproxy.org/|mitmproxy]] is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols. You can prettify and decode a variety of message types ranging from HTML to Protobuf, intercept specific messages on-the-fly, modify them before they reach their destination, and replay them to a client or server later on.
\\
[[https://www.wireshark.org/|wireshark]] is a network packet analyzer. A network packet analyzer presents captured packet data in as much detail as possible.\\
You could think of a network packet analyzer as a measuring device for examining what's happening inside a network cable, just like an electrician uses a voltmeter for examining what's happening inside an electric cable (but at a higher level, of course).\\
In the past, such tools were either very expensive, proprietary, or both. However, with the advent of Wireshark, that has changed. Wireshark is available for free, is open source, and is one of the best packet analyzers available today.\\
\\
[[https://frida.re/|frida]] is a dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.
\\
[[https://github.com/rofl0r/proxychains-ng|proxychains-ng]] is a hook preloader that redirects the TCP traffic of existing dynamically linked programs through one or more SOCKS or HTTP proxies.
\\
[[https://tsocks.sourceforge.net/|tsocks]] provides transparent network access through a SOCKS version 4 or 5 proxy (usually on a firewall). tsocks intercepts the calls applications make to establish TCP connections and transparently proxies them as necessary.
\\
[[https://www.tcpdump.org/|tcpdump]] is a powerful command-line packet analyzer built on libpcap, a portable C/C++ library for network traffic capture.
\\
[[https://github.com/emanuele-f/PCAPdroid|PCAPdroid]] is a privacy-friendly open source app which lets you track, analyze and block the connections made by the other apps on your device. It also allows you to export a PCAP dump of the traffic, inspect HTTP, decrypt TLS traffic and much more!
PCAPdroid simulates a VPN in order to capture the network traffic without root. It does not use a remote VPN server, instead data is processed locally on the device.
\\
===== mitmproxy =====
\\
==== Package ====
<code>
pacman -S mitmproxy
</code>
\\
==== Firewall ====
Open port ''1080'' for the ''TCP'' and ''UDP'' protocols.
Check [[/en/server/services/firewalld#custom_made|firewalld]] and create a new service named ''mitmproxy''.
\\
==== Start via ... ====
<alert type="info" icon="fa fa-info-circle">If you prefer a web view use ''mitmweb'' instead of ''mitmproxy'' in the command.</alert>
\\
=== socks5 ===
<code>
MITMPROXY_SSLKEYLOGFILE="$HOME/.mitmproxy/sslkeylogfile.txt" mitmproxy --mode socks5 --showhost -w +output.mitm
</code>
\\
=== WireGuard ===
This is convenient if you already have [[/en/server/services/wireguard|wireguard]] installed.
<code>
MITMPROXY_SSLKEYLOGFILE="$HOME/.mitmproxy/sslkeylogfile.txt" mitmproxy --mode wireguard --listen-port 1080 --showhost -w +output.mitm
</code>
\\
==== .bashrc alias ====
Below is an example for your ''.bashrc''. Just use ''setproxy'', ''setproxy-wg'' and ''unsetproxy''.
<code>
# Open the firewall service and start mitmproxy in socks5 mode
function setproxy() {
    sudo firewall-cmd --add-service=mitmproxy --zone=home
    echo "Start mitmproxy on $(date)"
    MITMPROXY_SSLKEYLOGFILE="$HOME/.mitmproxy/sslkeylogfile.txt" mitmproxy --mode socks5 --showhost -w +output.mitm
}
# Open the firewall service and start mitmproxy in WireGuard mode
function setproxy-wg() {
    sudo firewall-cmd --add-service=mitmproxy --zone=home
    echo "Start mitmproxy on $(date)"
    MITMPROXY_SSLKEYLOGFILE="$HOME/.mitmproxy/sslkeylogfile.txt" mitmproxy --mode wireguard --listen-port 1080 --showhost -w +output.mitm
}
# Close the firewall service again once mitmproxy has been stopped
function unsetproxy() {
    echo "Stopped mitmproxy on $(date)"
    sudo firewall-cmd --remove-service=mitmproxy --zone=home
    unset MITMPROXY_SSLKEYLOGFILE
}
</code>
\\
===== Set up Firefox and download certificates =====
- To download the mitmproxy certificates and to check websites, it is best to install the [[https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/?utm_source=addons.mozilla.org&utm_medium=referral&utm_content=search|Firefox Multi-Account Containers]] addon, create a new container named for example ''%%proxy%%'' and, under **//Advanced proxy settings//**, add ''%%socks://$mitmproxy_ip:1080%%''.\\ This way you can open a tab in the new proxy container instead of routing all of Firefox through the proxy.\\ If you prefer to route the whole of Firefox through the proxy, follow the next two steps instead:\\ \\
- Go to ''about:preferences#general'' and search for ''proxy'' or scroll to the bottom to the ''Network Settings'' button.
- {{:security:socks5.png?direct:1000|}}\\ \\
- Go to http://mitm.it/ and download the certificate for your specific device.
\\
==== Install certificate/s ====
Follow [[/en/server/services/ssl#installing_your_root_certificate_on_all_the_devices|ssl]] and use ''mitmproxy-ca-cert.pem'' instead of ''rootCA.pem''.
\\
===== Proxychains-ng / tsocks =====
Two options are given here, so that one can be used if the other does not work for whatever reason.
\\
==== Packages ====
<code>
pacman -S proxychains-ng tsocks
</code>
\\
==== conf ====
<code>
nano /etc/proxychains.conf
</code>
<code>
#socks4 127.0.0.1 9050
socks5 $mitmproxy_ip 1080
</code>
<code>
nano /etc/tsocks.conf
</code>
<code>
server = 127.0.0.1
server_port = 1080
server_type = 5
default_user = ""
default_pass = ""
</code>
\\
==== Example ====
<code>
proxychains $SOFTWARE
</code>
<code>
export LD_PRELOAD=/lib/libtsocks.so
tsocks $SOFTWARE
</code>
\\
===== Wireshark =====
If you prefer to work in Wireshark, point its TLS settings at the ''SSLKEYLOGFILE'' written by mitmproxy; Wireshark can then decrypt the TLS sessions that pass through mitmproxy.
\\
==== Package ====
<code>
pacman -S wireshark-qt
</code>
\\
==== SSL/TLS ====
Go to ''Edit'' -> ''Preferences'' -> ''Protocols'' -> ''TLS'' -> ''(Pre)-Master-Secret log filename'' and add the file, which will be under ''~/.mitmproxy/sslkeylogfile.txt''.
\\
==== MAP ====
This way you can easily see where your devices and software connect to. The overview is displayed on a world map (see image below).\\
You will need 3 files in **one folder**:
- GeoLite2-ASN.mmdb
- GeoLite2-City.mmdb
- GeoLite2-Country.mmdb
You can download them from https://www.maxmind.com/. You need to register.\\
Afterwards you will find these files under //__GeoIP2 / GeoLite2__// -> //__Download Files__//
Extract the files, start Wireshark and select //__Edit__// -> //__Preferences (Ctrl+Shift+P)__// -> //__Name Resolution__// -> //__Enable IP geolocation__//, click the MaxMind database directories //__Edit...__// button and select the path where the extracted files are located.
The screenshot below shows a Windows 11 VM running on a proxmox server:
{{:en:extras:windows11-map.png?direct&1200|}}
\\
===== Check IoT, TV,... devices with wireshark and ... =====
The following option can actually be used over any ssh connection. The user just needs permission to run tcpdump, or use ''-t'' and add ''sudo'' in front of the commands (''ssh -t server "sudo ..."''). However, the last and most important command (the live capture piped into Wireshark) does not work this way, because the pseudo-terminal alters the binary pcap stream. The easiest way is to create a user with the right permissions right away!\\
This option does not include decryption via mitmproxy/wireshark, but it is still useful for checking IoT devices etc. where e.g. the installation of mitmproxy certificates is not possible. It still gives you a good overview of whom the device is communicating with and whether your firewall/DNS blocklist is set up correctly or not.
If you are not in a position to find out the name and IP address of your device, you can also try nmap's ping sweep option: ''sudo nmap -sn 192.168.1.0/24''.
\\
==== OpenWrt ====
List connected devices and the associated IP addresses:
<code>
ssh openwrt "awk '{print \$3, \$4}' /tmp/dhcp.leases"
</code>
If you have multiple interfaces (vlans, ...) check with:
<code>
ssh openwrt "ip -o addr show | grep global | awk '{print\$4,\$2}'"
</code>
Create a named pipe, start Wireshark reading from it, and stream a live tcpdump capture from the router into it:
<code>
mkfifo openwrt.fifo ; wireshark -k -i openwrt.fifo | ssh openwrt "tcpdump -i wonder-lan host Nasty-little-IoT -U -s0 -w -" > openwrt.fifo
</code>
<alert type="info" icon="fa fa-info-circle">Change interface (''-i'') ''wonder-lan'' and device name (''host'') ''Nasty-little-IoT''.</alert>
\\
==== OPNsense ====
List connected devices and the associated IP addresses:
<code>
ssh opnsense "cat /var/dhcpd/var/db/dhcpd.leases | grep -E 'client-hostname|lease' | grep -B 1 'client-hostname' | sed 's/client-hostname//g;s/\"//g;s/;//g;s/{//g;s/lease //g;s/^--*//g;/^$/d;s/ //g'"
</code>
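The two lease listings above (the ''awk'' one-liner for dnsmasq on OpenWrt and the long ''sed'' chain for ISC dhcpd on OPNsense) each give the same ''ip hostname'' overview. As an added example that is not part of the original page, the functions below do the same job with one small parser per format, report leases without a hostname as ''-'' instead of dropping them, and keep only the most recent ISC block when an IP appears more than once. Both read the lease file from stdin, so ''ssh openwrt cat /tmp/dhcp.leases | parse_dnsmasq_leases'' works as well as a local copy. The sample lease files embedded in the script are constructed, not captured; the function names are this example's own.

```shell
# Added example (not from the original page): turn the raw lease files of both
# routers into "ip hostname" lines, one small parser per format.
#   dnsmasq (OpenWrt /tmp/dhcp.leases):  <expiry> <mac> <ip> <hostname|*> <client-id>
#   ISC dhcpd (OPNsense dhcpd.leases):   lease <ip> { ... client-hostname "<name>"; ... }
# Both functions read from stdin, so they work on a local copy of the file or on
# "ssh router cat <file> | ...". The sample data below is constructed, not captured.

# dnsmasq: the hostname field is "*" when the client sent none; report it as "-".
parse_dnsmasq_leases() {
    awk 'NF >= 3 { host = ($4 == "*" || $4 == "") ? "-" : $4; print $3, host }'
}

# ISC dhcpd: one "lease <ip> { ... }" block per lease, client-hostname optional.
# A later block for the same IP supersedes an earlier one, so only the last is kept.
parse_isc_leases() {
    awk '
        /^lease /                { ip = $2; host = "-"; next }
        /^[ \t]*client-hostname/ { h = $2; gsub(/[";]/, "", h); host = h; next }
        /^}/                     { if (ip != "") seen[ip] = host; ip = "" }
        END                      { for (ip in seen) print ip, seen[ip] }
    ' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Constructed sample lease files for a stand-alone run.
SAMPLE_DNSMASQ='1716700000 aa:bb:cc:dd:ee:01 192.168.1.50 nasty-little-iot 01:aa:bb:cc:dd:ee:01
1716700100 aa:bb:cc:dd:ee:02 192.168.1.51 * 01:aa:bb:cc:dd:ee:02'

SAMPLE_ISC='# constructed dhcpd.leases
lease 192.168.1.50 {
  starts 0 2024/05/26 00:00:00;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "nasty-little-iot";
}
lease 192.168.1.51 {
  starts 0 2024/05/26 00:05:00;
  hardware ethernet aa:bb:cc:dd:ee:02;
}
lease 192.168.1.50 {
  starts 0 2024/05/26 12:00:00;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "nasty-little-iot-renamed";
}'

demo_dnsmasq() { printf '%s\n' "$SAMPLE_DNSMASQ" | parse_dnsmasq_leases; }
demo_isc()     { printf '%s\n' "$SAMPLE_ISC" | parse_isc_leases; }

main() {
    echo "# dnsmasq (OpenWrt)";   demo_dnsmasq
    echo "# ISC dhcpd (OPNsense)"; demo_isc
}
main
```

Because the output is plain ''ip hostname'' pairs, a device can be picked for the tcpdump ''host'' filter below with ''grep'', and the IP form required on OPNsense is already in the first column.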
If you have multiple interfaces (vlans, …) check with:
<code>
ssh opnsense "ifconfig | grep -E 'UP|inet' | awk '{ print \$1, \$2 }' | sed -e 's/flags=.*$//g;s/://g;s/inet //g'"
</code>
Create a named pipe, start Wireshark reading from it, and stream a live tcpdump capture from the router into it:
<code>
mkfifo opnsense.fifo ; wireshark -k -i opnsense.fifo | ssh opnsense "tcpdump -i wonder-lan host Nasty-little-IoT -U -s0 -w -" > opnsense.fifo
</code>
<alert type="info" icon="fa fa-info-circle">Change interface (''-i'') ''wonder-lan'' and device name (''host'') ''Nasty-little-IoT''. Hostname needs to be an IP address on opnsense.</alert>
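The fifo one-liners for OpenWrt and OPNsense above splice the interface and device name straight into the quoted remote command and leave the fifo behind when Wireshark is closed. The wrapper below is an added example, not part of the original page: it checks both arguments before they reach the remote shell, enforces the OPNsense rule that the host must be an IP address, creates the fifo in a private temporary directory and removes it on exit, and deliberately runs ssh without ''-t'' so the binary pcap stream is not altered. The router types and ssh aliases (''openwrt'', ''opnsense'') are the page's placeholders; the function names are this example's own.

```shell
# Added example (not from the original page): a checked wrapper around
# "mkfifo + ssh router tcpdump -w - + wireshark -k -i <fifo>".

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on "." into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# 0 if $1 is a plain token (letters, digits, ".", "_", "-"): safe to place
# inside the double-quoted command that ssh hands to the remote shell.
is_safe_token() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Print the tcpdump command to run on the router.
#   $1 router type: openwrt (hostname or IP) | opnsense (IP address only)
#   $2 capture interface    $3 device to filter on ("host" expression)
remote_capture_cmd() {
    is_safe_token "$2" || { echo "invalid interface name: $2" >&2; return 1; }
    case $1 in
        opnsense) is_ipv4 "$3" || { echo "OPNsense needs an IP address, got: $3" >&2; return 1; } ;;
        openwrt)  is_safe_token "$3" || { echo "invalid host: $3" >&2; return 1; } ;;
        *)        echo "unknown router type: $1" >&2; return 1 ;;
    esac
    printf 'tcpdump -i %s host %s -U -s0 -w -\n' "$2" "$3"
}

# Stream a live capture from the router into Wireshark through a named pipe.
#   $1 router type   $2 ssh host alias   $3 interface   $4 device
capture_to_wireshark() {
    cmd=$(remote_capture_cmd "$1" "$3" "$4") || return 1
    dir=$(mktemp -d) || return 1
    fifo=$dir/capture.fifo
    mkfifo "$fifo" || return 1
    trap 'rm -rf "$dir"' EXIT INT TERM   # clean up on normal exit, Ctrl-C or kill
    wireshark -k -i "$fifo" &
    # No "ssh -t" here: a pseudo-terminal would alter the binary pcap stream.
    ssh "$2" "$cmd" > "$fifo"
    wait
}

# Example invocations (device names are the page's placeholders):
#   capture_to_wireshark openwrt  openwrt  wonder-lan Nasty-little-IoT
#   capture_to_wireshark opnsense opnsense wonder-lan 192.168.1.50
```

Save it as a script or source it from ''.bashrc'' next to the ''setproxy'' helpers; the remote user still needs permission to run tcpdump, as described above.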
\\
===== Android with PCAPdroid =====
\\
==== Download and install apk ====
Install PCAPdroid via [[en:phone:apps:f-droid|F-Droid]] - https://f-droid.org/en/packages/com.emanuelef.remote_capture/.
\\
==== mitmproxy socks5 ====
You'll need to import [[#install_certificate_s|mitmproxy's certificate]] on your Android.
To use [[#start_via_socks5|mitmproxy socks5]] just go to:
- //__Settings__//
- //__Traffic inspection__//
- //__SOCKS5__//
- Enable //__SOCKS5 redirection__//
- Add your ''$mitmproxy_ip'' under //__Proxy host__//
- Add port ''1080'' under //__Proxy port__//
- Go back to //__STATUS__//
- Click //__No dump__//
- Enable //__HTTP server__//
- Click on //__Ready__//
\\
==== With wireshark ====
Make sure you have completed the [[#wireshark|Wireshark]] installation.
Connect to PCAPdroid's HTTP server:
<code>
curl -NLs http://$android_ip:8080 | wireshark -k -i -
</code>
\\
===== Windows 11 =====
\\
==== WireGuard ====
Download [[https://www.wireguard.com/install/|WireGuard installer]].\\
Create a ''wireguard.conf'' file under Windows with the output of mitmweb or mitmproxy (Shift+E) and import it into wireguard.
\\
==== socks ====
For some reason the socks setup did not work on a Windows 11 VM, at least not on this side of the screen. But give it a go; it should work with the following configuration:
Go to //__Settings__// -> //__Network & Internet__// -> //__Proxy__// -> (Manual proxy setup) //__Use a proxy server__// -> //__On__// -> //__Proxy IP address__// (your ''$mitmproxy_IP'') -> //__Port__// (''1080'').
For ''$mitmproxy_IP'' try also ''socks=$mitmproxy_IP'' or ''%%http://socks=$mitmproxy_IP%%''.
\\
==== Certificate/s ====
After connecting via WireGuard or socks, head to https://mitm.it/#Windows and follow the instructions there.\\
If you also want to check certain things via the Firefox browser, you must also download the Android certificate and install it directly in Firefox.\\
For that, go to //__Settings__//, search for ''Certificates'' and click //__View Certificates__// -> //__Authorities__// -> //__Import...__//, then choose the .crt file.
\\
===== macOS / iOS =====
Unfortunately there is no device/VM on hand for an "Apple Tutorial".
Only further links are given:
macOS:\\
[[https://support.apple.com/en-nz/guide/mac-help/mchlp2591/mac|socks config]]\\
[[https://mitm.it/#macOS|install certificate]]
iOS:\\
[[https://proxyway.com/guides/configure-proxy-iphone|socks config]]\\
[[https://mitm.it/#iOS|install certificate]]\\
\\
===== frida =====
\\
==== Packages ====
<code>
pacman -S python-pip android-tools
</code>
\\
==== Create environment ====
<code>
mkdir -p ~/env/frida
python -m venv ~/env/frida
~/env/frida/bin/pip install --upgrade frida-tools objection setuptools
</code>
<alert type="info" icon="fa fa-info-circle">[[https://github.com/sensepost/objection|The Frida module Objection]] is a runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.</alert>
\\
==== Android - disable pinning with frida-server ====
<alert type="danger" icon="fa fa-warning">You need to be able to [[/en/phone/operating_systems/android#check_your_bootloader|unlock your bootloader]] and [[/en/phone/apps/magisk|enable root]] on your Android device!</alert>
What is [[https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning|SSL pinning]]?
Download the latest [[https://github.com/frida/frida/releases|frida-server]] release for your device.
<alert type="info" icon="fa fa-info-circle">Check which architecture you're running with ''adb shell getprop ro.product.cpu.abi''</alert>
<code>
wget https://github.com/frida/frida/releases/download/16.2.1/frida-server-16.2.1-android-arm64.xz
unxz frida-server*.xz && mv frida-server* disable-pinning
adb push disable-pinning /data/local/tmp/
adb root
adb shell "chmod 755 /data/local/tmp/disable-pinning"
adb shell "/data/local/tmp/disable-pinning &"
</code>
<alert type="info" icon="fa fa-info-circle">Some apps might be able to detect the frida-server location. Renaming the frida-server binary to a random name, or moving it to another location such as /dev may do the trick.</alert>
\\
=== List all apps and start app without pinning ===
<code>
~/env/frida/bin/frida-ps -Uai
</code>
Start fdroid:
<code>
~/env/frida/bin/objection --gadget "org.fdroid.fdroid" explore --startup-command 'android sslpinning disable'
</code>
\\
==== Uninstall ====
<code>
adb shell "rm /data/local/tmp/disable-pinning"
~/env/frida/bin/pip uninstall frida-tools objection
pacman -Rsn python-pip
rm -rf ~/env/frida
</code>