[HN Gopher] Mitmproxy 9: WireGuard Mode
___________________________________________________________________
Mitmproxy 9: WireGuard Mode
Author : mhils
Score : 120 points
Date : 2022-10-29 10:57 UTC (12 hours ago)
(HTM) web link (mitmproxy.org)
(TXT) w3m dump (mitmproxy.org)
| spockz wrote:
| Is there something like this that can introduce network latency,
| but on the TLS and/or HTTP level? E.g. delay TLS handshake (to
| simulate CRL checks), send headers but delay streaming, etc.
| mdaniel wrote:
| I think that's what comcast
| (https://github.com/tylertreat/comcast#readme) is trying to do
| more than mitmproxy. I think there's a competing project but
| that one is the easiest to remember :-)
| mhils wrote:
| mitmproxy dev here, happy to answer questions once I'm back home
| later! :)
| codethief wrote:
| First of all, thank you for all your work on mitmproxy! :)
|
| Could you elaborate on how exactly the WireGuard mode works
| compared to e.g. TLS interception? After all, WG doesn't come
| with certificate authorities or anything like that.
| mhils wrote:
| WireGuard mode does not help with interception; it helps with
| getting traffic into mitmproxy. Put differently, it's a
| user-friendly alternative to 1. configuring an explicit HTTP
| proxy in your system settings, or 2. fiddling with iptables on
| your router and/or your mitmproxy device.
|
| The downside of 1) is that it does not work for UDP-based
| traffic such as DNS and can often be easily bypassed by
| applications. The downside of 2) is that it's generally
| fiddly and does not work very well for users with consumer
| routers (no iptables). In all cases you still need to install
| a trusted mitmproxy CA for TLS interception; that part does
| not change with WireGuard mode. :)
| Avicebron wrote:
| First of all thanks! Not sure if you know any of the Linux
| maintainers, but if you do I'd love to know how to get in touch
| with some of them.
| mhils wrote:
| Are you looking for mitmproxy-on-linux maintainers, or Linux
| kernel maintainers? You have found the former I suppose, but
| I'm the wrong person to ask for the latter. :)
| Avicebron wrote:
| I was looking for a quick way to update my version from the
| command line (Ubuntu), but --options didn't show anything
| off hand like an --update/--upgrade. I just briefly skimmed
| the docs/google for something that would avoid having to
| reinstall the binary.
|
| EDIT: also is there a way to configure the IDE that pops up
| when I go to edit path? It's vim which is fine, I'm just
| curious if I can either integrate a custom vim installation
| or route it to another IDE.
| mhils wrote:
| The recommended way to install mitmproxy on Linux is to
| download new standalone binaries. They are self-contained
| and can just be dropped into /usr/local/bin. If you want
| some way to update automatically, use our Docker images,
| install via pipx
| (https://docs.mitmproxy.org/stable/overview-
| installation/#ins...), or (for Windows users) use the
| Microsoft Store.
|
| > also is there a way to configure the IDE that pops up
| when I go to edit path?
|
| You can set $MITMPROXY_EDITOR or more generally $EDITOR.
| :)
| clumsysmurf wrote:
| Thanks for creating awesome software. Being able to script it
| with python is amazing.
|
| One problem I have been having on macOS with Android emulator:
| proxying traffic from the emulator (my own app) will work for
| about 15 minutes or so... then all traffic ceases to flow, and
| Emulator / Setting / "AndroidWifi" says limited connectivity.
| If I forget AndroidWifi access point, re-add it, and restart,
| it all works again for about 15 minutes. Any ideas how I would
| debug this?
| mhils wrote:
| Hard to say without more details. Once you reach that limited
| connectivity state, do you see anything that stands out in
| the mitmproxy event log? Feel free to open a thread at
| https://github.com/mitmproxy/mitmproxy/discussions and I'm
| happy to help a bit more! Also it would be interesting to
| know if you observe the same thing with our new WireGuard
| mode. :)
| saghul wrote:
| Nice work! Does this mean that intercepting WebRTC media traffic
| is now possible? It's DTLS, so I guess I'll have to check it out!
| mhils wrote:
| We can definitely intercept DTLS now, but there are no specific
| contentviews (pretty-printers) for WebRTC yet. I don't know how
| much of a binary protocol WebRTC is that would make
| pretty-printing necessary. :)
| cjbprime wrote:
| This looks great! My only frustration is not with mitmproxy, but
| macOS -- setting a proxy in System Preferences->Network isn't a
| guarantee that it will be used by apps, and there doesn't appear
| to be a clean way to force all traffic through a proxy.
| mhils wrote:
| If you can run mitmproxy on another device, then our new
| WireGuard mode fixes exactly that problem. At least as long
| as WireGuard is able to capture all traffic. :)
|
| Transparent same-device interception is something we still
| need to do some work on. I've started some work for
| Windows (https://github.com/mitmproxy/mitmproxy/pull/5543), but
| the top priority is HTTP/3 first. :)
| mdaniel wrote:
| Isn't that closer to what a VPN would try to do than a proxy? I
| guess it depends on whether you mean _all traffic_ on the
| machine or only the kind of traffic that travels over proxies
| (I think SOCKS4/5 are special cases and presumably not what
| you meant on a post about mitmproxy)
| cjbprime wrote:
| I was just thinking TCP, although since mitmproxy now
| supports UDP perhaps it can be all traffic?
| ericb wrote:
| Is the UDP work a precursor to HTTP/3 support? I don't see HTTP/3
| mentioned in the announcement, so I assume that something else is
| needed to make it work still?
|
| Edit: I take that back, I see "Add HTTP/3 binary frame content
| view" in the commits. So does that mean it works? I would have
| thought that would be a headline-level announcement, though?
|
| Either way, amazing stuff, and thanks for the brilliant work!
| mhils wrote:
| Yes, the UDP parts are preparation for QUIC/HTTP/3! We will be
| there soon. :-)
| csdvrx wrote:
| Do you have links for the Magisk module? (and ideally a quick
| android tutorial)
| mhils wrote:
| I haven't played around with this myself yet, but basically:
|
| 1. Configure your device to use mitmproxy.
|
| 2. Visit our magic mitm.it domain on the device.
|
| 3. Click on "Show Instructions" for Android.
| jeroenhd wrote:
| The source code seems to be here:
| https://github.com/jorants/mitmproxy/blob/d3ceb1b0f8a5a09e63...
|
| Installation steps seem to be:
|
| - Navigate to /cert/magisk and download the ZIP file
|
| - Load the ZIP file in your Magisk app
|
| - Might be necessary: reboot
|
| The link to the Magisk module is also on the normal Mitmproxy
| cert page. Because each install generates (or should generate)
| its own certificate, the module needs to be generated on the
| fly.
| dontbenebby wrote:
| Thanks for this! I haven't really played around with packet
| captures since back before HTTPS was widespread but I've heard a
| lot of people gripe about it over the years.
|
| Big shoutout to one of the poor bastards who had me as their
| student back when Pitt segmented the school of information
| science away from the rest of the network.
|
| I have no idea if that's still the case, because those moron
| librarians added a card reader, and I don't know how to parkour
| onto the roof of _that_ building.
|
| I got hung up on the fact an extra credit question got marked
| wrong because I said based on the SSID, the packets were from a
| BSD operating system. The TA marked it wrong and said "no, it's
| from an OSX system"... I ended up in the actual professor's
| office, with a listout of the various codes for manufacturers and
| pointing out there's no "OSX" specific one.
|
| (In retrospect, it was a situation where I was rules lawyering
| because I was pissed because I kept bumping into a string of
| people who'd tell me "It's not my job to teach you" only... they
| weren't some cute woman from Iowa in town for a book signing
| meeting me for espresso, they were literally a professor
| teaching, in one case, a "statistics for psychology students"
| course I selected EXPLICITLY because their students also haven't
| had Calculus... and they were tanking my GPA.
|
| Anyways, I'm re-hash-ing very old gripes, but it felt like
| something fundamental shifted when https went widespread, while
| universities seem to focus on weird CTF bullshit.
|
| (You can just message them on a dating application, though then
| they'll make a show of refusing to hire you _and_ reporting you
| to the FBI as a possible cyberterrorist... like uh, I get that
| it's spooky season or whatever but if someone made an offer I
| wouldn't be a cyberterrorist anymore!!)
|
| Anyways, I am looking forward to playing with this after I clear
| my todos. Thanks for the hard work.
| syntaxing wrote:
| Is there a good mitmproxy configuration that blocks ads network
| wide particularly YouTube? I tried using mitm-adblock but it was
| so slow it was unusable.
| mhils wrote:
| I don't think I'm aware of any. If possible I would recommend
| using a browser extension like uBlock Origin instead, being in
| the browser context makes adblocking more efficient. (I realize
| not every client is a browser, I simply don't have good
| recommendations for this then)
| nanomonkey wrote:
| A friend of mine claims to have found mitmproxy on her phone, and
| is worried that her ex husband is using it to track her movements
| and interactions. I am unable to find anything concrete to say
| whether or not this is a possibility. Anyone heard of something
| similar being done, and know how this could have been
| accomplished. She says he didn't have access to her phone, but I
| know he is technically capable.
| atonse wrote:
| Is it iOS or Android? I'd suspect it's way easier to do this
| sort of thing on Android.
|
| But iOS also has certain network extensions you can use (like
| for VPN) that can redirect traffic.
|
| Not saying that's what happened, just saying that alters the
| likeliness.
| mhils wrote:
| mitmproxy would not really be helpful for what you describe,
| this sounds like she is confusing it with some other
| software/stalkerware.
| lordgrenville wrote:
| I don't know anything about this project, can somebody explain
| what the (nonmalicious) use case would be?
| lancebeet wrote:
| I use mitmproxy (mainly mitmweb as a reverse proxy) on a daily
| basis to test and debug front-end applications. Mitmproxy
| allows me to reach application states that would otherwise be
| unreachable without modifying the application code. There are
| of course alternatives but mitmproxy is very capable, the
| mitmweb ui is really convenient and the scripting interface is
| a pleasure to use.
| sangnoir wrote:
| What I've used it for in the past:
|
| 1. Debugging client/server API calls to isolate problems in
| complex JSON interactions. You can even set breakpoints to
| modify server responses on the fly (within the client timeout
| period)
|
| 2. Capturing live responses from API for replaying in client
| regression tests.
|
| 3. Faking server responses for a subset of routes that haven't
| been implemented on the server-side yet, while keeping all
| other routes intact (e.g. auth). This enables parallel client &
| server development. Scripting Mitmproxy in Python is easy.
|
| 4. Non-software engineering use case: _replacing_ resources on
| third party websites. e.g. injecting a dark mode css file into
| a website that doesn't officially support one.
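The four use cases sangnoir lists above, as one added example of a mitmproxy addon (this code is not from the thread or from the mitmproxy project). It assumes a development API host `api.example.com`, a third-party site `www.example.com`, a stub route prefix `/api/v2/`, a feature-flag endpoint `/api/v2/flags` and a capture file name; all of those names and payloads are invented. The `request`/`response` hook names, `flow.request.pretty_host`, `flow.response.content` and `http.Response.make` are mitmproxy's real addon API; the pure helpers are kept separate from the hooks so they can be exercised without mitmproxy installed.

```python
"""Added example (not from the thread): a mitmproxy addon covering the
use cases in the post above. Host names, routes, payloads and the
capture file are invented; hook names and http.Response.make are
mitmproxy's API."""
import json
import re
from typing import Optional

try:
    from mitmproxy import http  # present when loaded with `mitmdump -s`
except ImportError:  # lets the pure helpers run without mitmproxy
    http = None

API_HOST = "api.example.com"     # assumed dev API host
SITE_HOST = "www.example.com"    # assumed third-party site to restyle
CAPTURE_FILE = "captures.jsonl"  # assumed path; one JSON object per line

# (3) Routes not implemented server-side yet, answered locally instead.
STUB_ROUTES = {
    "/api/v2/profile": {"id": 42, "name": "stub user"},
    "/api/v2/settings": {"theme": "dark"},
}

# (4) Inline stylesheet injected into HTML; no external file needed.
DARK_STYLE = b"<style>html{filter:invert(1) hue-rotate(180deg)}</style>"


def fake_response_for(path: str) -> Optional[bytes]:
    """(3) JSON body for a stubbed path (query string ignored), else None."""
    stub = STUB_ROUTES.get(path.split("?", 1)[0])
    return None if stub is None else json.dumps(stub).encode()


def patch_json(body: bytes, patch: dict) -> bytes:
    """(1) Merge `patch` into a JSON object body; anything else passes through."""
    try:
        doc = json.loads(body)
    except ValueError:
        return body
    if not isinstance(doc, dict):
        return body
    doc.update(patch)
    return json.dumps(doc).encode()


def capture_record(method: str, url: str, status: int, body: bytes) -> str:
    """(2) One JSON line describing a live response, for replay in client tests."""
    return json.dumps({"method": method, "url": url, "status": status,
                       "body": body.decode("utf-8", "replace")})


def inject_css(html: bytes, tag: bytes = DARK_STYLE) -> bytes:
    """(4) Insert `tag` before </head>; documents without a head are unchanged."""
    m = re.search(rb"</head\s*>", html, re.IGNORECASE)
    if m is None:
        return html
    return html[: m.start()] + tag + html[m.start():]


def is_type(headers, prefix: str) -> bool:
    """Case-insensitive Content-Type prefix check (works on mitmproxy Headers)."""
    return headers.get("content-type", "").lower().startswith(prefix)


class DevProxy:
    """mitmproxy addon; hooks are discovered by method name."""

    def request(self, flow):
        # (3) Answer stubbed routes before the request ever reaches the server;
        # every other route (auth included) is passed through untouched.
        if flow.request.pretty_host != API_HOST:
            return
        body = fake_response_for(flow.request.path)
        if body is not None:
            flow.response = http.Response.make(
                200, body, {"Content-Type": "application/json"}
            )

    def response(self, flow):
        host = flow.request.pretty_host
        if host == API_HOST:
            # (2) Record live API responses for later replay in tests.
            with open(CAPTURE_FILE, "a", encoding="utf-8") as f:
                f.write(capture_record(flow.request.method, flow.request.pretty_url,
                                       flow.response.status_code,
                                       flow.response.content or b"") + "\n")
            # (1) Rewrite a live server response on the fly.
            if (flow.request.path.startswith("/api/v2/flags")
                    and is_type(flow.response.headers, "application/json")):
                flow.response.content = patch_json(
                    flow.response.content, {"new_checkout": True}
                )
        elif host == SITE_HOST and is_type(flow.response.headers, "text/html"):
            # (4) Restyle a third-party site that ships no dark mode.
            flow.response.content = inject_css(flow.response.content)


addons = [DevProxy()]
```

Load it with `mitmdump -s dev_proxy.py` (or `mitmweb -s dev_proxy.py` for the UI lancebeet mentions). Assigning to `flow.response.content` works on the decoded body and lets mitmproxy re-encode and fix Content-Length, which is why the helpers operate on plain bytes rather than on the raw wire payload.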
| nibbleshifter wrote:
| Debugging first or third party applications that are acting up.
___________________________________________________________________
(page generated 2022-10-29 23:01 UTC)