Traffic inspection
This method is the nicer one, but it only works with HTTP/HTTPS traffic.
Install mitmproxy on your workstation from the mitmproxy project site.
The first time you run mitmproxy (exit with "q"), the CA certificate and key are created in ~/.mitmproxy.
Copy mitmproxy-ca-cert.pem to the client machine whose traffic you want to inspect. On the client, make the mitmproxy CA trusted:
- SLE-11: put it in /etc/ssl/certs and then run c_rehash
- SLE-12: put it in /etc/pki/trust/anchors and then run update-ca-certificates
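The trust step above is where most inspection setups silently fail: if the client does not actually trust the mitmproxy CA, the TLS handshake breaks (or, worse, the program ignores verification and you never notice). The following is an added example, not part of the original page, that installs a CA into an OpenSSL hashed trust directory the way c_rehash does on SLE-11 and then checks that OpenSSL really accepts it. It assumes the openssl command-line tool is present; the directory and certificate paths are parameters, so you can try it on a scratch directory before touching /etc/ssl/certs.

```sh
#!/bin/sh
# Added example (not from the original page): make a CA certificate trusted in
# an OpenSSL -CApath style directory and verify the result.
# Assumption: the openssl CLI is installed on the client.

# install_ca_hashed CERT DIR
# Copies CERT into DIR under the name <subject_hash>.N, which is exactly the
# lookup key OpenSSL uses for -CApath directories (c_rehash creates the same
# name as a symlink). On SLE-11, DIR is /etc/ssl/certs.
install_ca_hashed() {
    cert=$1
    dir=$2
    mkdir -p "$dir" || return 1
    hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
    # Pick the next free suffix so a colliding hash is not overwritten.
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$dir/$hash.$n"
}

# install_ca_sle12 CERT
# SLE-12 keeps anchors in /etc/pki/trust/anchors and rebuilds the bundle.
install_ca_sle12() {
    cp "$1" /etc/pki/trust/anchors/ && update-ca-certificates
}

# verify_ca_trusted DIR CERT
# Returns 0 only if openssl can build a chain for CERT from the anchors in
# DIR. The ": OK" line is checked explicitly because old OpenSSL releases
# exit 0 even when verification fails.
verify_ca_trusted() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Typical use on a SLE-11 client, with the file copied from the workstation:
#   install_ca_hashed ~/mitmproxy-ca-cert.pem /etc/ssl/certs
#   verify_ca_trusted /etc/ssl/certs ~/mitmproxy-ca-cert.pem && echo trusted
```

Run verify_ca_trusted before starting the proxied program; a negative result means the client will refuse mitmproxy's forged server certificates and you will see handshake errors instead of traffic.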
In your workstation, start mitmproxy:
mitmproxy -p 9999
On the client machine, start the program that will communicate with the server over SSL. Make sure you can point the program at your workstation as its proxy with an environment variable; if it does not honour one, check its specific configuration file.
export http_proxy=yourworkstation:9999
export https_proxy=$http_proxy   # programs use this one for HTTPS URLs
./yourprogram
You should start seeing traffic. Check the documentation on how to navigate the flows, inspect them and even modify them.
There is also a companion tool, mitmdump, that works like tcpdump and which you can use to save the traffic to a file.
You can also use the -R option (reverse proxy mode) to put mitmproxy in front of the server, instead of using it as a proxy on the client side.
Also see this Full Tutorial.
sslsplit: INCOMPLETE, not yet working for osad. Needs STARTTLS support.
Install sslsplit on your workstation.
On the client, alter /etc/hosts to redirect the server to your workstation:
....
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts
10.160.5.9 sumars21.suse.de
Now when the client asks for sumars21.suse.de, it resolves to my workstation (10.160.5.9) before the real DNS entry is consulted.
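The /etc/hosts override above is quick to add and easy to forget; as long as it is there, every connection the client makes to that server name goes through the workstation. Below is an added example, not part of the original page, that adds the override idempotently (prepended, because the resolver takes the first matching line), tags it with a marker comment, and removes exactly that line again afterwards. It assumes nothing beyond POSIX sh, grep and awk; the hosts file path is a parameter (defaulting to /etc/hosts) so the functions can be tried on a scratch copy first.

```sh
#!/bin/sh
# Added example (not from the original page): manage the hosts-file override
# that points a server name at the inspecting workstation, and clean it up.
# Assumption: FILE defaults to /etc/hosts but can be any hosts-format file.

MARKER='# traffic-inspection override'

# hosts_restore NAME [FILE]
# Removes only lines carrying the marker for NAME; real entries are kept.
hosts_restore() {
    name=$1; file=${2:-/etc/hosts}
    tmp=$(mktemp) || return 1
    grep -v -F " $name $MARKER" "$file" > "$tmp" || true
    cat "$tmp" > "$file"   # rewrite in place to keep the inode and permissions
    rm -f "$tmp"
}

# hosts_override IP NAME [FILE]
# Puts "IP NAME" at the top of the file once; a second call with the same
# name does nothing new, a call with a different IP replaces the override.
hosts_override() {
    ip=$1; name=$2; file=${3:-/etc/hosts}
    hosts_restore "$name" "$file" || return 1
    tmp=$(mktemp) || return 1
    { printf '%s %s %s\n' "$ip" "$name" "$MARKER"; cat "$file"; } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# hosts_lookup NAME [FILE]
# Prints the address the file resolves NAME to (first match wins, as the
# resolver does), or nothing if the name is not listed.
hosts_lookup() {
    name=$1; file=${2:-/etc/hosts}
    awk -v n="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$file"
}

# Typical use on the client (values from the page):
#   hosts_override 10.160.5.9 sumars21.suse.de      # before the capture
#   hosts_lookup sumars21.suse.de                   # prints 10.160.5.9
#   hosts_restore sumars21.suse.de                  # after the capture
```

Keeping the marker on the override line is what makes hosts_restore safe: it never touches the distribution's own entries or a genuine static entry for the same host.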
Get the server keys:
scp [email protected]:ssl-build/RHN* .
Start sslsplit listening on the ports you want to capture, with the right spec for each: tcp, ssl, http or https. In this case I want to capture the SSL traffic of osad (jabber, port 5222) and HTTPS (port 443). I redirect both to the same original server (sumars21.suse.de).
sudo sslsplit -D -l - -k RHN-ORG-PRIVATE-SSL-KEY -c RHN-ORG-TRUSTED-SSL-CERT ssl 0.0.0.0 5222 sumars21.suse.de 5222 https 0.0.0.0 443 sumars21.suse.de 443
Also see this Full tutorial.