initial commit

Author: stypr

.gitignore

@@ -0,0 +1,2 @@
+__pycache__
+config/

README.md

@@ -0,0 +1,68 @@
+## mitmproxy-tools
+
+List of generic mitmproxy scripts I use while working on various researches, pentests and bug bounties.
+
+Previously
+
+* I wrote a blog post about my [mitmproxy + openvpn](https://blog.flatt.tech/entry/mitmproxy) setup at my former workpace.
+* then I wrote another [mitmproxy + openvpn](https://gist.github.com/stypr/abe9ef83556759847c063ae9389fa0ae) setup to show the current setup
+
+What has been changed this time
+
+* Directory structures have been changed for convenient addons
+  - `views/*` can be used to auto decrypt some of request/response data for better visuals
+  - `addons/*` can be used to work like plugins to do actions upon send/receive.
+
+* Replacing openvpn setups to wireguard setups
+  - When upstream SOCK5 proxy only supports TCP, UDP packets have to be passed through somehow.
+    1. Unfortunately, transparent proxy will not pass UDP packets, while the wireguard mode does support DNS and UDP packet mitm.
+  - Setups are much simpler than typical openvpn setup.
+  - Reference: https://mitmproxy.org/posts/wireguard-mode/
+  - There are still some limitations like lack of handling for HTTP2 and HTTP3, but we can still use the old HTTPS.
+
+Feel free to contribute if you have any interesting addons/views to share.
+
+### Installations
+
+#### Summary
+
+Most of them are same as [the gist version](https://gist.github.com/stypr/abe9ef83556759847c063ae9389fa0ae), except that you don't have to install OpenVPN anymore.
+
+1. Install `wireguard` on your system (`apt install -y wireguard`)
+
+2. `bind9` is not needed anymore. Also, [mitmproxy now has its own way to handle DNS manipulations now](https://github.com/Kriechi/mitmproxy/blob/dns-addon/docs/src/content/overview-features.md#dns-manipulation).
+
+2. Install [Caddy](https://caddyserver.com/docs/install)
+
+3. Add passwords on [caddy/Caddyfile](caddy/Caddyfile) using `caddy hash-password`, move files to `/etc/caddy`
+
+4. Install mitmproxy to latest
+```sh
+apt install -y python3-pyasn1 python3-flask python3-dev python3-urwid python3-pip libxml2-dev libxslt-dev libffi-dev
+pip3 install -U mitmproxy --break-system-packages
+mitmproxy --version
+```
+
+5. The script proxies through upstream [WARP](https://one.one.one.one/) by default.
+   You might want to install or make appropriate changes to the script.
+
+6. Once everything is done, `screen ./run.sh`
+
+#### Installing WARP on Linux
+
+1. Install WARP CLI.
+
+```sh
+curl https://pkg.cloudflareclient.com/pubkey.gpg | sudo gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg
+echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ bookworm main" | sudo tee /etc/apt/sources.list.d/cloudflare-client.list
+sudo apt update && sudo apt install -y cloudflare-warp
+```
+
+2. Register WARP, set proxy with appropriate ports, start proxy.
+
+```sh
+warp-cli register
+warp-cli proxy port 40000
+warp-cli mode proxy
+warp-cli connect
+```

addons/debug.py

@@ -0,0 +1,32 @@
+import os
+import logging
+import tempfile
+import requests
+from mitmproxy import http
+
+class Debug:
+    """
+    Main debug script
+    """
+
+    def request(self, flow: http.HTTPFlow) -> None:
+        """
+        Main Request Handler
+        """
+
+        match flow.request.path:
+            case "/__ok__":
+                flow.response = http.Response.make(200, "ok", {"Content-Type": "text/html"})
+            case _:
+                pass
+
+    def response(self, flow: http.HTTPFlow) -> None:
+        """
+        Main Response Handler
+        """
+
+        match flow.request.path:
+            case "/iam/api/login":
+                flow.response.content = flow.response.content.replace(b"true", b"false")
+            case _:
+                pass

addons/no_cache.py

@@ -0,0 +1,20 @@
+import os
+import logging
+import tempfile
+import requests
+from mitmproxy import http
+
+class NoCache:
+    """
+    Disable caching completely.
+    """
+
+    def response(self, flow: http.HTTPFlow) -> None:
+        """
+        Disable caching completely.
+        """
+
+        # Never ever cache responses.
+        flow.response.headers["cache-control"] = "no-cache, no-store, must-revalidate"
+        flow.response.headers["pragma"] = "no-cache"
+        flow.response.headers["expires"] = "0"

addons/upstream_proxy.py

@@ -0,0 +1,33 @@
+import random
+from mitmproxy import http
+from mitmproxy.net.server_spec import ServerSpec
+from mitmproxy.connection import Server
+
+class UpstreamProxy:
+    """
+        Empty proxy_servers if you don't plan to use proxy at all
+    """
+    proxy_servers = [
+        ("127.0.0.1", 40000)
+    ]
+
+    def get_proxy_address(self) -> tuple[str, int]:
+        """
+        Load balancing based on random.choice
+        """
+        return random.choice(self.proxy_servers) if self.proxy_servers else None
+
+
+    def request(self, flow: http.HTTPFlow) -> None:
+        """
+        Main Request Handler
+        """
+
+        # Forward to Upstream Proxy
+        proxy_address = self.get_proxy_address()
+        if proxy_address:
+            server_connection_already_open = flow.server_conn.timestamp_start is not None
+            if server_connection_already_open and proxy_address:
+                flow.server_conn = Server(address=flow.server_conn.address)
+            flow.server_conn.via = ServerSpec(("http", proxy_address))
+

addons/web_console.py

@@ -0,0 +1,63 @@
+import os
+import logging
+import tempfile
+import requests
+from mitmproxy import http
+
+class WebConsole:
+    """
+    Adds web console for convenient mobile devtools
+    You may use vConsole as an alternative.
+    """
+    console = ""
+    console_url = "https://cdn.jsdelivr.net/npm/eruda"
+
+    def load(self, loader):
+        console_path = os.path.join(tempfile.gettempdir(), "console.js")
+
+        try:
+            self.console = open(console_path).read()
+        except:
+            logging.warning("Dowloading Eruda to temporary directory...")
+            self.console = requests.get(self.console_url, timeout=10).text
+            open(console_path, "w").write(self.console)
+
+    def request(self, flow: http.HTTPFlow) -> None:
+        """
+        Main Request Handler
+        """
+        match flow.request.path:
+            case "/__script__/__console__.js":
+                flow.response = http.Response.make(
+                    200,
+                    self.console,
+                    {"Content-Type": "text/javascript"}
+                )
+            case _:
+                pass
+
+    def response(self, flow: http.HTTPFlow) -> None:
+        """
+        Append console script for all text/html responses
+        """
+
+        # Inject Eruda if the response is HTML
+        is_html = False
+        for key, value in flow.response.headers.items():
+            # text/html; charset=utf-8
+            if key.lower() == "content-type" and value.startswith("text/html"):
+                is_html = True
+                break
+
+        if is_html:
+            console_loader = b"""
+                <script async>
+                    (() => {
+                        var script3336974aaa = document.createElement('script');
+                        script3336974aaa.src="/__script__/__console__.js";
+                        document.head.append(script3336974aaa);
+                        script3336974aaa.onload = () => { eruda.init(); };
+                    })();
+                </script></head>
+            """
+            flow.response.content = flow.response.content.replace(b"</head>", console_loader)

caddy/Caddyfile

@@ -0,0 +1,47 @@
+example.tld {
+	# tls internal
+
+    log {
+        format json {
+            time_format rfc3339
+        }
+        output file /var/log/caddy/default.log {
+            roll_size 1gb
+            roll_keep 2
+            roll_keep_for 2160h
+        }
+    }
+
+    header /* {
+        -Server
+        -X-frame-options
+        -X-powered-by
+        ?Access-Control-Allow-Methods "POST, GET, OPTIONS"
+        ?Access-Control-Allow-Origin "*"
+        Cache-Control: no-cache, no-store, must-revalidate
+        defer
+    }
+
+    handle_errors {
+        header /* {
+            -Server
+            -X-frame-options
+            -X-powered-by
+            ?Access-Control-Allow-Methods "POST, GET, OPTIONS"
+            ?Access-Control-Allow-Origin "*"
+            Cache-Control: no-cache, no-store, must-revalidate
+            defer
+        }
+    }
+
+    handle_path /* {
+        # use `caddy hash-password` to generate credentials
+        basicauth {
+            admin $2a$......
+        }
+        reverse_proxy * http://localhost:8000 {
+            header_up Host localhost:8000
+            header_up Origin http://localhost:8000
+        }
+    }
+}

config/.keep

@@ -0,0 +1,40 @@
+#!/usr/bin/python3 -u
+
+"""
+Main script for debugging
+"""
+
+import logging
+import requests
+
+from mitmproxy import contentviews
+from views.sekai import ViewSekai
+from addons.upstream_proxy import UpstreamProxy
+from addons.web_console import WebConsole
+from addons.no_cache import NoCache
+from addons.debug import Debug
+
+####
+
+addons = [
+    UpstreamProxy(),
+    WebConsole(),
+    NoCache(),
+    Debug()
+]
+
+####
+
+views = [
+    ViewProjectSekai(),
+]
+
+####
+
+def load(loader):
+    for view in views:
+        contentviews.add(view)
+
+def done():
+    for view in views:
+        contentviews.remove(view)

main.py

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+warp-cli disconnect
+warp-cli connect
+mitmweb \
+  --ignore-hosts dns.google.com \
+  --web-port 8000 \
+  --web-host localhost \
+  --ssl-insecure \
+  --set stream_large_bodies=1024000 \
+  --set connection_strategy=lazy \
+  --set http2=false \
+  --set http3=false \
+  --no-web-open-browser \
+  --set confdir=$PWD/config \
+  --mode wireguard:$PWD/config/wireguard_server1.conf@303 \
+  --script main.py
+
+# For mulitple clients, add more configs.
+# Client configurations are available in the web frontend
+#   --mode wireguard:$PWD/config/wireguard_server2.conf@304