MITM TCP Tools

A lot of web applications use ports 80 and 443 but don't necessarily speak HTTP or live inside a web browser. Many of them ship rich content and compiled code, such as Flash/ActiveX/Java, which can open their own TCP sockets to remote servers, bypassing the browser's network stack and any HTTP proxy the browser is configured to use.

All the JVMs I’ve used do let you specify a proxy for an applet to use, but in my experience, this process is sometimes a little clumsy. On top of that, this only helps if the applet is speaking HTTP, or some other known protocol for which a proxy exists.

Putting browser-based applications aside for a moment, fat client applications (including those on mobile devices) will use ports 80/443 as a sure-fire way through the firewall, because outbound traffic on those ports is almost always allowed, even if they aren't using a standard protocol like HTTP or SOAP/WS-Security.

Wireshark, tcpdump, and other network sniffers can be helpful in these situations where you can't get application data easily routed through a proxy. However, they only observe: the ability to replay or modify data on the fly between client and server is still a challenge. Add SSL encryption to the scenario, and typically you are S.O.L., since all the sniffer shows you is ciphertext.

What we need is a socket-based TCP proxy with SSL support. Such a proxy would capture traffic at the socket layer, below any application-level proxy setting, identify common protocols and accumulate requests/responses for MITMing, but also stream proprietary protocols while providing a mechanism for altering/fuzzing data on the fly. For the SSL case it terminates the client's connection with its own certificate and opens a second SSL connection to the real server, so the client has to trust that certificate (or not validate certificates at all, which fat clients frequently don't).
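The core of such a proxy, as an added example written for this post (it is not the author's proof-of-concept tool): a socket-level relay that streams bytes in both directions, passes each chunk through a user-supplied hook so data can be altered or fuzzed on the fly, logs every chunk for later inspection or replay, and optionally wraps either leg in TLS. The `TcpMitmProxy` class, its hook names, and the echo server used as a stand-in for a proprietary-protocol server are all assumptions of this example.

```python
"""Socket-level TCP proxy with optional TLS on either leg.

Hypothetical example written for this post, not the author's tool.
Each chunk in each direction passes through a hook that may alter it,
and each chunk is logged so the session can be inspected or replayed.
"""
import socket
import ssl
import threading


class TcpMitmProxy:
    def __init__(self, upstream, listen=("127.0.0.1", 0), to_server=None,
                 to_client=None, server_ctx=None, client_ctx=None,
                 server_hostname=None):
        self.upstream = upstream                    # (host, port) of the real server
        self.listen_addr = listen                   # port 0 = pick a free port
        self.to_server = to_server or (lambda b: b)  # hook for client -> server bytes
        self.to_client = to_client or (lambda b: b)  # hook for server -> client bytes
        # server_ctx carries *our* certificate, presented to the fat client;
        # the client must trust it (or skip validation) for TLS MITM to work.
        self.server_ctx = server_ctx
        self.client_ctx = client_ctx                # TLS for the upstream leg
        self.server_hostname = server_hostname or upstream[0]
        self.log = []                               # (direction, original, forwarded)
        self._lock = threading.Lock()
        self._listener = None

    def start(self):
        """Bind, accept connections in the background, return the listening port."""
        self._listener = socket.create_server(self.listen_addr)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self._listener.getsockname()[1]

    def stop(self):
        if self._listener:
            self._listener.close()

    def _accept_loop(self):
        while True:
            try:
                conn, _ = self._listener.accept()
            except OSError:                         # listener closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, client):
        try:
            if self.server_ctx:
                client = self.server_ctx.wrap_socket(client, server_side=True)
            server = socket.create_connection(self.upstream)
            if self.client_ctx:
                server = self.client_ctx.wrap_socket(
                    server, server_hostname=self.server_hostname)
        except OSError:                             # includes ssl.SSLError
            client.close()
            return
        t = threading.Thread(target=self._pump,
                             args=(client, server, "c>s", self.to_server), daemon=True)
        t.start()
        self._pump(server, client, "s>c", self.to_client)
        t.join()
        client.close()
        server.close()

    def _pump(self, src, dst, direction, hook):
        """Stream src -> dst until EOF, passing each chunk through hook."""
        while True:
            try:
                data = src.recv(65536)
            except OSError:
                data = b""
            if not data:
                # Propagate the half-close so FIN-delimited protocols still work.
                # An SSLSocket has no clean half-close; that leg ends on close_notify.
                if not isinstance(dst, ssl.SSLSocket):
                    try:
                        dst.shutdown(socket.SHUT_WR)
                    except OSError:
                        pass
                return
            forwarded = hook(data)                  # alter/fuzz on the fly (per chunk)
            with self._lock:
                self.log.append((direction, data, forwarded))
            try:
                dst.sendall(forwarded)
            except OSError:
                return


def start_echo_server():
    """Constructed stand-in for a proprietary-protocol server: echoes bytes back."""
    srv = socket.create_server(("127.0.0.1", 0))

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while chunk := conn.recv(65536):
                    conn.sendall(chunk)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def exchange(port, payload):
    """Send payload through the proxy, half-close, and collect the whole reply."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := c.recv(65536):
            reply += chunk
        return reply


if __name__ == "__main__":
    proxy = TcpMitmProxy(("127.0.0.1", start_echo_server()),
                         to_server=lambda b: b.replace(b"hello", b"HELLO"))
    print(exchange(proxy.start(), b"hello world"))
    print(proxy.log)
    proxy.stop()
```

The hooks operate per received chunk, so a pattern split across two TCP segments will not be matched; a production tool would buffer until a protocol-specific message boundary before handing data to the hook, which is what "accumulating requests/responses" means for the known protocols above. To intercept SSL, pass an `ssl.SSLContext` loaded with your own certificate and key as `server_ctx`, and a client context (with verification disabled if you are testing against self-signed servers) as `client_ctx`.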

Tools like WebScarab/Paros/Burp are great at what they do, but they are HTTP proxies. As soon as an application strays from a common protocol (security through obscurity anyone?) these tools lose some of their value.

I already have a proof-of-concept tool that has been invaluable to us in some recent pen-testing. Now, the plan is to tighten up the loose ends, add some features, and make it available for others to use.

I’d definitely be interested to hear what anyone has to say about such a tool. Do you think it would help you? Is there already something similar out there? Leave your comments below.

-Schmoilito


3 Comments so far

  1. Peter mcLaughlin July 4th, 2008 9:29 am

    Yep, I would be a consumer of such a tool. They are thin on the ground when it comes to fat client SSL MITM, particularly when what's wrapped up in the SSL is not a standard protocol.

    Would not mind a preview of the POC?

  2. Saurabh Harit August 27th, 2008 9:38 am

    Hi,

    This is exactly what I am looking for. I am currently pen testing a project which has a fat client. I am experiencing the same problems regarding proxy tools. I would highly appreciate if you could let me lay my hands on the PoC. My mail id is saurabh dot harit at gmail dot com. It will be a big help for me.

    I am also working towards developing similar tools but for this particular project, time is running out of my hands.

    Hope to hear from you.

    Thanks & Regards,
    Saurabh Harit
    Security Analyst

  3. Juicy November 6th, 2009 10:47 am

    Does this apply to TLS connections as well? v2? v3?

    What browser/interface exposures have you tested against successfully (completed MitM successfully)?
