
How To Quickly Setup A Wireless MitM Proxy

While working on the "A Look Inside A Hunter Pro-HC Controller" project, I needed to set up a wireless MitM proxy as part of my test rig.

Here's the fastest way I found to get one up and running, and it works on both Windows and Mac.

Requirements

  • VMware Fusion (Mac) or VMware Workstation Player (PC)
  • Kali Linux VMware image
  • USB WiFi dongle whose driver supports AP mode, which hostapd needs (e.g. the Edimax EW-7811un 802.11n WiFi Adapter, driven by rtl8192cu)

Download Kali Image

Kali Linux is available as pre-built VMs from the Kali download page.

Download the "VMWare 64" package, which comes as a ~3GB .7z file; extract it before opening the VM.


VMware Fusion

Install VMware Fusion (Mac)

VMware Fusion is available for free under a Personal Use license from VMware.

Configure WiFi Adapter

Plug the dongle into the Mac and attach it to the guest from the Virtual Machine > USB & Bluetooth menu. The guest, not macOS, has to own the device: hostapd needs direct control of the adapter to run it in AP mode, and a dongle left attached to the host never shows up as wlan0 in Kali.

Launch Kali Linux VM

Double-click on the .vmwarevm file, which will launch VMware Fusion.

Log into the desktop using the default username and password, kali / kali, and launch a terminal window.


VMware Player

Install VMware Workstation Player (PC)

Configure WiFi Adapter

Plug the dongle into the PC and attach it to the guest from Player > Removable Devices. Once the guest owns the device, dmesg shows the Realtek adapter being enumerated and the rtl8192cu driver loading its firmware:

[   65.314104] usb 2-1: new high-speed USB device number 2 using ehci-pci
[   65.594275] usb 2-1: New USB device found, idVendor=7392, idProduct=7811, bcdDevice= 2.00
[   65.594281] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[   65.594284] usb 2-1: Product: 802.11n WLAN Adapter
[   65.594286] usb 2-1: Manufacturer: Realtek
[   65.594287] usb 2-1: SerialNumber: 00e04c000001
[   66.140875] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   66.141105] cfg80211: Loaded X.509 cert 'benh@debian.org: 577e021cb980e0e820821ba7b54b4961b8b4fadf'
[   66.141330] cfg80211: Loaded X.509 cert 'romain.perier@gmail.com: 3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[   66.141536] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[   66.143667] platform regulatory.0: firmware: direct-loading firmware regulatory.db
[   66.144695] platform regulatory.0: firmware: direct-loading firmware regulatory.db.p7s
[   66.455402] rtl8192cu: Chip version 0x10
[   67.475089] rtl8192cu: Board Type 0
[   67.478596] rtl_usb: rx_max_size 15360, rx_urb_num 8, in_ep 1
[   67.478636] rtl8192cu: Loading firmware rtlwifi/rtl8192cufw_TMSC.bin
[   67.478849] ieee80211 phy0: Selected rate control algorithm 'rtl_rc'
[   67.479499] usb 2-1: firmware: direct-loading firmware rtlwifi/rtl8192cufw_TMSC.bin
[   67.481837] usbcore: registered new interface driver rtl8192cu
[   67.519276] rtl8192cu: MAC auto ON okay!
[   67.870081] rtl8192cu: Tx queue select: 0x05
[   69.294999] rtl8192cu: MAC auto ON okay!
[   69.706304] rtl8192cu: Tx queue select: 0x05
A new wlan0 interface now shows up next to eth0 (the 192.168.1.1 address on it below comes from the transparent-proxy script further down this page):

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.19.128  netmask 255.255.255.0  broadcast 192.168.19.255
        inet6 fe80::967f:4a3c:2b65:4b8c  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:b4:6d:1b  txqueuelen 1000  (Ethernet)
        RX packets 68378  bytes 97618915 (93.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13366  bytes 1070043 (1.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 180  bytes 1224635 (1.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 180  bytes 1224635 (1.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 192.168.1.1  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 46:85:6b:ca:34:d5  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Launch Kali Linux VM


Start Bridged MitM Proxy

In this mode hostapd bridges the WiFi clients onto the VM's eth0 network: each client gets its address from the upstream DHCP server, and every frame crosses br0, where it can be captured with tcpdump or Wireshark. There is no proxy in the path, so TLS traffic stays opaque; this mode is for watching what a device talks to, not for reading the contents.

setup-mitm-bridged.sh
#!/bin/bash
# Bridged access point: wlan0 clients are bridged to eth0 through br0.
# Based on: https://mirzafahad.github.io/2021-03-07-wifi-rouge-access-point-part3/

sudo apt-get update && sudo apt-get install -y hostapd bridge-utils

mkdir -p conf

# Open (unencrypted) test AP; hostapd adds wlan0 to br0 itself once it starts.
cat > conf/wifi_ap.config <<EOF
interface=wlan0
bridge=br0
driver=nl80211
hw_mode=g
ssid=WifiTest
channel=1
EOF

# NetworkManager must let go of wlan0, or hostapd cannot take the interface.
sudo nmcli radio wifi off
sudo rfkill unblock wlan

sudo brctl addbr br0
sudo brctl addif br0 eth0
sudo ifconfig br0 up
brctl show
sudo /etc/init.d/networking stop
sudo ifconfig eth0 down
sudo ifconfig wlan0 down
sudo ifconfig br0 up
sudo ifconfig eth0 up

# Runs in the foreground with debug output. Capture the clients' traffic from a
# second terminal with: sudo tcpdump -i br0 -w bridged.pcap
sudo hostapd -d conf/wifi_ap.config

Start Transparent MitM Proxy

This is a "transparent" proxy which uses mitmproxy's transparent mode (-m transparent). The VM is the client's access point, DHCP server, DNS server and default gateway, and iptables redirects TCP ports 80, 443 and 8883 from wlan0 into mitmweb on port 8080, so the client never has to be configured with a proxy. TLS is only readable if the client trusts the mitmproxy CA (~/.mitmproxy/mitmproxy-ca-cert.pem); a device that pins its server certificate simply fails the handshake, which is itself a useful finding. --ssl-insecure makes mitmproxy skip verification of the upstream server, which is fine on a lab network and nowhere else.

setup-mitm-transparent.sh
#!/bin/bash
# Transparent proxy: the VM is AP, DHCP/DNS server and gateway for the wlan0
# clients; selected TCP ports are redirected into mitmweb.
# Based on: https://bumper.readthedocs.io/en/latest/Sniffing/

mkdir -p conf logs

# dnsmasq: DHCP for the clients, with this VM as their router (option 3) and DNS (option 6).
cat > conf/dnsmasq.conf <<EOF
interface=wlan0
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
# Point the target's hostnames at this VM so their connections match --tcp-hosts
# below (these two are Bumper's examples; substitute the device's own hostnames)
#address=/msg-na.ecouser.net/192.168.1.1
#address=/mq-ww.ecouser.net/192.168.1.1
EOF

# hostapd: WPA2-PSK access point; the passphrase is a throwaway for the lab network.
cat > conf/hostapd.conf <<EOF
interface=wlan0
driver=nl80211
ssid=bumper_mitm
hw_mode=g
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=IAmNotSafe
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wmm_enabled=1
EOF

sudo apt-get update
sudo apt-get install -y gnome-terminal hostapd dnsmasq mitmproxy

# Route between wlan0 and eth0; no ICMP redirects, so clients keep using us as gateway.
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.all.send_redirects=0

# Redirect HTTP, HTTPS and MQTT-over-TLS from the clients into mitmweb's listener.
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 8883 -j REDIRECT --to-port 8080
# Everything not redirected is forwarded out eth0; NAT it so the replies come back through us.
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Take wlan0 away from NetworkManager and give it the gateway address
# (ifconfig installs the connected route for 192.168.1.0/24; no "route add" is needed).
sudo nmcli radio wifi off
sudo rfkill unblock wlan
sudo ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0

# Each service in its own terminal window so the logs are visible side by side.
# SSLKEYLOGFILE lets Wireshark decrypt the upstream TLS sessions from the key log.
gnome-terminal -- sh -c 'SSLKEYLOGFILE=logs/sslmitmkeylog.txt mitmweb -m transparent -w logs/mitmout_new.txt --tcp-hosts "192.168.1.\d+" --ssl-insecure --raw; bash'
gnome-terminal -- sh -c 'sudo dnsmasq -C conf/dnsmasq.conf -d; bash'
gnome-terminal -- sh -c 'sudo hostapd conf/hostapd.conf; bash'
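The 8883 redirect hands the device's MQTT-over-TLS sessions to mitmproxy, and once the destination matches --tcp-hosts mitmproxy terminates the TLS and treats the connection as a raw TCP flow, so the MQTT inside is not shown as HTTP and has to be decoded separately. The addon below does that: it decodes MQTT CONNECT and PUBLISH packets on those flows and logs the client id, username, password and published topics. It is an added example, not code from the original page or from the Bumper project. The hook name tcp_message and the flow.messages, from_client, content, flow.id and client_conn.peername attributes follow mitmproxy's addon API as I know it; the client id, username, password and topic in the sample are made up, and the sample segment is constructed with the block's own encoders rather than captured from a device.

```python
"""mqtt_peek.py: mitmproxy addon that decodes MQTT CONNECT/PUBLISH on raw-TCP flows."""
import logging
import struct

CONNECT, PUBLISH = 1, 3  # MQTT control packet types (high nibble of the first byte)

def _remaining_length(buf, pos):  # MQTT variable-length int at buf[pos] -> (value, next pos)
    value, mult = 0, 1
    while True:
        if pos >= len(buf) or mult > 128 ** 3:
            raise ValueError("truncated or malformed remaining length")
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos
        mult *= 128

def _read_str(buf, pos):  # 2-byte length-prefixed field (client id, user, password, topic)
    n = struct.unpack_from(">H", buf, pos)[0] if pos + 2 <= len(buf) else None
    if n is None or pos + 2 + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def _skip_properties(buf, pos, level):  # MQTT 5 adds a length-prefixed properties block
    return pos if level < 5 else sum(_remaining_length(buf, pos))  # = next pos + its length

def parse_connect(body):  # CONNECT body -> level, keepalive, client id and credentials
    proto, pos = _read_str(body, 0)
    level, flags = body[pos], body[pos + 1]
    keepalive = struct.unpack_from(">H", body, pos + 2)[0]
    pos = _skip_properties(body, pos + 4, level)
    info = {"type": "CONNECT", "protocol": proto, "level": level,
            "keepalive": keepalive, "clean_session": bool(flags & 0x02)}
    info["client_id"], pos = _read_str(body, pos)
    if flags & 0x04:  # will flag: skip (properties,) will topic and will message
        pos = _read_str(body, _read_str(body, _skip_properties(body, pos, level))[1])[1]
    if flags & 0x80:
        info["username"], pos = _read_str(body, pos)
    if flags & 0x40:  # with TLS terminated by mitmproxy this is the cleartext password
        info["password"], pos = _read_str(body, pos)
    return info

def parse_publish(flags, body, level=4):  # PUBLISH body -> topic, QoS bits, id, payload
    qos = (flags >> 1) & 0x03
    topic, pos = _read_str(body, 0)
    packet_id = struct.unpack_from(">H", body, pos)[0] if qos else None
    pos = _skip_properties(body, pos + (2 if qos else 0), level)
    return {"type": "PUBLISH", "topic": topic, "qos": qos, "retain": bool(flags & 0x01),
            "packet_id": packet_id, "payload": bytes(body[pos:])}

def decode_stream(data, level=4):  # one TCP segment -> list of decoded packets
    out, pos = [], 0
    while pos < len(data):
        ptype, flags = data[pos] >> 4, data[pos] & 0x0F
        try:
            length, start = _remaining_length(data, pos + 1)
        except ValueError:
            break
        body = data[start:start + length]
        if len(body) < length:
            break  # partial packet: the rest arrives in the next segment
        out.append(parse_connect(body) if ptype == CONNECT else
                   parse_publish(flags, body, level) if ptype == PUBLISH else
                   {"type": "type%d" % ptype, "length": length})
        pos = start + length
    return out

class MqttPeek:  # mitmproxy addon: tcp_message fires for each segment of a --tcp-hosts flow
    levels = {}  # flow id -> protocol level learned from that flow's CONNECT

    def tcp_message(self, flow):
        msg = flow.messages[-1]
        direction = "C>S" if msg.from_client else "S>C"
        for pkt in decode_stream(msg.content, self.levels.get(flow.id, 4)):
            self.levels[flow.id] = pkt.get("level", self.levels.get(flow.id, 4))
            logging.info("MQTT %s %s %s", direction, flow.client_conn.peername, pkt)

addons = [MqttPeek()]

def _encode_str(s):  # encoders below only construct sample input; the addon never uses them
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_connect(client_id, username=None, password=None, keepalive=60):
    flags, payload = 0x02, _encode_str(client_id)  # 0x02 = clean session
    if username is not None:
        flags, payload = flags | 0x80, payload + _encode_str(username)
    if password is not None:
        flags, payload = flags | 0x40, payload + _encode_str(password)
    body = _encode_str("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + payload
    assert len(body) < 128  # a single-byte remaining length is enough for these samples
    return bytes([CONNECT << 4, len(body)]) + body

def build_publish(topic, payload, qos=0, packet_id=0):
    body = _encode_str(topic) + (struct.pack(">H", packet_id) if qos else b"") + payload
    return bytes([(PUBLISH << 4) | (qos << 1), len(body)]) + body

# Constructed sample segment (not a real capture): device login, then one status report.
SAMPLE = (build_connect("controller-0001", "dev-0001", "s3cret")
          + build_publish("devices/controller-0001/status", b'{"zone":1,"run":true}'))
```

Load it by adding -s mqtt_peek.py to the mitmweb command in the script; decode_stream(SAMPLE) run directly shows the two decoded packets. The addon only ever sees bytes after mitmproxy has terminated TLS, so a device that rejects the mitmproxy CA produces no MQTT output at all, and a segment that ends mid-packet is reported up to the last complete packet rather than mis-parsed.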

References


Start MQTT MitM Proxy

setup-ioxy.sh


Frequently Asked Questions

  1. Why not VirtualBox? I'm an open source guy, I like VirtualBox, but VMware Player and VMware Fusion just. work.



Last update: 2023-03-21