Mitmproxy – Open-source console-based proxy (opens in new tab)

(mitmproxy.org)

188 pointsisarat8y ago39 comments

39 comments

Don't forget mitmdump. It is a great way to log sessions and chain to other proxies at the same time.

Also, mitmdump is one of the best and fastest ways to get ahold of web requests with Python to modify it on the fly.

http://docs.mitmproxy.org/en/stable/mitmdump.html

I have been using mitmproxy over Burp for day to day web app hacking these days. But we still use Burp scanner for lots of chores. I almost always chain through both to then go back in and use Burp features missing in mitmproxy (exploring site contents, etc.). But those are edge cases mostly needed for professional use and not for tinkering.

nopcode8y ago

I don't understand how this can be faster or more friendly than using Burp.

Would you mind sharing an example flow?

bitexploder8y ago

I just like working in terminal. Some things I can do faster in mitmproxy (filtering with lots of constraints, shooting response or request data to a pipe). It has a mutt like interface so if mutt seems fast and intuitive then mitmproxy will feel similar. I have spent a lot of years thrashing around in the Burp GUI and mostly I don't need all the features all the time :)

Things that are a few clicks in Burp are a few terse keystrokes or key presses in mitmproxy. IDK, give it a shot and see if it makes sense . Most of our team just sticks with Burp FWIW.

mrtksn8y ago

It's not just a console, it also has a web based interface: http://docs.mitmproxy.org/en/stable/mitmweb.html

hans_mueller8y ago

I'd say, it's not just a web based interface, it also is a console.

eapen8y ago

This tool recently helped me troubleshoot a bug I was facing and unable to solve due to the lack of Safari's development tools. Here's a link for anyone interested: http://eapen.in/mitmproxy-for-troubleshooting/

c7h8y ago

one of the best tools for reverse engineering mobile apps. I'm just having problems when certificate pinning is enabled. Does anyone have an idea (or even a solution) how to deal with that?

Aissen8y ago

Even without certificate pinning, starting with Android 7, you must decompile the app to allow user provided certificates. Or use an xposed module if you have a rooted device.

See this mitmproxy bug: https://github.com/mitmproxy/mitmproxy/issues/2054

And this tool is nice to automate decompiling, adding the line in the manifest to be able to use user-installed certificates, and recompiling: https://github.com/levyitay/AddSecurityExceptionAndroid

Also, if the app uses Google signin, you have to be rooted, because play services uses the package manager to check the app signer before giving the app a token.

justinjlynn8y ago

Just wait until they go full 'treacherous computing' and turn on remote attestation using TPMs.

1 more reply

gregsadetsky8y ago

Same here, mitmproxy was always the goto tool, but many apps now use certificate pinning, which stops it cold.

I was recently wishing for a "Jailbroken Mobile Testing Tool", similar to Sauce Labs or BrowserStack but with jailbroken mobiles -- i.e. a cloud-based service allowing you to remotely control a mobile phone through a web interface. Would that be interesting to have?

This service would allow you to load an app from the App Store / Google Play, and then interact with it while logging all network connections (in tcpdump/wireshark/HAR/etc. format). The controlled mobiles would be jailbroken and have tools like SSL kill switch (as mentioned by @bitexploder in another comment) installed by default.

(Going further: the same tool would allow you to download the phone's storage as a zip archive for further analysis)

scandinavian8y ago

It's been a while, but when I have been reversing android apps with certificate pinning in the past, I had the most luck with decompiling the apk with apktool, removing the certificate pinning in the samli bytecode, then recompiling and signing the apk again.

For iOS, I know there are jailbreak cydia tweaks that try to disable certificate pinning, but I have no experience with this.

nnd8y ago

For iOS, you can try to install SSL Killswitch on a jailbroken iPhone (https://github.com/nabla-c0d3/ssl-kill-switch2)

drewbug8y ago

A custom Xposed module should work for Android, and Cydia Substrate could work for iOS.

s0l1dsnak31238y ago

I'd also love to know if there's a solution for this problem!

bitexploder8y ago

There is. It depends on the mobile OS and device.

We deal with this routinely. Solutions tend to vary.

On iOS just use SSL kill switch (if you are jailbroken). If you are not jailbroken you don't have a lot of options. On Android there are some well documented approaches. Usually decompiling the app and adding to the local app's cert store will work and then rearchive and sign it.

Function hooking key network calls can work as well. It is pretty much required that if you want to do serious tinkering or assessment you need a jailbroken or rooted device. This can be a significant effort investment, but once done is generally reliable.

pnutjam8y ago

what kind of problems?

gregsadetsky8y ago

Certificate Pinning (in apps) stops mitmproxy from proxying traffic to the servers you're mostly interested in proxying... see:

http://docs.mitmproxy.org/en/stable/certinstall.html#certifi...

jenscow8y ago

Just what I was looking for.

All I wanted to do was change a request header for one host.

After ~15 minutes I now have a transparent MITM https proxy - and I didn't even have to google the openssl command.

Edit: Also, the documentation is excellent as the software.

brazzledazzle8y ago

This tool has really helped me on several occasions with a wide variety of issues up and down the stack. Even with debugging web apps because while the chrome Dev tools are awesome they (at least at the time as far as I know) didn't expose the initial headers/network exchange for certain types of auth like NTLM.

emj8y ago

Mitmproxy is nice, but I think dev tools have become alot better, I discovered that because my standard work horse Chrome+Wireshark is very fincky with SSL:

    SSLKEYLOGFILE=$HOME/ssl_crt_dbg google-chrome --user-data-dir=TEMPUSER

Then you configure wireshark SSL decoding with with pre master key file as "ssl_crt_dbg", it fails too often for me.

Now days I use remote-debugging and Python a lot:

  $ google-chrome --remote-debugging-port=9222

  import PyChromeDevTools
  chrome = PyChromeDevTools.ChromeInterface(host="localhost", port=9222)
  chrome.Network.enable()
  while True:
     print chrome.wait_message(timeout=0.1)

But the simplicity of a Mitmproxy is almost as great as wireshark.

pimlottc8y ago

Can you explain more what you're doing with the python code?

phsource8y ago

Oh my gosh... don't get me started on NTLM. Chrome Network Tools doesn't expose it at all, so the proxy was a lifesaver in our case.

We've shifted to using https://github.com/joeferner/node-http-mitm-proxy as a part of WrapAPI Proxy (https://wrapapi.com/proxy), which is a zero-install proxy in the style of mitmproxy and Charles.

The node proxy is really great in that it's fully extensible, allows you to generate certificates, and filter/save the kinds of traffic you get to simple JSON structures. We've found it to be a huge boon in development, but it's clearly inspired by mitmproxy (which predates node), so credit where it's due.

ijustdontcare8y ago

https://docs.mitmproxy.org/en/latest/mitmproxy.html Nice TLS work

Lightbody8y ago

Although I don't contribute to it anymore, I worked on a similar project that seems to have some continued activity:

https://github.com/lightbody/browsermob-proxy

It's Java-based and forked out from some old MITM code from Selenium. It has a bunch of APIs for manipulating traffic, tweaking DNS resolution, rewriting content, etc. Just passing along in case anyone is looking for alternatives.

jwilk8y ago

Beware that it listens on all interfaces by default:

https://github.com/mitmproxy/mitmproxy/issues/1293

I learned this the hard way. If you run a proxy on an unfirewalled machine with public IPv4, it's going to be abused really fast. :-(

platz8y ago

Mitmproxy works pretty well for HTTPS - but it doesn't seem to generate HTTPS certs as well as Fiddler does

mhils8y ago

Mitmproxy dev here - please feel free to file a bug on GitHub if you have a reproducible example where we fail. :)

pvg8y ago

Many previous discussions:

https://hn.algolia.com/?query=mitmproxy&sort=byPopularity&pr...

beachy8y ago

I was just looking for something like this. Googling led me to Charles proxy, which seems a pretty capable tool, and I'm growing fond of it though the Java UI is jarringly ugly.

Does anyone have any experience with charles vs mitmproxy?

mpeg8y ago

I love mitmproxy, super easy to use (and to install an interception certificate) and the scripting support makes it very useful for pentesting iOS app traffic etc where I can't easily modify the client

cowabungamann8y ago

how do disable certificate pinning on iOS?

mpeg8y ago

Haven't had to as the apps I targeted weren't using it. Can't think of an obvious way without rooting the device though...

1 more reply

humanjvm8y ago

I've been using mitmproxy to inspect HTTPS traffic. Are there any Chrome/Wireshark configurations to allow me to inspect HTTPS with Wirshark?

diegorbaquero8y ago

Mitmproxy is amazing! And you can get it easily in macOS with brew. Highly recommended

sheharyarn8y ago

I love Mitmproxy and how easy it is to use! One of my favorite pentesting tools!

CameronBanga8y ago

mitmproxy is great for iOS and Android pen testing. A must have tool.

j / k navigate · click thread line to collapse

39 comments

bitexploder8y ago

Don't forget mitmdump. It is a great way to log sessions and chain to other proxies at the same time.

Also, mitmdump is one of the best and fastest ways to get ahold of web requests with Python to modify it on the fly.

http://docs.mitmproxy.org/en/stable/mitmdump.html

nopcode8y ago

I don't understand how this can be faster or more friendly than using Burp.

Would you mind sharing an example flow?

bitexploder8y ago

Things that are a few clicks in Burp are a few terse keystrokes or key presses in mitmproxy. IDK, give it a shot and see if it makes sense . Most of our team just sticks with Burp FWIW.

mrtksn8y ago

It's not just a console, it also has a web based interface: http://docs.mitmproxy.org/en/stable/mitmweb.html

hans_mueller8y ago

I'd say, it's not just a web based interface, it also is a console.

eapen8y ago

c7h8y ago

one of the best tools for reverse engineering mobile apps. I'm just having problems when certificate pinning is enabled. Does anyone have an idea (or even a solution) how to deal with that?

Aissen8y ago

Even without certificate pinning, starting with Android 7, you must decompile the app to allow user provided certificates. Or use an xposed module if you have a rooted device.

See this mitmproxy bug: https://github.com/mitmproxy/mitmproxy/issues/2054

And this tool is nice to automate decompiling, adding the line in the manifest to be able to use user-installed certificates, and recompiling: https://github.com/levyitay/AddSecurityExceptionAndroid

Also, if the app uses Google signin, you have to be rooted, because play services uses the package manager to check the app signer before giving the app a token.

justinjlynn8y ago

Just wait until they go full 'treacherous computing' and turn on remote attestation using TPMs.

1 more reply

gregsadetsky8y ago

Same here, mitmproxy was always the goto tool, but many apps now use certificate pinning, which stops it cold.

(Going further: the same tool would allow you to download the phone's storage as a zip archive for further analysis)

scandinavian8y ago

For iOS, I know there are jailbreak cydia tweaks that try to disable certificate pinning, but I have no experience with this.

nnd8y ago

For iOS, you can try to install SSL Killswitch on a jailbroken iPhone (https://github.com/nabla-c0d3/ssl-kill-switch2)

drewbug8y ago

A custom Xposed module should work for Android, and Cydia Substrate could work for iOS.

s0l1dsnak31238y ago

I'd also love to know if there's a solution for this problem!

bitexploder8y ago

There is. It depends on the mobile OS and device.

We deal with this routinely. Solutions tend to vary.

pnutjam8y ago

what kind of problems?

gregsadetsky8y ago

Certificate Pinning (in apps) stops mitmproxy from proxying traffic to the servers you're mostly interested in proxying... see:

http://docs.mitmproxy.org/en/stable/certinstall.html#certifi...

jenscow8y ago

Just what I was looking for.

All I wanted to do was change a request header for one host.

After ~15 minutes I now have a transparent MITM https proxy - and I didn't even have to google the openssl command.

Edit: Also, the documentation is excellent as the software.

brazzledazzle8y ago

emj8y ago

Mitmproxy is nice, but I think dev tools have become alot better, I discovered that because my standard work horse Chrome+Wireshark is very fincky with SSL:

    SSLKEYLOGFILE=$HOME/ssl_crt_dbg google-chrome --user-data-dir=TEMPUSER

Then you configure wireshark SSL decoding with with pre master key file as "ssl_crt_dbg", it fails too often for me.

Now days I use remote-debugging and Python a lot:

  $ google-chrome --remote-debugging-port=9222

  import PyChromeDevTools
  chrome = PyChromeDevTools.ChromeInterface(host="localhost", port=9222)
  chrome.Network.enable()
  while True:
     print chrome.wait_message(timeout=0.1)

But the simplicity of a Mitmproxy is almost as great as wireshark.

pimlottc8y ago

Can you explain more what you're doing with the python code?

phsource8y ago

Oh my gosh... don't get me started on NTLM. Chrome Network Tools doesn't expose it at all, so the proxy was a lifesaver in our case.

We've shifted to using https://github.com/joeferner/node-http-mitm-proxy as a part of WrapAPI Proxy (https://wrapapi.com/proxy), which is a zero-install proxy in the style of mitmproxy and Charles.

ijustdontcare8y ago

https://docs.mitmproxy.org/en/latest/mitmproxy.html Nice TLS work

Lightbody8y ago

Although I don't contribute to it anymore, I worked on a similar project that seems to have some continued activity:

https://github.com/lightbody/browsermob-proxy

jwilk8y ago

Beware that it listens on all interfaces by default:

https://github.com/mitmproxy/mitmproxy/issues/1293

I learned this the hard way. If you run a proxy on an unfirewalled machine with public IPv4, it's going to be abused really fast. :-(

platz8y ago

Mitmproxy works pretty well for HTTPS - but it doesn't seem to generate HTTPS certs as well as Fiddler does

mhils8y ago

Mitmproxy dev here - please feel free to file a bug on GitHub if you have a reproducible example where we fail. :)

pvg8y ago

Many previous discussions:

https://hn.algolia.com/?query=mitmproxy&sort=byPopularity&pr...

beachy8y ago

I was just looking for something like this. Googling led me to Charles proxy, which seems a pretty capable tool, and I'm growing fond of it though the Java UI is jarringly ugly.

Does anyone have any experience with charles vs mitmproxy?

mpeg8y ago

cowabungamann8y ago

how do disable certificate pinning on iOS?

mpeg8y ago

Haven't had to as the apps I targeted weren't using it. Can't think of an obvious way without rooting the device though...

1 more reply

humanjvm8y ago

I've been using mitmproxy to inspect HTTPS traffic. Are there any Chrome/Wireshark configurations to allow me to inspect HTTPS with Wirshark?

diegorbaquero8y ago

Mitmproxy is amazing! And you can get it easily in macOS with brew. Highly recommended

sheharyarn8y ago

I love Mitmproxy and how easy it is to use! One of my favorite pentesting tools!

CameronBanga8y ago

mitmproxy is great for iOS and Android pen testing. A must have tool.

j / k navigate · click thread line to collapse