├── .gitignore
├── LICENSE
├── README.md
├── conf
│   ├── dnsmasq.conf
│   └── hostapd.conf
├── dumps
│   └── output.pcap
├── monitor.sh
└── pics
    ├── burpproxy.png
    ├── burpsuite443.png
    ├── burpsuite443_proxy.png
    ├── burpsuite80.png
    ├── burpsuite80_proxy.png
    ├── burpsuite_exportcert.png
    ├── burpsuite_exportcertder.png
    ├── example_embedded_wireshark.png
    ├── example_mobile_app.png
    ├── example_mobile_burp.png
    ├── example_mobile_connect.png
    ├── example_mobile_importcertandroid.png
    ├── example_mobile_importcertandroid2.png
    ├── example_mobile_importcertandroid3.png
    ├── example_mobile_importcertandroid4.png
    ├── example_mobile_wireshark.png
    ├── example_windows1.png
    ├── example_windows2.png
    ├── example_windows_browserburp.png
    ├── example_windows_browserwireshark.png
    ├── kalidevices.png
    ├── raspberrypisetup.jpg
    ├── resizepartition.png
    ├── resizepartition2.png
    ├── resizepartition3.png
    ├── setup.draw.io.xml
    ├── setup.png
    ├── vmbridged.png
    └── vmconnectdevices.png

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
kalirouter.img.xz

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Koen Buyens

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# TL;DR
This repository contains code to turn your Kali Linux machine into a router
that
- records all traffic with Wireshark
- sends HTTP and HTTPS traffic to an intercepting proxy, such as BurpSuite, running on another machine.

This setup is only appropriate in a lab setting where you want to learn how a device works.

Read [Setup](#setup) and [Automation](#automation) to configure your Kali Linux machine and run the scripts.

Read [A Raspberry Pi Kali Router](#a-raspberry-pi-kali-router) if you want to run this on a Raspberry Pi.

We assume that you own an [Ethernet LAN Network USB Adapter](https://www.amazon.com/Plugable-Gigabit-Ethernet-Network-Adapter/dp/B00AQM8586) and a [wireless B/G/N USB adapter](https://www.amazon.com/gp/product/B004Y6MIXS/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1). Any card (USB or built-in) supported by Linux can be used.

# Intercepting IP traffic originating from any device, app, or application

- [TL;DR](#tldr)
- [Intercepting IP traffic for any device, app, or application](#intercepting-ip-traffic-for-any-device-app-or-application)
  - [Introduction](#introduction)
  - [Setup](#setup)
  - [Configuring Kali Linux as a Router](#configuring-kali-linux-as-a-router)
    - [Ethernet](#ethernet)
    - [Wi-Fi Data Link Layer](#wi-fi-data-link-layer)
    - [Network Configuration](#network-configuration)
    - [Network Services](#network-services)
  - [Sniffing and Intercepting Traffic](#sniffing-and-intercepting-traffic)
  - [Automation](#automation)
  - [Intercepting Communication from Embedded Devices, Android Apps, and Windows Applications](#intercepting-communication-from-embedded-devices-android-apps-and-windows-applications)
    - [Embedded Device](#embedded-device)
    - [Mobile Applications](#mobile-applications)
    - [Windows Applications](#windows-applications)
  - [A Raspberry Pi Kali Router](#a-raspberry-pi-kali-router)
  - [Conclusion](#conclusion)
  - [References](#references)


## Introduction
Many of us regularly sniff or intercept traffic coming from embedded devices, mobile apps, or Windows applications. For devices or applications that are proxy-aware, interception of traffic is straightforward: we configure the application or device to use our [proxy](https://en.wikipedia.org/wiki/Proxy_server), such as [BurpSuite](https://portswigger.net/burp), and go on with our lives. For devices or applications that are not [proxy-aware](https://docstore.mik.ua/orelly/networking_2ndEd/fire/ch09_02.htm), intercepting traffic is more challenging.

In this article, we describe how to set up [Kali Linux](https://www.kali.org/) to sniff [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol)/[UDP](https://en.wikipedia.org/wiki/User_Datagram_Protocol) traffic of any device, app, or application by configuring Kali as an intercepting router that can forward specific traffic to a transparent proxy on a different machine, such as HTTP(S) traffic to BurpSuite. Situations where an intercepting router is useful include complex scenarios where many devices and applications interact with each other, such as an embedded device that interacts with a web service, but that can also be configured via a mobile and a Windows application. To maximize portability, we implement the above set-up on a Raspberry Pi.

## Setup
We configure Kali Linux as a proxy-aware router. Clients, such as embedded devices or mobile apps, make connections to their servers as they normally would, but interesting packets (e.g. HTTP and HTTPS packets) are intercepted by our Kali Linux machine and redirected to a proxy server (e.g. BurpSuite). All traffic passing through our router is monitored with [Wireshark](https://www.wireshark.org/). Both our Kali Linux machine and BurpSuite act as a transparent proxy, as the clients are not aware of their existence. The main advantage of this set-up is that it reduces the configuration of the clients to a minimum. This setup is illustrated in the figure below.

![Setup](pics/setup.png)

Before configuring our Kali Linux machine, we need to configure VMWare and our network interfaces as follows.
- We connect our Kali Linux machine running within [VMWare](https://www.vmware.com/) to the network in bridged mode so that it is directly connected to the network the device/application/mobile phone that we want to monitor would normally connect to.
![Set up VMware in Bridged Mode](pics/vmbridged.png)
- We connect two adapters (Ethernet and WiFi) and give the USB connections to Kali. In the figure below, our adapters are the [Ethernet LAN Network Adapter ASIX AX88179](https://www.amazon.com/Plugable-Gigabit-Ethernet-Network-Adapter/dp/B00AQM8586) and the [wireless B/G/N USB adapter Atheros UB91C](https://www.amazon.com/gp/product/B004Y6MIXS/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1). For WiFi, we could have used any adapter that is compatible with [Linux](http://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html), as long as it supports promiscuous mode.
![Connect the adapters to the VMware machine](pics/vmconnectdevices.png)

The subsequent sections elaborate how we configure our Kali Linux machine as a router and how we monitor devices and applications by connecting them to the Kali Linux router.

## Configuring Kali Linux as a Router
Our Kali Linux machine will route traffic from the plugged-in USB network interfaces (Ethernet and WiFi) to its own Internet connection and vice versa. Creating a router consists of four main parts.
- Setting up the **Ethernet layer** so that wired clients can connect to Kali's interface.
- Setting up the **Wi-Fi data link layer**, so that wireless clients can connect to Kali's "software access point" and send/receive IP packets from/to Kali. We use the ```hostapd``` application to do this. We bridge both the wired interface and the access point so that the machines connected to them are part of the same network (so that we can monitor a multi-device set-up such as an embedded device connected via Ethernet communicating with a mobile application, a Windows application, and the Internet).
- Setting up the **network configuration** on our Kali Linux machine, so that it properly relays IP packets from its own Internet connection to its connected clients (and vice versa).
- Adding **network services** such as DNS and DHCP so that clients get assigned IP addresses and can resolve domain names. We can use the DNS network service to redirect any domain name to a machine under our control.

Before we execute the aforementioned steps, we need to figure out which interfaces the adapters show up as. To do so, we execute ```ifconfig``` on our Kali Linux machine before and after we connect the adapters.
```shell
$ ifconfig -a
```
Our Ethernet adapter will typically show up as ```eth1``` while our WiFi adapter will typically show up as ```wlan0```. (```eth0``` is the interface that is configured by VMWare to give Kali access to the Internet.)

![Interfaces in Kali](pics/kalidevices.png)

We tell the [network-manager](https://wiki.gnome.org/Projects/NetworkManager) service that we will manage the interfaces ourselves by adding the adapters' MAC addresses to the unmanaged-devices section of the ```/etc/NetworkManager/NetworkManager.conf``` file.

```
[keyfile]
unmanaged-devices=mac:d8:eb:97:b6:ce:12;mac:56:6b:a2:90:c4:b9
```

We restart the networking service so that the devices become unmanaged.
```shell
$ /etc/init.d/networking restart
```

### Ethernet
Before we create our monitoring network, we select an appropriate network and network mask. Using a different network range than the one of the network our Kali Linux machine connects to (via `eth0`) ensures that the IP addresses of our monitored devices do not clash with IP addresses used on the main network. We select the ```172.16.0.0/12``` network, as our main network interface (```eth0```) typically receives a ```10.0.0.0/8``` (corporate) or a ```192.168.0.0/16``` (home) network address.
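The range choice above is worth checking mechanically before touching the interfaces. The following added example (my own code, not part of the kalirouter repository) takes the address `eth0` received, refuses a monitor network that overlaps it, and derives the gateway address, DHCP pool and the matching ```ip addr``` and ```dnsmasq``` lines; the function name ```plan_monitor_network``` and its return layout are assumptions.

```python
"""Sanity-check the address plan for the monitor network and derive the
bridge/dnsmasq settings from it.  Added example, not code from the kalirouter
repository; plan_monitor_network() and its return layout are my own."""
import ipaddress


def plan_monitor_network(upstream_cidr, monitor_cidr="172.16.0.0/12", reserved_hosts=10):
    """Return gateway, DHCP pool and the matching configuration lines.

    upstream_cidr   what `ip addr show eth0` reports, e.g. "192.168.1.37/24"
    monitor_cidr    the range handed out to monitored devices (the article's
                    choice is 172.16.0.0/12)
    reserved_hosts  number of leading addresses kept out of the DHCP pool
                    (gateway plus room for static hosts); the article's
                    dnsmasq.conf starts the pool at .10

    Raises ValueError when the two networks overlap, so that addresses on the
    monitor network can never clash with hosts on the main LAN.
    """
    upstream = ipaddress.ip_interface(upstream_cidr).network
    monitor = ipaddress.ip_network(monitor_cidr, strict=True)
    if not monitor.is_private:
        raise ValueError(f"{monitor} is not a private (RFC 1918) range")
    if upstream.overlaps(monitor):
        raise ValueError(f"monitor network {monitor} overlaps upstream network {upstream}")
    if monitor.num_addresses < reserved_hosts + 2:
        raise ValueError(f"{monitor} is too small for {reserved_hosts} reserved hosts")
    gateway = monitor.network_address + 1          # Kali's address on br0
    pool_first = monitor.network_address + reserved_hosts
    pool_last = monitor.broadcast_address - 1      # last usable host
    return {
        "gateway": str(gateway),
        "pool": (str(pool_first), str(pool_last)),
        "bridge_cmd": f"ip addr add {gateway}/{monitor.prefixlen} dev br0",
        "dnsmasq": [
            "interface=br0",
            f"dhcp-range={pool_first},{pool_last},8h",
            f"dhcp-option=3,{gateway}",   # default router handed to clients
            f"dhcp-option=6,{gateway}",   # DNS server (dnsmasq itself)
        ],
    }


if __name__ == "__main__":
    import sys
    # constructed default: a typical home LAN address on eth0
    upstream = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.37/24"
    plan = plan_monitor_network(upstream)
    print(plan["bridge_cmd"])
    print("\n".join(plan["dnsmasq"]))
```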

As we want our wireless and wired network to be part of the same network, we create a bridge between them with the [```bridge-utils```](https://help.ubuntu.com/community/NetworkConnectionBridge) tool.
```shell
$ apt-get install bridge-utils
```
We then delete any IP address assigned to our wired interface ```eth1```.
```shell
$ ip addr flush dev eth1
```
We create a bridge interface named ```br0```.
```shell
$ brctl addbr br0
```
We add our wired interface ```eth1``` to the bridge interface ```br0```.
```shell
$ brctl addif br0 eth1
```
We bring the bridge interface ```br0``` up.
```shell
$ ip link set dev br0 up
```
We assign it an IP address in the network that we selected. As it is the gateway for our monitored devices, we chose ```172.16.0.1```.
```shell
$ ip addr add 172.16.0.1/12 dev br0
```

### Wi-Fi Data Link Layer
After configuring the Ethernet interface, we create a wireless access point with the [```hostapd```](https://w1.fi/hostapd/) program. We first install it with apt-get.

```shell
$ apt-get install hostapd
```
We then create its configuration file ```hostapd.conf``` with the following information.
```
# create a wireless network with this interface; change it if your wireless card is not wlan0
interface=wlan0
# change this if a different bridge interface was chosen
bridge=br0
# the name of our wireless network
ssid=Monitor-Network
# Change the passphrase to something you like
wpa_passphrase=Monitor-Network
# the driver used
driver=nl80211
auth_algs=3
# the wireless channel we listen on.
channel=7
driver=nl80211
# the mode we use (g)
hw_mode=g
# we don't log
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
```
The first line is the interface that our wireless LAN will be created upon, i.e. the plugged-in wireless adapter ```wlan0```. We configure the name of the network (```ssid```) and its password (```wpa_passphrase```). We will use these later on when we connect our devices. The ```nl80211``` driver is the one used for the Atheros chipset. As we want our Ethernet and wireless USB adapters to be part of the same network, we add them to the same bridge (```br0```). Our network is a ```g``` wireless network (```hw_mode```), as it is compatible with most devices that we want to monitor. All the other parameters are related to the configuration of WPA and logging. Refer to the [hostapd Linux documentation](http://wireless.kernel.org/en/users/Documentation/hostapd) for more information.

[As there are some problems with the ```nl80211``` driver](https://askubuntu.com/questions/472794/hostapd-error-nl80211-could-not-configure-driver-mode), we execute the following commands to let our script use the wlan interfaces.
```shell
$ nmcli radio wifi off
$ rfkill unblock wlan
```

After creating the wireless interface ```wlan0```, we bring it up.
```shell
$ ip link set dev wlan0 up
```
We tell the ```hostapd``` program to start the monitor network.
```shell
$ hostapd ./hostapd.conf -B
```

### Network Configuration
After configuring our wireless and wired interfaces, we configure Kali to forward traffic to the interface that is configured by VMWare to give Kali access to the Internet (```eth0```).
To do so, we first enable the kernel option for IP forwarding and then tell the [```iptables```](http://ipset.netfilter.org/iptables.man.html) program to forward all packets to that interface.

**Note**: this should not be done on a real-world router as it is rather insecure.
```shell
$ sysctl -w net.ipv4.ip_forward=1
$ iptables -P FORWARD ACCEPT
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

### Network Services
We use [```dnsmasq```](http://www.thekelleys.org.uk/dnsmasq/doc.html) to act as our DNS and DHCP server. We install it with ```apt-get install dnsmasq``` and we create a ```dnsmasq.conf``` file with the following information.
```
# listen to this interface; change it if a different bridge name was chosen
interface=br0
# give IP addresses, lease is valid for 8 hours
dhcp-range=172.16.0.10,172.31.255.254,8h
# router
dhcp-option=3,172.16.0.1
# dns server
dhcp-option=6,172.16.0.1
# upstream DNS server
server=8.8.8.8
log-queries
log-dhcp

# include addresses
address=/attacker.com/172.16.0.1
```
We give DHCP addresses to any request received on the bridge interface in our DHCP range (```172.16.0.10-172.31.255.254```) and we tell the device to connect to our Kali router (```172.16.0.1```) and our DNS server (```dnsmasq``` itself, reachable via the interface ```br0``` on IP ```172.16.0.1```). If ```dnsmasq``` does not know the answer to a DNS query, it asks the upstream server ([```8.8.8.8``` - Google](https://developers.google.com/speed/public-dns/docs/using)) for answers. We add addresses to the bottom of the file so that those domain names resolve to a machine under our control.
We add more addresses by adding more lines and we restart the ```dnsmasq``` daemon every time we do:
```shell
$ service dnsmasq restart
```

## Sniffing and Intercepting Traffic
As all traffic between devices on our monitor network passes via the bridge interface (```br0```), we can simply run Wireshark on that interface to sniff the network traffic. The ```tshark``` program is the command-line equivalent of Wireshark (we replace ```tshark``` with ```wireshark``` if we want a graphical user interface). We listen to traffic on the bridge interface (```-i br0```) and write all traffic to a file (```-w ./output.pcap```).
```shell
$ tshark -i br0 -w ./output.pcap -P
```

Typically, we also want to intercept traffic and thus require a few more ```iptables``` rules that redirect HTTP/1.1 and HTTPS traffic to our intercepting proxy (BurpSuite) rather than the actual server. For other protocols, including HTTP/1.0, refer to the second method of [http://www.tldp.org/HOWTO/TransparentProxy-6.html](http://www.tldp.org/HOWTO/TransparentProxy-6.html).

The first rule intercepts TCP packets (```-p tcp```) on ports 80 and 443 (HTTP and HTTPS; ```--dport 80``` and ```--dport 443```) and sends them to BurpSuite (```--to-destination burpip:burp_http_port``` and ```--to-destination burpip:burp_https_port```).
```shell
$ iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j DNAT --to-destination burpip:burp_http_port
$ iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to-destination burpip:burp_https_port
```
The second rule ensures that the reply gets sent back through the Kali Linux machine, instead of directly to the client that is being monitored (important!). The rule uses masquerade as the Kali Linux machine receives a dynamic IP address.
```shell
$ iptables -t nat -A POSTROUTING -o eth0 -s 172.16.0.0/12 -d burpip -j MASQUERADE
```
The third, potentially unnecessary, rule ensures that the Kali router forwards the appropriate packets to the machine running BurpSuite. Appropriate packets are HTTP (```-p tcp --dport burp_http_port```) and HTTPS packets (```-p tcp --dport burp_https_port```) originating from the monitor network (```-s 172.16.0.0/12```) on the bridge interface (```-i br0```) with as destination BurpSuite (```-d burpip```) running on a machine in the real network (```-o eth0```).
```shell
$ iptables -A FORWARD -s 172.16.0.0/12 -d burpip -i br0 -o eth0 -p tcp --dport burp_http_port -j ACCEPT
$ iptables -A FORWARD -s 172.16.0.0/12 -d burpip -i br0 -o eth0 -p tcp --dport burp_https_port -j ACCEPT
```

We then configure BurpSuite as a transparent proxy on the machine (```burpip```) and ports (```burp_http_port``` and ```burp_https_port```) referred to in the ```iptables``` rules above. We start BurpSuite, go to the Proxy tab, click Options, and click Add.

![Add a New Interface to BurpSuite](pics/burpproxy.png)

For HTTP traffic, we bind BurpSuite to port 80 (i.e. ```burp_http_port``` in our ```iptables``` rules) on all interfaces.

![Bind BurpSuite to port 80](pics/burpsuite80.png)

We go to the request handling tab and enable support for [invisible proxying](https://portswigger.net/burp/help/proxy_options_invisible.html). This is necessary, as the clients are unaware of BurpSuite's existence.

![Enable Invisible Proxying for BurpSuite](pics/burpsuite80_proxy.png)

For HTTPS traffic, we bind BurpSuite to port 443 (i.e. ```burp_https_port``` in our ```iptables``` rules) on all interfaces.
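Only connections to ports 80 and 443 reach BurpSuite through the ```iptables``` rules above; everything else the device does is visible solely in the ```tshark``` capture. As an added example that is not part of the original repository, the script below reads a classic pcap as written by ```tshark``` on ```br0```, keeps the connection-opening SYNs sent from the monitor network (```172.16.0.0/12```), and splits them into connections BurpSuite will see and connections that bypass it. It assumes a little-endian pcap with Ethernet frames (not pcapng) and builds its own constructed sample capture; the function names are mine.

```python
"""Summarise which TCP connections monitored devices opened, straight from the
pcap that tshark writes on br0.  Added example, not part of the kalirouter
repository; the sample capture built below is constructed, not a real dump."""
import ipaddress
import struct
import sys
from collections import Counter

MONITOR_NETWORK = ipaddress.ip_network("172.16.0.0/12")   # MONITOR_NETWORK in monitor.sh
PROXIED_PORTS = {80, 443}       # destination ports the PREROUTING DNAT rules send to BurpSuite
PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def tcp_syns(pcap):
    """Yield (src, dst, dst_port) for every connection-opening SYN (SYN set,
    ACK clear) in a little-endian classic pcap carrying Ethernet frames."""
    if struct.unpack_from("<I", pcap, 0)[0] != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled)")
    if struct.unpack_from("<I", pcap, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("capture does not contain Ethernet frames")
    off = 24                                            # skip the global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue                                    # not IPv4 (ARP, IPv6, ...)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length in bytes
        if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
            continue
        tcp = ip[ihl:]
        flags = tcp[13]
        if flags & TCP_SYN and not flags & TCP_ACK:
            dst_port = struct.unpack_from("!H", tcp, 2)[0]
            yield ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20]), dst_port


def summarise(pcap):
    """Count connections from inside the monitor network by (server, port),
    split into those the iptables rules hand to BurpSuite and those that bypass it."""
    result = {"proxied": Counter(), "bypassed": Counter()}
    for src, dst, port in tcp_syns(pcap):
        if src not in MONITOR_NETWORK:
            continue                                    # not one of our clients
        bucket = "proxied" if port in PROXIED_PORTS else "bypassed"
        result[bucket][(str(dst), port)] += 1
    return result


def _frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return bytes(12) + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_sample_pcap():
    """Constructed capture: a device on the monitor network opens HTTP, HTTPS
    (with one SYN retransmit) and an MQTT-over-TLS connection; the server's
    SYN/ACK and a SYN from a host outside the monitor network must be ignored."""
    frames = [
        _frame("172.16.0.20", "203.0.113.10", 40001, 80, TCP_SYN),
        _frame("172.16.0.20", "203.0.113.10", 40002, 443, TCP_SYN),
        _frame("172.16.0.20", "203.0.113.10", 40002, 443, TCP_SYN),
        _frame("172.16.0.20", "198.51.100.7", 40003, 8883, TCP_SYN),
        _frame("203.0.113.10", "172.16.0.20", 443, 40002, TCP_SYN | TCP_ACK),
        _frame("192.168.1.50", "203.0.113.10", 50000, 80, TCP_SYN),
    ]
    pcap = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        pcap += struct.pack("<IIII", 1500000000 + i, 0, len(frame), len(frame)) + frame
    return pcap


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for bucket, counts in summarise(data).items():
        print(bucket)
        for (dst, port), n in sorted(counts.items()):
            print(f"  {dst}:{port}  {n} connection(s)")
```

Recent ```tshark``` versions write pcapng by default; ```tshark -F pcap -w ./output.pcap``` produces the classic format this parser expects.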

![Bind BurpSuite to port 443](pics/burpsuite443.png)

We go to the request handling tab, redirect traffic to port 443, force use of SSL, and enable support for invisible proxying.
![Enable Invisible Proxying for BurpSuite](pics/burpsuite443_proxy.png)


## Automation
As we are lazy, we automate anything that we are going to do more than once. You can find the [configuration files](https://github.com/koenbuyens/kalirouter/tree/master/conf) and the [script](https://github.com/koenbuyens/kalirouter/blob/master/monitor.sh) on [my github](https://github.com/koenbuyens/kalirouter).

To get up and running, do the following.
- Obtain the code from github.
```shell
$ git clone https://github.com/koenbuyens/kalirouter.git
```
- Install the necessary dependencies:
```shell
apt-get install dnsmasq hostapd bridge-utils
```
- Plug in the USB interfaces and discover their names and MAC addresses by executing ```ifconfig -a```.
- Tell the network-manager service that we will manage the interfaces ourselves by adding the adapters' MAC addresses to the unmanaged-devices section of the ```/etc/NetworkManager/NetworkManager.conf``` file and restart the networking service by executing ```/etc/init.d/networking restart```.
```
[keyfile]
unmanaged-devices=mac:d8:eb:97:b6:ce:12;mac:56:6b:a2:90:c4:b9
```
- Modify the ```hostapd.conf``` file and point it to the correct interface for wireless (default ```wlan0```).
- Modify the interface variables in the ```monitor.sh``` script file to point to the correct interfaces. ```WIRELESS_MONITOR_INTERFACE```, ```WIRED_MONITOR_INTERFACE```, and ```INTERNET_INTERFACE``` point to the wireless USB adapter, the wired USB adapter, and Kali's VMWare interface respectively. The defaults are ```wlan0```, ```eth1```, and ```eth0```.
- Modify the proxy variables in the ```monitor.sh``` script file to point to the IP address and ports BurpSuite is running on. ```PROXYBOX```, ```PROXYBOX_HTTP_PORT```, and ```PROXYBOX_HTTPS_PORT``` refer to the IP address, HTTP port, and HTTPS port respectively. The defaults are 172.16.0.1, 80, and 443. Modify the IP address if BurpSuite runs on a different machine (in my case ```192.168.1.192```).
- Execute the script:
```bash
$ ./monitor.sh
```
- Output is in the ```dumps/output.pcap``` file. You can stop monitoring by pressing Ctrl-C.


## Intercepting Communication from Embedded Devices, Android Apps, and Windows Applications
After starting our monitor script, we can start monitoring the devices and applications that connect to our monitor network.

### Embedded Device
We connect an embedded device to our Monitor Network, either wirelessly or via Ethernet cable. We then let the device do its job. In the example below, our embedded device (```10.0.0.38```) communicates via UDP to a mobile app in our main home network (```192.168.1.230```). We could have connected both devices to our monitor network (```10.0.0.0/8```) to intercept all communication.

![Wireshark Logs All Traffic From Our Embedded Device](pics/example_embedded_wireshark.png)

### Mobile Applications
Before we can start monitoring mobile applications, we must add the certificate of BurpSuite to the trust store of the mobile operating system, as most mobile applications (and thick clients) nowadays validate the certificate.

1. We export BurpSuite's certificate by clicking ```Import/export CA certificate``` in the ```Proxy``` tab.
![Export the Certificate of BurpSuite](pics/burpsuite_exportcert.png)

2. We export the certificate as a DER file by selecting the ```Certificate in DER format``` option.
![Export the Certificate of BurpSuite in DER format](pics/burpsuite_exportcertder.png)

For Android apps, we add the certificate to the trust store of Android as follows.
1. We first go to the security settings.
![Import a Certificate in Android - Security Settings](pics/example_mobile_importcertandroid.png)

2. We then install a certificate from the SD card.
![Import a Certificate in Android - Install from SD card](pics/example_mobile_importcertandroid2.png)

3. We select the certificate file.
![Import a Certificate in Android - Select the certificate file](pics/example_mobile_importcertandroid3.png)

4. Finally, we give it a name.
![Import a Certificate in Android - Give a Name to the Certificate](pics/example_mobile_importcertandroid4.png)

After importing the certificate, we are ready to monitor an application.
1. We connect the mobile device to our Monitor Network. We use the password that we set up in our ```hostapd``` configuration file.
![Monitor Android Application - Connect to Monitor Network](pics/example_mobile_connect.png)

2. We then start the application that we want to monitor. The example below shows the Amtrak application.
![Monitor Android Application - Start the Application](pics/example_mobile_app.png)

3. We observe that BurpSuite receives HTTPS traffic from the Android app.
![BurpSuite Receives HTTPS Traffic From the Android App](pics/example_mobile_burp.png)

4. We also observe that Wireshark logs all traffic (in this case of the Facebook app).
![Wireshark Logs All Traffic From the Android App](pics/example_mobile_wireshark.png)

**Note:** To monitor applications that implement [HSTS](https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet), [HPKP](https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning) or [Certificate Pinning](https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning), we would need to [complete](https://finnwea.com/blog/bypassing-http-strict-transport-security-hsts) [additional steps](https://github.com/iSECPartners/Android-SSL-TrustKiller) (that are outside of the scope of this article).

### Windows Applications
We can also use this set-up to monitor the communication of Windows applications by connecting our Windows machine to the same network and adding BurpSuite's certificate to the Windows trust store.

1. We connect our Windows machine (via Ethernet) to our Monitor Network.
![Windows is connected to our monitor network](pics/example_windows2.png)

2. We follow the steps that [Parsia outlined](https://parsiya.net/blog/2016-02-21-installing-burp-certificate-authority-in-windows-certificate-store/) to import the certificate in the Windows certificate store.

3. We start the application that we are interested in, in this case just our browser.
![We monitor our browser](pics/example_windows1.png)

4. Observe that both BurpSuite and Wireshark receive the traffic.
![We monitor our browser](pics/example_windows_browserburp.png)
![We monitor our browser](pics/example_windows_browserwireshark.png)

## A Raspberry Pi Kali Router
As we wanted a portable solution, we applied the above set-up on a Raspberry Pi. You can download a Raspberry Pi Kali Linux image with the set-up [here](mailto:koen+raspberrypi@buyens.org).
You most likely will need to apply the changes listed in the [Automation](https://github.com/koenbuyens/kalirouter#automation) section, especially adding the MAC addresses of your cards to the Network Manager configuration file.

![Our Raspberry Pi Kali Set-up](pics/raspberrypisetup.jpg)

First, we download the latest Kali Linux image for the Raspberry Pi at [Offensive Security](https://www.offensive-security.com/kali-linux-arm-images/).
This image is most likely compressed with ```xz```, as it ends with the ```xz``` file extension. We install the ```xz``` compression tool and use it to extract the image. If the Kali image is not compressed with ```xz``` (i.e. it has the ```img``` file extension), we can skip this step.

On MacOSX, this is as follows.
```shell
$ brew install xz
$ xz -d file-to-extract.xz
```

On Ubuntu, this is as follows.
```shell
$ apt-get install xz-utils
$ xz -d file-to-extract.xz
```

Second, flash the image to disk. We execute the ```df``` program twice to identify the disks attached to our system: first before inserting the SD card into the reader and then after inserting it into the reader.
```shell
$ df -h
```
The filesystem name of the SD card is the one that was not there before. On MacOSX, it looks like ```/dev/disk2s1```. On Ubuntu, it looks like ```/dev/sdb```.

We unmount the partition so that we can write to it. On MacOSX, we unmount it with the ```diskutil``` command. As our flash card is the second disk (```/dev/disk2...```), we execute the following.

```shell
$ sudo diskutil unmount /dev/disk2
```

On Ubuntu, we unmount it with the ```umount``` command.
```shell
$ sudo umount /dev/sdb
```

We copy Kali to the SD card with the ```dd``` command. Replace ```rdisk2``` with the correct disk (i.e. ```/dev/sdb``` in my Kali machine) and replace ```LocationOfKaliImage``` with the path to your Kali Linux image. (The lowercase ```bs=1m``` is the MacOSX spelling; GNU ```dd``` on Ubuntu expects ```bs=1M```.)

```shell
$ sudo dd bs=1m if=LocationOfKaliImage of=/dev/rdisk2
```

We expand Kali to take the complete SD card with the ```gparted``` application running on our Ubuntu machine.

```shell
$ apt-get install gparted
$ gparted
```

We select the SD card (typically ```/dev/sdb```). Observe that there is empty space after the data partition. We right-click on the one that contains data (light yellow, typically ```/dev/sdb2```) and click ```Resize/Move```.

![Select the SD card and click resize.](pics/resizepartition.png)

In the resize dialog box, we change the ```Free Space Following``` to zero, and click ```Resize```. In our case, we expand our Kali partition to about 30GB.

![Select the SD card and click resize.](pics/resizepartition2.png)

We right-click on the pending operation (at the bottom of gparted) and select ```Apply All Operations```.

![Select the SD card and click resize.](pics/resizepartition3.png)

After completion, we eject the SD card and insert it into the Raspberry Pi, connect the Pi to a screen, attach a keyboard and mouse, and connect it to our network with an Ethernet cable. We plug in the power source to boot into Kali Linux for the first time and we log in with the username ```root``` and the password ```toor```.

We update the software of the device by running the following commands:
```shell
$ apt-get update
$ apt-get upgrade
$ apt-get dist-upgrade
```

We update the root password by executing ```passwd```.

```shell
$ passwd root
```

To communicate with our Raspberry Pi from our computer, we will use SSH.
As it is not installed, we install it and enable it on boot as follows:

```shell
$ apt-get install openssh-server
$ update-rc.d -f ssh remove
$ update-rc.d -f ssh defaults
```

We replace the default SSH host keys (which are shared by every copy of the image) as follows:

```shell
$ cd /etc/ssh/
$ mkdir insecure_old
$ mv ssh_host* insecure_old
$ dpkg-reconfigure openssh-server
```

We change the ```sshd_config``` file to allow our root user to authenticate. (Note: this is not secure; it is better to create a regular user.)

```shell
$ nano /etc/ssh/sshd_config
```

We change the following line.
```shell
PermitRootLogin without-password
```

to this line instead:
```shell
PermitRootLogin yes
```

We save our changes and restart the openssh-server.
```shell
$ service ssh restart
$ update-rc.d -f ssh enable 2 3 4 5
```

We install ```net-tools``` so that we are able to use ```ifconfig```.
```shell
$ apt-get install net-tools
```

We then clone our scripts on the Raspberry Pi, connect our USB adapters, follow the instructions in the [Automation](#automation) section (use ```wlan1``` instead of ```wlan0```), and are ready to go.
```shell
$ git clone https://github.com/koenbuyens/kalirouter.git
```

## Conclusion
We transformed Kali into an intercepting router so that we can easily intercept communication between multiple devices.

## References
The following links helped me in creating a wired/wireless router in Kali Linux.
- [https://www.psattack.com/articles/20160410/setting-up-a-wireless-access-point-in-kali/](https://www.psattack.com/articles/20160410/setting-up-a-wireless-access-point-in-kali/)
- [https://cybergibbons.com/security-2/quick-and-easy-fake-wifi-access-point-in-kali/](https://cybergibbons.com/security-2/quick-and-easy-fake-wifi-access-point-in-kali/)
- [https://ubuntuforums.org/showthread.php?t=716192](https://ubuntuforums.org/showthread.php?t=716192)
- [https://help.ubuntu.com/community/NetworkConnectionBridge](https://help.ubuntu.com/community/NetworkConnectionBridge)
- [https://wiki.archlinux.org/index.php/Internet_sharing#Configuration](https://wiki.archlinux.org/index.php/Internet_sharing#Configuration)
- [https://wiki.archlinux.org/index.php/software_access_point#Bridge_setup](https://wiki.archlinux.org/index.php/software_access_point#Bridge_setup)
- [https://wiki.debian.org/BridgeNetworkConnections#Manual_bridge_setup](https://wiki.debian.org/BridgeNetworkConnections#Manual_bridge_setup)
- [https://help.ubuntu.com/lts/serverguide/network-configuration.html](https://help.ubuntu.com/lts/serverguide/network-configuration.html)
- [http://www.tldp.org/HOWTO/TransparentProxy-6.html](http://www.tldp.org/HOWTO/TransparentProxy-6.html)

--------------------------------------------------------------------------------
/conf/dnsmasq.conf:
--------------------------------------------------------------------------------
# listen on this interface; change it if a different bridge name was chosen in the overall script file
interface=br0
# hand out addresses from 172.16.0.10 up to 172.31.255.254; a lease is valid for 8 hours
dhcp-range=172.16.0.10,172.31.255.254,8h
# router (default gateway) handed to clients
dhcp-option=3,172.16.0.1
# dns server handed to clients
dhcp-option=6,172.16.0.1
# upstream DNS server
server=8.8.8.8
log-queries
log-dhcp

# include addresses: resolve this name to the router itself
address=/attacker.com/172.16.0.1
--------------------------------------------------------------------------------
/conf/hostapd.conf:
--------------------------------------------------------------------------------
# create a wireless network with this interface; change it if your wireless card is not wlan0
interface=wlan0
# change this if a different bridge interface was chosen
bridge=br0
ssid=Monitor-Network
# Change the passphrase to something you like
wpa_passphrase=Monitor-Network
driver=nl80211
auth_algs=3
channel=7
driver=nl80211
hw_mode=g
logger_stdout=-1
logger_stdout_level=2
max_num_sta=5
rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP

--------------------------------------------------------------------------------
/dumps/output.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/dumps/output.pcap

--------------------------------------------------------------------------------
/monitor.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# based on https://www.psattack.com/articles/20160410/setting-up-a-wireless-access-point-in-kali/
# Interfaces that we want to monitor on
WIRELESS_MONITOR_INTERFACE=wlan0
WIRED_MONITOR_INTERFACE=eth1
# Bridge between the above two interfaces (created on demand)
BRIDGE_INTERFACE=br0
# Interface that is connected to our regular network (e.g. Internet)
INTERNET_INTERFACE=eth0
# Network address range we use for our monitor network
MONITOR_NETWORK=172.16.0.0/12
# The address we assign to our router, dhcp, and dns server.
MONITOR_MAIN=172.16.0.1/12
# PROXY BOX (e.g. burp). The ip address of the machine running a transparent proxy.
PROXYBOX=172.16.0.1
# ports on which the proxy is listening
PROXYBOX_HTTP_PORT=80
PROXYBOX_HTTPS_PORT=443
# configuration directory
CONFIGDIR=./conf
# directory to which to write wireshark dumps
DUMPDIR=./dumps

# It monitors until we hit Ctrl-C
trap ctrl_c INT
function ctrl_c(){
  echo Killing processes.
  killall dnsmasq
  killall hostapd
  echo Bringing down interfaces.
  ifconfig $WIRELESS_MONITOR_INTERFACE down
  ifconfig $WIRED_MONITOR_INTERFACE down
  ifconfig $BRIDGE_INTERFACE down
  echo Deleting bridge
  brctl delbr $BRIDGE_INTERFACE
}
# make the wireless interface unmanaged - see https://askubuntu.com/questions/472794/hostapd-error-nl80211-could-not-configure-driver-mode
nmcli radio wifi off
rfkill unblock wlan

# delete all addresses for wireless and wired
ip addr flush dev $WIRELESS_MONITOR_INTERFACE
ip addr flush dev $WIRED_MONITOR_INTERFACE
# bring the ethernet interface up
ip link set dev $WIRED_MONITOR_INTERFACE up
# create bridge interface
brctl addbr $BRIDGE_INTERFACE
# add the wire to the bridge
brctl addif $BRIDGE_INTERFACE $WIRED_MONITOR_INTERFACE
# bring the bridge up
ip link set dev $BRIDGE_INTERFACE up
# bring up the wireless network interface
ip link set dev $WIRELESS_MONITOR_INTERFACE up
# configure it to be an access point (and add it to the bridge)
hostapd $CONFIGDIR/hostapd.conf -B
# give the bridge (not a hard-coded br0) the router address
ip addr add $MONITOR_MAIN dev $BRIDGE_INTERFACE

# configure our DHCP server
dnsmasq -C $CONFIGDIR/dnsmasq.conf

# Add a forward rule for ipv4 traffic from MONITOR towards INTERNET
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -j MASQUERADE

# redirect HTTP traffic to burp running on another machine; http://www.tldp.org/HOWTO/TransparentProxy-6.html
# Note: this approach only works for HTTP/1.1. Read the URI above to make our approach more generic (but this requires
# send the packets to proxybox from our bridge interface. port is the port that we want to intercept. Do this for each port we want to intercept. Leave the port out to proxy all tcp traffic.
# intercept http traffic
iptables -t nat -A PREROUTING -i $BRIDGE_INTERFACE -p tcp --dport 80 -j DNAT --to-destination $PROXYBOX:$PROXYBOX_HTTP_PORT
# intercept https traffic
iptables -t nat -A PREROUTING -i $BRIDGE_INTERFACE -p tcp --dport 443 -j DNAT --to-destination $PROXYBOX:$PROXYBOX_HTTPS_PORT

# make sure that the reply gets sent back through our monitor, instead of directly to the client we monitor (important!)
iptables -t nat -A POSTROUTING -o $INTERNET_INTERFACE -s $MONITOR_NETWORK -d $PROXYBOX -j MASQUERADE # use masquerade as our monitor gets a dynamic IP address

# make sure our monitor will forward the appropriate packets to the proxybox. It may not be needed.
# http traffic
iptables -A FORWARD -s $MONITOR_NETWORK -d $PROXYBOX -i $BRIDGE_INTERFACE -o $INTERNET_INTERFACE -p tcp --dport $PROXYBOX_HTTP_PORT -j ACCEPT
# https traffic
iptables -A FORWARD -s $MONITOR_NETWORK -d $PROXYBOX -i $BRIDGE_INTERFACE -o $INTERNET_INTERFACE -p tcp --dport $PROXYBOX_HTTPS_PORT -j ACCEPT


# Configure tshark (wireshark) to write whatever passes over our monitored interface to a pcap file.
tshark -i $BRIDGE_INTERFACE -w $DUMPDIR/output.pcap -P

--------------------------------------------------------------------------------
/pics/ (screenshots referenced by the README):
--------------------------------------------------------------------------------
/pics/burpproxy.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/burpproxy.png
/pics/burpsuite443.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/burpsuite443.png
/pics/burpsuite443_proxy.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/burpsuite443_proxy.png
/pics/burpsuite80.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/burpsuite80.png
/pics/burpsuite80_proxy.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/burpsuite80_proxy.png
/pics/burpsuite_exportcert.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/burpsuite_exportcert.png
/pics/burpsuite_exportcertder.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/burpsuite_exportcertder.png
/pics/example_embedded_wireshark.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_embedded_wireshark.png
/pics/example_mobile_app.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_app.png
/pics/example_mobile_burp.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_burp.png
/pics/example_mobile_connect.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_connect.png
/pics/example_mobile_importcertandroid.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_importcertandroid.png
/pics/example_mobile_importcertandroid2.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_importcertandroid2.png
/pics/example_mobile_importcertandroid3.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_importcertandroid3.png
/pics/example_mobile_importcertandroid4.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_importcertandroid4.png
/pics/example_mobile_wireshark.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_mobile_wireshark.png
/pics/example_windows1.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_windows1.png
/pics/example_windows2.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_windows2.png
/pics/example_windows_browserburp.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_windows_browserburp.png
/pics/example_windows_browserwireshark.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/example_windows_browserwireshark.png
/pics/kalidevices.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/kalidevices.png
/pics/raspberrypisetup.jpg: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/raspberrypisetup.jpg
/pics/resizepartition.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/resizepartition.png
/pics/resizepartition2.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/resizepartition2.png
/pics/resizepartition3.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/resizepartition3.png
/pics/setup.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/setup.png
/pics/vmbridged.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/vmbridged.png
/pics/vmconnectdevices.png: https://raw.githubusercontent.com/koenbuyens/kalirouter/1d73c5076c8014a6e9d0c161d0e6044924b7a3b8/pics/vmconnectdevices.png
--------------------------------------------------------------------------------
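monitor.sh, conf/hostapd.conf and conf/dnsmasq.conf only work together when they agree on the bridge name, the wireless interface (wlan0 vs. wlan1 on the Raspberry Pi) and the 172.16.0.0/12 addresses, and two of the shipped values deserve a second look (PROXYBOX equals the router's own address, and wpa_pairwise still allows TKIP). The checker below is an added example written for this page, not code from the kalirouter repository; `parse_kv` and `check_config` are names chosen here, and the excerpts it parses are constructed from the values in the three files above.

```python
"""Added example, not the kalirouter project's code: cross-check the variables
in monitor.sh against conf/hostapd.conf and conf/dnsmasq.conf."""
import ipaddress

# Constructed excerpts carrying the values the repository's files ship with.
MONITOR_SH = """WIRELESS_MONITOR_INTERFACE=wlan0
BRIDGE_INTERFACE=br0
MONITOR_NETWORK=172.16.0.0/12
MONITOR_MAIN=172.16.0.1/12
PROXYBOX=172.16.0.1  # machine running the transparent proxy"""
HOSTAPD_CONF = "interface=wlan0\nbridge=br0\ndriver=nl80211\ndriver=nl80211\nwpa_pairwise=TKIP CCMP\n"
DNSMASQ_CONF = ("interface=br0\ndhcp-range=172.16.0.10,172.31.255.254,8h\n"
                "dhcp-option=3,172.16.0.1\ndhcp-option=6,172.16.0.1\n")


def parse_kv(text):
    """Parse key=value lines (shell assignments or hostapd/dnsmasq keys), dropping
    comments; every value is kept in a list so repeated keys stay visible."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line and not line.startswith(("iptables", "sysctl")):
            key, value = line.split("=", 1)
            out.setdefault(key.strip(), []).append(value.strip())
    return out


def check_config(monitor_sh, hostapd_conf, dnsmasq_conf):
    """Return human-readable findings; an empty list means the three files agree."""
    sh = {k: v[-1] for k, v in parse_kv(monitor_sh).items()}
    ap, dm = parse_kv(hostapd_conf), parse_kv(dnsmasq_conf)
    last = lambda d, k: d.get(k, [""])[-1]  # last value wins, as in the daemons
    findings = []
    bridge, wlan = sh["BRIDGE_INTERFACE"], sh["WIRELESS_MONITOR_INTERFACE"]
    if last(ap, "bridge") != bridge:
        findings.append(f"hostapd bridge={last(ap, 'bridge')!r} but the script uses {bridge}")
    if last(dm, "interface") != bridge:
        findings.append(f"dnsmasq interface={last(dm, 'interface')!r} but the script uses {bridge}")
    if last(ap, "interface") != wlan:
        findings.append(f"hostapd interface={last(ap, 'interface')!r} but the script uses {wlan}")
    net = ipaddress.ip_network(sh["MONITOR_NETWORK"], strict=False)
    router = ipaddress.ip_interface(sh["MONITOR_MAIN"])
    rng = last(dm, "dhcp-range").split(",")
    if len(rng) < 2 or any(ipaddress.ip_address(p) not in net for p in rng[:2]):
        findings.append("dhcp-range is missing or not fully inside MONITOR_NETWORK")
    for opt in dm.get("dhcp-option", []):  # 3 = default gateway, 6 = DNS server
        code, value = opt.split(",", 1)
        if code in ("3", "6") and ipaddress.ip_address(value) != router.ip:
            findings.append(f"dhcp-option {code} hands out {value}, not the router")
    if ipaddress.ip_address(sh["PROXYBOX"]) == router.ip:
        findings.append("PROXYBOX is the router's own address: only a proxy listening on the router "
                        "receives the redirected traffic, and the POSTROUTING rule towards INTERNET_INTERFACE never matches")
    if "TKIP" in last(ap, "wpa_pairwise"):
        findings.append("wpa_pairwise allows TKIP; restrict it to CCMP")
    if len(ap.get("driver", [])) > 1:
        findings.append("hostapd.conf sets driver= more than once")
    return findings


if __name__ == "__main__":
    for finding in check_config(MONITOR_SH, HOSTAPD_CONF, DNSMASQ_CONF):
        print("-", finding)
```

Run it against the real files by reading them into the three arguments; with the shipped values it reports the PROXYBOX, TKIP and duplicate driver findings, and swapping hostapd's interface to wlan1 without changing the script adds an interface mismatch.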