Awesome
Wifi Man-in-the-Middle Helper
About
These scripts are designed to make it easy and straight-forward to configure a Ubuntu virtual machine to act as a WiFi access point (AP), and forward traffic to your favorite web proxy or other tool. I personally use this for doing mobile and other embedded device testing. If you've used my PPTP helper, you should feel right at home configuring and using this tool!
Note: There is no black magic here - simply some utilities to make it easier to use.
The typical work flow would be a VM that has one wired (or could even be wireless) interface, we'll call it 'eth0', and a USB WiFi dongle. mitm-wifi
will generate a hostapd
configuration file, create a WiFi access point from the USB WiFi dongle, and then apply appropriate iptables
rules so that you can intercept and modify traffic as you please.
Configuration
Tool Setup
This tool is designed to work on Ubuntu virtual machines operating in 'bridged' mode. Your mileage will vary if you use another VM, but I suppose Kali Linux should also work fine.
To download and setup the tool, run the following commands:
$ git clone https://github.com/jakev/mitm-helper-wifi
$ cd mitm-helper-wifi
$ sudo ./install_dependencies.sh
$ sudo dpkg -i build/mitm-helper-wifi_*.deb
Supported OSes
The following operating systems are fully supported:
- Ubuntu 14 - 16
The following systems are known to work, but require manual dependency installation:
- Kali Linux "Sana"
- Kali Linux "Kali Rolling"
Manual dependency installation should be as simple as:
$ sudo apt-get install dnsmasq hostapd iptables python
Global Settings
I tried to make configuration of the tool both straightforward and flexible. I use a TP Link TL-WN722N, that cost me about 12 dollars on Amazon and does everything I need. If you use a similiar adapter, your setup should work completely out of the box.
The configuration file can be found at /etc/mitm-wifi.conf
. The only setting you need to specify is a WPA passphrase, but you can also select a custom SSID in the section 'Global':
[Global]
Ssid=CoolNetwork
Key=M0bileisfuN
What does this do? This configures a 802.11g network on channel 1, using WPA2 PSK/CCMP. If this doesn't work for you, check out the next section on overriding.
Users
If you're connecting multiple devices to your AP, for example, 1 rooted device you'd like to intercept traffic, and 1 device you're not so concerned with all (or the same) traffic, you can define users. Users are based on MAC addresses. By default, mitm-wifi
supports 5 users: user0 - user4. Users can then be applied to whichever proxy rule section you'd like.
The following adds the host 00:11:22:33:44:55 to user group "user0":
[Global]
Ssid=CoolNetwork
Key=M0bileisfuN
user0=00:11:22:33:44:55
hostapd Overriding
If for some reason the hostapd
configuration I'm using by default doesnt fit your setup, powerusers can manually override any hostapd
configuration settings. You're own your own for validation here, and you might not be able to achieve exactly what you'd like.
As an example, let's say that channel 1 is not ideal and you'd rather use 10. We can override these parameters in the /etc/mitm-wifi.conf
file by specifying the exact hostapd
config equivalent to overrider
[Global]
Ssid=CoolNetwork
Key=M0bileisfuN
[Override]
channel=10
If you need more control than this, please message me and we can talk about adding additional features.
Configuring Proxy Rules
We'll also add sections to the /etc/mitm-wifi.conf
file to configure how you will intercept traffic. By default, traffic is simply passed through (no proxy). This should work if you just want to observe traffic using a tool like Wireshark. In our case, let's assume we have Burp running on port 9999, and we'd like to forward traffic on ports 80 and 443 to this proxy. We configure the /etc/mitm-wifi.conf
file as follows:
...
[HTTP Proxies]
ProxyPort:9999
ForwardPorts:80,443
Now, let's say that we determine our app/device uses a custom protocol on port 1234, and Burp is not useful for intercepting this traffic. We created a python script, and it is listening on port 8888. Let's add rules for this:
...
[HTTP Proxies]
ProxyPort:9999
ForwardPorts:80,443
[Binary Coolness Proxy]
ProxyPort:8888
ForwardPorts:1234
This configuration can be found in the file sample.mitm-wifi.conf
. Note that the section names in the mitm-wifi.conf
can be named anything except 'Global' and 'Override'.
User Specific Rules
If for some reason you'd only like to capture ports 1234 on a specifc device (for example 00:11:22:33:44:55 above), you can apply the proxy rules to specific user or comma delimited users:
[Global]
...
user0=00:11:22:33:44:55
...
[Binary Coolness Proxy]
ProxyPort:8888
ForwardPort:1234
UserIds:user0
Side note for Burp users: You'll likely need to listen on all interfaces AND enable the invisible proxying to have your setup work properly.
Starting the WiFi AP
Once you're ready to start, run:
$ sudo mitm-wifi -v
If you want to specify a custom configuration file, you can do so with the -c
argument:
$ sudo mitm-wifi -v -c my-wifi.conf
By default, hostapd
will attempt to find the USB dongle on wlan0, but if your adapter is named different, use the -w
argument:
$ sudo mitm-wifi -v -w ath1
If you want to set static A records, you can use the -m
argument (or hostmap
in the Global
section of your config). The format should be:
hostname:IP[,hostname:IP]
Example:
$ sudo mitm-wifi -v -w ath1 -m www.acme.com:10.6.9.1
If your host machine is connected to a VPN, you may also need to tell mitm-wifi
about the upstream DNS servers provided by the VPN client. For example, if your host machine was using a DNS server of 172.16.1.50, you can tell mitm-wifi
to use this DNS server, using the -s
argument:
$ sudo mitm-wifi -v -s 172.16.1.50
Stopping the WiFi AP
By hitting Ctrl+C, the script will begin the shutdown process.