Here are the usable options I know of for intercepting HTTP traffic when all you have is an isolated Kali Linux box (reached over SSH, with no X/VNC access and no Internet access):
- Simple intercepting proxy in full-screen text mode (à la Kismet): mitmproxy -p 8080
- Simple intercepting proxy in scrolling log mode (à la tcpdump): mitmdump -v -p 8080
# mitmdump -w /var/log/mitmdump-$$.log -v -p 8080
192.168.2.109 GET http://www.jourzero.com/
Host: www.jourzero.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
<< 304 Not Modified 0B
Expires: Wed, 13 Nov 2013 17:30:43 GMT
Date: Wed, 13 Nov 2013 17:30:43 GMT
Cache-Control: private, max-age=0
ETag: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
Server: GSE
# mitmproxy -r /var/log/mitmdump-3099.log
>> GET http://www.jourzero.com/
← 304 [empty content]
(press ENTER)
2013-11-13 12:30:43 GET http://www.jourzero.com/
← 304 [empty content]
Request Response
Host: www.jourzero.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
2013-11-13 12:30:43 GET http://www.jourzero.com/
← 304 [empty content]
(press TAB)
Request Response
Expires: Wed, 13 Nov 2013 17:30:43 GMT
Date: Wed, 13 Nov 2013 17:30:43 GMT
Cache-Control: private, max-age=0
ETag: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
Server: GSE
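The verbose view that mitmdump -v prints above is easy to keep with tee or script, but it is only text, so grouping it back into flows takes a small parser. The following is an added example written for this post, not mitmproxy's own code (the file written with -w is mitmproxy's flow format and is meant to be read back with mitmproxy -r, as shown above; this parser is for the text view). The line layout is assumed from the sample on the page: a "client-ip METHOD url" line, request headers, a "<< status reason size" line, then response headers. The second flow in the sample input is constructed.

```python
"""Parse the text output of ``mitmdump -v`` back into per-flow records.

Added example; not part of the original post and not mitmproxy code.
Assumed layout (taken from the sample above):
    <client-ip> <METHOD> <url>      opens a flow, followed by request headers
    << <status> <reason> <size>     starts the response, followed by its headers
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the jourzero.com exchange from the page plus a second,
# made-up flow so there is more than one record to group.
SAMPLE_LOG = """\
192.168.2.109 GET http://www.jourzero.com/
Host: www.jourzero.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept-Encoding: gzip, deflate
If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
<< 304 Not Modified 0B
Cache-Control: private, max-age=0
ETag: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
Server: GSE
192.168.2.109 POST http://www.example.test/login
Host: www.example.test
Content-Type: application/x-www-form-urlencoded
<< 302 Found 0B
Location: http://www.example.test/home
Set-Cookie: session=abc123; Path=/
"""

REQUEST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ([A-Z]+) (\S+)$")
RESPONSE_LINE = re.compile(r"^<< (\d{3}) (.*?) (\S+)$")


@dataclass
class Flow:
    client: str
    method: str
    url: str
    request_headers: Dict[str, str] = field(default_factory=dict)
    status: Optional[int] = None
    reason: str = ""
    size: str = ""
    response_headers: Dict[str, str] = field(default_factory=dict)


def parse_mitmdump_log(text: str) -> List[Flow]:
    """Group the text log into Flow records; header names are lower-cased.

    A repeated header name keeps the last value seen (dict semantics).
    """
    flows: List[Flow] = []
    current: Optional[Flow] = None
    in_response = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = REQUEST_LINE.match(line)
        if m:                                   # new flow starts here
            current = Flow(client=m.group(1), method=m.group(2), url=m.group(3))
            flows.append(current)
            in_response = False
            continue
        if current is None:                     # stray line before any request
            continue
        m = RESPONSE_LINE.match(line)
        if m:                                   # switch to response headers
            current.status, current.reason, current.size = int(m.group(1)), m.group(2), m.group(3)
            in_response = True
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        target = current.response_headers if in_response else current.request_headers
        target[name.strip().lower()] = value.strip()
    return flows


def hosts_contacted(flows: List[Flow]) -> List[str]:
    """Sorted, de-duplicated Host headers: a quick inventory of where the client went."""
    return sorted({f.request_headers.get("host", "") for f in flows})


def cookies_set_over_cleartext(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Set-Cookie headers delivered over plain http://, i.e. readable by anyone on the path."""
    return [(f.url, f.response_headers["set-cookie"])
            for f in flows
            if f.url.startswith("http://") and "set-cookie" in f.response_headers]


if __name__ == "__main__":
    parsed = parse_mitmdump_log(SAMPLE_LOG)
    for f in parsed:
        print(f.client, f.method, f.url, "->", f.status, f.reason, f.size)
    print("hosts:", hosts_contacted(parsed))
    print("cleartext cookies:", cookies_set_over_cleartext(parsed))
```

The two summary functions are the kind of check you run after a capture: which hosts were actually contacted through the proxy, and which of them handed out session cookies over plain HTTP.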
These other options also offer a "headless" mode, but they are not as simple to use:
- Zed Attack Proxy with the "-daemon" option: zap.sh -daemon. In my experience you need to know how to edit the proxy's XML configuration files to get what you want. Not the most attractive option.
- Burp with the -Djava.awt.headless=true option. Scripts that use this option: sodapop.sh and bscan
- Proxystrike with the -c (console) option - not sure whether this option is really usable...
- Metasploit socks4a auxiliary server:
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > info
Name: Socks4a Proxy Server
Module: auxiliary/server/socks4a
Version: 0
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
sf
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on.
Description:
This module provides a socks4a proxy server that uses the builtin
Metasploit routing to relay connections.
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) > jobs
Jobs
====
Id Name
-- ----
0 Auxiliary: server/socks4a
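What the socks4a module above speaks on port 1080 is the SOCKS4a handshake, whose one useful twist for an isolated box is that the client sends a hostname instead of an IP and lets the proxy do the DNS lookup. The following is an added example written for this post, not the Metasploit module's code: it builds and parses the CONNECT request, and runs a throwaway echo server plus a minimal SOCKS4a relay on 127.0.0.1 so the whole exchange can be observed offline. The hostname "localhost", the userid "kali" and the "ping" payload are constructed values.

```python
"""SOCKS4a CONNECT exchange, end to end on 127.0.0.1.

Added example, not Metasploit code. Wire format (SOCKS4 with the 4a extension):
  request : VN=4 | CD=1 | DSTPORT(2) | DSTIP(4) | USERID NUL | [HOSTNAME NUL]
  reply   : VN=0 | CD=0x5A granted / 0x5B rejected | DSTPORT(2) | DSTIP(4)
DSTIP in 0.0.0.1-0.0.0.255 is the 4a marker: a hostname follows and the
proxy, not the client, resolves it.
"""
import selectors
import socket
import struct
import threading
from typing import Tuple

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 0x5A
REPLY_REJECTED = 0x5B


def build_socks4a_connect(host: str, port: int, userid: str = "") -> bytes:
    """CONNECT request carrying a hostname (DSTIP = 0.0.0.1)."""
    return (struct.pack("!BBH", SOCKS_VERSION, CMD_CONNECT, port)
            + b"\x00\x00\x00\x01"
            + userid.encode("ascii") + b"\x00"
            + host.encode("ascii") + b"\x00")


def parse_socks4a_connect(data: bytes) -> Tuple[str, int, str]:
    """Return (host, port, userid); host is the 4a hostname or a dotted IPv4."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port = struct.unpack("!H", data[2:4])[0]
    ip = data[4:8]
    userid, _, rest = data[8:].partition(b"\x00")
    if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:          # SOCKS4a marker
        host = rest.partition(b"\x00")[0].decode("ascii")
    else:
        host = socket.inet_ntoa(ip)
    return host, port, userid.decode("ascii")


def socks4a_reply(granted: bool, port: int = 0, ip: bytes = b"\x00" * 4) -> bytes:
    return struct.pack("!BBH4s", 0, REPLY_GRANTED if granted else REPLY_REJECTED, port, ip)


def _relay(a: socket.socket, b: socket.socket) -> None:
    """Copy bytes both ways until either side closes."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)
    sel.register(b, selectors.EVENT_READ, a)
    while True:
        for key, _ in sel.select():
            data = key.fileobj.recv(4096)
            if not data:
                a.close()
                b.close()
                return
            key.data.sendall(data)


def _serve_socks4a(listener: socket.socket) -> None:
    """One-shot proxy: accept, parse CONNECT, resolve + connect, reply, relay."""
    client, _ = listener.accept()
    try:
        host, port, _ = parse_socks4a_connect(client.recv(1024))
        upstream = socket.create_connection((host, port), timeout=5)
    except (ValueError, OSError):
        client.sendall(socks4a_reply(False))
        client.close()
        return
    client.sendall(socks4a_reply(True, port))
    _relay(client, upstream)


def _serve_echo(listener: socket.socket) -> None:
    """Stand-in destination: echo one message, then close."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(conn.recv(1024))


def _listen() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


def demo(payload: bytes = b"ping") -> bytes:
    """Send payload through the SOCKS4a relay to the echo server; return what comes back."""
    echo, proxy = _listen(), _listen()
    threading.Thread(target=_serve_echo, args=(echo,), daemon=True).start()
    threading.Thread(target=_serve_socks4a, args=(proxy,), daemon=True).start()
    with socket.create_connection(proxy.getsockname(), timeout=5) as c:
        c.sendall(build_socks4a_connect("localhost", echo.getsockname()[1], "kali"))
        reply = c.recv(8)
        if len(reply) < 2 or reply[1] != REPLY_GRANTED:
            raise ConnectionError("proxy refused CONNECT: %r" % reply)
        c.sendall(payload)
        return c.recv(1024)


if __name__ == "__main__":
    print(demo())
```

Because the proxy performs the lookup, the SSH-only host needs no working resolver of its own; the flip side for a defender is that every name the client asks for shows up in the proxy's logs, which is where to watch for it.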
--
Here are the usable options I know of to intercept HTTP traffic in headless mode. I've had to use that on an isolated Kali Linux (accessed via SSH without possibility for X/VNC and without Internet download capability):
- Simple intercepting proxy in full-screen text mode (à la Kismet): mitmproxy -p 8080
- Simple intercepting proxy in log viewing mode (à la tcpdump): mitmdump -v -p 8080
There are other options on Kali, but they are not as usable or simple to set up:
- Zed Attack Proxy with the option "-daemon": zap.sh -daemon.
- Burp with the option -Djava.awt.headless=true. Scripts that use that option: sodapop.sh and bscan (to be tested)
- Proxystrike with the option -c (console) - not too sure that this option has any real use-case...