
[_] iptables, mitm sniffing - help...

Rob Jonson rob at hobbyistsoftware.com
Tue May 28 17:50:22 BST 2019

Hi Folks,

I'm trying to sniff some websocket traffic between two devices on my local
network (an LG TV and an iPad remote control)

I have set up a raspberry pi running mitmproxy (in transparent mode)

the Pi setup is roughly

internet -> [eth0 Raspberry pi wlan0] <- LG TV && iPad

I'm able to sniff traffic which goes from the iPad to the ethernet, but
traffic between devices on wlan0 just doesn't show up

(e.g. I can't see traffic between the TV and the remote control)

I can't move the TV or the Remote to the ethernet side of the network
because that breaks the discovery protocol between them (multicast ssdp),
so they won't talk at all - and there is no traffic to intercept.

I have the following iptables rules:

# Generated by iptables-save v1.6.0 on Tue May 28 15:09:06 2019
*nat
:PREROUTING ACCEPT [108:23640]
:INPUT ACCEPT [46:8292]
:OUTPUT ACCEPT [1:60]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 3000 -j REDIRECT --to-ports 8080
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 3001 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue May 28 15:09:06 2019
# Generated by iptables-save v1.6.0 on Tue May 28 15:09:06 2019
*filter
:INPUT ACCEPT [16180:3332916]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13497:8752351]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
# Completed on Tue May 28 15:09:06 2019


which (I think) mean 'any traffic on wlan0 on the relevant ports should be
redirected to port 8080 on the local device'



and have set

sysctl -w net.ipv4.conf.all.send_redirects=0


as instructed here
https://docs.mitmproxy.org/stable/howto-transparent/

the whole thing was set up following instructions from this chap
https://www.dinofizzotti.com/blog/2019-01-09-running-a-man-in-the-middle-proxy-on-a-raspberry-pi-3/


I have spent days on this now! Can anyone help me to capture that traffic
on the wireless interface...

thank you :)

Rob



-- 





Hobbyist Software is a trading name of Hobbyist Software Limited.
Registered office 12 Fraley Rd, Bristol, BS93BS. Registered in England.
Company no:7876492
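
Added example, not part of the original post: a small Python parser for the *nat section quoted in the message, which lists the REDIRECT rules and reports which interface/protocol/port combinations they match. The rule text is copied from the post with wrapped lines joined; the function names are hypothetical. A PREROUTING rule is only evaluated for packets that the Pi's own IP stack receives on the named interface.

```python
import shlex

# Constructed input: the *nat section from the post, wrapped lines joined.
NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [108:23640]
:INPUT ACCEPT [46:8292]
:OUTPUT ACCEPT [1:60]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 3000 -j REDIRECT --to-ports 8080
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 3001 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_redirects(dump, table="nat", chain="PREROUTING"):
    """Return the REDIRECT rules of one chain as dicts, in rule order."""
    rules, current = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):           # "*nat" / "*filter" opens a table
            current = line[1:]
            continue
        tok = shlex.split(line, comments=True)
        if current != table or tok[:2] != ["-A", chain]:
            continue
        # Assumption: every option takes exactly one argument (true for the
        # rules above; "!" negation and multi-value matches are not handled).
        opts = dict(zip(tok[0::2], tok[1::2]))
        if opts.get("-j") == "REDIRECT":
            num = lambda key: int(opts[key]) if key in opts else None
            rules.append({"iface": opts.get("-i"), "proto": opts.get("-p"),
                          "dport": num("--dport"), "to_port": num("--to-ports")})
    return rules


def redirect_port(rules, iface, proto, dport):
    """Port a packet is redirected to, or None; an unset field matches anything."""
    for r in rules:                         # REDIRECT terminates: first match wins
        wanted = (("iface", iface), ("proto", proto), ("dport", dport))
        if all(r[k] in (None, v) for k, v in wanted):
            return r["to_port"]
    return None


if __name__ == "__main__":
    for rule in parse_redirects(NAT_DUMP):
        print(rule)
```

Comparing this output with the packet counters from `iptables -t nat -L PREROUTING -v -n` shows whether any packets are reaching these rules at all.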