[_] iptables, mitm sniffing - help...

Erik Wallace erik.wallace at lewdewe.com
Tue May 28 20:24:40 BST 2019

It wouldn't have anything to do with needing to put the network stack
for the wireless into promiscuous mode?

As an occasional Wireshark user I seem to remember something with
Wireshark about having to be run as root user so that it can switch to
promiscuous mode to capture all traffic and not just traffic destined
for the machine it's running on.


Kind Regards,
Erik Wallace



On 28/05/2019 17:50, Rob Jonson wrote:
> Hi Folks,
>
> I'm trying to sniff some websocket traffic between two devices on my local
> network (an LG TV and an iPad remote control)
>
> I have set up a raspberry pi running mitmproxy (in transparent mode)
>
> the Pi setup is roughly
>
> internet -> [eth0 Raspberry pi wlan0] <- LG TV && iPad
>
> I'm able to sniff traffic which goes from the iPad to the ethernet, but
> traffic between devices on wlan0 just doesn't show up
>
> (e.g. I can't see traffic between the TV and the remote control)
>
> I can't move the TV or the Remote to the ethernet side of the network
> because that breaks the discovery protocol between them (multicast ssdp),
> so they won't talk at all - and there is no traffic to intercept.
>
> I have the following iptables rules:
>
> # Generated by iptables-save v1.6.0 on Tue May 28 15:09:06 2019
> *nat
> :PREROUTING ACCEPT [108:23640]
> :INPUT ACCEPT [46:8292]
> :OUTPUT ACCEPT [1:60]
> :POSTROUTING ACCEPT [0:0]
> -A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
> -A PREROUTING -i wlan0 -p tcp -m tcp --dport 3000 -j REDIRECT --to-ports 8080
> -A PREROUTING -i wlan0 -p tcp -m tcp --dport 3001 -j REDIRECT --to-ports 8080
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
> # Completed on Tue May 28 15:09:06 2019
> # Generated by iptables-save v1.6.0 on Tue May 28 15:09:06 2019
> *filter
> :INPUT ACCEPT [16180:3332916]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [13497:8752351]
> -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i wlan0 -o eth0 -j ACCEPT
> COMMIT
> # Completed on Tue May 28 15:09:06 2019
>
>
> which (I think) mean 'any traffic on wlan0 on the relevant ports should be
> redirected to port 8080 on the local device'
>
>
>
> and have set
>
> sysctl -w net.ipv4.conf.all.send_redirects=0
>
>
> as instructed here
> https://docs.mitmproxy.org/stable/howto-transparent/
>
> the whole thing was set up following instructions from this chap
> https://www.dinofizzotti.com/blog/2019-01-09-running-a-man-in-the-middle-proxy-on-a-raspberry-pi-3/
>
>
> I have spent days on this now! Can anyone help me to capture that traffic
> on the wireless interface...
>
> thank you :)
>
> Rob
>
>
>