Proxy (justness) Mac OS
- A Mac computer running OS X. I used OS X Yosemite, but other versions should work too. An iPhone, iPad, or Android mobile device Purpose Many mobile apps don't properly implement SSL/TLS. In this project the Mac computer is used to perform a man-in-the-middle attack using Wi-Fi and Bluetooth as shown in the diagram below.
- Install SquidMan. We're going to use Squid as our proxy. We're actually going to install SquidMan.
This web page shows how to easily tunnel your traffic through an ssh-encrypted proxy on Mac OS X. This allows your traffic to traverse your local network without being visible to snoopers, even when visiting unencrypted sites. It also allows you to appear to come from a different IP address, allowing you to defeat geolocation schemes.
What You Need
- A Mac computer running OS X. I used OS X Yosemite, butother versions should work too.
- An iPhone, iPad, or Android mobile device
Purpose
Many mobile apps don't properly implement SSL/TLS.In this project the Mac computer is used toperform a man-in-the-middle attack usingWi-Fi and Bluetooth as shown in the diagrambelow. Any app on the mobile device can easilybe tested to see if it can detect the attack.Task 1: Sharing the Mac's Internet Connection
On the Mac, connect to a Wi-Fi network.In the top right of the Mac desktop,click the magnifying glass. In thesearch box, type terminal
Double-click Terminal,as shown below.
In the Terminal window, execute thiscommand:
ifconfig
You see a list of all the networkinterfaces on your machine, as shownbelow. Your listwill probably be shorter than the onebelow, but it will depend on howmany networking apps you have installedon your Mac. Notice that you don't haveany interfaces named 'bridge'.On the top left of the Mac desktop, click theApple, 'System Preferences'.
In System Preferences, click Bluetooth.
If Bluetooth is off, turn it on,as shown below.
In System Preferences, at the upper left,click the little rectangular icon made ofdots, as outlined in green in the imageabove.
In System Preferences, click Sharing.
On the left side, click the words (not thecheck box) 'Internet Sharing'.
On the right side, in the'Share your connection from' list, selectWi-Fi.
In the 'To computer using' list, check'Bluetooth PAN', as shown below.
On the left side, click the check box next to'Internet Sharing'. In the 'Are you sure...?' box,click Start.
In the Terminal window, execute thiscommand:
ifconfig
A new network interface appears inthe list with a name starting with'bridge'. This is the interface themobile device will use.In my case the name wasbridge0, as shown below.
Make a note of your bridge interface name.You will need it later, when youconfigure the 'pf' firewall.
TroubleshootingThe Sharing panel makes it look like you couldshare any type of network connection overany other sort of connection, but that's nottrue. There are nasty bugs here, and strangechanges Apple makes in updates that surprisepeople.When I used OS X 10.9, I was able to share aniPhone USB connection to computers using Wi-Fi,but that option was removed in OS X 10.10. If you try some other combination than Wi-Fito Bluetooth, you may have problems. |
Testing the Shared Internet Connection
On your mobile device, turn off Wi-Fi andCellular data. The images below showhow to do that on an iPad:On the mobile device, turn on Bluetooth.Click the name of your Mac computer.
On your Mac, a box pops up. Click Pair.
The portable device should now show that itis 'Connected' to the Mac, as shown below.
On your portable device, open a Webbrowser and go to a website, such asaol.com
The page should load, although it may be slow.
At this point, the Mac is in the middle--allInternet traffic from the mobile device passesthrough it. All that remains is to configureBurp and pf on the Mac to intercept andexamine that traffic.
Task 2: Install Java
Burp requires Java, so you must makesure Java is installed.On the Mac, open a Web browser and go tojava.com
Click 'Do I have Java?',as shown below.
On the next page, click the'Verify Java Version' button.
If you see a 'Java blocked for this website'message, as shown below, click that message,and click Trust. Then click Run.
You should see the 'Congratulations!' messageshown below. If you don't, follow the instructionson the page to download and install Java.
Task 3: Start a Burp Transparent Proxy
At the upper right of the Mac desktop,click the magnifying glass icon,as shown below.In the search box, typeburpsuite. If Burp isalready on your Mac, it will be found,as shown below.
If you don't have Burp, open a Web browser,go to
and download the free version. Then repeatthe search.
In the search box, double-clickburpsuite_free.
If a box appears saying 'Are you sure...',as shown below, click Open.
TroubleshootingIf error messages appear, saying you cannotrun software from unknown sources, open'System Preferences', click'Security & Privacy', andconfigure your Mac to Allow apps downloadedfrom Anywhere,as shown below. |
If the Intercept button reads'Intercept is on', click it,so the message reads'Intercept is off',as shown below.
Click the Options sub-tab.At the top, in the 'Proxy Listeners'section, see if there are any entrieson the box shown to the right.
If there are, click each entry tohighlight it, and then clickRemove to remove them all,as shown below.
In Burp,Aat the top, in the 'Proxy Listeners'section, click the Add button.
On the Binding tab,enter a 'Bind to port' of 8080
Click the 'All interfaces'button,as shown below.
Click the 'Request handling'tab.
Click the 'Support invisible proxying'box,as shown below.
At the lower right of the box, clickOK. A box pops up,asking 'Are you sure...?'. ClickYes.
Burp should now show a Listeneron '*:8080' with the Invisible boxchecked,as shown below.
On the line showing '*:8080', clickthe Running check box twice tocheck it,as shown below.
Task 4: Forward Traffic to the Proxy with pf
Burp is now ready to gather trafficon port 8080 and forward it to theInternet.However, the mobile device doesn'tknow it should be sending traffic tothe proxy server, so Burp won'tever see it.It is possible to configure the mobiledevice to use a proxy, but not all appswill respect that setting. Some appswill just send traffic past the proxy,defeating our goal of auditing thenetwork traffic. A much better way toaudit apps is to use the Mac firewall'pf' to send all traffic from theBluetooth adapter through the proxy,so the mobile device won't know it'susing a proxy.
To use the 'pf' firewall, we needto create two files: 'pf.rules' and'pf.conf'. For our purposes thesefiles can be very simple.
In the Terminal window, execute thesecommands.
cd
pwd
Proxy (justness) Mac Os 11
In my case, the directory was/Users/sambowne
Your directory will be different.
In the Terminal window, execute thiscommand:
nano pf.rules
The 'nano' text editor opens.In nano, type this line, as shown below.If your interface was namedsomething other than 'bridge0',edit this line to use the correctinterface name.This rule redirects all TCP traffic fromthe Bluetooth connection to Burp,at 127.0.0.1:8080.
rdr pass on bridge0 inet proto tcp from any to any port 1:65535 -> 127.0.0.1 port 8080
Press Ctrl+X, Y, Enter to savethe file.
In the Terminal window, execute thiscommand:
nano pf.conf
The 'nano' text editor opens.In nano, type the twolines shown below.In the second line, change/Users/sambowne to thecorrect directory you found above.
This configuration file tellspf where to find the rules file.
Proxy (justness) Mac Os X
rdr-anchor 'forwarding'
load anchor 'forwarding' from '/Users/sambowne/pf.rules'
Press Ctrl+X, Y, Enter to savethe file.
The next step is to test the files.
In the Terminal window, execute thiscommand:
sudo pfctl -vnf pf.conf
Enter your password when you areprompted to.If your files are correct,you'll see a 'Loading anchor forwarding...'message, followed by the line beginningwith 'rdr pass on bridge',as shown below.
If there are errors in your files,you'll see error messages here.If that happens, use nano to editthe files and correct the errors.
When your files pass this test withouterrors, execute this command tostart pf:
sudo pfctl -evf pf.conf
You should see several messagesbut no errors,as shown below.Task 5: Testing the Proxy
On your mobile device, in the Webbrowser, go toattack.samsclass.infoThe page should load,as shown below.
On your Mac, in Burp, click the'HTTP History' sub-tab.
You should see traffic tohttp://attack.samsclass.info,as shown below.
Burp is now intercepting and examiningyour mobile device's Internettraffic.There's no way for your mobiledevice to detect this man-in-the-middleattack for the HTTP protocol, which isone of the reasons it's an insecureprotocol.However, Burp won't be ableto get away with that with a properly-implementedHTTPS protocol.
On your mobile device, in the browser,go to samsclass.info --this is a secure page.
You should see a 'Cannot Verify Server Identity'message, as shown below.
Click Details.
A 'Certificate' box opens, showing thatthis certificate was 'Issued by PortSwigger CA',as shown below.
PortSwigger is the company that madeBurp, and Burp is creating fakecertificates for every website andsigning them. Thebrowser on your mobile device is correctlynotifying you that PortSwigger isnot a trusted CA, indicating thata possibleman-in-the-middle attack is in progress,
Sources
Dev tip: Port forwarding/redirecting (internally) on OS X MavericksPosted 6-9-15 by Sam BowneOS X v10.5.1 and later include an application firewall you can use to control connections on a per-application basis (rather than a per-port basis). This makes it easier to gain the benefits of firewall protection, and helps prevent undesirable apps from taking control of network ports open for legitimate apps.
Configuring the application firewall in OS X v10.6 and later
Use these steps to enable the application firewall:
- Choose System Preferences from the Apple menu.
- Click Security or Security & Privacy.
- Click the Firewall tab.
- Unlock the pane by clicking the lock in the lower-left corner and enter the administrator username and password.
- Click 'Turn On Firewall' or 'Start' to enable the firewall.
- Click Advanced to customize the firewall configuration.
Configuring the Application Firewall in Mac OS X v10.5
Make sure you have updated to Mac OS X v10.5.1 or later. Then, use these steps to enable the application firewall:
- Choose System Preferences from the Apple menu.
- Click Security.
- Click the Firewall tab.
- Choose what mode you would like the firewall to use.
Advanced settings
Block all incoming connections
Selecting the option to 'Block all incoming connections' prevents all sharing services, such as File Sharing and Screen Sharing from receiving incoming connections. The system services that are still allowed to receive incoming connections are:
- configd, which implements DHCP and other network configuration services
- mDNSResponder, which implements Bonjour
- racoon, which implements IPSec
To use sharing services, make sure 'Block all incoming connections' is deselected.
Allowing specific applications
To allow a specific app to receive incoming connections, add it using Firewall Options:
- Open System Preferences.
- Click the Security or Security & Privacy icon.
- Select the Firewall tab.
- Click the lock icon in the preference pane, then enter an administrator name and password.
- Click the Firewall Options button
- Click the Add Application (+) button.
- Select the app you want to allow incoming connection privileges for.
- Click Add.
- Click OK.
You can also remove any apps listed here that you no longer want to allow by clicking the Remove App (-) button.
Automatically allow signed software to receive incoming connections
Applications that are signed by a valid certificate authority are automatically added to the list of allowed apps, rather than prompting the user to authorize them. Apps included in OS X are signed by Apple and are allowed to receive incoming connections when this setting is enabled. For example, since iTunes is already signed by Apple, it is automatically allowed to receive incoming connections through the firewall.
If you run an unsigned app that is not listed in the firewall list, a dialog appears with options to Allow or Deny connections for the app. If you choose Allow, OS X signs the application and automatically adds it to the firewall list. If you choose Deny, OS X adds it to the list but denies incoming connections intended for this app.
If you want to deny a digitally signed application, you should first add it to the list and then explicitly deny it.
Some apps check their own integrity when they are opened without using code signing. If the firewall recognizes such an app it doesn't sign it. Instead, it the 'Allow or Deny' dialog appears every time the app is opened. This can be avoided by upgrading to a version of the app that is signed by its developer.
Enable stealth mode
Enabling stealth mode prevents the computer from responding to probing requests. The computer still answers incoming requests for authorized apps. Unexpected requests, such as ICMP (ping) are ignored.
Firewall limitations
The application firewall is designed to work with Internet protocols most commonly used by applications – TCP and UDP. Firewall settings do not affect AppleTalk connections. The firewall may be set to block incoming ICMP 'pings' by enabling Stealth Mode in Advanced Settings. Earlier ipfw technology is still accessible from the command line (in Terminal) and the application firewall does not overrule any rules set using ipfw. If ipfw blocks an incoming packet, the application firewall does not process it.