@Sharpie
Last active February 5, 2025 12:39
Inspecting Puppet Traffic with MITMProxy

This is an example of using MITM Proxy to inspect HTTPS traffic between services.

Setup

Install Python 3, then use Pip to install the latest MITM Proxy package:

pip3 install mitmproxy

Distros may have mitmproxy packages that provide an older version but are usable in cases where pip install runs into dependency issues.

Create a user account for running the proxy. Using a dedicated user provides options for re-routing traffic via firewall rules:

useradd --create-home mitmproxy

Create a bundle containing the TLS private key and certificate that the proxy should use:

cat $(puppet config print hostprivkey) $(puppet config print hostcert) >/home/mitmproxy/cert_bundle.pem
chown -R mitmproxy /home/mitmproxy

Run the proxy server in the background. Intercepted traffic will arrive on port 9000, and port 9080 is used to connect via a web browser to view results:

systemd-run --uid mitmproxy -- /usr/local/bin/mitmweb \
  --certs /home/mitmproxy/cert_bundle.pem  \
  --set client_certs=/home/mitmproxy/cert_bundle.pem \
  --ssl-insecure \
  --mode transparent \
  --listen-port 9000 --web-host 0.0.0.0 --web-port 9080

(mitmweb can be swapped for the mitmproxy command, which provides a TUI instead of a web interface. The mitmdump command records traffic in a non-interactive manner.)

Due to an excess of paranoia around DNS rebinding attacks, the web UI must be accessed using the IP address of the host:

http://<IP address>:9080

Intercepting Traffic

Intercept all HTTPS traffic going to a particular port:

iptables -t nat -A OUTPUT --match owner ! --uid-owner mitmproxy -p tcp --dport 8081 -j REDIRECT --to-port 9000

Intercept all HTTPS traffic generated by Puppet Server:

iptables -t nat -A OUTPUT --match owner --uid-owner puppet -p tcp -j REDIRECT --to-port 9000

Intercept all traffic (firehose):

iptables -t nat -A OUTPUT --match owner ! --uid-owner mitmproxy -p tcp -j REDIRECT --to-port 9000

The above interceptions can be removed by re-running the same commands with -D OUTPUT in place of -A OUTPUT.
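The three rules above differ only in their match clause, and adding one twice leaves duplicate entries in the nat table that a single -D does not clear. The following helper is an added example (not part of the gist) that builds the rule specification for each interception mode, checks with iptables -C before appending so that repeated runs are idempotent, and removes the rule with the same specification it added. The PROXY_USER and PROXY_PORT defaults and the mode names (port, puppet, all) are this example's own choices; the rule bodies are those from the gist.

```shell
#!/bin/sh
# Added helper for the iptables interception rules above (not part of the gist).
# Usage:  . ./intercept.sh; intercept add puppet
#         intercept add port 8081
#         intercept remove all
PROXY_USER="${PROXY_USER:-mitmproxy}"   # user the proxy runs as (from the gist)
PROXY_PORT="${PROXY_PORT:-9000}"        # port mitmweb listens on (from the gist)

# rule_spec MODE [PORT]: print the rule body (everything after "-A OUTPUT").
# The same body is used for -A, -C and -D so add/check/remove stay in sync.
rule_spec() {
    mode="$1"; port="$2"
    case "$mode" in
        port)   # one destination port, excluding the proxy's own outbound connections
            [ -n "$port" ] || { echo "port mode needs a PORT argument" >&2; return 2; }
            echo "--match owner ! --uid-owner $PROXY_USER -p tcp --dport $port -j REDIRECT --to-port $PROXY_PORT" ;;
        puppet) # everything Puppet Server originates
            echo "--match owner --uid-owner puppet -p tcp -j REDIRECT --to-port $PROXY_PORT" ;;
        all)    # firehose
            echo "--match owner ! --uid-owner $PROXY_USER -p tcp -j REDIRECT --to-port $PROXY_PORT" ;;
        *)      echo "unknown mode: $mode (expected port|puppet|all)" >&2; return 2 ;;
    esac
}

# intercept add|remove|status MODE [PORT]
intercept() {
    action="$1"
    spec=$(rule_spec "$2" "$3") || return 2
    # $spec is deliberately unquoted: iptables needs it split into arguments.
    case "$action" in
        add)
            # -C exits 0 when an identical rule already exists, so 'add' is a no-op
            # the second time instead of stacking a duplicate rule.
            if iptables -t nat -C OUTPUT $spec 2>/dev/null; then
                echo "already present: $spec"
            else
                iptables -t nat -A OUTPUT $spec
            fi ;;
        remove)
            iptables -t nat -D OUTPUT $spec ;;
        status)
            if iptables -t nat -C OUTPUT $spec 2>/dev/null; then echo active; else echo inactive; fi ;;
        *)
            echo "usage: intercept add|remove|status port|puppet|all [PORT]" >&2; return 2 ;;
    esac
}

# Only dispatch when run as a script with arguments; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then intercept "$@"; fi
```

Because the owner match is evaluated per packet in the OUTPUT chain, the rule must exclude the mitmproxy user in the "port" and "all" modes; otherwise the proxy's own upstream connections would be redirected back to itself.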

Further Reading

See the MITM Proxy docs:

https://docs.mitmproxy.org/stable/

Particularly, the section on filter expressions for intercepting (pausing) requests:

https://docs.mitmproxy.org/stable/concepts-filters/

And, the section on using Python to programmatically interact with intercepted traffic:

https://docs.mitmproxy.org/stable/addons-overview/
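As an added example of the addon mechanism (this is not code from the gist or from mitmproxy), the script below summarises Puppet agent and CA API calls as they pass through the proxy: which endpoint was hit, for which certname or file path, in which environment, and with what status and response size, plus a per-endpoint tally when the proxy exits. It uses mitmproxy's documented response() and done() hooks and the request/response attributes of an HTTPFlow; the regex for Puppet's /puppet/v3/... and /puppet-ca/v1/... URL layout is this example's own assumption, and the file name puppet_summary.py is arbitrary. The parsing lives in a plain function so it can be exercised without mitmproxy installed.

```python
"""Added mitmproxy addon example (not part of the gist): summarise Puppet API traffic.

Load it alongside the proxy from the setup section:
    mitmweb ... -s puppet_summary.py
"""
import logging
import re
from collections import Counter

# Assumed layout of Puppet Server's agent and CA APIs:
#   /puppet/v3/<endpoint>/<key>?environment=<env>
#   /puppet-ca/v1/<endpoint>/<key>
# <key> is the certname for catalog/node/report calls and the first path
# segment for file_metadata/file_content calls.
PUPPET_PATH = re.compile(
    r"^/(?P<api>puppet|puppet-ca)/v\d+/(?P<endpoint>[^/?]+)(?:/(?P<key>[^/?]+))?"
)
ENV_PARAM = re.compile(r"[?&]environment=([^&]+)")


def summarize(method, path, status_code, content_type="", body_len=0):
    """Describe one Puppet request/response pair as a dict.

    Returns None for non-Puppet paths (e.g. /status/v1/simple) so callers can
    skip them. `path` is mitmproxy's Request.path, which includes the query string.
    """
    m = PUPPET_PATH.match(path)
    if not m:
        return None
    env = ENV_PARAM.search(path)
    return {
        "api": m.group("api"),
        "endpoint": m.group("endpoint"),
        "key": m.group("key") or "",
        "environment": env.group(1) if env else "",
        "method": method,
        "status": status_code,
        "content_type": content_type.split(";")[0].strip(),  # drop "; charset=..."
        "bytes": body_len,
    }


class PuppetTrafficSummary:
    """mitmproxy addon: response() runs once per completed flow, done() at shutdown."""

    def __init__(self):
        self.counts = Counter()  # (endpoint, status) -> number of calls

    def record(self, summary):
        """Tally one summarised call; separated from the hook so it is testable."""
        self.counts[(summary["endpoint"], summary["status"])] += 1
        return summary

    def response(self, flow):
        # flow is an http.HTTPFlow; the attributes below are mitmproxy's own.
        s = summarize(
            flow.request.method,
            flow.request.path,
            flow.response.status_code,
            flow.response.headers.get("content-type", ""),
            len(flow.response.content or b""),
        )
        if s is None:
            return
        self.record(s)
        logging.info(
            "puppet %(method)s %(api)s %(endpoint)s/%(key)s env=%(environment)s "
            "-> %(status)s %(content_type)s %(bytes)dB",
            s,
        )

    def done(self):
        # Per-endpoint tally, printed once when the proxy shuts down.
        for (endpoint, status), n in sorted(self.counts.items(), key=str):
            logging.info("summary: %s %s x%d", endpoint, status, n)


addons = [PuppetTrafficSummary()]
```

The log lines show up in the mitmweb event log (or on stdout for mitmdump), which is often enough to spot an agent repeatedly requesting catalogs for an unexpected environment or a CA endpoint returning errors, without opening each flow in the UI.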
