@av-gantimurov
Last active March 14, 2023 09:06
Steps to configure mitmproxy for SSL interception in malware analysis

Mitmproxy

Download and install

wget https://snapshots.mitmproxy.org/5.0.1/mitmproxy-5.0.1-linux.tar.gz --output-document=mitmproxy.tgz
sudo tar -xzvf mitmproxy.tgz -C /usr/local/bin/

Configure

Generate certs

mkdir -p /var/lib/mitmproxy/certs
cd /var/lib/mitmproxy/certs
openssl req -nodes -days 3650 -new -x509 -newkey rsa:2048 -keyout mitmproxy-ca-key.pem -out mitmproxy-ca-cert.pem -subj "/C=US/ST=California/L=Berkeley/O=DigiCert Inc/OU=DigiCert Inc Root CA/CN=www.digicert.com"
openssl pkcs12 -export -in mitmproxy-ca-cert.pem -inkey mitmproxy-ca-key.pem -name "Root Cert" -out mitmproxy-ca-cert.p12
cat mitmproxy-ca-cert.pem mitmproxy-ca-key.pem > mitmproxy-ca.pem
cp mitmproxy-ca-cert.pem mitmproxy-ca-cert.cer

Mitmdump as service

My config:

  • certs in /var/lib/mitmproxy/certs;
  • autostart via systemctl as a service;
  • write the TLS session key log (MITMPROXY_SSLKEYLOGFILE) to the shared directory /mnt/public, so captured traffic can be decrypted later;
  • extra logging to /var/log/mitm.log.
  1. Create mitmproxy config

    #cat /var/lib/mitmproxy/config.yaml
    # dir with certificates
    confdir: /var/lib/mitmproxy/certs
    # pass the client's Host header through to inetsim unchanged
    keep_host_header: true
    # listen on the default HTTPS port
    listen_port: 443
    # NB! change <server> to your http server address
    mode: reverse:http://<server>:80
    # extra details (full header and content) in console log
    flow_detail: 3
  2. Create systemctl config

    #cat  /lib/systemd/system/mitmdump.service
    [Unit]
    Description=mitmdump service
    Requires=inetsim.service
    After=inetsim.service
    
    [Service]
    StandardOutput=syslog
    StandardError=syslog
    SyslogIdentifier=mitmdump
    Environment=MITMPROXY_SSLKEYLOGFILE=/mnt/public/ssl-keys.log
    Type=simple
    User=root
    ExecStart=/usr/local/bin/mitmdump --set confdir=/var/lib/mitmproxy
    Restart=always
    RestartSec=1
    
    [Install]
    WantedBy=multi-user.target
  3. Create rsyslog config

    #cat /etc/rsyslog.d/mitmdump.conf
    if $programname == 'mitmdump' then /var/log/mitm.log
    & stop
    
  4. Reload configuration and run

    systemctl daemon-reload
    systemctl enable mitmdump.service
    systemctl start mitmdump.service
    systemctl restart rsyslog
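The key log that step 2 writes to /mnt/public/ssl-keys.log is in the NSS key log format Wireshark reads. As an added example (not part of this gist), a small checker that validates a copy of that log before it is handed to an analyst: it reports malformed lines (for instance a line truncated because the file was copied while mitmdump was still writing) and which TLS sessions actually have enough material to decrypt. The sample log in the block is constructed, not from a real run.

```python
import re

# NSS key log format, as written by MITMPROXY_SSLKEYLOGFILE and read by Wireshark: TLS <= 1.2
# logs one master secret per session; TLS 1.3 logs several traffic secrets per client random.
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
KNOWN_LABELS = TLS13_LABELS | {"CLIENT_RANDOM"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(line_no, problem), ...])."""
    sessions, bad = {}, []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        parts = line.split()
        if len(parts) != 3:
            bad.append((line_no, "expected 3 fields"))
        elif parts[0] not in KNOWN_LABELS:
            bad.append((line_no, "unknown label %s" % parts[0]))
        elif not (len(parts[1]) == 64 and HEX.match(parts[1])):
            bad.append((line_no, "client random is not 32 hex bytes"))
        elif not (HEX.match(parts[2]) and len(parts[2]) % 2 == 0):
            bad.append((line_no, "secret is not valid hex"))
        elif parts[0] == "CLIENT_RANDOM" and len(parts[2]) != 96:
            bad.append((line_no, "TLS 1.2 master secret must be 48 bytes"))
        else:
            sessions.setdefault(parts[1].lower(), {})[parts[0]] = parts[2].lower()
    return sessions, bad

def decryptable_sessions(sessions):
    """Client randoms Wireshark can decrypt: TLS 1.2 master secret, or both TLS 1.3 app secrets."""
    return sorted(
        cr for cr, labels in sessions.items()
        if "CLIENT_RANDOM" in labels
        or {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= set(labels)
    )

# Constructed sample (not a real capture): a complete TLS 1.2 session, a TLS 1.3
# session missing its server traffic secret, and a line truncated mid-write.
CR1, CR2 = "11" * 32, "22" * 32
SAMPLE_KEYLOG = "\n".join([
    "CLIENT_RANDOM %s %s" % (CR1, "aa" * 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET %s %s" % (CR2, "bb" * 32),
    "CLIENT_TRAFFIC_SECRET_0 %s %s" % (CR2, "cc" * 32),
    "CLIENT_RANDOM %s %s" % ("33" * 32, "dd" * 20),
])
```

Run `parse_keylog(open("/mnt/public/ssl-keys.log").read())` on the real file; a non-empty `bad` list or a session missing from `decryptable_sessions` explains a pcap Wireshark refuses to decrypt.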

Run

Run mitmdump once in the foreground (same settings as the service):

MITMPROXY_SSLKEYLOGFILE="./ssl.log" mitmdump --listen-port 443 --set confdir=<certsdir> --set keep_host_header --mode reverse:http://<server>:80

Run as a service:

systemctl start mitmdump.service