Recently I tried my hand at security testing client-side active content such as Flash, ActiveX and Java Applet based applications. My usual tools, Paros Proxy, Burp Suite and the like, failed right away: they cannot intercept binary protocol traffic (for example, Applet client-server communication typically uses Java Object Serialization rather than standard HTTP).
Burp has a plugin, Belch, which can intercept binary protocols such as those used by Applets, but I wanted something more powerful and extensible that I could use for different types of protocols, and something that will hopefully be extended with more features and options over time.
After long hours of Googling and reading, I came across Mallory (Alice, Mallory, Bob – remember?) from Intrepidusgroup.
My initial reaction was “It's too complicated”, and yes, it is when compared to a Burp or Paros setup. But I had to try it out, and so I did!
In this post, I will explain how to set up Mallory using the VMware images to intercept and alter traffic. You can download the VMware images from the Mallory website. The setup has three parts:
1. Network Interfaces setup
2. Updating Mallory & Setup
3. Starting Mallory and Intercepting traffic
In this example there are two VMware machines (you can use the Mallory VMware image for both), as follows:
1. The first VMware machine acts as the victim's machine. Its default gateway is set to the second VMware machine's IP address. We will refer to this machine as “Alice's machine”.
2. The second VMware machine actually runs Mallory and intercepts the traffic. It is configured with two network interfaces: one receives traffic from the victim's machine and the other forwards it on to its destination, i.e. the internet. We will refer to this as “Mallory's machine”.
1. Network Interfaces setup
Here is how the interfaces file (/etc/network/interfaces on Debian-based systems) looks for Alice's machine. Note that the address must be on the same subnet as Mallory's receiving interface, and the gateway must be that interface's address:
auto lo
iface lo inet loopback
auto eth1
iface eth1 inet static
address 192.168.157.130
netmask 255.255.255.0
network 192.168.157.0
broadcast 192.168.157.255
# Gateway is set to Mallory's machine IP address
gateway 192.168.157.129
You also need to add a DNS name server entry to the /etc/resolv.conf file so that Alice's machine can resolve DNS names. Google's public DNS will do the job:
nameserver 8.8.8.8
And here is the interfaces file for Mallory's machine:
# The loopback network interface
auto lo
iface lo inet loopback
# This NIC will be forwarding traffic on to its destination
auto eth2
iface eth2 inet dhcp
# This NIC will be receiving traffic from the victim's machine
auto eth3
iface eth3 inet static
address 192.168.157.129
netmask 255.255.255.0
network 192.168.157.0
broadcast 192.168.157.255
2. Updating Mallory & Setup
These steps are performed only on Mallory's machine.
1. Follow the Mallory Minimal Guide up to the section on meeting the GUI dependencies.
2. Download and run the Mallory update script, which updates the Mallory scripts.
This completes the configuration. Ping Mallory's machine from Alice's machine to make sure they can see each other.
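Beyond the ping test, the following Python script is an added sanity check written for this post's setup (not part of Mallory): it parses the two interfaces files above, in ifupdown format, and verifies that Alice's gateway really is the static address of Mallory's MiTM NIC and that both sit on the same subnet. The interface names eth1 and eth3 are the ones used in this post; the config text is embedded inline as constructed sample input, and a mistyped address is reported rather than silently accepted.

```python
import ipaddress
# Constructed inline copies of the two interfaces files from this post (embedded so
# the check runs offline; on a real box you would read /etc/network/interfaces).
ALICE_INTERFACES = """\
iface eth1 inet static
address 192.168.157.130
netmask 255.255.255.0
# Gateway is set to Mallory's machine IP address
gateway 192.168.157.129
"""
MALLORY_INTERFACES = """\
iface eth2 inet dhcp
iface eth3 inet static
address 192.168.157.129
netmask 255.255.255.0
"""

def parse_interfaces(text):
    """Return {iface: {option: value}} for each 'iface' stanza of an ifupdown file."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":
            current = parts[1]
            stanzas[current] = {"family": parts[2], "method": parts[3]}
        elif parts[0] in ("auto", "allow-hotplug", "source"):
            current = None  # these keywords end the current stanza
        elif current is not None:
            stanzas[current][parts[0]] = " ".join(parts[1:])
    return stanzas

def check_topology(alice_text, mallory_text, victim_if="eth1", mitm_if="eth3"):
    """Return a list of problems; empty means Alice's gateway is Mallory's MiTM NIC."""
    alice = parse_interfaces(alice_text).get(victim_if, {})
    mallory = parse_interfaces(mallory_text).get(mitm_if, {})
    try:  # a typo such as 1892.168.157.130 fails here instead of being accepted
        victim = ipaddress.ip_interface(f"{alice['address']}/{alice['netmask']}")
        mitm = ipaddress.ip_interface(f"{mallory['address']}/{mallory['netmask']}")
        gateway = ipaddress.ip_address(alice["gateway"])
    except (KeyError, ValueError) as exc:
        return [f"cannot parse interface config: {exc}"]
    problems = []
    if gateway != mitm.ip:
        problems.append(f"gateway {gateway} is not Mallory's {mitm_if} address {mitm.ip}")
    if victim.network != mitm.network:
        problems.append(f"{victim} and {mitm} are on different subnets")
    return problems
```

Run `check_topology(ALICE_INTERFACES, MALLORY_INTERFACES)` after editing the inline text to match your own files; an empty list means the two machines are wired the way the post expects.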
3. Starting Mallory and Intercepting traffic
1. Open a new terminal (Ctrl+Alt+T).
2. Browse to /home/mallory/mallory/current/src.
3. Run sudo python mallory.py.
4. If your logs look like the ones in the screenshot below, Mallory has started properly.
Next, start the Mallory GUI:
1. Open a new terminal (Ctrl+Alt+T).
2. Browse to /home/mallory/mallory/current/src.
3. Run sudo python launchgui.py and you should see the screen below.
4. On the screen shown above, you have to select which interface will be used for MiTM purposes and which will be used for forwarding traffic on to its destination. Select eth3 for MiTM and eth2 as the outbound interface (this is how we configured our interfaces in step 1). Don't click Apply Configuration yet!
5. The rules (defined under the Rules tab) determine what type of traffic is intercepted. By default there is a rule called “Debug All”, and I recommend you start with this default rule. If you can't find it, define one as per the screenshot below and click Apply Configuration.
6. Go to the Streams tab and click Intercept.
7. All set! Open Firefox on Alice's machine, visit Google.com, and you should see the traffic entries in the Streams tab.
At this point, try accessing your Flash or Applet application, an FTP server, or any other protocol with some sort of client-server communication, and you will be able to see the traffic.
Going through Mallory’s setup process is well worth the effort. I am hoping that it will be developed further.