Man-in-the-Middle Example
Setup #
In order to have a website to send traffic to while staying within the law, I found the easiest way was to use a service called Railway to deploy your own instance of OWASP Juice Shop. OWASP Juice Shop is an intentionally vulnerable web application that is open source and free to use for learning.
To deploy this application, visit the link here. You will need to log in in order to deploy it, and this does require you to link your GitHub account to Railway.
Wait a few minutes after linking your account, or you may get an “Unable to locate Team” message in the next step.
After logging in, deploying the application is as simple as clicking the deploy button on the template page.
It may take a few minutes for the deployment to complete, but when it does, you’ll see a node in the middle of the screen like this:
Selecting the node will open a side pane on the right of the screen containing information about the deployment.
Note down the URL on the screen; you will need it later.
Your website to test with is now deployed and protected with TLS encryption.
Encrypted Traffic Interception #
In order to make our lives easier in Wireshark later, open a terminal and use the ping command to get the IP address of the website. Note that you have to remove the “https://” and the trailing slash ("/") from the URL.
ping juice-shop-production-bbcc.up.railway.app
Once you see successful replies like the ones below, you can press Ctrl + C to quit the command.
Note down the IP address that follows “bytes from”. For example, in “64 bytes from 66.33.22.52” the IP address is 66.33.22.52.
You can now open Wireshark. If Wireshark is not installed, you can install it using:
# Install it
sudo apt install -y wireshark
# Then run it
sudo wireshark
Double-click the network adapter that corresponds to your VM. Note that this is usually the top entry in the list.
You may start to see traffic in the window if your machine is performing background actions.
We’ll want to apply a filter so we only see traffic to and from our test website. This is why we collected the IP address. In the “Apply a display filter” field, paste the following filter:
ip.dst_host==<ip address you collected> || ip.src_host==<ip address you collected>
# For example, this is my filter:
ip.dst_host==66.33.22.52 || ip.src_host==66.33.22.52
Press Enter and all the traffic currently shown should disappear.
Now open the web browser and visit the website we deployed.
Note that if this is the first time you’ve opened Firefox on the lab virtual machine I provided, you will need to turn off FoxyProxy, a browser extension used to route traffic through a proxy. To do so, click the extension icon in the top right and click disabled instead of http. Click outside the extension to close it.
You’ll start to see traffic flow through Wireshark as you navigate around the site; however, if you click into the captured packets, you won’t be able to see any of the data.
This is because the data is encrypted using TLS, and the server is authenticated by a certificate issued through a public key infrastructure (PKI).
You can now close Wireshark as we are done in the tool.
You can also close the web browser.
Decrypting Traffic with Burp Suite #
Burp Suite is a powerful web proxy often used for penetration testing of web applications. I’ve preinstalled it on your lab virtual machine. If you are using your own machine, you’ll need to install it from their website.
Open Burp Suite.
On your first launch, it may ask if you want to provide telemetry data. You can uncheck that box, but you do need to click I Agree on the terms of service.
On the Welcome to Burp Suite page, you can select “Temporary Project in Memory” and then click Next.
Select “Use Burp Defaults” and then click Start Burp.
Once it loads, navigate to the Proxy tab at the top of the screen, then select HTTP history.
You can now open your web browser.
In the top right corner of the window is an extension called “FoxyProxy” (if you’re on the lab virtual machine I provided). Click it and ensure http is selected. Clicking outside the extension will close the extension settings.
Now when you try to navigate to the test website, you’ll get stopped with a certificate error:
This is because Burp Suite is intercepting the traffic, decrypting it and inserting its own certificate into the chain. Firefox by default does not trust this certificate. This is a good thing for the average user, because it forces them to go through extra effort before visiting a website whose certificate cannot be verified.
In order to get Firefox to trust the certificate, we’ll need to import Burp’s CA certificate into the browser. We can download it by visiting http://burpsuite in the proxied browser.
Clicking CA Certificate in the top right corner will download a file called ‘cacert.der’.
We can then open Firefox settings and navigate to Privacy and Security.
On that page, scroll down until you reach Certificates, and then click View Certificates. Under the Authorities tab, click Import.
Select cacert.der from the Downloads folder.
Check the box for “Trust this CA to identify websites” and click OK.
Click OK again and you can close the settings tab.
Now when you go back to the tab with the Juice Shop web page, it will load normally.
Inside Burp Suite, you will also now see all traffic to the site in plaintext.
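The check Firefox performs here can be written out in a few lines. The script below is an added example, not part of the lab materials or of Burp Suite: it looks at the leaf certificate a TLS server presents and flags the signs of an intercepting proxy, namely an issuer organization you do not expect and a certificate name that does not match the host. The two certificate dictionaries and every organization name in them are constructed for the example, and the set of expected issuer organizations is an assumption you would fill in for your own site.

```python
import socket
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output for a leaf
# certificate minted by an intercepting proxy (all values are made up).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "juice-shop-production-bbcc.up.railway.app"),),),
    "issuer": ((("organizationName", "Example Interception Proxy"),),
               (("commonName", "Example Proxy CA"),)),
    "subjectAltName": (("DNS", "juice-shop-production-bbcc.up.railway.app"),),
}
# Constructed sample of the kind of certificate a hosting provider would serve.
EXPECTED_CERT = {
    "subject": ((("commonName", "*.up.railway.app"),),),
    "issuer": ((("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R1"),)),
    "subjectAltName": (("DNS", "*.up.railway.app"),),
}

def _name_to_dict(name):
    """Flatten getpeercert()'s tuple-of-RDNs structure into {attribute: value}."""
    return {attr: value for rdn in name for attr, value in rdn}

def _san_matches(san, host):
    """Exact match, or a one-label wildcard such as *.up.railway.app."""
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def interception_indicators(cert, host, expected_issuer_orgs):
    """Return reasons the leaf certificate looks proxy-generated (empty list = clean)."""
    issuer = _name_to_dict(cert.get("issuer", ()))
    findings = []
    org = issuer.get("organizationName")
    if org not in expected_issuer_orgs:
        findings.append(f"issuer organization {org!r} is not one we expect for {host}")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_san_matches(s, host) for s in sans):
        findings.append(f"{host} does not match subjectAltName {sans}")
    return findings

def check_live(host, expected_issuer_orgs, port=443, timeout=10):
    """Connect using the system trust store and assess the certificate actually served."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return interception_indicators(tls.getpeercert(), host, expected_issuer_orgs)
    except ssl.SSLCertVerificationError as exc:
        # An untrusted chain is itself a sign that something sits between us and the server.
        return [f"chain not trusted by the system store: {exc.verify_message}"]
```

With Burp's CA imported only into Firefox, `check_live` from the same machine will report an untrusted chain when the proxy is in the path, because Python uses the system trust store rather than Firefox's; import the CA system-wide and the issuer check catches it instead.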
With this access, you’d be able to intercept and even alter traffic going to the remote web server.