Intrepidus Group
Insight

Mallory and Me: Setting up a Mobile Mallory Gateway

Posted: December 15, 2010 – 8:48 pm | Author: | Filed under: Mobile Security, Tools

Over the past few months, we have put Mallory through its paces. Scores of mobile applications have had their network streams MiTMd by Mallory, and it has become one of a handful of important tools that we use on a daily basis. Because we use it so often, we sometimes forget that it can seem quite difficult to get up and running for the first time. Mallory is still actively developed, and improving the user experience from the initial code checkout through to “Mallorizing” traffic is a key goal for the project. Until then, this how-to guide should suffice to get Mallory up and running for your testing needs.

This guide explains how to get Mallory up and running on a netbook (I use an EeePC). I use a tethered Android device for the WAN connection, and have the MiTM victims connect to the netbook over its WiFi interface. I will also show how we use a tool called hostapd to make the EeePC look like an infrastructure-mode WiFi access point, as opposed to an ad-hoc WiFi network. With this guide, you should be able to set up a mobile Mallory gateway in no time.

Step Zero: The Gear

For this guide I will be using my EeePC 1000HE with Ubuntu 10.04 LTS installed on it as the reference design. Many netbook/OS/WiFi card combinations should work. I will also be using my Nexus One handset running CyanogenMod to provide the WAN connection. Feel free to leave comments below on your setup.

Step One: Downloading the dependencies.

The first step is to install the libraries and packages required to run Mallory. The apt-get commands below should pull down and install all dependencies hosted in Ubuntu’s repositories; you can copy and paste them into your terminal to download all the dependencies at once. (Note that the last two packages are used by pre-packaged Mallory plug-ins: paramiko is used to MiTM SSH connections, and imaging is used to manipulate images within an HTTP response.)

sudo apt-get install mercurial;
sudo apt-get install python-pyasn1;
sudo apt-get install python-netfilter;
sudo apt-get install libnetfilter-conntrack-dev;
sudo apt-get install python2.6-dev;
sudo apt-get install python-setuptools;
sudo easy_install pynetfilter_conntrack;
sudo apt-get install netfilter-extensions-source;
sudo apt-get install libnetfilter-conntrack3-dbg;
sudo apt-get install python-paramiko;
sudo apt-get install python-imaging;

You will also need to download and install the netfilter connection tracking package. We have tested Mallory with the version of the package listed below, and we recommend using that version until we can confirm that a more recent version of the package is compatible with Mallory.

If you are installing Mallory on a 32-bit system, you will need to download the following package:

#If you are installing Mallory on a 32 bit machine
wget http://ubuntu.cs.utah.edu/ubuntu/pool/universe/libn/libnetfilter-conntrack/libnetfilter-conntrack1_0.0.99-1_i386.deb
sudo dpkg -i libnetfilter-conntrack1_0.0.99-1_i386.deb
#endif

If you are installing Mallory on a 64-bit system, you will need to download the following package:

#if you are installing Mallory on a 64 bit machine
wget http://ubuntu.cs.utah.edu/ubuntu/pool/universe/libn/libnetfilter-conntrack/libnetfilter-conntrack1_0.0.99-1_amd64.deb
sudo dpkg -i libnetfilter-conntrack1_0.0.99-1_amd64.deb
#endif

Step Two: Downloading and Installing hostapd

Before we start pulling down the Mallory code base, it is helpful to take a step back and install and configure hostapd. This step is not required for Mallory to run as a mobile gateway (one can always set up an ad-hoc WiFi network). To install hostapd, run the following apt-get command:
sudo apt-get install hostapd

After installing hostapd, we need to set up its configuration file to get it up and running. The configuration file can be found at /etc/hostapd/hostapd.conf. Below is a sample of the configuration file I use; I only show the parameters that I changed, and all other parameters were kept at their defaults. Use your favorite editor to make the required changes.

# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
# management frames); ath0 for madwifi
interface=wlan0

# Driver interface type (hostap/wired/madwifi/prism54/test/none/nl80211/bsd);
# default: hostap). nl80211 is used with all Linux mac80211 drivers.
# Use driver=none if building hostapd as a standalone RADIUS server that does
# not control any wireless/wired driver.
driver=nl80211

# SSID to be used in IEEE 802.11 management frames
ssid=TestNet

# Static WEP key configuration
# The key number to use when transmitting.
# It must be between 0 and 3, and the corresponding key must be set.
wep_default_key=0

# The WEP keys to use.
wep_key0=AAAAA11111

Users with other WiFi cards or drivers might have to experiment with the “driver” and “interface” parameters. An Internet search for your specific card and driver should turn up a number of tutorials on getting hostapd running on your box. Again, please leave comments below with hostapd configuration settings for specific setups.
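As an added example (my own code, not part of hostapd, Mallory or the original post), here is a small Python parser for hostapd.conf with the sanity checks I would want before bringing the access point up: the required interface, driver and ssid parameters are present; the driver is one of the names listed in the configuration comment above (a misspelled driver name is exactly the kind of mistake reported in the comments below); wep_default_key points at a configured key of a valid length; and a reminder that static WEP gives the test network no real confidentiality. The embedded sample is the post’s own configuration; the function names, the accepted key lengths (5, 13 or 16 bytes, as hostapd’s config parser allows) and the warning text are my own.

```python
"""hostapd.conf parser and sanity checks (added example, not hostapd's or Mallory's code).

hostapd.conf is a flat key=value file; a line whose first non-blank character
is '#' is a comment. hostapd does not strip trailing comments, so neither do we.
"""
import re

# Driver names listed in the 'driver' comment of the stock hostapd.conf.
KNOWN_DRIVERS = {"hostap", "wired", "madwifi", "prism54", "test", "none", "nl80211", "bsd"}

# Constructed from the parameters shown in the post.
SAMPLE_HOSTAPD_CONF = """\
# AP netdevice name
interface=wlan0
# Driver interface type
driver=nl80211
# SSID to be used in IEEE 802.11 management frames
ssid=TestNet
wep_default_key=0
wep_key0=AAAAA11111
"""


def parse_hostapd_conf(text):
    """Return the key=value pairs as a dict; later duplicates overwrite earlier ones."""
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected key=value, got %r" % (lineno, raw))
        key, value = line.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def wep_key_is_well_formed(value):
    """A quoted value is an ASCII key, an unquoted one is hex; the key must be 5, 13 or 16 bytes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return len(value) - 2 in (5, 13, 16)
    return re.match(r"^[0-9A-Fa-f]+$", value) is not None and len(value) in (10, 26, 32)


def check_hostapd_conf(config):
    """Return a list of warnings a tester should read before starting hostapd."""
    warnings = []
    for key in ("interface", "driver", "ssid"):
        if key not in config:
            warnings.append("missing required parameter '%s'" % key)
    driver = config.get("driver")
    if driver is not None and driver not in KNOWN_DRIVERS:
        warnings.append("unknown driver '%s' (mac80211 cards use nl80211)" % driver)

    wep_keys = sorted(k for k in config if re.match(r"^wep_key[0-3]$", k))
    if wep_keys:
        default = config.get("wep_default_key")
        if default is None or "wep_key" + default not in config:
            warnings.append("wep_default_key does not point at a configured wep_keyN")
        for k in wep_keys:
            if not wep_key_is_well_formed(config[k]):
                warnings.append("%s is neither a quoted ASCII key nor 10/26/32 hex digits" % k)
        warnings.append("static WEP is in use: it gives the test network no real "
                        "confidentiality, so keep this AP on an isolated lab network")
    elif "wpa" not in config:
        warnings.append("no WEP or WPA configured: the access point is open")
    return warnings


if __name__ == "__main__":
    cfg = parse_hostapd_conf(SAMPLE_HOSTAPD_CONF)
    for w in check_hostapd_conf(cfg):
        print("WARNING: " + w)
```

Run it against your real file with `parse_hostapd_conf(open("/etc/hostapd/hostapd.conf").read())`; a driver typo shows up here as an “unknown driver” warning instead of as a cryptic hostapd start-up failure in the middle of the gateway script.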

Step Three: Getting Mallory

Now that we have Mercurial installed (see Step One), we can use the hg command to pull down the Mallory code base. Navigate to the directory where you want the Mallory code base to live and run the following command:
hg clone http://bitbucket.org/IntrepidusGroup/mallory
The output should look something like this:

Step Four: Setting up the Gateway

We now have all the required code, packages, libraries, and mythical creatures in place to start Mallorizing victims (the leprechauns, fairies and ground unicorn horn came preinstalled in 10.04). For pedagogical purposes, starting Mallory will be a two-step process. It is important to understand that Mallory runs on a gateway; it is not a gateway in and of itself. Therefore we need to make sure our netbook is acting as a gateway for the clients before we start Mallory. This ensures that any misconfigurations get caught early and are easy to troubleshoot.

Using the script below, your netbook will be converted into a lean, mean routing machine. You will need to run this script as root. When prompted, enter the interfaces for the WAN and LAN links. In my setup, my tethered Android handset provides Internet connectivity to the netbook via interface usb0, so usb0 is my WAN link; the WiFi interface serving the clients is wlan0, so wlan0 is my LAN link. You will need to use the appropriate interfaces for your setup. For example, if you are using an Ethernet connection to reach the Internet, the WAN interface could be eth0.

#!/bin/sh
# Turn this box into a NAT gateway for the WiFi clients. Run as root (sudo).
echo "Wan Interface: "
read wanInt
echo "Wifi Interface: "
read lanInt

echo "Stopping network manager"
/etc/init.d/NetworkManager* stop
echo "Stopping dnsmasq"
/etc/init.d/dnsmasq stop
echo "Bringing down lan interface"
ifconfig $lanInt down
echo "Starting hostapd"
hostapd -B /etc/hostapd/hostapd.conf
echo "Applying configs to lan interface"
ifconfig $lanInt 10.0.0.1 netmask 255.255.255.0
echo "Starting DHCP server"
# Hand clients 10.0.0.10-100 and point them at this box as their router
dnsmasq --no-hosts --interface $lanInt --no-poll --except-interface=lo --listen-address=10.0.0.1 --dhcp-range=10.0.0.10,10.0.0.100,60m --dhcp-option=option:router,10.0.0.1 --dhcp-lease-max=50 --pid-file=/var/run/nm-dnsmasq-$lanInt.pid

echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

echo "Turning on Natting"
iptables -t nat -A POSTROUTING -o $wanInt -j MASQUERADE
echo "Allowing ip forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Adding 4.2.2.1 to resolv.conf"
echo "nameserver 4.2.2.1" >> /etc/resolv.conf
echo "GO GO gadget gateway"

After executing this script, you should be able to connect clients to the newly created WiFi network. This is also a good time to test that the clients have Internet connectivity. If that test fails, some troubleshooting is in order.

Things to double check would be:

  • Did you run the script as root (sudo)?
  • Can the gateway get out to the Internet (ping)?
  • Does the LAN interface have an IP (ifconfig)?
  • Is the DHCP server running (ps)?
  • Are the DNS servers configured properly (cat /etc/resolv.conf)?

Troubleshooting this step is slightly outside the scope of this post; however, feel free to leave comments about any difficulties and we can try to help out.

Step Five: Starting Mallory

So we have our equipment, we have downloaded the dependencies, we have configured our conf files, and we have had a short lesson on how to set up an Ubuntu gateway… sounds like it’s Mallorizing time. All that is left is to start Mallory and force our gateway to funnel all network streams into Mallory’s one listening socket. The iptables commands below tell our gateway to redirect all TCP and UDP streams originating from our LAN (wlan0) into a local socket listening on port 20755, which is the port Mallory is configured to listen on.

sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp -j REDIRECT --to-ports 20755
sudo iptables -t nat -A PREROUTING -i wlan0 -p udp -m udp -j REDIRECT --to-ports 20755
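As an added check (my own code, not part of the original post or of Mallory), the following Python script verifies the gateway state that the troubleshooting list in Step Four and the two REDIRECT rules above depend on: IP forwarding is on, the MASQUERADE rule sits on the WAN link, both the TCP and UDP REDIRECT rules into port 20755 exist, and resolv.conf has a nameserver. Every check takes text as input (the contents of /proc/sys/net/ipv4/ip_forward, the output of `iptables-save -t nat`, and /etc/resolv.conf), so it can be exercised against the constructed samples embedded below without root; `check_live_gateway` reads the real system and does need root. The interface names usb0 and wlan0 and the port are the post’s; the function names and messages are my own.

```python
"""Pre-flight checks for a Mallory gateway (added example, not Mallory's own code).

Each check works on text so it can be run against constructed samples without
root: the contents of /proc/sys/net/ipv4/ip_forward, the output of
`iptables-save -t nat`, and /etc/resolv.conf.
"""
import re
import subprocess

MALLORY_PORT = 20755  # the port Mallory listens on, per the post


def parse_iptables_save(text):
    """Return {table_name: [rule lines]} from iptables-save output."""
    tables = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # e.g. "*nat" opens a table
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)  # ":CHAIN POLICY", "COMMIT" and "#" lines are skipped
    return tables


def check_gateway(ip_forward, iptables_save, resolv_conf, wan, lan, port=MALLORY_PORT):
    """Return a list of problems; an empty list means the gateway looks ready for Mallory."""
    problems = []
    if ip_forward.strip() != "1":
        problems.append("ip_forward is not 1: the kernel will not route client traffic")

    nat = parse_iptables_save(iptables_save).get("nat", [])
    masq = re.compile(r"-A POSTROUTING .*-o %s .*-j MASQUERADE" % re.escape(wan))
    if not any(masq.search(r) for r in nat):
        problems.append("no MASQUERADE rule on WAN interface %s" % wan)
    for proto in ("tcp", "udp"):
        redirect = re.compile(r"-A PREROUTING .*-i %s .*-p %s .*-j REDIRECT --to-ports %d$"
                              % (re.escape(lan), proto, port))
        if not any(redirect.search(r) for r in nat):
            problems.append("%s from %s is not redirected to port %d" % (proto, lan, port))

    nameservers = [l.split()[1] for l in resolv_conf.splitlines()
                   if l.strip().startswith("nameserver") and len(l.split()) > 1]
    if not nameservers:
        problems.append("no nameserver in resolv.conf: clients' DNS lookups will fail")
    return problems


def check_live_gateway(wan, lan):
    """Run the same checks against the running system (iptables-save needs root)."""
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        ip_forward = f.read()
    rules = subprocess.check_output(["iptables-save", "-t", "nat"]).decode()
    with open("/etc/resolv.conf") as f:
        resolv = f.read()
    return check_gateway(ip_forward, rules, resolv, wan, lan)


# Constructed sample: what `iptables-save -t nat` prints after Steps Four and Five.
SAMPLE_NAT_OK = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp -j REDIRECT --to-ports 20755
-A PREROUTING -i wlan0 -p udp -m udp -j REDIRECT --to-ports 20755
-A POSTROUTING -o usb0 -j MASQUERADE
COMMIT
"""

# Constructed sample: the same gateway with Step Five skipped.
SAMPLE_NAT_NO_REDIRECT = """\
*nat
-A POSTROUTING -o usb0 -j MASQUERADE
COMMIT
"""

SAMPLE_RESOLV = "nameserver 4.2.2.1\n"  # what the Step Four script appends

if __name__ == "__main__":
    print(check_gateway("1\n", SAMPLE_NAT_OK, SAMPLE_RESOLV, "usb0", "wlan0"))
    print(check_gateway("0\n", SAMPLE_NAT_NO_REDIRECT, "", "usb0", "wlan0"))
```

On the gateway itself, `sudo python -c "import gwcheck; print(gwcheck.check_live_gateway('usb0', 'wlan0'))"` (with the block saved as gwcheck.py) reports an empty list when the box is ready; running it before and after the two REDIRECT commands makes it obvious whether the gateway or the redirect is what is broken.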

To start Mallory we need to run mallory.py as root. (Note: Mallory is not backdoored.) This Python file is located in the mallory/src directory. The command below should start Mallory as root.

sudo python ./mallory/src/mallory.py

After you run the above command, Mallory should be up and running. To test it, connect a client through Mallory and visit an image-heavy website. By default Mallory has the HTTP module enabled, with the HTTP image-flipping and image-color-inverting plugins turned on. You should see something like this (notice that the two images are upside down and their colors are inverted).

By default Mallory is also configured to run the cookie hijacking plugin. Using the Mallory Cookie Editor plugin for Chrome, you can copy a cookie captured by Mallory and apply it to your browser with one click, which lets you hijack any HTTP session flowing through Mallory. If HTTPS MiTMing is turned on, sessions “secured” by HTTPS can be hijacked as well (provided the users click through the certificate warnings). The Chrome plugin needs to run in a Chrome browser on the Mallory gateway itself. Below is an example of the Mallory Cookie Editor for Chrome.

Step Six: What is next?

We have TCP streams flowing through Mallory, we see images being manipulated, and we are hijacking sessions of popular websites: what’s next? Well, Mallory is first and foremost a testing tool. There is a variety of functionality in Mallory that can be unlocked with a few lines of code and configuration data: for example, MiTMing SSL streams, pausing and editing streams with the Mallory graphical TCP stream debugger, and quickly writing data-manipulation routines that operate automatically on streams of HTTP data (also controllable on the fly in the Mallory GUI). All of this (and more) can easily be done with Mallory. In the near future we will be posting tutorials on how to accomplish many tasks with Mallory, but before we get there, this is the first step that must be completed. Once you have a setup that can flip images, you can dive head first into the world of Mallory!

-D1AB1069-


20 Comments

  1. DCX
    Posted December 16, 2010 at 10:49 pm | Permalink

    Nice writeup. Two clarifications:

    1) Mallory DOES not work as an explicit proxy. It depends on pynetfilter_conntrack for a reason, which is essentially that if traffic doesn’t show up to Mallory courtesy of iptables, it’s going to crash and burn.

    2) Not only is Mallory backdoored, but there is evidence of defensive coding in the source!

    sslproto.py:34:
    # Canonicalize and white list filter the common name
    cn = re.sub("[^*A-Za-z0-9-]+", ".", cn)

    # Execute the shell script that will create the certificate
    if not (os.path.exists("./certs/" + cn + ".cer")): #SSL
        ret = subprocess.call(['./cert.sh', cn])

    Good thing you guys whitelisted the CN, or lord knows what kind of fun we could have crafting evil CN’s to pwn Mallory boxes (which as you mentioned, run as root :)

  2. Posted December 17, 2010 at 12:15 am | Permalink

    Thank You :)

    Also, I think DCX meant to say *NOT* backdoored. Our original call in our earlier versions/prototypes to our certificate creation script was just a little shady, but it is pretty safe now. We ultimately aim to yank this out completely and just replace certs on the fly and only have them in memory.

    The canonicalization regex combined with the subprocess module makes command execution via the shell script invocation (directly) pretty unlikely. The cert.sh script still has a bit of attack surface, it uses the common name as a parameter to create file names. We were just a little paranoid about that one, so the regex is pretty strict. You could possibly create a file name that is a bunch of periods. We still advocate this being used as a testing tool in a controlled environment, but hey if you trust users on it… =)

    And there is one small trick you can use with command line options to directly TCP forward traffic. The whole netfilter lookup piece is not used and it just dumbly forwards traffic from one ip:port (localhost:port) to some (destination:port), which is really uninteresting, but we already had all the required code to do it so I figured why not.

    Jeremy
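Since the two comments above quote the whitelist regex from sslproto.py and discuss what it buys, here is an added example (my own code, not Mallory’s) that runs the same canonicalization over a few constructed common names and checks the two properties it is there to provide: the result can only contain letters, digits, `*`, `-` and `.`, so the certificate file name can never leave the certs directory, and because the script is invoked through a subprocess argument list rather than a shell, the one remaining special character, `*`, is never glob-expanded. `cert.sh` itself is not called; the path it would be handed is built instead, and the child process is a Python one-liner that echoes its argument. The function names and sample CNs are mine.

```python
"""Whitelist canonicalization of a certificate common name (added example, not Mallory's code).

The regex is the one quoted from sslproto.py in the comments; everything else
here is illustration of what that filter guarantees.
"""
import os
import re
import subprocess
import sys

# Anything outside the whitelist [*A-Za-z0-9-] gets collapsed to a single '.'
NOT_ALLOWED = re.compile(r"[^*A-Za-z0-9-]+")


def canonicalize_cn(cn):
    """Collapse each run of characters outside the whitelist into a single '.'."""
    return NOT_ALLOWED.sub(".", cn)


def cert_path(cn, certs_dir="./certs"):
    """The file name the canonicalized CN would produce under the certs directory."""
    return os.path.join(certs_dir, canonicalize_cn(cn) + ".cer")


def stays_in_directory(cn, certs_dir="./certs"):
    """True if the resulting path resolves inside certs_dir (no '/' survives the regex)."""
    root = os.path.abspath(certs_dir)
    target = os.path.abspath(cert_path(cn, certs_dir))
    return os.path.dirname(target) == root


def argv_seen_by_child(cn):
    """Hand the canonical CN to a child as one argv element, the way
    subprocess.call(['./cert.sh', cn]) does, and return what the child received.
    No shell is involved, so '*' reaches the child literally."""
    out = subprocess.check_output(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])",
         canonicalize_cn(cn)])
    return out.decode()


# Constructed common names: a normal one, a wildcard, and two that would be
# unsafe in a file name or on a shell command line if they were not filtered.
SAMPLE_CNS = ["www.example.com", "*.example.com", "../../etc/passwd", "a;b c"]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        print("%-20r -> %-18r %s" % (cn, canonicalize_cn(cn), cert_path(cn)))
```

The traversal sample collapses to `.etc.passwd`, a hidden file inside `./certs/`, which is why the comment about “a file name that is a bunch of periods” is the worst this filter leaves open: unusual names, but never a path outside the directory.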

  3. DCX
    Posted December 17, 2010 at 9:36 am | Permalink

    Yup… Meant to say “NOT backdoored” :)

  4. Posted December 19, 2010 at 1:18 pm | Permalink

    For Mallory to MITM SSL sessions from iPhone and Android apps, it must mean that those apps do not use certificates from a commercial CA to validate the identity of the server, right?

  5. DCX
    Posted December 20, 2010 at 9:43 am | Permalink

    No. To see those streams (without the user getting warnings) you need to import Mallory’s root CA certificate onto the trusted root store of the handset (or whatever device you’re testing).

    This will get you visibility to 99.999% of SSL traffic. The only edge cases will be those in which the apps you’re looking at are strictly validating (hardcoded) SSL certs rather than relying on the device’s trusted store.

  6. Aaron
    Posted January 13, 2011 at 10:39 am | Permalink

    How do I start an SSL-mitm using the internal self signed cert?

  7. Posted January 29, 2011 at 6:05 pm | Permalink

    First I would like to thank you for your pretty nice tool!

    One note please, line 5 of the gateway setup script should be:

    read lanInt

    The missing t leads to error messages…

  8. Posted January 30, 2011 at 12:45 am | Permalink

    Hello folks!

    Actually I managed to install Mallory and it works mostly like a charm. I hope that Mallory can help me sniff my mobile phone to see if it sends any confidential data; I am a little bit paranoid and can’t trust much those advertisement and mining companies collecting any sort of personal data. So how about using MITM with http and ssl… finally I found the place in the main file where I can enable https support. (Maybe that would be easier to handle in a global config file, however …)

    So then I fired up in Safari on my iPhone an https page: https://www.paypal.com to see what’s going on. Unfortunately I got this error shown in the debug logger:

    [*] [2011-01-30 05:42:05,656] ERROR:main: error connecting to remote
    Traceback (most recent call last):
    File "mallory.py", line 316, in main
    protoinst=protoinst)
    File "mallory.py", line 174, in configure_socket
    protoinst.configure_client_socket()
    File "/home/sie/workspaces/mardal/mallory/mallory/src/protocol/sslproto.py", line 46, in configure_client_socket
    ssl_version=ssl.PROTOCOL_SSLv23)
    File "/usr/lib/python2.6/ssl.py", line 350, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
    File "/usr/lib/python2.6/ssl.py", line 118, in __init__
    self.do_handshake()
    File "/usr/lib/python2.6/ssl.py", line 293, in do_handshake
    self._sslobj.do_handshake()
    SSLError: [Errno 1] _ssl.c:480: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
    (<class 'ssl.SSLError'>, SSLError(1, '_ssl.c:480: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol'), <traceback object at 0x7f4cc8028d88>)

    Actually Safari asked me to confirm the certificate from Mallory, I accepted, but then nothing more happens. The page from PayPal didn’t show up unfortunately. From what I found in the Python sources, it seems the other side isn’t speaking SSL, is that correct? Or maybe I am just missing another setting?

    Anyway, I would be very glad to hear from you guys!

    However, hands up for your big effort and the brilliant work!

    Kind regards,

    Markus

  9. D1AB1069
    Posted February 3, 2011 at 10:27 am | Permalink

    Markus,

    Sorry about the delay in responding to this question. It’s been pretty hectic around here. If you can send us a PCAP of the stream causing the error we can try to troubleshoot the problem and work on having you snooping on iPhone apps in no time. Feel free to email me at firstname.lastname@intrepidusgroup.com. My name is below. ;)

    Raj Umadas

  10. Jason
    Posted February 8, 2011 at 8:42 pm | Permalink

    I have been trying to follow this post identically, even with the same OS version and hardware (close, I am using an Eee PC 1005HA). I am having some issues with the scripts. Especially the “Step Four: Setting up the Gateway” script.

    I am getting errors like “/etc/init.d/NetworkManager*: command not found”, “/etc/init.d/dnsmasq: command not found”, “Line 18: invalid/unknown driver ‘n180211′ 1 errors found in configuration file /etc/hostapd/hostapd.conf”, dnsmasq: command not found”

    Tried Ubuntu 10.04 LTS Server and Desktop installs. Could I have missed some pre-reqs? I did standard clean installs of each and tried this. I have also been trying to build an install script so I could give a presentation of Mallory at a local club.

    I also like to develop and after hearing your presentation at BH2010 (audios) I got pretty excited about the product and having the ability to develop plugins easily. Hope to hear something soon.

    Regards,

    Jason

  11. Posted February 11, 2011 at 10:31 am | Permalink

    Actually you missed uncommenting a line at the very end of mallory.py that enables the https plugin. As I see it, you should also be able to use command line parameters; I can’t say which one, but it should work. Anyway, a look inside mallory.py could help you.

  12. Vitalik
    Posted February 14, 2011 at 7:46 pm | Permalink

    Has anybody tried to install it under BackTrack 4 R2? It can not find some of the dependencies, e.g. sudo apt-get install python2.6-dev etc.

  13. solotrek
    Posted February 17, 2011 at 10:15 pm | Permalink

    Hi, Got Mallory up and running, but really need some more info on how to use the GUI interface for data stream manipulation. I think you mentioned above “In the near future, we will be posting tutorials on how to accomplish many tasks with Mallory” I’d love to see some of these if any are ready to go? solotrek

  14. Olivier
    Posted February 22, 2011 at 11:45 am | Permalink

    Hi,

    I started testing mallory as I searched for a tool like that for years.

    I already started tweaking some things to give parameters to plugins from the command line (such as start SSLplugin on port xxx).

    I saw that you started to write an editor for HTTP. What about integrating the scapy parser?
    One of my use cases is to test the GIOP protocol, which uses heavily something approaching TLV (type length value). For that, I wrote a scapy protocol stack but I was missing the TCP proxy with a fancy GUI until now.

    For instance, you could load a given scapy protocol definition and map it to fields in the tree editor ?

  15. Christopher Tan
    Posted February 23, 2011 at 4:24 am | Permalink

    Hi,

    I have successfully reached step 4, which is to use wlan0 as my “home network” and eth0 as my WAN, and managed to get my “victim” online. However, the next few steps were pretty frustrating. Looking at the Mallory log, it seems that either Mallory didn’t forward the DNS lookup request or there is no response back from my ISP’s DNS server.

    sending data from ('10.0.0.10', 50120) to ('10.0.0.1', 53)
    Waiting for data
    Terminating thread for (10.0.0.10, 50120) No more data

    It seems to be some minute changes I got to make. I am not sure where.

    Anyone?

    Thanks.

  16. Rajendra Umadas
    Posted February 23, 2011 at 10:28 am | Permalink

    Hey Guys and Gals,

    I have set up a Google Group to hopefully make the tech support a little easier. Once things settle down, I will start to move over the relevant comments to the group. Hopefully this will also encourage the community to help troubleshoot some issues. The group can be found at https://groups.google.com/forum/#!forum/mallory-p….

    Thanks for the help,

    Raj

  17. Jui Kian
    Posted March 7, 2011 at 10:34 am | Permalink

    Hi All,

    I have been having trouble installing Mallory on my virtual machine. I have downloaded all the dependencies but when I tried to run Mallory, I was presented with this error message:

    Traceback (most recent call last):
    File "./mallory/src/mallory.py", line 75, in <module>
    import ssl
    ImportError: No module named ssl

    Hope someone can guide me as to what i should do to fix this problem…

    Thanks in advance!

  18. Rajendra Umadas
    Posted March 7, 2011 at 10:59 am | Permalink

    I will move this over to the Google group. The response will be there.
    https://groups.google.com/forum/?hl=en#!forum/mal

    Raj

  19. Posted July 2, 2011 at 5:38 pm | Permalink

    Hey guys, Awk here from Pwnie Express. Would LOVE to get this working on the PwnPhone – a nokia n900 running maemo 5 linux.

    A lot of dependencies you have listed aren’t in the alternate maemo repositories, so it may be a while before I get this working. If you have any advice I’m all ears, would love to get this tool working on the phone. The PwnPhone image is also about to get released for free BTW.

    This tool will be on the pwnplugs soon….they do use the Ubuntu repositories so it should be no problem getting it installed there.

    Thanks for a great tool!

  20. DCX
    Posted July 14, 2011 at 6:32 pm | Permalink

    Just did a fresh install on Ubuntu 10.10 (x86/64)

    Need to add this to the deps: sudo aptitude install python-m2crypto

    /me heads over to the google group

One Trackback

  1. [...] This post was mentioned on Twitter by Jhaddix and alex knorr, Intrepidus Group. Intrepidus Group said: Mallory TCP/UDP transparent proxy setup guide now online – http://cot.ag/dKDaEm [...]
