diff options
Diffstat (limited to 'doc-src/tutorials')
| -rw-r--r-- | doc-src/tutorials/30second.html | 61 | ||||
| -rw-r--r-- | doc-src/tutorials/gamecenter.html | 119 | ||||
| -rw-r--r-- | doc-src/tutorials/index.py | 7 | ||||
| -rw-r--r-- | doc-src/tutorials/leaderboard.png | bin | 448368 -> 0 bytes | |||
| -rw-r--r-- | doc-src/tutorials/one.png | bin | 141443 -> 0 bytes | |||
| -rw-r--r-- | doc-src/tutorials/supermega.png | bin | 92889 -> 0 bytes | |||
| -rw-r--r-- | doc-src/tutorials/transparent-dhcp.html | 53 | ||||
| -rw-r--r-- | doc-src/tutorials/transparent-dhcp/step1_proxy.png | bin | 246413 -> 0 bytes | |||
| -rw-r--r-- | doc-src/tutorials/transparent-dhcp/step1_vbox_eth0.png | bin | 28237 -> 0 bytes | |||
| -rw-r--r-- | doc-src/tutorials/transparent-dhcp/step1_vbox_eth1.png | bin | 28765 -> 0 bytes | |||
| -rw-r--r-- | doc-src/tutorials/transparent-dhcp/step2_proxied_vm.png | bin | 36775 -> 0 bytes |
11 files changed, 0 insertions, 240 deletions
diff --git a/doc-src/tutorials/30second.html b/doc-src/tutorials/30second.html deleted file mode 100644 index fe9581c5..00000000 --- a/doc-src/tutorials/30second.html +++ /dev/null @@ -1,61 +0,0 @@ - -My local cafe is serviced by a rickety and unreliable wireless network, -generously sponsored with ratepayers' money by our city council. After -connecting, you are redirected to an SSL-protected page that prompts you for a -username and password. Once you've entered your details, you are free to enjoy -the intermittent dropouts, treacle-like speeds and incorrectly configured -transparent proxy. - -I tend to automate this kind of thing at the first opportunity, on the theory -that time spent now will be more than made up in the long run. In this case, I -might use [Firebug](http://getfirebug.com/) to ferret out the form post -parameters and target URL, then fire up an editor to write a little script -using Python's [urllib](http://docs.python.org/library/urllib.html) to simulate -a submission. That's a lot of futzing about. With mitmproxy we can do the job -in literally 30 seconds, without having to worry about any of the details. -Here's how. - -## 1. Run mitmdump to record our HTTP conversation to a file. - -<pre class="terminal"> -> mitmdump -w wireless-login -</pre> - -## 2. Point your browser at the mitmdump instance. - -I use a tiny Firefox addon called [Toggle -Proxy](https://addons.mozilla.org/en-us/firefox/addon/toggle-proxy-51740/) to -switch quickly to and from mitmproxy. I'm assuming you've already [configured -your browser with mitmproxy's SSL certificate -authority](http://mitmproxy.org/doc/ssl.html). - -## 3. Log in as usual. - - -And that's it! You now have a serialized version of the login process in the -file wireless-login, and you can replay it at any time like this: - -<pre class="terminal"> -> mitmdump -c wireless-login -</pre> - -## Embellishments - -We're really done at this point, but there are a couple of embellishments we -could make if we wanted. I use [wicd](http://wicd.sourceforge.net/) to -automatically join wireless networks I frequent, and it lets me specify a -command to run after connecting. I used the client replay command above and -voila! - totally hands-free wireless network startup. - -We might also want to prune requests that download CSS, JS, images and so -forth. These add only a few moments to the time it takes to replay, but they're -not really needed and I somehow feel compelled to trim them anyway. So, we fire up -the mitmproxy console tool on our serialized conversation, like so: - -<pre class="terminal"> -> mitmproxy -r wireless-login -</pre> - -We can now go through and manually delete (using the __d__ keyboard shortcut) -everything we want to trim. When we're done, we use __w__ to save the -conversation back to the file. diff --git a/doc-src/tutorials/gamecenter.html b/doc-src/tutorials/gamecenter.html deleted file mode 100644 index af11b5bb..00000000 --- a/doc-src/tutorials/gamecenter.html +++ /dev/null @@ -1,119 +0,0 @@ - -## The setup - -In this tutorial, I'm going to show you how simple it is to creatively -interfere with Apple Game Center traffic using mitmproxy. To set things up, -install the [mitmproxy root certificate](@!urlTo("certinstall.html")!@). Then -start mitmproxy on your desktop, and confige the iPhone to use it as a proxy. - - -## Taking a look at the Game Center traffic - -Lets take a first look at the Game Center traffic. The game I'll use in this -tutorial is [Super Mega -Worm](http://itunes.apple.com/us/app/super-mega-worm/id388541990?mt=8) - a -great little retro-apocalyptic sidescroller for the iPhone: - -<center> - <img class="img-responsive" src="@!urlTo('tutorials/supermega.png')!@"/> -</center> - -After finishing a game (take your time), watch the traffic flowing through -mitmproxy: - -<center> - <img class="img-responsive" src="@!urlTo('tutorials/one.png')!@"/> -</center> - -We see a bunch of things we might expect - initialisation, the retrieval of -leaderboards and so forth. Then, right at the end, there's a POST to this -tantalising URL: - -<pre> -https://service.gc.apple.com/WebObjects/GKGameStatsService.woa/wa/submitScore -</pre> - -The contents of the submission are particularly interesting: - -<!--(block|syntax("xml"))--> -<plist version="1.0"> - <dict> - <key>scores</key> - <array> - <dict> - <key>category</key> - <string>SMW_Adv_USA1</string> - <key>context</key> - <integer>0</integer> - <key>score-value</key> - <integer>0</integer> - <key>timestamp</key> - <integer>1363515361321</integer> - </dict> - </array> - </dict> -</plist> -<!--(end)--> - -This is a [property list](http://en.wikipedia.org/wiki/Property_list), -containing an identifier for the game, a score (55, in this case), and a -timestamp. Looks pretty simple to mess with. - - -## Modifying and replaying the score submission - -Lets edit the score submission. First, select it in mitmproxy, then press -__enter__ to view it. Make sure you're viewing the request, not the response - -you can use __tab__ to flick between the two. Now press __e__ for edit. You'll -be prompted for the part of the request you want to change - press __r__ for -raw body. Your preferred editor (taken from the EDITOR environment variable) will -now fire up. Lets bump the score up to something a bit more ambitious: - -<!--(block|syntax("xml"))--> -<plist version="1.0"> - <dict> - <key>scores</key> - <array> - <dict> - <key>category</key> - <string>SMW_Adv_USA1</string> - <key>context</key> - <integer>0</integer> - <key>score-value</key> - <integer>2200272667</integer> - <key>timestamp</key> - <integer>1363515361321</integer> - </dict> - </array> - </dict> -</plist> -<!--(end)--> - -Save the file and exit your editor. - -The final step is to replay this modified request. Simply press __r__ for -replay. - -## The glorious result and some intrigue - -<center> - <img class="img-responsive" src="@!urlTo('tutorials/leaderboard.png')!@"/> -</center> - -And that's it - according to the records, I am the greatest Super Mega Worm -player of all time. - -There's a curious addendum to this tale. When I first wrote this tutorial, all -the top competitors' scores were the same: 2,147,483,647 (this is no longer the -case, beacause there are now so many fellow cheaters using this tutorial). If -you think that number seems familiar, you're right: it's 2^31-1, the maximum -value you can fit into a signed 32-bit int. Now let me tell you another -peculiar thing about Super Mega Worm - at the end of every game, it submits -your highest previous score to the Game Center, not your current score. This -means that it stores your highscore somewhere, and I'm guessing that it reads -that stored score back into a signed integer. So, if you _were_ to cheat by the -relatively pedestrian means of modifying the saved score on your jailbroken -phone, then 2^31-1 might well be the maximum score you could get. Then again, -if the game itself stores its score in a signed 32-bit int, you could get the -same score through perfect play, effectively beating the game. So, which is it -in this case? I'll leave that for you to decide. diff --git a/doc-src/tutorials/index.py b/doc-src/tutorials/index.py deleted file mode 100644 index 3bfe7c12..00000000 --- a/doc-src/tutorials/index.py +++ /dev/null @@ -1,7 +0,0 @@ -from countershape import Page - -pages = [ - Page("30second.html", "Client playback: a 30 second example"), - Page("gamecenter.html", "Setting highscores on Apple's GameCenter"), - Page("transparent-dhcp.html", "Transparently proxify virtual machines") -] diff --git a/doc-src/tutorials/leaderboard.png b/doc-src/tutorials/leaderboard.png Binary files differdeleted file mode 100644 index c1be8df5..00000000 --- a/doc-src/tutorials/leaderboard.png +++ /dev/null diff --git a/doc-src/tutorials/one.png b/doc-src/tutorials/one.png Binary files differdeleted file mode 100644 index 78a636cf..00000000 --- a/doc-src/tutorials/one.png +++ /dev/null diff --git a/doc-src/tutorials/supermega.png b/doc-src/tutorials/supermega.png Binary files differdeleted file mode 100644 index d416f71f..00000000 --- a/doc-src/tutorials/supermega.png +++ /dev/null diff --git a/doc-src/tutorials/transparent-dhcp.html b/doc-src/tutorials/transparent-dhcp.html deleted file mode 100644 index 6c648c0d..00000000 --- a/doc-src/tutorials/transparent-dhcp.html +++ /dev/null @@ -1,53 +0,0 @@ -This walkthrough illustrates how to set up transparent proxying with mitmproxy. We use VirtualBox VMs with an Ubuntu proxy machine in this example, but the general principle can be applied to other setups. - -1. **Configure VirtualBox Network Adapters for the proxy machine** - The network setup is simple: `internet <--> proxy vm <--> (virtual) internal network`. - For the proxy machine, *eth0* represents the outgoing network. *eth1* is connected to the internal network that will be proxified, using a static ip (192.168.3.1). - <hr>VirtualBox configuration: - <img class="img-responsive" src="@!urlTo('tutorials/transparent-dhcp/step1_vbox_eth0.png')!@"/><br><br> - <img class="img-responsive" src="@!urlTo('tutorials/transparent-dhcp/step1_vbox_eth1.png')!@"/> - <br>Proxy VM: - <img class="img-responsive" src="@!urlTo('tutorials/transparent-dhcp/step1_proxy.png')!@"/> - <hr> -2. **Configure DHCP and DNS** - We use dnsmasq to provide DHCP and DNS in our internal network. - Dnsmasq is a lightweight server designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale - network. - - - Before we get to that, we need to fix some Ubuntu quirks: - **Ubuntu >12.04** runs an internal dnsmasq instance (listening on loopback only) by default - <a href="https://www.stgraber.org/2012/02/24/dns-in-ubuntu-12-04/">[1]</a>. For our use case, this needs to be - disabled by changing <br>`dns=dnsmasq` to `#dns=dnsmasq` in */etc/NetworkManager/NetworkManager.conf* - and running `sudo restart network-manager` afterwards. - - Now, dnsmasq can be be installed and configured: - `sudo apt-get install dnsmasq` - Replace */etc/dnsmasq.conf* with the following configuration: - <pre>\# Listen for DNS requests on the internal network - interface=eth1 - \# Act as a DHCP server, assign IP addresses to clients - dhcp-range=192.168.3.10,192.168.3.100,96h - \# Broadcast gateway and dns server information - dhcp-option=option:router,192.168.3.1 - dhcp-option=option:dns-server,192.168.3.1 - </pre> - Apply changes: - `sudo service dnsmasq restart` - <hr> - Your proxied machine's network settings should now look similar to this: - <img class="img-responsive" src="@!urlTo('tutorials/transparent-dhcp/step2_proxied_vm.png')!@"/> - <hr> - -3. **Set up traffic redirection to mitmproxy** - To redirect traffic to mitmproxy, we need to add two iptables rules: - <pre class="terminal"> - iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \ - -j REDIRECT --to-port 8080 - iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 \ - -j REDIRECT --to-port 8080 - </pre> - -4. If required, <a href="@!urlTo('certinstall.html')!@">install the mitmproxy - certificates on the test device</a>. - -5. Finally, we can run <code>mitmproxy -T</code>. - The proxied machine cannot to leak any data outside of HTTP or DNS requests. diff --git a/doc-src/tutorials/transparent-dhcp/step1_proxy.png b/doc-src/tutorials/transparent-dhcp/step1_proxy.png Binary files differdeleted file mode 100644 index a0c94484..00000000 --- a/doc-src/tutorials/transparent-dhcp/step1_proxy.png +++ /dev/null diff --git a/doc-src/tutorials/transparent-dhcp/step1_vbox_eth0.png b/doc-src/tutorials/transparent-dhcp/step1_vbox_eth0.png Binary files differdeleted file mode 100644 index 4b7b4e9b..00000000 --- a/doc-src/tutorials/transparent-dhcp/step1_vbox_eth0.png +++ /dev/null diff --git a/doc-src/tutorials/transparent-dhcp/step1_vbox_eth1.png b/doc-src/tutorials/transparent-dhcp/step1_vbox_eth1.png Binary files differdeleted file mode 100644 index b994d4cb..00000000 --- a/doc-src/tutorials/transparent-dhcp/step1_vbox_eth1.png +++ /dev/null diff --git a/doc-src/tutorials/transparent-dhcp/step2_proxied_vm.png b/doc-src/tutorials/transparent-dhcp/step2_proxied_vm.png Binary files differdeleted file mode 100644 index 2046cc57..00000000 --- a/doc-src/tutorials/transparent-dhcp/step2_proxied_vm.png +++ /dev/null |
