Sniffing HTTPS traffic of a virtualbox guest VM using mitmproxy
In this article I’ll show you how HTTPS traffic from a virtualbox guest vm can be routed through mitmproxy in order to sniff HTTPS traffic.
This might be useful, for example, if you wanted to figure out how a JSON API works that you know an application that you’ve installed uses.
In addition to virtualbox and mitmproxy, dnsmasq is also required on the host system. I’ll assume that all 3 applications are installed.
This article is written with a Linux host system in mind. It should also work for OS X users. Windows users are out of luck.
The Guest system doesn’t really matter.
Virtualbox (guest) configuration ¶
You’ll have to configure the guest system to use host-only networking.
You’ll need to:
- Create one host-only network adapter. (Usually called
- Configure the guest VM to use the host-only network adapter.
- Disable the internal Virtualbox DHCP on the host-only network adapter.
You can configure the host-only network adapter either in the GUI (
File - Preferences - Network) or via command-line.
You may also refer to 6.7 Host-only networking of the virtualbox manual. But the outlined steps below should be sufficient.
Host-only networking adapter ¶
First, let’s see if you’ve already got any existing adapters. They can be listed using:
VBoxManage list hostonlyifs
If the output is empty you don’t have any adapters yet. If that is the case create one. Otherwise skip this step but note the name of the adapter.
VBoxManage hostonlyif create
Next configure the IP of the host. This is not the IP the host system uses to connect to the internet, but rather a new IP with which the host system will communicate with the guest system.
VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0
Now if you run
VBoxManage list hostonlyifs again you should see something like:
Name: vboxnet0 GUID: 786f6276-656e-4074-8000-0a0027000000 DHCP: Disabled IPAddress: 192.168.56.1 NetworkMask: 255.255.255.0 IPV6Address: IPV6NetworkMaskPrefixLength: 0 HardwareAddress: 0a:00:27:00:00:00 MediumType: Ethernet Status: Up VBoxNetworkName: HostInterfaceNetworking-vboxnet0
If your output looks similar things are looking good!
Disable Virtualbox DHCP ¶
You’re going to use
dnsmasq as DHCP and DNS server for the guest machine. In
order for that to work you have to disable virtualbox’ internal DHCP server.
To see if the virtualbox DHCP is connected to
VBoxManage list dhcpservers
If the output is empty things are all good. In case you see something like this:
NetworkName: HostInterfaceNetworking-vboxnet0 IP: 192.168.56.101 NetworkMask: 255.255.255.0 lowerIPAddress: 192.168.56.102 upperIPAddress: 192.168.56.200 Enabled: Yes
You’ll have to remove the dhcp from the host-only adapter:
VBoxManage dhcpserver remove --ifname vboxnet0
Configure the guest VM to use host-only networking ¶
The final step in the virtualbox configuration is to change the networking settings of the guest system to use the host-only adapter:
VBoxManage modifyvm "VM machine name" --nic1 hostonly
Next up is dnsmasq.
The VM guest system should still be able to resolve hostnames, but since you’ve
just configured it to have host-only networking the host system must provide a
DNS service. So you’ll have to configure and start
In the following configuration
dnsmasq will act as a DHCP and DNS.
DNS requests are simply forwarded to the DNS server the host system uses.
domain-needed bogus-priv no-poll interface=vboxnet0 dhcp-range=192.168.56.101,192.168.56.200,96h dhcp-option=option:router,192.168.56.1 dhcp-option=option:dns-server,192.168.56.1
Make sure to replace
vboxnet0 with whatever you’ve used in the virtualbox
configuration and also change
192.168.56.1 if you used a different host ip in
the virtualbox host-only adapter configuration.
dnsmasq and launch the guest vm.
If everything works correctly the guest VM should receive an IP in the range of
192.168.56.101-192.168.56.200 and use
192.168.56.1 as gateway, DHCP server
and DNS server.
mitmproxy doesn’t need any configuration, you just have to launch it in transparent mode:
mitmproxy -T --host
So you’ve the guest vm and mitmproxy running, but mitmproxy still isn’t receiving any traffic and your guest vm is without internet.
To fix that you’ll have to route the traffic from the host-only adapter to mitmproxy using iptables magic:
sudo iptables -t nat -A PREROUTING \ -i vboxnet0 -p tcp --dport 80 -j REDIRECT --to-port 8080 sudo iptables -t nat -A PREROUTING \ -i vboxnet0 -p tcp --dport 443 -j REDIRECT --to-port 8080
(8080 is the default port mitmproxy is listening on)
At this point you should be able to open a browser in the guest system and open a website. If the website uses https you should receive a warning or an error because the certificate is invalid.
That’s the case because you’re now receiving a certificate that is generated by mitmproxy.
Any applications that use HTTPS should now behave as if you don’t have any internet connectivity. If they still work that should be a huge red flag because that means the applications doesn’t verify the certificate.
Trusting mitmproxy certificates ¶
Now, in order to sniff the traffic you’ll want the applications to trust the certificates generated by mitmproxy. In order to accomplish that the mitmproxy certificate has to be installed as trusted root CA.
mitm.it in the browser and download the certificate for your platform
and install it. See mitmproxy certificate installation
(On windows make sure to install it for all users (local machine) and select the store location on where to install the certificate. Place it into trusted root ca. Otherwise applications still won’t trust the certificate.)
If everything worked out you should now be apple to open an applications and use it as always and see traffic appearing in mitmproxy on the host system.