Sniffing HTTPS traffic of a virtualbox guest VM using mitmproxy

In this article I’ll show you how HTTP and HTTPS traffic from a virtualbox guest vm can be routed through mitmproxy on the host, so that the HTTPS traffic can be sniffed in plain text.

This is useful, for example, if you want to figure out how the JSON API used by an application you’ve installed actually works.

In addition to virtualbox and mitmproxy, dnsmasq is required on the host system. I’ll assume that all three are installed.

This article is written with a Linux host system in mind. The virtualbox and dnsmasq parts apply to OS X as well, but the iptables rules at the end are Linux-specific (on OS X you would need equivalent pf rules). Windows users are out of luck.

The guest system doesn’t really matter, as long as it takes its network settings from DHCP.

Virtualbox (guest) configuration

You’ll have to configure the guest system to use host-only networking.

You’ll need to:

  • Create one host-only network adapter. (Usually called vboxnet0)
  • Configure the guest VM to use the host-only network adapter.
  • Disable the internal Virtualbox DHCP on the host-only network adapter.

You can configure the host-only network adapter either in the GUI (File - Preferences - Network) or via command-line.

You may also refer to section 6.7, Host-only networking, of the virtualbox manual, but the steps outlined below should be sufficient.

Host-only networking adapter

First, let’s see if you’ve already got any existing adapters. They can be listed using:

VBoxManage list hostonlyifs

If the output is empty you don’t have any adapters yet, so create one. Otherwise skip this step, but note the name of the adapter.

VBoxManage hostonlyif create

Next configure the IP of the host on the new adapter. This is not the IP the host uses on its internet-facing interface, but a new IP on the host-only network, which the host will use to talk to the guest (and which the guest will use as its gateway and DNS server).

VBoxManage hostonlyif ipconfig vboxnet0 --ip 192.168.56.1 --netmask 255.255.255.0

Now if you run VBoxManage list hostonlyifs again you should see something like:

Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
IPV6Address:
IPV6NetworkMaskPrefixLength: 0
HardwareAddress: 0a:00:27:00:00:00
MediumType:      Ethernet
Status:          Up
VBoxNetworkName: HostInterfaceNetworking-vboxnet0

If your output looks similar things are looking good!

Disable Virtualbox DHCP

You’re going to use dnsmasq as DHCP and DNS server for the guest machine. In order for that to work you have to disable VirtualBox’s internal DHCP server on the host-only adapter.

To see if the virtualbox DHCP is connected to vboxnet0 run:

VBoxManage list dhcpservers

If the output is empty things are all good. In case you see something like this:

NetworkName:    HostInterfaceNetworking-vboxnet0
IP:             192.168.56.101
NetworkMask:    255.255.255.0
lowerIPAddress: 192.168.56.102
upperIPAddress: 192.168.56.200
Enabled:        Yes

You’ll have to remove the DHCP server from the host-only adapter:

VBoxManage dhcpserver remove --ifname vboxnet0

Configure the guest VM to use host-only networking

The final step in the virtualbox configuration is to change the networking settings of the guest system to use the host-only adapter:

VBoxManage modifyvm "VM machine name" --nic1 hostonly

If the host has more than one host-only adapter, also pass --hostonlyadapter1 vboxnet0 so the VM is attached to the right one.
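The virtualbox steps above, collected into one idempotent script. This is an added example, not code from the article: it assumes VBoxManage is on the PATH and takes the VM name from a VBOX_VM environment variable (a name chosen here); the interface name and addresses are the ones used above. The two parsing helpers decide from the command output whether the adapter already exists and whether an enabled VirtualBox DHCP server is still bound to it, so running the script twice is safe.

```sh
#!/bin/sh
# Added example, not from the article: the VBoxManage steps above as one
# idempotent script. Assumes VBoxManage is on PATH and that the VM name is
# given in the VBOX_VM environment variable (a name chosen here).
set -u

HOSTONLY_IF="vboxnet0"
HOST_IP="192.168.56.1"
NETMASK="255.255.255.0"

# hostonly_exists IFNAME: read "VBoxManage list hostonlyifs" output on stdin,
# succeed if an adapter with that name is listed
hostonly_exists() {
    grep -q "^Name:[[:space:]]*$1\$"
}

# dhcp_attached IFNAME: read "VBoxManage list dhcpservers" output on stdin,
# succeed only if an *enabled* DHCP server is bound to the adapter's network
dhcp_attached() {
    awk -v net="HostInterfaceNetworking-$1" '
        /^NetworkName:/ { cur = $2 }
        /^Enabled:/     { if (cur == net && $2 == "Yes") found = 1 }
        END             { if (found) exit 0; exit 1 }'
}

setup_hostonly() {
    vm="$1"
    if ! VBoxManage list hostonlyifs | hostonly_exists "$HOSTONLY_IF"; then
        # VirtualBox picks the name itself; on a fresh host it is vboxnet0
        VBoxManage hostonlyif create
    fi
    VBoxManage hostonlyif ipconfig "$HOSTONLY_IF" --ip "$HOST_IP" --netmask "$NETMASK"
    if VBoxManage list dhcpservers | dhcp_attached "$HOSTONLY_IF"; then
        VBoxManage dhcpserver remove --ifname "$HOSTONLY_IF"
    fi
    # --hostonlyadapter1 matters if the host has more than one host-only adapter
    VBoxManage modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
}

# Only touch VirtualBox when a VM name was supplied; the two parsing helpers
# above can be exercised on saved command output without it.
if [ -n "${VBOX_VM:-}" ]; then
    setup_hostonly "$VBOX_VM"
fi
```

Run it as VBOX_VM="VM machine name" sh vbox-hostonly.sh; without VBOX_VM set it only defines the functions.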

dnsmasq

Next up is dnsmasq.

The VM guest system should still be able to resolve hostnames, but since you’ve just configured it for host-only networking it can only reach the host, so the host system must provide the DNS service. That’s why you’ll have to configure and start dnsmasq.

In the following configuration dnsmasq acts as both DHCP and DNS server for the guest. DNS requests are simply forwarded to the upstream servers the host system uses (the ones in its /etc/resolv.conf).

/etc/dnsmasq.conf:

# never forward plain names (without a dot) to the upstream servers
domain-needed
# answer reverse lookups for private ranges locally instead of forwarding them
bogus-priv
# don't watch /etc/resolv.conf for changes
no-poll

# serve DHCP and DNS on the host-only adapter only
interface=vboxnet0

# addresses handed out to guests, with a 96 hour lease
dhcp-range=192.168.56.101,192.168.56.200,96h
# the host is the guest's gateway and DNS server
dhcp-option=option:router,192.168.56.1
dhcp-option=option:dns-server,192.168.56.1

Make sure to replace vboxnet0 with whatever you’ve used in the virtualbox configuration and also change 192.168.56.1 if you used a different host ip in the virtualbox host-only adapter configuration.

Next start (or restart) dnsmasq so that it picks up the configuration, then launch the guest vm.

If everything works correctly the guest VM should receive an IP in the range of 192.168.56.101-192.168.56.200 and use 192.168.56.1 as gateway, DHCP server and DNS server.

mitmproxy

mitmproxy doesn’t need any configuration, you just have to launch it in transparent mode. With the mitmproxy version current at the time of writing that is:

mitmproxy -T --host

(Newer mitmproxy releases spell this mitmproxy --mode transparent --showhost.)

iptables

So you have the guest vm and mitmproxy running, but mitmproxy still isn’t receiving any traffic and your guest vm is without internet.

To fix that you’ll have to redirect the HTTP and HTTPS traffic arriving on the host-only adapter to mitmproxy’s listening port with two iptables NAT rules:

sudo iptables -t nat -A PREROUTING \
    -i vboxnet0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING \
    -i vboxnet0 -p tcp --dport 443 -j REDIRECT --to-port 8080

(8080 is the default port mitmproxy listens on. Only TCP ports 80 and 443 are redirected, and DNS is answered on the host by dnsmasq; any other traffic from the guest goes nowhere unless you additionally enable IP forwarding and a masquerade rule on the host.)
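The dnsmasq and iptables steps above, as an added example that is not part of the original article. It uses the article’s interface, addresses and mitmproxy port, checks that the DHCP range lies in the host-only subnet and does not include the host address before printing the dnsmasq configuration, and prints the two REDIRECT rules. The UPLINK_IF name (eth0) and the APPLY switch are assumptions made here; forward_rules is optional extra plumbing (IP forwarding plus masquerade) that the article does not use, needed only if the guest must reach ports other than 80 and 443.

```sh
#!/bin/sh
# Added example, not from the article: generate the dnsmasq configuration
# and the iptables rules for the host-only interface, after checking that
# the DHCP range and the host address really share one subnet. Uses the
# article's addresses and mitmproxy port; UPLINK_IF and the APPLY switch
# are assumptions made here (adjust UPLINK_IF to your internet-facing NIC).
set -u

HOSTONLY_IF="vboxnet0"
HOST_IP="192.168.56.1"
NETMASK="255.255.255.0"
DHCP_START="192.168.56.101"
DHCP_END="192.168.56.200"
PROXY_PORT=8080
UPLINK_IF="eth0"

# ip2int ADDR: print a dotted quad as a 32-bit integer
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# same_subnet ADDR1 ADDR2 NETMASK: succeed if both addresses are in one network
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# dnsmasq_conf: print /etc/dnsmasq.conf, refusing a DHCP range that leaves the
# host-only subnet, is reversed, or contains the host's own address
dnsmasq_conf() {
    for ip in "$DHCP_START" "$DHCP_END"; do
        same_subnet "$HOST_IP" "$ip" "$NETMASK" || {
            echo "error: $ip is not in the subnet of $HOST_IP/$NETMASK" >&2
            return 1
        }
    done
    h=$(ip2int "$HOST_IP"); s=$(ip2int "$DHCP_START"); e=$(ip2int "$DHCP_END")
    if [ "$s" -gt "$e" ] || { [ "$h" -ge "$s" ] && [ "$h" -le "$e" ]; }; then
        echo "error: bad DHCP range $DHCP_START-$DHCP_END (host is $HOST_IP)" >&2
        return 1
    fi
    cat <<EOF
domain-needed
bogus-priv
no-poll
interface=$HOSTONLY_IF
dhcp-range=$DHCP_START,$DHCP_END,96h
dhcp-option=option:router,$HOST_IP
dhcp-option=option:dns-server,$HOST_IP
EOF
}

# redirect_rules: the two NAT rules that hand guest HTTP/HTTPS to mitmproxy
redirect_rules() {
    for port in 80 443; do
        echo "iptables -t nat -A PREROUTING -i $HOSTONLY_IF -p tcp --dport $port -j REDIRECT --to-port $PROXY_PORT"
    done
}

# forward_rules: only needed if the guest must also reach ports other than
# 80/443; REDIRECT covers the proxied traffic and DNS is answered on the host
forward_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -o $UPLINK_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $HOSTONLY_IF -o $UPLINK_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $UPLINK_IF -o $HOSTONLY_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Side effects only when APPLY=1; otherwise just print what would be done.
if [ "${APPLY:-0}" = "1" ]; then
    dnsmasq_conf | sudo tee /etc/dnsmasq.conf >/dev/null && sudo systemctl restart dnsmasq
    redirect_rules | sed 's/^/sudo /' | sh
else
    dnsmasq_conf && redirect_rules && forward_rules
fi
```

Without APPLY=1 the script only prints the configuration and the rules, which is a convenient way to review them (or to diff against a running iptables -t nat -S) before changing anything on the host.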

At this point you should be able to open a browser in the guest system and load a website. If the site uses HTTPS you should get a certificate warning or error.

That’s the case because the certificate you are now receiving is generated on the fly by mitmproxy and signed by its own CA, which the guest doesn’t trust yet.

Any application that uses HTTPS should now fail to connect, as if the guest had no internet connectivity. If an application still works at this point that is a huge red flag: it means the application doesn’t verify the server certificate at all, so anyone on the network path could intercept it just as easily.

Trusting mitmproxy certificates

Now, in order to sniff the traffic you’ll want the applications to trust the certificates generated by mitmproxy. To accomplish that mitmproxy’s CA certificate has to be installed in the guest as a trusted root CA.

Open mitm.it in the guest’s browser (the page is served by mitmproxy itself, so it only appears while the traffic is being proxied), download the certificate for your platform and install it. See the mitmproxy certificate installation docs.

(On Windows make sure to install it for all users (local machine) and pick the certificate store yourself: place it into Trusted Root Certification Authorities. Otherwise applications still won’t trust the certificate.)

If everything worked out you should now be able to open an application, use it as usual and see its traffic appearing in mitmproxy on the host system. If an application keeps failing even though the CA is trusted, it most likely pins its certificate or ships its own trust store, and mitmproxy can’t intercept it without further work.

Thursday, December 31, 2015. Tags: Linux, Virtualbox, mitmproxy, dnsmasq