class WinDivertAsyncTestCase(BaseTestCase):
def setUp(self):
super(WinDivertAsyncTestCase, self).setUp()
# Initialize the fake tcp server
self.server = FakeTCPServerIPv4(("127.0.0.1", 0), EchoUpperTCPHandler)
filter = "outbound and tcp.DstPort == %d and tcp.PayloadLength > 0" % self.server.server_address[
1]
self.driver = WinDivert(os.path.join(self.driver_dir, "WinDivert.dll"))
self.driver.register()
self.handle = self.driver.open_handle(filter=filter)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
# Initialize the fake tcp client
self.text = "Hello World!"
self.client = FakeTCPClient(self.server.server_address,
self.text.encode("UTF-8"))
self.client_thread = threading.Thread(target=self.client.send)
self.client_thread.start()
def test_async_pass_through(self):
"""
"""
def callback(*args):
self.handle._send_async(*args)
if not self.handle.driver.is_legacy_driver():
for future in self.handle._receive_async(callback=callback):
if not future.is_complete():
pass
else:
break
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(),
self.client.response.decode("UTF-8"))
else:
self.assertRaises(MethodUnsupportedException,
self.handle._receive_async,
callback=callback)
def tearDown(self):
try:
self.handle.close()
except:
pass
self.server.shutdown()
self.server.server_close()
super(WinDivertAsyncTestCase, self).tearDown()
class WinDivertAsyncTestCase(BaseTestCase):
def setUp(self):
super(WinDivertAsyncTestCase, self).setUp()
# Initialize the fake tcp server
self.server = FakeTCPServerIPv4(("127.0.0.1", 0), EchoUpperTCPHandler)
filter = "outbound and tcp.DstPort == %d and tcp.PayloadLength > 0" % self.server.server_address[1]
self.driver = WinDivert(os.path.join(self.driver_dir, "WinDivert.dll"))
self.driver.register()
self.handle = self.driver.open_handle(filter=filter)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
# Initialize the fake tcp client
self.text = "Hello World!"
self.client = FakeTCPClient(self.server.server_address, self.text.encode("UTF-8"))
self.client_thread = threading.Thread(target=self.client.send)
self.client_thread.start()
def test_async_pass_through(self):
"""
"""
def callback(*args):
self.handle._send_async(*args)
if not self.handle.driver.is_legacy_driver():
for future in self.handle._receive_async(callback=callback):
if not future.is_complete():
pass
else:
break
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(), self.client.response.decode("UTF-8"))
else:
self.assertRaises(MethodUnsupportedException, self.handle._receive_async, callback=callback)
def tearDown(self):
try:
self.handle.close()
except:
pass
self.server.shutdown()
self.server.server_close()
super(WinDivertAsyncTestCase, self).tearDown()
class TransparentProxy(object):
"""
Transparent Windows Proxy for mitmproxy based on WinDivert/PyDivert.
Requires elevated (admin) privileges. Can be started separately by manually running the file.
This module can be used to intercept and redirect all traffic that is forwarded by the user's machine and
traffic sent from the machine itself.
How it works:
(1) First, we intercept all packages that match our filter (destination port 80 and 443 by default).
We both consider traffic that is forwarded by the OS (WinDivert's NETWORK_FORWARD layer) as well as traffic
sent from the local machine (WinDivert's NETWORK layer). In the case of traffic from the local machine, we need to
distinguish between traffc sent from applications and traffic sent from the proxy. To accomplish this, we use
Windows' GetTcpTable2 syscall to determine the source application's PID.
For each intercepted package, we
1. Store the source -> destination mapping (address and port)
2. Remove the package from the network (by not reinjecting it).
3. Re-inject the package into the local network stack, but with the destination address changed to the proxy.
(2) Next, the proxy receives the forwarded packet, but does not know the real destination yet (which we overwrote
with the proxy's address). On Linux, we would now call getsockopt(SO_ORIGINAL_DST), but that unfortunately doesn't
work on Windows. However, we still have the correct source information. As a workaround, we now access the forward
module's API (see APIRequestHandler), submit the source information and get the actual destination back (which the
forward module stored in (1.3)).
(3) The proxy now establish the upstream connection as usual.
(4) Finally, the proxy sends the response back to the client. To make it work, we need to change the packet's source
address back to the original destination (using the mapping from (1.3)), to which the client believes he is talking
to.
Limitations:
- No IPv6 support. (Pull Requests welcome)
- TCP ports do not get re-used simulateously on the client, i.e. the proxy will fail if application X
connects to example.com and example.org from 192.168.0.42:4242 simultaneously. This could be mitigated by
introducing unique "meta-addresses" which mitmproxy sees, but this would remove the correct client info from
mitmproxy.
"""
def __init__(
self,
mode="both",
redirect_ports=(80, 443),
custom_filter=None,
proxy_addr=False,
proxy_port=8080,
api_host="localhost",
api_port=PROXY_API_PORT,
cache_size=65536,
):
"""
:param mode: Redirection operation mode: "forward" to only redirect forwarded packets, "local" to only redirect
packets originating from the local machine, "both" to redirect both.
:param redirect_ports: if the destination port is in this tuple, the requests are redirected to the proxy.
:param custom_filter: specify a custom WinDivert filter to select packets that should be intercepted. Overrides
redirect_ports setting.
:param proxy_addr: IP address of the proxy (IP within a network, 127.0.0.1 does not work). By default,
this is detected automatically.
:param proxy_port: Port the proxy is listenting on.
:param api_host: Host the forward module API is listening on.
:param api_port: Port the forward module API is listening on.
:param cache_size: Maximum number of connection tuples that are stored. Only relevant in very high
load scenarios.
"""
if proxy_port in redirect_ports:
raise ValueError("The proxy port must not be a redirect port.")
if not proxy_addr:
# Auto-Detect local IP.
# https://stackoverflow.com/questions/166506/finding-local-ip-addresses-using-pythons-stdlib
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
proxy_addr = s.getsockname()[0]
s.close()
self.mode = mode
self.proxy_addr, self.proxy_port = proxy_addr, proxy_port
self.connection_cache_size = cache_size
self.client_server_map = OrderedDict()
self.api = APIServer(self, (api_host, api_port), APIRequestHandler)
self.api_thread = threading.Thread(target=self.api.serve_forever)
self.api_thread.daemon = True
self.driver = WinDivert()
self.driver.register()
self.request_filter = custom_filter or " or ".join(("tcp.DstPort == %d" % p) for p in redirect_ports)
self.request_forward_handle = None
self.request_forward_thread = threading.Thread(target=self.request_forward)
self.request_forward_thread.daemon = True
self.addr_pid_map = dict()
self.trusted_pids = set()
self.tcptable2 = MIB_TCPTABLE2(0)
self.tcptable2_size = DWORD(0)
self.request_local_handle = None
self.request_local_thread = threading.Thread(target=self.request_local)
self.request_local_thread.daemon = True
# The proxy server responds to the client. To the client,
# this response should look like it has been sent by the real target
self.response_filter = "outbound and tcp.SrcPort == %d" % proxy_port
self.response_handle = None
self.response_thread = threading.Thread(target=self.response)
self.response_thread.daemon = True
self.icmp_handle = None
@classmethod
def setup(cls):
# TODO: Make sure that server can be killed cleanly. That's a bit difficult as we don't have access to
# controller.should_exit when this is called.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_unavailable = s.connect_ex(("127.0.0.1", PROXY_API_PORT))
if server_unavailable:
proxifier = TransparentProxy()
proxifier.start()
def start(self):
self.api_thread.start()
# Block all ICMP requests (which are sent on Windows by default).
# In layman's terms: If we don't do this, our proxy machine tells the client that it can directly connect to the
# real gateway if they are on the same network.
self.icmp_handle = self.driver.open_handle(filter="icmp", layer=Layer.NETWORK, flags=Flag.DROP)
self.response_handle = self.driver.open_handle(filter=self.response_filter, layer=Layer.NETWORK)
self.response_thread.start()
if self.mode == "forward" or self.mode == "both":
self.request_forward_handle = self.driver.open_handle(
filter=self.request_filter, layer=Layer.NETWORK_FORWARD
)
self.request_forward_thread.start()
if self.mode == "local" or self.mode == "both":
self.request_local_handle = self.driver.open_handle(filter=self.request_filter, layer=Layer.NETWORK)
self.request_local_thread.start()
def shutdown(self):
if self.mode == "local" or self.mode == "both":
self.request_local_handle.close()
if self.mode == "forward" or self.mode == "both":
self.request_forward_handle.close()
self.response_handle.close()
self.icmp_handle.close()
self.api.shutdown()
def recv(self, handle):
"""
Convenience function that receives a packet from the passed handler and handles error codes.
If the process has been shut down, (None, None) is returned.
"""
try:
raw_packet, metadata = handle.recv()
return self.driver.parse_packet(raw_packet), metadata
except WindowsError, e:
if e.winerror == 995:
return None, None
else:
raise
class WinDivertTCPDataCaptureTestCase(BaseTestCase):
"""
Tests capturing TCP traffic with payload
"""
def setUp(self):
super(WinDivertTCPDataCaptureTestCase, self).setUp()
# Initialize the fake tcp server
self.server = FakeTCPServerIPv4(("127.0.0.1", 0), EchoUpperTCPHandler)
filter = "outbound and tcp.DstPort == %d and tcp.PayloadLength > 0" % self.server.server_address[
1]
self.driver = WinDivert(os.path.join(self.driver_dir, "WinDivert.dll"))
self.driver.register()
self.handle = self.driver.open_handle(filter=filter)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
# Initialize the fake tcp client
self.text = "Hello World!"
self.client = FakeTCPClient(self.server.server_address,
self.text.encode("UTF-8"))
self.client_thread = threading.Thread(target=self.client.send)
self.client_thread.start()
def test_packet_metadata(self):
"""
Tests if metadata is right
"""
raw_packet, metadata = self.handle.recv()
self.assertTrue(metadata.is_outbound())
self.assertTrue(metadata.is_loopback())
def test_pass_through_tuple(self):
"""
Tests receiving and resending data
"""
self.handle.send(self.handle.recv())
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(),
self.client.response.decode("UTF-8"))
def test_pass_through_no_tuple(self):
"""
Tests receiving and resending data. Sends using 2 arguments instead of tuple
"""
raw_packet, meta = self.handle.recv()
self.handle.send(raw_packet, meta)
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(),
self.client.response.decode("UTF-8"))
def test_pass_through_packet(self):
"""
Tests receiving and resending data. Sends using an higher level packet object
"""
self.handle.send(self.handle.receive())
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(),
self.client.response.decode("UTF-8"))
def test_parse_packet(self):
"""
Tests parsing packets to intercept the payload
"""
raw_packet, metadata = self.handle.recv()
packet = self.driver.parse_packet(raw_packet)
self.assertEqual("{}:{}".format(packet.dst_addr, packet.dst_port),
"{}:{}".format(*self.server.server_address))
self.assertEqual(self.text.encode("UTF-8"), packet.payload)
def test_parse_packet_meta(self):
"""
Tests parsing packets to intercept the payload and store meta in result
"""
raw_packet, metadata = self.handle.recv()
packet = self.driver.parse_packet(raw_packet, metadata)
self.assertEqual("%s:%d" % (packet.dst_addr, packet.dst_port),
"%s:%d" % self.server.server_address)
self.assertEqual(self.text.encode("UTF-8"), packet.payload)
self.assertEqual(packet.meta, metadata)
def test_dump_data(self):
"""
Tests receiving, print and resending data
"""
raw_packet, metadata = self.handle.recv()
packet = self.handle.driver.parse_packet(raw_packet)
self.assertEqual(raw_packet[len(packet.payload) * -1:],
packet.raw[len(packet.payload) * -1:])
self.handle.send((raw_packet, metadata))
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(),
self.client.response.decode("UTF-8"))
def test_raw_packet_from_captured(self):
"""
Tests reconstructing raw packet from a captured one
"""
raw_packet1, metadata = self.handle.recv()
packet = self.handle.driver.parse_packet(raw_packet1)
raw_packet2 = packet.raw
self.assertEqual(hexlify(raw_packet1), hexlify(raw_packet2))
def test_raw_packet_len(self):
"""
Tests reconstructing raw packet from a captured and modified one
"""
raw_packet1, metadata = self.handle.recv()
packet1 = self.handle.driver.parse_packet(raw_packet1)
packet1.dst_port = 80
packet1.dst_addr = "10.10.10.10"
raw_packet2 = packet1.raw
self.assertEqual(len(raw_packet1), len(raw_packet2))
def test_packet_checksum(self):
"""
Tests checksum without changes
"""
raw_packet1, metadata = self.handle.recv()
raw_packet2 = self.handle.driver.calc_checksums(raw_packet1)
self.assertEqual(hexlify(raw_packet1), hexlify(raw_packet2))
def test_packet_checksum_recalc(self):
"""
Tests checksum with changes
"""
raw_packet1, metadata = self.handle.recv()
packet = self.handle.driver.parse_packet(raw_packet1)
packet.dst_port = 80
packet.dst_addr = "10.10.10.10"
raw_packet2 = self.handle.driver.calc_checksums(packet.raw)
self.assertNotEqual(hexlify(raw_packet1), hexlify(raw_packet2))
def test_packet_reconstruct_checksummed(self):
"""
Tests reconstruction of a packet after checksum calculation
"""
raw_packet1, metadata = self.handle.recv()
packet1 = self.handle.driver.parse_packet(raw_packet1)
packet1.dst_port = 80
packet1.dst_addr = "10.10.10.10"
raw_packet2 = self.handle.driver.calc_checksums(packet1.raw)
packet2 = self.handle.driver.parse_packet(raw_packet2)
self.assertEqual(packet1.dst_port, packet2.dst_port)
self.assertEqual(packet1.dst_addr, packet2.dst_addr)
self.assertNotEqual(hexlify(raw_packet1), hexlify(raw_packet2))
self.assertEqual(len(raw_packet1), len(packet2.raw))
def test_packet_to_string(self):
"""
Tests string conversions
"""
packet = self.handle.receive()
self.assertIn(str(packet.tcp_hdr), str(packet))
self.assertIn(str(packet.ipv4_hdr), str(packet))
self.assertEqual(packet.tcp_hdr.raw.decode("UTF-8"),
repr(packet.tcp_hdr))
self.handle.send(packet)
def test_packet_repr(self):
"""
Tests repr conversion
"""
packet = self.handle.receive()
self.assertEqual(repr(packet), hexlify(packet.raw).decode("UTF-8"))
self.handle.send(packet)
def test_modify_address(self):
"""
Tests address changing
"""
packet = self.handle.receive()
current = packet.ipv4_hdr.DstAddr
packet.dst_addr = "10.0.2.15"
self.assertEqual(packet.ipv4_hdr.DstAddr, 251789322)
packet.ipv4_hdr.DstAddr = current
self.assertEqual(packet.dst_addr, "127.0.0.1")
self.handle.send(packet)
def test_modify_port(self):
"""
Tests port changing
"""
packet = self.handle.receive()
current = packet.tcp_hdr.DstPort
packet.dst_port = 23
self.assertEqual(packet.tcp_hdr.DstPort, 5888)
packet.tcp_hdr.DstPort = current
self.assertEqual(packet.dst_port, self.server.server_address[1])
self.handle.send(packet)
def test_send_wrong_args(self):
"""
Tests send with wrong number of arguments
"""
packet = self.handle.receive()
self.assertRaises(ValueError, self.handle.send, "test")
def tearDown(self):
try:
self.handle.close()
except Exception as e:
pass
self.server.shutdown()
self.server.server_close()
super(WinDivertTCPDataCaptureTestCase, self).tearDown()
class TransparentProxy(object):
"""
Transparent Windows Proxy for mitmproxy based on WinDivert/PyDivert.
Requires elevated (admin) privileges. Can be started separately by manually running the file.
This module can be used to intercept and redirect all traffic that is forwarded by the user's machine.
This does NOT include traffic sent from the machine itself, which cannot be accomplished by this approach for
technical reasons (we cannot distinguish between requests made by the proxy or by regular applications. Altering the
destination the proxy is seeing to some meta address does not work with TLS as the address doesn't match the
signature.)
How it works:
(1) First, we intercept all packages that are forwarded by the OS (WinDivert's NETWORK_FORWARD layer) and whose
destination port matches our filter (80 and 443 by default).
For each intercepted package, we
1. Store the source -> destination mapping (address and port)
2. Remove the package from the network (by not reinjecting it).
3. Re-inject the package into the local network stack, but with the destination address changed to the proxy.
(2) Next, the proxy receives the forwarded packet, but does not know the real destination yet (which we overwrote
with the proxy's address). On Linux, we would now call getsockopt(SO_ORIGINAL_DST), but that unfortunately doesn't
work on Windows. However, we still have the correct source information. As a workaround, we now access the forward
module's API (see APIRequestHandler), submit the source information and get the actual destination back (which the
forward module stored in (1.3)).
(3) The proxy now establish the upstream connection as usual.
(4) Finally, the proxy sends the response back to the client. To make it work, we need to change the packet's source
address back to the original destination (using the mapping from (1.3)), to which the client believes he is talking
to.
"""
def __init__(self,
redirect_ports=(80, 443),
proxy_addr=False, proxy_port=8080,
api_host="localhost", api_port=PROXY_API_PORT,
cache_size=65536):
"""
:param redirect_ports: if the destination port is in this tuple, the requests are redirected to the proxy.
:param proxy_addr: IP address of the proxy (IP within a network, 127.0.0.1 does not work). By default,
this is detected automatically.
:param proxy_port: Port the proxy is listenting on.
:param api_host: Host the forward module API is listening on.
:param api_port: Port the forward module API is listening on.
:param cache_size: Maximum number of connection tuples that are stored. Only relevant in very high
load scenarios.
"""
if not proxy_addr:
# Auto-Detect local IP.
# https://stackoverflow.com/questions/166506/finding-local-ip-addresses-using-pythons-stdlib
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
proxy_addr = s.getsockname()[0]
s.close()
self.client_server_map = OrderedDict()
self.proxy_addr, self.proxy_port = proxy_addr, proxy_port
self.connection_cache_size = cache_size
self.api_server = APIServer((api_host, api_port), APIRequestHandler)
self.api_server.proxifier = self
self.api_server_thread = threading.Thread(target=self.api_server.serve_forever)
self.api_server_thread.daemon = True
arch = "amd64" if platform.architecture()[0] == "64bit" else "x86"
self.driver = WinDivert(os.path.join(os.path.dirname(__file__), "..", "contrib",
"windivert", arch, "WinDivert.dll"))
self.driver.register()
filter_forward = " or ".join(
("tcp.DstPort == %d" % p) for p in redirect_ports)
self.handle_forward = self.driver.open_handle(filter=filter_forward, layer=Layer.NETWORK_FORWARD)
self.forward_thread = threading.Thread(target=self.redirect)
self.forward_thread.daemon = True
filter_local = "outbound and tcp.SrcPort == %d" % proxy_port
self.handle_local = self.driver.open_handle(filter=filter_local, layer=Layer.NETWORK)
self.local_thread = threading.Thread(target=self.adjust_source)
self.local_thread.daemon = True
self.handle_icmp = self.driver.open_handle(filter="icmp", layer=Layer.NETWORK, flags=Flag.DROP)
@classmethod
def setup(cls, options):
# TODO: Make sure that server can be killed cleanly. That's a bit difficult as we don't have access to
# controller.should_exit when this is called.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_unavailable = s.connect_ex(("127.0.0.1", PROXY_API_PORT))
if server_unavailable:
proxifier = TransparentProxy(proxy_addr=options.addr, proxy_port=options.port)
proxifier.start()
def start(self):
self.api_server_thread.start()
self.local_thread.start()
self.forward_thread.start()
def shutdown(self):
self.handle_forward.close()
self.handle_local.close()
self.handle_icmp.close()
self.api_server.shutdown()
def recv(self, handle):
"""
Convenience function that receives a packet from the passed handler and handles error codes.
If the process has been shut down, (None, None) is returned.
"""
try:
raw_packet, metadata = handle.recv()
return self.driver.parse_packet(raw_packet), metadata
except WindowsError, e:
if e.winerror == 995:
return None, None
else:
raise e
class TransparentProxy(object):
"""
Transparent Windows Proxy for mitmproxy based on WinDivert/PyDivert.
Requires elevated (admin) privileges. Can be started separately by manually running the file.
This module can be used to intercept and redirect all traffic that is forwarded by the user's machine and
traffic sent from the machine itself.
How it works:
(1) First, we intercept all packages that match our filter (destination port 80 and 443 by default).
We both consider traffic that is forwarded by the OS (WinDivert's NETWORK_FORWARD layer) as well as traffic
sent from the local machine (WinDivert's NETWORK layer). In the case of traffic from the local machine, we need to
distinguish between traffc sent from applications and traffic sent from the proxy. To accomplish this, we use
Windows' GetTcpTable2 syscall to determine the source application's PID.
For each intercepted package, we
1. Store the source -> destination mapping (address and port)
2. Remove the package from the network (by not reinjecting it).
3. Re-inject the package into the local network stack, but with the destination address changed to the proxy.
(2) Next, the proxy receives the forwarded packet, but does not know the real destination yet (which we overwrote
with the proxy's address). On Linux, we would now call getsockopt(SO_ORIGINAL_DST), but that unfortunately doesn't
work on Windows. However, we still have the correct source information. As a workaround, we now access the forward
module's API (see APIRequestHandler), submit the source information and get the actual destination back (which the
forward module stored in (1.3)).
(3) The proxy now establish the upstream connection as usual.
(4) Finally, the proxy sends the response back to the client. To make it work, we need to change the packet's source
address back to the original destination (using the mapping from (1.3)), to which the client believes he is talking
to.
Limitations:
- No IPv6 support. (Pull Requests welcome)
- TCP ports do not get re-used simulateously on the client, i.e. the proxy will fail if application X
connects to example.com and example.org from 192.168.0.42:4242 simultaneously. This could be mitigated by
introducing unique "meta-addresses" which mitmproxy sees, but this would remove the correct client info from
mitmproxy.
"""
def __init__(self,
mode="both",
redirect_ports=(80, 443), custom_filter=None,
proxy_addr=False, proxy_port=8080,
api_host="localhost", api_port=PROXY_API_PORT,
cache_size=65536):
"""
:param mode: Redirection operation mode: "forward" to only redirect forwarded packets, "local" to only redirect
packets originating from the local machine, "both" to redirect both.
:param redirect_ports: if the destination port is in this tuple, the requests are redirected to the proxy.
:param custom_filter: specify a custom WinDivert filter to select packets that should be intercepted. Overrides
redirect_ports setting.
:param proxy_addr: IP address of the proxy (IP within a network, 127.0.0.1 does not work). By default,
this is detected automatically.
:param proxy_port: Port the proxy is listenting on.
:param api_host: Host the forward module API is listening on.
:param api_port: Port the forward module API is listening on.
:param cache_size: Maximum number of connection tuples that are stored. Only relevant in very high
load scenarios.
"""
if proxy_port in redirect_ports:
raise ValueError("The proxy port must not be a redirect port.")
if not proxy_addr:
# Auto-Detect local IP.
# https://stackoverflow.com/questions/166506/finding-local-ip-addresses-using-pythons-stdlib
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
proxy_addr = s.getsockname()[0]
s.close()
self.mode = mode
self.proxy_addr, self.proxy_port = proxy_addr, proxy_port
self.connection_cache_size = cache_size
self.client_server_map = OrderedDict()
self.api = APIServer(self, (api_host, api_port), APIRequestHandler)
self.api_thread = threading.Thread(target=self.api.serve_forever)
self.api_thread.daemon = True
self.driver = WinDivert()
self.driver.register()
self.request_filter = custom_filter or " or ".join(
("tcp.DstPort == %d" %
p) for p in redirect_ports)
self.request_forward_handle = None
self.request_forward_thread = threading.Thread(
target=self.request_forward)
self.request_forward_thread.daemon = True
self.addr_pid_map = dict()
self.trusted_pids = set()
self.tcptable2 = MIB_TCPTABLE2(0)
self.tcptable2_size = DWORD(0)
self.request_local_handle = None
self.request_local_thread = threading.Thread(target=self.request_local)
self.request_local_thread.daemon = True
# The proxy server responds to the client. To the client,
# this response should look like it has been sent by the real target
self.response_filter = "outbound and tcp.SrcPort == %d" % proxy_port
self.response_handle = None
self.response_thread = threading.Thread(target=self.response)
self.response_thread.daemon = True
self.icmp_handle = None
@classmethod
def setup(cls):
# TODO: Make sure that server can be killed cleanly. That's a bit difficult as we don't have access to
# controller.should_exit when this is called.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_unavailable = s.connect_ex(("127.0.0.1", PROXY_API_PORT))
if server_unavailable:
proxifier = TransparentProxy()
proxifier.start()
def start(self):
self.api_thread.start()
# Block all ICMP requests (which are sent on Windows by default).
# In layman's terms: If we don't do this, our proxy machine tells the client that it can directly connect to the
# real gateway if they are on the same network.
self.icmp_handle = self.driver.open_handle(
filter="icmp",
layer=Layer.NETWORK,
flags=Flag.DROP)
self.response_handle = self.driver.open_handle(
filter=self.response_filter,
layer=Layer.NETWORK)
self.response_thread.start()
if self.mode == "forward" or self.mode == "both":
self.request_forward_handle = self.driver.open_handle(
filter=self.request_filter,
layer=Layer.NETWORK_FORWARD)
self.request_forward_thread.start()
if self.mode == "local" or self.mode == "both":
self.request_local_handle = self.driver.open_handle(
filter=self.request_filter,
layer=Layer.NETWORK)
self.request_local_thread.start()
def shutdown(self):
if self.mode == "local" or self.mode == "both":
self.request_local_handle.close()
if self.mode == "forward" or self.mode == "both":
self.request_forward_handle.close()
self.response_handle.close()
self.icmp_handle.close()
self.api.shutdown()
def recv(self, handle):
"""
Convenience function that receives a packet from the passed handler and handles error codes.
If the process has been shut down, (None, None) is returned.
"""
try:
raw_packet, metadata = handle.recv()
return self.driver.parse_packet(raw_packet), metadata
except WindowsError as e:
if e.winerror == 995:
return None, None
else:
raise
def fetch_pids(self):
ret = windll.iphlpapi.GetTcpTable2(
byref(
self.tcptable2), byref(
self.tcptable2_size), 0)
if ret == ERROR_INSUFFICIENT_BUFFER:
self.tcptable2 = MIB_TCPTABLE2(self.tcptable2_size.value)
self.fetch_pids()
elif ret == 0:
for row in self.tcptable2.table[:self.tcptable2.dwNumEntries]:
local = (
socket.inet_ntoa(struct.pack('L', row.dwLocalAddr)),
socket.htons(row.dwLocalPort)
)
self.addr_pid_map[local] = row.dwOwningPid
else:
raise RuntimeError("Unknown GetTcpTable2 return code: %s" % ret)
def request_local(self):
while True:
packet, metadata = self.recv(self.request_local_handle)
if not packet:
return
client = (packet.src_addr, packet.src_port)
if client not in self.addr_pid_map:
self.fetch_pids()
# If this fails, we most likely have a connection from an external client to
# a local server on 80/443. In this, case we always want to proxy
# the request.
pid = self.addr_pid_map.get(client, None)
if pid not in self.trusted_pids:
self._request(packet, metadata)
else:
self.request_local_handle.send((packet.raw, metadata))
def request_forward(self):
"""
Redirect packages to the proxy
"""
while True:
packet, metadata = self.recv(self.request_forward_handle)
if not packet:
return
self._request(packet, metadata)
def _request(self, packet, metadata):
# print(" * Redirect client -> server to proxy")
# print("%s:%s -> %s:%s" % (packet.src_addr, packet.src_port, packet.dst_addr, packet.dst_port))
client = (packet.src_addr, packet.src_port)
server = (packet.dst_addr, packet.dst_port)
if client in self.client_server_map:
# Force re-add to mark as "newest" entry in the dict.
del self.client_server_map[client]
while len(self.client_server_map) > self.connection_cache_size:
self.client_server_map.popitem(False)
self.client_server_map[client] = server
packet.dst_addr, packet.dst_port = self.proxy_addr, self.proxy_port
metadata.direction = Direction.INBOUND
packet = self.driver.update_packet_checksums(packet)
# Use any handle thats on the NETWORK layer - request_local may be
# unavailable.
self.response_handle.send((packet.raw, metadata))
def response(self):
"""
Spoof source address of packets send from the proxy to the client
"""
while True:
packet, metadata = self.recv(self.response_handle)
if not packet:
return
# If the proxy responds to the client, let the client believe the target server sent the packets.
# print(" * Adjust proxy -> client")
client = (packet.dst_addr, packet.dst_port)
server = self.client_server_map.get(client, None)
if server:
packet.src_addr, packet.src_port = server
else:
print("Warning: Previously unseen connection from proxy to %s:%s." % client)
packet = self.driver.update_packet_checksums(packet)
self.response_handle.send((packet.raw, metadata))
class WinDivertTCPDataCaptureTestCase(BaseTestCase):
"""
Tests capturing TCP traffic with payload
"""
def setUp(self):
super(WinDivertTCPDataCaptureTestCase, self).setUp()
# Initialize the fake tcp server
self.server = FakeTCPServerIPv4(("127.0.0.1", 0), EchoUpperTCPHandler)
filter = "outbound and tcp.DstPort == %d and tcp.PayloadLength > 0" % self.server.server_address[1]
self.driver = WinDivert(os.path.join(self.driver_dir, "WinDivert.dll"))
self.driver.register()
self.handle = self.driver.open_handle(filter=filter)
self.server_thread = threading.Thread(target=self.server.serve_forever)
self.server_thread.start()
# Initialize the fake tcp client
self.text = "Hello World!"
self.client = FakeTCPClient(self.server.server_address, self.text.encode("UTF-8"))
self.client_thread = threading.Thread(target=self.client.send)
self.client_thread.start()
def test_packet_metadata(self):
"""
Tests if metadata is right
"""
raw_packet, metadata = self.handle.recv()
self.assertTrue(metadata.is_outbound())
self.assertTrue(metadata.is_loopback())
def test_pass_through_tuple(self):
"""
Tests receiving and resending data
"""
self.handle.send(self.handle.recv())
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(), self.client.response.decode("UTF-8"))
def test_pass_through_no_tuple(self):
"""
Tests receiving and resending data. Sends using 2 arguments instead of tuple
"""
raw_packet, meta = self.handle.recv()
self.handle.send(raw_packet, meta)
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(), self.client.response.decode("UTF-8"))
def test_pass_through_packet(self):
"""
Tests receiving and resending data. Sends using an higher level packet object
"""
self.handle.send(self.handle.receive())
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(), self.client.response.decode("UTF-8"))
def test_parse_packet(self):
"""
Tests parsing packets to intercept the payload
"""
raw_packet, metadata = self.handle.recv()
packet = self.driver.parse_packet(raw_packet)
self.assertEqual("{}:{}".format(packet.dst_addr, packet.dst_port),
"{}:{}".format(*self.server.server_address))
self.assertEqual(self.text.encode("UTF-8"), packet.payload)
def test_parse_packet_meta(self):
"""
Tests parsing packets to intercept the payload and store meta in result
"""
raw_packet, metadata = self.handle.recv()
packet = self.driver.parse_packet(raw_packet, metadata)
self.assertEqual("%s:%d" % (packet.dst_addr, packet.dst_port),
"%s:%d" % self.server.server_address)
self.assertEqual(self.text.encode("UTF-8"), packet.payload)
self.assertEqual(packet.meta, metadata)
def test_dump_data(self):
"""
Tests receiving, print and resending data
"""
raw_packet, metadata = self.handle.recv()
packet = self.handle.driver.parse_packet(raw_packet)
self.assertEqual(raw_packet[len(packet.payload) * -1:],
packet.raw[len(packet.payload) * -1:])
self.handle.send((raw_packet, metadata))
self.client_thread.join(timeout=10)
self.assertEqual(self.text.upper(), self.client.response.decode("UTF-8"))
def test_raw_packet_from_captured(self):
"""
Tests reconstructing raw packet from a captured one
"""
raw_packet1, metadata = self.handle.recv()
packet = self.handle.driver.parse_packet(raw_packet1)
raw_packet2 = packet.raw
self.assertEqual(hexlify(raw_packet1), hexlify(raw_packet2))
def test_raw_packet_len(self):
"""
Tests reconstructing raw packet from a captured and modified one
"""
raw_packet1, metadata = self.handle.recv()
packet1 = self.handle.driver.parse_packet(raw_packet1)
packet1.dst_port = 80
packet1.dst_addr = "10.10.10.10"
raw_packet2 = packet1.raw
self.assertEqual(len(raw_packet1), len(raw_packet2))
def test_packet_checksum(self):
"""
Tests checksum without changes
"""
raw_packet1, metadata = self.handle.recv()
raw_packet2 = self.handle.driver.calc_checksums(raw_packet1)
self.assertEqual(hexlify(raw_packet1), hexlify(raw_packet2))
def test_packet_checksum_recalc(self):
"""
Tests checksum with changes
"""
raw_packet1, metadata = self.handle.recv()
packet = self.handle.driver.parse_packet(raw_packet1)
packet.dst_port = 80
packet.dst_addr = "10.10.10.10"
raw_packet2 = self.handle.driver.calc_checksums(packet.raw)
self.assertNotEqual(hexlify(raw_packet1), hexlify(raw_packet2))
def test_packet_reconstruct_checksummed(self):
"""
Tests reconstruction of a packet after checksum calculation
"""
raw_packet1, metadata = self.handle.recv()
packet1 = self.handle.driver.parse_packet(raw_packet1)
packet1.dst_port = 80
packet1.dst_addr = "10.10.10.10"
raw_packet2 = self.handle.driver.calc_checksums(packet1.raw)
packet2 = self.handle.driver.parse_packet(raw_packet2)
self.assertEqual(packet1.dst_port, packet2.dst_port)
self.assertEqual(packet1.dst_addr, packet2.dst_addr)
self.assertNotEqual(hexlify(raw_packet1), hexlify(raw_packet2))
self.assertEqual(len(raw_packet1), len(packet2.raw))
def test_packet_to_string(self):
"""
Tests string conversions
"""
packet = self.handle.receive()
self.assertIn(str(packet.tcp_hdr), str(packet))
self.assertIn(str(packet.ipv4_hdr), str(packet))
self.assertEqual(packet.tcp_hdr.raw.decode("UTF-8"), repr(packet.tcp_hdr))
self.handle.send(packet)
def test_packet_repr(self):
"""
Tests repr conversion
"""
packet = self.handle.receive()
self.assertEqual(repr(packet), hexlify(packet.raw).decode("UTF-8"))
self.handle.send(packet)
def test_modify_address(self):
"""
Tests address changing
"""
packet = self.handle.receive()
current = packet.ipv4_hdr.DstAddr
packet.dst_addr = "10.0.2.15"
self.assertEqual(packet.ipv4_hdr.DstAddr, 251789322)
packet.ipv4_hdr.DstAddr = current
self.assertEqual(packet.dst_addr, "127.0.0.1")
self.handle.send(packet)
def test_modify_port(self):
"""
Tests port changing
"""
packet = self.handle.receive()
current = packet.tcp_hdr.DstPort
packet.dst_port = 23
self.assertEqual(packet.tcp_hdr.DstPort, 5888)
packet.tcp_hdr.DstPort = current
self.assertEqual(packet.dst_port, self.server.server_address[1])
self.handle.send(packet)
def test_send_wrong_args(self):
"""
Tests send with wrong number of arguments
"""
packet = self.handle.receive()
self.assertRaises(ValueError, self.handle.send, "test")
def tearDown(self):
try:
self.handle.close()
except Exception as e:
pass
self.server.shutdown()
self.server.server_close()
super(WinDivertTCPDataCaptureTestCase, self).tearDown()
class TransparentProxy(object):
"""
Transparent Windows Proxy for mitmproxy based on WinDivert/PyDivert.
Requires elevated (admin) privileges. Can be started separately by manually running the file.
This module can be used to intercept and redirect all traffic that is forwarded by the user's machine.
This does NOT include traffic sent from the machine itself, which cannot be accomplished by this approach for
technical reasons (we cannot distinguish between requests made by the proxy or by regular applications. Altering the
destination the proxy is seeing to some meta address does not work with TLS as the address doesn't match the
signature.)
How it works:
(1) First, we intercept all packages that are forwarded by the OS (WinDivert's NETWORK_FORWARD layer) and whose
destination port matches our filter (80 and 443 by default).
For each intercepted package, we
1. Store the source -> destination mapping (address and port)
2. Remove the package from the network (by not reinjecting it).
3. Re-inject the package into the local network stack, but with the destination address changed to the proxy.
(2) Next, the proxy receives the forwarded packet, but does not know the real destination yet (which we overwrote
with the proxy's address). On Linux, we would now call getsockopt(SO_ORIGINAL_DST), but that unfortunately doesn't
work on Windows. However, we still have the correct source information. As a workaround, we now access the forward
module's API (see APIRequestHandler), submit the source information and get the actual destination back (which the
forward module stored in (1.3)).
(3) The proxy now establish the upstream connection as usual.
(4) Finally, the proxy sends the response back to the client. To make it work, we need to change the packet's source
address back to the original destination (using the mapping from (1.3)), to which the client believes he is talking
to.
"""
def __init__(self,
redirect_ports=(80, 443),
proxy_addr=False, proxy_port=8080,
api_host="localhost", api_port=PROXY_API_PORT,
cache_size=65536):
"""
:param redirect_ports: if the destination port is in this tuple, the requests are redirected to the proxy.
:param proxy_addr: IP address of the proxy (IP within a network, 127.0.0.1 does not work). By default,
this is detected automatically.
:param proxy_port: Port the proxy is listenting on.
:param api_host: Host the forward module API is listening on.
:param api_port: Port the forward module API is listening on.
:param cache_size: Maximum number of connection tuples that are stored. Only relevant in very high
load scenarios.
"""
if not proxy_addr:
# Auto-Detect local IP.
# https://stackoverflow.com/questions/166506/finding-local-ip-addresses-using-pythons-stdlib
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("8.8.8.8", 80))
proxy_addr = s.getsockname()[0]
s.close()
self.client_server_map = OrderedDict()
self.proxy_addr, self.proxy_port = proxy_addr, proxy_port
self.connection_cache_size = cache_size
self.api_server = APIServer((api_host, api_port), APIRequestHandler)
self.api_server.proxifier = self
self.api_server_thread = threading.Thread(target=self.api_server.serve_forever)
self.api_server_thread.daemon = True
arch = "amd64" if platform.architecture()[0] == "64bit" else "x86"
self.driver = WinDivert(os.path.join(os.path.dirname(__file__), "..", "contrib",
"windivert", arch, "WinDivert.dll"))
self.driver.register()
filter_forward = " or ".join(
("tcp.DstPort == %d" % p) for p in redirect_ports)
self.handle_forward = self.driver.open_handle(filter=filter_forward, layer=Layer.NETWORK_FORWARD)
self.forward_thread = threading.Thread(target=self.redirect)
self.forward_thread.daemon = True
filter_local = "outbound and tcp.SrcPort == %d" % proxy_port
self.handle_local = self.driver.open_handle(filter=filter_local, layer=Layer.NETWORK)
self.local_thread = threading.Thread(target=self.adjust_source)
self.local_thread.daemon = True
self.handle_icmp = self.driver.open_handle(filter="icmp", layer=Layer.NETWORK, flags=Flag.DROP)
@classmethod
def setup(cls):
# TODO: Make sure that server can be killed cleanly. That's a bit difficult as we don't have access to
# controller.should_exit when this is called.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server_unavailable = s.connect_ex(("127.0.0.1", PROXY_API_PORT))
if server_unavailable:
proxifier = TransparentProxy()
proxifier.start()
def start(self):
self.api_server_thread.start()
self.local_thread.start()
self.forward_thread.start()
def shutdown(self):
self.handle_forward.close()
self.handle_local.close()
self.handle_icmp.close()
self.api_server.shutdown()
def recv(self, handle):
"""
Convenience function that receives a packet from the passed handler and handles error codes.
If the process has been shut down, (None, None) is returned.
"""
try:
raw_packet, metadata = handle.recv()
return self.driver.parse_packet(raw_packet), metadata
except WindowsError, e:
if e.winerror == 995:
return None, None
else:
raise