What is MITM? How to Intercept HTTPS Traffic using MITM Proxy?

In this tutorial, I’ll illustrate HTTPS traffic interception using MITM Proxy, i.e., the Man-in-the-Middle Proxy.

Normally, HTTPS encrypts all HTTP traffic, meaning we cannot see the content of the traffic in clear text.

Using MITM Proxy we can intercept HTTPS traffic and read it in clear text, provided the client accepts the proxy’s certificate.

Before we dive in, let’s understand MITM, MITM Proxy and its workflow.

What is MITM (Man In The Middle)?

In cryptography and computer security, a man-in-the-middle, monster-in-the-middle, machine-in-the-middle or person-in-the-middle attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other.

What is MITM Proxy?

  • MITM Proxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing.
  • It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols.
  • You can prettify and decode a variety of message types ranging from HTML to Protobuf, intercept specific messages on-the-fly, modify them before they reach their destination, and replay them to a client or server later on.

Work Flow of MITM Proxy

There are two types of MITM Proxy workflow:

i. Explicit

ii. Transparent

These are explained below.

i. Explicit Proxy

In an explicit proxy configuration, the client (browser) is explicitly configured to use a proxy server, meaning the browser knows that all requests will go through a proxy. The browser is given the IP address and port number of the proxy service.

You could also use a Proxy Auto-Configuration (PAC) file to configure the browser to download the proxy settings from a Web server. When a user makes a request, the browser connects to the proxy service and sends the request.

The disadvantage to explicit proxy is that each desktop must be properly configured to use the proxy, which might not be feasible in a large organization.

As shown in the above image, the client is deliberately configured to use the proxy.
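To make the explicit workflow concrete, here is an added example (my own illustration, not code from this tutorial or from the mitmproxy project) of the CONNECT exchange a browser performs once it is pointed at a proxy for HTTPS: the browser sends "CONNECT host:443", the proxy answers "200 Connection Established", and the browser then runs its TLS handshake inside that tunnel. The origin server, port numbers and payload are constructed for the demo, everything runs over loopback, and mitmproxy itself is not used.

```python
# Added example, not code from the tutorial or the mitmproxy project: a minimal
# explicit proxy that speaks the HTTP CONNECT method, run entirely over loopback.
# The origin server, ports and payload are constructed for the demo; mitmproxy
# itself is not used here.
import socket
import threading

TIMEOUT = 5  # seconds; keeps the demo from hanging on a stuck connection

def _pump(src, dst):
    """Relay bytes from src to dst until src closes, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _read_head(sock):
    """Read an HTTP message head up to the blank line; return (head, leftover)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before the head was complete")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest

def handle_proxy_client(conn):
    """Serve one explicitly configured client: validate CONNECT, dial upstream, relay."""
    with conn:
        conn.settimeout(TIMEOUT)
        head, rest = _read_head(conn)
        parts = head.split(b"\r\n")[0].decode("latin-1").split(" ")
        if len(parts) != 3 or parts[0] != "CONNECT":
            conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n")
            return
        host, _, port = parts[1].rpartition(":")
        try:
            upstream = socket.create_connection((host, int(port)), timeout=TIMEOUT)
        except (OSError, ValueError):
            conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
            return
        with upstream:
            conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            # From here the browser would start TLS. This blind tunnel just relays
            # the bytes; an intercepting proxy such as mitmproxy would answer the
            # handshake itself with a certificate signed by its own CA.
            if rest:  # bytes the client sent early already belong to the tunnel
                upstream.sendall(rest)
            threading.Thread(target=_pump, args=(conn, upstream), daemon=True).start()
            _pump(upstream, conn)

def handle_origin(conn):
    """Stand-in origin server: answer the first message with a prefix, then close."""
    with conn:
        conn.settimeout(TIMEOUT)
        data = conn.recv(4096)
        if data:
            conn.sendall(b"ORIGIN:" + data)

def serve(handler):
    """Listen on an ephemeral loopback port; handle each client in a daemon thread."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    def loop():
        while True:
            threading.Thread(target=handler, args=(listener.accept()[0],), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

def connect_via_proxy(proxy_port, host, port, payload, method="CONNECT"):
    """Act as the explicitly configured client. Returns (status line, origin reply)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=TIMEOUT) as s:
        s.sendall(f"{method} {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        head, rest = _read_head(s)
        status = head.split(b"\r\n")[0].decode("latin-1")
        if not status.startswith("HTTP/1.1 200"):
            return status, b""
        s.sendall(payload)  # in a real browser this would be the TLS ClientHello
        chunks = [rest]
        while data := s.recv(4096):
            chunks.append(data)
        return status, b"".join(chunks)

def demo():
    """Wire origin -> proxy -> client on loopback; return (tunneled, refused) results."""
    origin_port = serve(handle_origin)
    proxy_port = serve(handle_proxy_client)
    tunneled = connect_via_proxy(proxy_port, "127.0.0.1", origin_port, b"hello")
    refused = connect_via_proxy(proxy_port, "127.0.0.1", origin_port, b"hello", method="GET")
    return tunneled, refused

if __name__ == "__main__":
    print(demo())
```

Run it directly to see both results: the CONNECT request is tunneled and the origin’s reply comes back through the proxy, while a plain GET is refused with 405 because this toy only tunnels. The proxy here never sees the plaintext inside the tunnel; mitmproxy differs exactly at the point marked in the comment, terminating TLS itself with a certificate signed by its own CA, which is what produces the browser warning the tutorial mentions at Step 6.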

ii. Transparent Proxy

A transparent proxy (also called inline proxy, intercepting proxy, or forced proxy) is a server that sits between your computer and the Internet and redirects your requests and responses without modifying them. A proxy server that does modify your requests and responses is defined as a non-transparent proxy.

As shown in the above image, all client requests are forced to pass through the proxy without the client’s knowledge.

Here we’ll use Explicit Proxy mode to intercept HTTPS traffic using MITM Proxy. In my case I’m using Ubuntu Linux; you can try this on any operating system.

Follow the steps below to intercept HTTPS traffic.

Step 1: Download MITM Proxy from the link below

Link: https://mitmproxy.org/

Step 2: Extract the file

iamvsm@SaraswatiRepository:~$ tar -xvzf mitmproxy-5.2-linux.tar.gz

Step 3: Run mitmweb

iamvsm@SaraswatiRepository:~$ ./mitmweb

Web server listening at http://127.0.0.1:8081/

/usr/bin/x-www-browser: /tmp/_MEIPqRkYw/libz.so.1: version `ZLIB_1.2.9' not found (required by /lib/x86_64-linux-gnu/libpng16.so.16)

Proxy server listening at http://*:8080

Step 4: Open a browser and type http://127.0.0.1:8081/ in the address bar, as shown in the image below

Step 5: Open another browser and configure its proxy settings to 127.0.0.1:8080, as we are using an explicit proxy. An image of the browser proxy configuration is shown below

Step 6: Now we’ll enter login credentials on my demo website, i.e., the https://demo.saraswatirepository.com/admin Admin Console, in the browser configured with the proxy.

Note: You will see a certificate warning because MITM Proxy is intercepting the HTTPS traffic: it terminates the TLS connection and presents a certificate signed by its own CA, which the browser does not trust. Click Advanced, then Accept the Risk and Continue, as shown in the image below. On sites that enforce HSTS the browser will not offer this override at all.

Step 7: After a successful login, open MITM Web, navigate to the HTTP POST request and check the request headers and parameters, as shown in the image below

As you can see, the username and password appear in clear text even though we were using HTTPS.

Hence, this is how HTTPS traffic can be intercepted using MITM Proxy to retrieve sensitive information such as credentials and credit or debit card numbers.

Recommendation

When you encounter a certificate warning in your browser, it indicates that there might be a MITM proxy intercepting or sniffing your encrypted traffic. Checking the certificate details behind the warning shows the issuer; a certificate issued by a CA you do not recognise (in this tutorial, mitmproxy’s own CA) rather than by a public CA is the tell-tale sign.

So, don’t proceed unless you are sure about the authenticity of the resource you are accessing.

In my upcoming tutorial I’ll explain methods to secure your website against MITM Attacks.