Networking

MITM setup

Connect both Ethernet adapters to the laptop, turn on bridged networking in the VM config, and make sure you see both with ip link as eth1 and eth2, where eth0 is the virtual device bridging to the host machine. Make note of which eth is plugged into which switch port and which you want to be on the VLAN. In this case I have eth1 as the internet interface and eth2 as the VLAN interface.

Log into UniFi, make a VLAN, and assign it to the port for the device under test and your eth2 port. In this case I called it VLAN ID 30 but gave it 192.168.2.1/24, which is bad hygiene tbqh but I was figuring it out. Make sure to set DHCP mode to None so we can be the DHCP server.

VLAN setup in UniFi

Enable IPv4 forwarding

# Either command enables forwarding until the next reboot (they are equivalent)
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1
# Optionally, persist the setting across reboots
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf

Set up DHCP. I'm not doing DNS in this case because I didn't care, but this is where you would if you need it. Start by setting up your static IP for the gateway (you).

sudo ip addr add 192.168.2.1/24 dev eth2
sudo ip link set eth2 up

Now configure dnsmasq; don't forget to back up your config first.

# Interface to listen on
interface=eth2

# DHCP range and options
dhcp-range=192.168.2.10,192.168.2.100,12h
dhcp-option=3,192.168.2.1     # Gateway
dhcp-option=6,192.168.2.1     # DNS server (Kali)

# DNS settings
domain-needed
bogus-priv
no-resolv
server=1.1.1.1

Then (re)start dnsmasq

sudo systemctl enable dnsmasq
sudo systemctl restart dnsmasq

The Big iptables Section

Flush your rules (don't do this blindly)

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -X

Set default policies (optional) to drop forwarded traffic by default. If you're redoing this a second time and have problems, start by not doing this.

sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Turn on forwarding between interfaces

# Allow traffic from VLAN (eth2) to Internet (eth1)
sudo iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT

# Allow return traffic
sudo iptables -A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT

Turn on NAT (for Internet access from VLAN)

sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Since we're using mitmproxy we need to redirect HTTP traffic to it; if traffic is transmitted on a different port you'll need to adjust. Also make sure to change the --to-port to mitmproxy's port if, like me, you frequently have something on 8080 already.

# HTTP
sudo iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-port 8080

# HTTPS
sudo iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 443 -j REDIRECT --to-port 8080

Check your work

sudo iptables -L -v -n
sudo iptables -t nat -L -v -n
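
To confirm the rules above actually landed, here is an added example (not part of the original notes) that audits iptables-save output for them. The function name check_mitm_rules and the environment overrides are assumptions of this example; the interface names and port default to the values used on this page.

```sh
#!/bin/sh
# Added example: audit iptables-save output for the forwarding, NAT and
# redirect rules set up above. Defaults are this page's values; override
# them through the environment if your interfaces or proxy port differ.
LAN_IF="${LAN_IF:-eth2}"          # VLAN side (device under test)
WAN_IF="${WAN_IF:-eth1}"          # internet side
PROXY_PORT="${PROXY_PORT:-8080}"  # port mitmproxy listens on

# check_mitm_rules: reads iptables-save text on stdin, prints one line per
# missing rule, returns 0 if all are present and 1 otherwise.
check_mitm_rules() {
    _dump=$(cat)
    _missing=0
    _need() {   # _need <description> <extended regex>
        if ! printf '%s\n' "$_dump" | grep -Eq -- "$2"; then
            echo "MISSING: $1"
            _missing=1
        fi
    }
    _need "forward $LAN_IF -> $WAN_IF" \
        "^-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT\$"
    _need "return traffic $WAN_IF -> $LAN_IF" \
        "^-A FORWARD -i $WAN_IF -o $LAN_IF .*(RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT\$"
    _need "MASQUERADE out $WAN_IF" \
        "^-A POSTROUTING -o $WAN_IF -j MASQUERADE\$"
    for _port in 80 443; do
        # iptables-save prints --to-port as --to-ports and adds "-m tcp"
        _need "redirect tcp/$_port -> $PROXY_PORT" \
            "^-A PREROUTING -i $LAN_IF -p tcp .*--dport $_port -j REDIRECT --to-ports $PROXY_PORT\$"
    done
    return "$_missing"
}

# Constructed sample: iptables-save output after the commands above,
# except that the HTTPS redirect was forgotten.
SAMPLE_MISSING_443='*nat
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Live use (needs root): sudo iptables-save | check_mitm_rules
```

Fed the constructed sample, the function reports only the missing 443 redirect, which is the case where HTTPS from the device under test would bypass the proxy.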

Use the MITM

Start mitmproxy or mitmweb for the first time to get the cert; it'll be dropped at ~/.mitmproxy/mitmproxy-ca-cert.pem, and of course you'll need to load it onto the device under test.

For future reference, Matt Brown has a bunch of helper scripts at https://github.com/nmatt0/mitmtools which are great references.
