Over the past few months, we have put Mallory through its paces. Scores of mobile applications have had their network streams MiTMd by Mallory. It has become one of a few important tools that we use on a daily basis. Because we use it so often, we sometimes forget that it may seem quite difficult to get upand running for the first time. Mallory is still actively developed. Improving the user experience from the initial code checkout to helping users “Mallorize” traffic is a key goal for the project. However, until then, this howto guide will suffice to get Mallory up and running for your testing needs.
This guide will explain how to get Mallory up and running (in this guide I use an EeePC). I also use a tethered Android device for a WAN connection, and have MiTM victims connect to the netbook over its WiFi connection. I will also be sharing how we use a tool called hostapd to make our EeePC look like an infrastructure mode WiFi access point, as opposed to an Ad-Hoc WiFi access point. Using this guide, you should be able to set up a mobile Mallory gateway in no time.
Step Zero: The Gear.
For this guide I will be using my EeePC 1000HE with Ubuntu 10.04 LTS installed on it as the reference design. Many netbooks/OS/WiFi card combos should work. I will also be using my Nexus One handset running Cyanogen Modto provide the WAN connection. Feel free to leave comments below on your setup.
Step One: Downloading the dependencies.
The first step is to install the required libraries and packages required to run Mallory. The below apt-get commands should pull down and install all dependencies that are hosted by Ubuntu’s repositories. You can copy and paste the below apt-get commands into your terminal, and download all the dependencies at once. (Note that the last two packages are used for pre-packaged Mallory plug-ins. The paramiko package is used to MiTM SSH connections, and the imaging package is used to manipulate images within an HTTP response)
sudo apt-get install mercurial; sudo apt-get install python-pyasn1; sudo apt-get install python-netfilter; sudo apt-get install libnetfilter-conntrack-dev; sudo apt-get install python2.6-dev; sudo apt-get install python-setuptools; sudo easy_install pynetfilter_conntrack; sudo apt-get install netfilter-extensions-source; sudo apt-get install libnetfilter-conntrack3-dbg; sudo apt-get install python-paramiko; sudo apt-get install python-imaging;
You will also need to download and install the netfilter connection tracking package. We have tested Mallory with the below version of the package. We recommend using the below versions until we can confirm that an up to date version of the package is compatible with Mallory.
If you are installing Mallory on a 32-bit system, you will need to download the following package:
#If you are installing Mallory on a 32 bit machine wget http://ubuntu.cs.utah.edu/ubuntu/pool/universe/libn/libnetfilter-conntrack/libnetfilter-conntrack1_0.0.99-1_i386.deb sudo dpkg -i libnetfilter-conntrack1_0.0.99-1_i386.deb #endif
If you are installing Mallory on a 64-bit system, you will need to download the following package:
#if you are installing Mallory on a 64 bit machine wget http://ubuntu.cs.utah.edu/ubuntu/pool/universe/libn/libnetfilter-conntrack/libnetfilter-conntrack1_0.0.99-1_amd64.deb sudo dpkg -i libnetfilter-conntrack1_0.0.99-1_amd64.deb #endif
Step Two: Downloading and Installing hostapd
Before we start pulling down the Mallory code base, it is helpful to take a step back and install and configure hostapd. This step is not required for Mallory to run as a mobile gateway. (One can always set up an ad-hoc WiFi network.) To intall hostapd, run the following apt-get command:
sudo apt-get install hostapd
After installing hostapd, we need to setup the configuration file to get it up and running. The configuration file can be found at /etc/hostapd/hostapd.conf. Below is a sample of the configuration file I use. I only present the parameters that I changed. All other parameters were kept in their default state. Use your favorite editor to make the required changes.
# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for # management frames); ath0 for madwifi< interface=wlan0 # Driver interface type (hostap/wired/madwifi/prism54/test/none/nl80211/bsd); # default: hostap). nl80211 is used with all Linux mac80211 drivers. # Use driver=none if building hostapd as a standalone RADIUS server that does # not control any wireless/wired driver. driver=nl80211 # SSID to be used in IEEE 802.11 management frames ssid=TestNet # Static WEP key configuration # The key number to use when transmitting. # It must be between 0 and 3, and the corresponding key must be set. wep_default_key=0 # The WEP keys to use. wep_key0=AAAAA11111
Users with other WiFi cards, or drivers, might have to experiment with the “driver” and “interface” parameter. Internet searching for your specific card and driver should return a number of tutorials on getting hostapd running for your box. Again, please leave comments below with hostapd configuration settings for specific setups.
Step Three: Getting Mallory
Now that we have mercurial installed (Step One^) we can use the hg command to pull down the Mallory code base. Navigate to the directory where you want to download the Mallory code base and run the following command.
hg clone http://bitbucket.org/IntrepidusGroup/mallory
It should look something like this:
Step Four: Setting up the Gateway
We now have all the required code, packages, libraries, and mythical creatures in place to start Mallorizing victims (the leprechauns, fairies and ground unicorn horn came preinstall in 10.04). For pedagogical purposes, starting Mallory will be a two step process. It is important to understand that Mallory runs on a gateway, it is not a gateway in and of itself. Therefore we need to make sure our netbook is acting as a gateway for the clients before we start Mallory. This will ensure that any misconfigurations get caught early and are easy to trouble shoot.
Using the script below, your netbook will be converted into a lean mean routing machine. You will need to run this script as root. When prompted, you will need to enter the interface for the WAN and LAN link. For my setup, my tethered android handset provides internet connectivity to the netbook. This is done via interface usb0. Therefore usb0 will be my WAN link. The WiFi interface servicing the clients will be on wlan0. Therefore, wlan0 is my LAN interface. When prompted, the WAN link is usb0 and the LAN link is wlan0. You will need to use the approprite links for your setup. For example, if you are using an ethernet connection to obtain access to the internet, the WAN interface could be eth0.
#!/bin/sh echo "Wan Interface: " read wanInt echo "Wifi Interface: " read lanIn echo "Stopping network manager" /etc/init.d/NetworkManager* stop echo "Stopping dnsmasq" /etc/init.d/dnsmasq stop echo "Bringing down lan interface" ifconfig $lanInt down echo "Starting hostapd" hostapd -B /etc/hostapd/hostapd.conf echo "Applying configs to lan interface" ifconfig $lanInt 10.0.0.1 netmask 255.255.255.0 echo "Starting DHCP server" dnsmasq --no-hosts --interface $lanInt --no-poll --except-interface=lo --listen-address=10.0.0.1 --dhcp-range=10.0.0.10,10.0.0.100,60m --dhcp-option=option:router,10.0.0.1 --dhcp-lease-max=50 --pid-file=/var/run/nm-dnsmasq-wlan0.pid echo "Stopping firewall and allowing everyone..." iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT echo "Turning on Natting" iptables -t nat -A POSTROUTING -o $wanInt -j MASQUERADE echo "Allowing ip forwarding" echo 1 > /proc/sys/net/ipv4/ip_forward echo "Adding 4.2.2.1 to resolv.conf echo "nameserver 4.2.2.1" >> /etc/resolv.conf echo "GO GO gadget gateway"
After executing this script, you should be able to connect clients to our newly created WiFi network. This would also be a good time to test that the clients have internet connectivity. If this test fails, some trouble shooting is in order.
Things to double check would be:
- Did you run the script as root (sudo)
- Can the gateway get out to the internet (ping)
- Does the LAN interface have an IP (ifconfig)
- Is the DHCP server running (ps)
- Are the DNS servers configured properly (cat /etc/resolv.conf)
Troubleshooting this step is slightly outside the scope of the post, however feel free to leave comments about any difficulties and we can try to help out.
Step Five: Starting Mallory
So we have our equipment, we downloaded the dependencies, we configured our conf files, and we had a short lesson on how to setup an Ubuntu gateway…sounds like its Mallorizing time. All that is left is to start Mallory and force our gateway to funnel all network streams into Mallory’s one listening socket. The iptables commands below will tell our gateway to forward all TCP and UDP streams originating from our lan (wlan0) into a local socket listening on port 20755. This is the port that Mallory is configured to listen on.
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp -m tcp -j REDIRECT --to-ports 20755 sudo iptables -t nat -A PREROUTING -i wlan0 -p udp -m udp -j REDIRECT --to-ports 20755
To start Mallory we need to run mallory.py as root. (Note: Mallory is not backdoored) This python file is located in the mallory/src directory. The command below should start Mallory as root.
sudo python ./mallory/src/mallory.py
After you run the above command, Mallory should be up and running. To test this out, connect a client to Mallory and visit an image heavy website. By default Mallory is configured to have the HTTP module enabled with the HTTP image flipping and image color inverting plugins enabled. You should see something like this (notice the two images are upside down and their colors are inverted).<
By default Mallory is also configured to run the cookie hijacking plugin. Using the Mallory Cookie Editor plugin for chrome, you can copy a cookie captured by Mallory and apply it to your browser with one click. This would allow you to session hijack any HTTP session flowing through Mallory. If HTTPS MiTMing is turned on, sessions “secured” by HTTPS could be hijacked as well (provided the users click through the cert warnings). The Chrome plugin needs to run in a Chrome browser on the Mallory gateway itself. Below, you can see an example of the Mallory Cookie Editor for Chrome.
Step Six: What is next?
We have tcp streams flowing through Mallory, we see images being manipulated, and we are hijacking sessions of popular websites: what’s next. Well, Mallory, first and foremost is a testing tool. There is a variety of functionality in Mallory that can be unlocked with a few lines of code and configuration data. For example, MiTMing SSL streams of data, pausing and editing streams of data using the mallory graphical TCP stream debugger, quickly writing data manipulation routines that can automatically operate on streams of HTTP data (also controllable on the fly in the mallory GUI). All of this (and more) can easily be done with Mallory. In the near future, we will be posting tutorials on how to accomplish many tasks with Mallory. However, before we get there, this is the first step that must be completed. Once you have your setup that can flip images, you can start to dive head first into the world of Mallory!
-D1AB1069-
