Tuesday, July 11, 2017

ComTech - Fat\Thick client MiTM proxy interception for PT

Hello everyone
We all know how to intercept a request in a web application: simply start your proxy, Fiddler or Burp Suite, and point your browser's proxy settings at it. That's it.

But what about fat\thick client applications?
When the client obeys the system's internet proxy settings, life is easy. You just set the proxy exactly as you would for a web application, and that's it.
But what happens when it does not obey these settings? This is where things start to get complicated.

The first and fastest option for intercepting requests is the excellent Echo Mirage utility, which hooks network calls at the operating system level and lets you change them. But in many cases it won't work.
Another option is to configure your proxy as a reverse proxy. A regular proxy utility resides on the client side and intercepts requests before they leave the client's station. A reverse proxy, on the other hand, pretends to be the server and intercepts the requests after they leave the user's station (in theory, of course, since you can run the reverse proxy on the same computer) but before they reach the real server.
They both intercept requests; it's just a matter of where you do it.

So you need to set your proxy up as a reverse proxy (in Burp you can also use the invisible proxy option, which tries to forward the request to the right server automatically), and then point your client at the proxy's port, so the proxy can intercept the requests and forward them to the real server.

If you have a clear-text configuration file, you can simply change the server address. If the client connects to the server by hostname, you can edit your hosts file and redirect that name to your proxy.
But what happens if your client connects to a hard-coded IP address that cannot be changed easily? This is the hardest case of them all. Here you need to either change it somehow by reverse engineering the client (or decompiling and recompiling it; I'll talk about that next week), or use tools such as Ettercap to perform an ARP poisoning attack, edit the communication and redirect it. Not an easy task.

And what if your communication is not even HTTP? Then you need to intercept it with a binary proxy utility such as the great TCP Catcher proxy.

Have fun!



Gil Cohen
CTO