TP-Link Archer T2U Nano for TLS Traffic Interception

Overview

In this guide we’ll be going through the process of configuring an intercepting set-up using mitmproxy and a wireless network, to inspect, modify and monitor encrypted HTTPS traffic. This will allow for a simple way to analyse traffic on mobile handsets and IoT devices, with the only requirements is Wi-Fi support and the ability to install custom certificates.

mitmproxy is your swiss-army knife for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay web traffic such as HTTP/1, HTTP/2, WebSockets, or any other SSL/TLS-protected protocols. read more

A simple illustration of mitmproxy running in transparent mode under Debian Buster:

The communication process:

iPhone <==> Wi-Fi TAP  <==> mitmproxy <== (IP Forwarding) <==> Internet

Requirements

Software

There are several software packages required for this set-up. All of which can be downloaded through apt-get on most Linux based systems. As mentioned previously I’ll be using Debian Stretch, but the guide can be applied to other systems.

List of required packages:

• mitmpoxy – a HTTP traffic interception tool.
• dnsmasq - a lightweight DNS forwarder and DHCP service.
• hostapd – a utility used for creating the wireless access point.
• tcpdump – an all-round great packet capture utility.

To install all of the above:

sudo apt update
sudo apt install mitmproxy hostapd dnsmasq tcpdump

Hardware

And for hardware, the only requirement is having two network interface cards, one for providing Internet connectivity and the other for broadcasting the wireless access point. I’ll be using one I bought from Amazon a (TP-Link Archer T2U Nano AC600) which is cheap and supports 2.4GHz and 5GHz natively on Linux systems, and my MacBook Pro’s built-in wireless card.

Drivers

The TP-Link Archer T2U Nano AC600 WiFi adapter requires additional effort while installing on Linux. The only driver that worked was realtek-rtl88xxau-dkms version 5.2.20.2~20190617 available on here.

git clone https://gitlab.com/kalilinux/packages/realtek-rtl88xxau-dkms
cd realtek-rtl88xxau-dkms
sudo ./dkms-install.sh 

To check if the driver installed properly, plug in your USB adapter and ensure pass-through is enabled within the virtualization software. In my case, VMware Fusion (Menu > Virtual Machine > USB & Bluetooth).

Run the following inside the virtual machine ip a:

There should be two network interface cards, one called ens33 which will provide access to the Internet, and the other interface we just created called wlxd037XXXXXXXX will be configured as our wireless access point to use with mitmproxy.

Configure

Networking

Ensure the newly created network interface has a static IP address and a gateway address. This will point to the Dnsmasq service in the step next. Use the following network configuration and replace network interfaces to suite your own. A reboot may be required.

Network configuration file: /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug ens33
iface ens33 inet dhcp

# The secondary network interface
allow-hotplug wlxd037XXXXXXXX
iface wlxd037XXXXXXXX inet static
        address 10.0.0.254/24
        netmask 255.255.255.0
        gateway 10.0.0.254

IP Forwarding and IPtables

Start by enabling IP forwarding and add masquerade rules with IPtables to route and redirect specific network traffic to mitmproxy. This will be persistent.

Edit the main system config: /etc/sysctl.conf and uncomment this line:

net.ipv4.ip_forward=1

Apply the following rules to IPTables (replace to suit your wireless interface):

sudo iptables -t nat -A PREROUTING -i wlxd037XXXXXXXX -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i wlxd037XXXXXXXX -p tcp --dport 443 -j REDIRECT --to-port 8080

Dnsmasq

To make devices have their own IP addresses assigned automatically, a DHCP server is required. Dnsmasq is a lightweight DNS forwarder and DHCP server suitable for small networks. This makes sense otherwise we would need to manually assign addresses.

Create and modify the configuration file: /etc/dnsmasq.conf and replace it with:

# Wireless Interception Interface
interface=wlxd037XXXXXXXX

# DHCP server and range for assigning IP addresses
dhcp-range=10.0.0.1,10.0.0.100,96h

# Broadcast gateway and DNS server information
dhcp-option=option:router,10.0.0.254
dhcp-option=option:dns-server,10.0.0.254

Hostapd

And finally, create the wireless network with Hostapd. This wireless network will operate under the 2.4GHz frequency (channel 7) and will be able to forward traffic onto the primary interface.

Create a new configuration file: /etc/hostapd/hostapd.conf

interface=wlxd037XXXXXXXX
driver=nl80211
ssid=TAP
hw_mode=g
channel=7
ht_capab=[HT40][SHORT-GI-20]
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=gimme_the_loot
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP

To use the 5GHz band with TP-Link adapter the Hostapd configuration file needs to be changed and driver needs to be loaded with:

modprobe -r 88XXau && modprobe 88XXau rtw_vht_enable=2

mitmproxy

Saving TLS master keys to a file while running mitmproxy. With this file Wireshark is able to decrypt TLS traffic. See the Wireshark wiki for more information. Modify your .bashrc file and export the environment variable:

export SSLKEYLOGFILE="$HOME/sslkeylogfile.txt"

tcpdump

When you want to capture all network traffic from an interface and you do not want to intercept or modify the flow. You need to flush the previous IPTables rules and apply a new rule.

To flush all IPTable rules within the nat table:

sudo iptables -t nat -F

And add a new rule to masquerade traffic to the Internet interface:

sudo iptables -t nat -A  POSTROUTING -o ens33 -j MASQUERADE

After that you can run a tcpdump packet capture:

sudo tcpdump -i <interface> -s 65535 -w <file>

Launching

First, start the DNSmasq server:

• sudo systemctl start dnsmasq

Next, start the Hostapd service:

• sudo systemctl start hostapd

Finally, start the mitmproxy for example in transparent mode:

• mitmproxy --mode transparent --showhost

iPhone

Here is an example of monitoring traffic using an iPhone device. First, connect to the wireless network created by Hostapd as you would to a regular Wi-Fi network.

Then, open a browser and navigate to http://mitm.it (make sure mitmproxy is running). Download the certificate for your device type and hit allow.

Next, go to Settings > General > Profile > mitmproxy > Install Profile. When installed, go back to the main Settings again General > About > Certificate Trust Settings and enable full trust for root certificate.

Fixes

There appears to be an issue with mitmproxy packages on Debian (Stretch and Buster). When visiting the http://mitm.it/ to download certificates, the page does not display the links properly. Leaving the user to manually browse site on devices.

• http://mitm.it/cert/pem – Android & iOS
• http://mitm.it/cert/p12 – Windows

Or find and edit the file /usr/lib/python3/dist-packages/mitmproxy/addons/onboardingapp/templates/layouts.html and replace:

<link href="/static/bootstrap.min.css" rel="stylesheet">
<link href="/static/font-awesome.min.css" rel="stylesheet">

With:

<link href="//stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" rel="stylesheet">
<link href="//stackpath.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet">

Resources

A list of useful resources:

• How to use Transparent mode in VMs
• Running a Man-in-the-middle proxy on a Raspberry pi 3
• Raspberry Pi as Wireless Access Point
• Four ways to Bypass Certificate Pinning on Android
• Bypass SSL Pinning Android