Tuts 4 You

Posted

Hi all,

Let's say I have a program that is activated online: you enter a serial number, the application makes an HTTP POST with the serial number to their server, and the server responds back (let's keep it stupidly simple) with either 'accepted' or 'rejected'.

What I want to do is make a small exe that listens to all HTTP requests, can match against the URL and maybe some POST values, and then spoofs the response back to always be 'accepted'.

I know this might seem really stupid, and you may ask why I wouldn't just patch the original program, but this is something I have been looking at for a while with no success, and I think it will be fun to try. I can do exactly this with programs like Charles or Burp Proxy, but I want to make it automated in a standalone exe.

Does anyone know of anything even similar I could start with?

thanks!!

Posted

No, it's not stupid. I've seen a real case which used a server simulator to respond with a valid license status.

However, the server simulator is obfuscated. I guess it used some code from the server side which was stolen by social engineering.

It depends on the complexity of the server response. If it's just a boolean value in json, then it's quite simple to fake.

However, if it is some serial which has to be validated on the client side again, maybe you have to reverse the client validation.

Posted

Thanks for the response. Well, I have used this method myself for real stuff. One example was a fully working 30-day trial: the server would respond with a license file during the trial, and at the end of the trial the server would respond with "Trial has expired" in the HTTP body, so all I did was take a copy of the trial license file, change the URL in the application to be my own server, and I had a never-ending trial.

The reason I'm now looking for a standalone exe to do this is so I can avoid making any changes to the original application.

Posted

Well, I can only say that if the original application hard-codes the server IP address inside it and makes HTTPS requests to the server, then MITM seems to be practically impossible. That's what my application does in this case.

Yeah, if it's just some URL you could edit /etc/hosts to resolve the URL locally with a fake DNS record; however, that is because the application has a "loophole" to be made use of.

  • 2 months later...
Posted

Try setting your system proxy settings, use Burp Proxy, and add the Burp CA to your certificate store. This will route the traffic through Burp, which can intercept and edit the request. If that doesn't work, you can set it to invisible mode and modify your hosts file so that the server address points to your Burp proxy.

Should work fine; most apps don't have certificate pinning and will accept the Burp cert.

https://portswigger.net/burp

Good luck.

Posted

Before coding your own server to do that, try to capture the response from their server when it says "accepted" using HTTP Debugger, and using the same tool you can intercept when your application asks the server "am I good to go" and reply back from within your machine.

HTTP Debugger has a tool to manipulate responses when a certain request is made.

Posted

If you don't want to directly patch the app, maybe create a loader to patch it in memory. For creating your own proxy interceptor you can use FiddlerCore or Titanium-Web-Proxy.

  • 3 weeks later...
Posted

If you're familiar with C# you can use FiddlerCore and easily code a program that automatically gets these HTTP requests and either redirects them somewhere else or changes the response. Here is a demo of its usage: http://fiddler.wikidot.com/fiddlercore-demo
  • 11 months later...
Posted

It'd be good if you could elaborate much more (like target platform, coding language, etc.).

Anyway, to avoid MITM you'd need to implement TLS in your project, which enables "secure communication" between devices over the network.

NB: Don't ever forget to encrypt the license file. Also don't forget to make it more difficult to decompile your executable by use of an obfuscator or similar.
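Added example, not from anyone in this thread: the kind of response the earlier reply means by "some serial which has to be validated on the client side again", in Go with the standard library's Ed25519. The server signs its answer together with the serial, the client's nonce and an expiry, and the client checks it against a compiled-in public key, so a proxy that rewrites "rejected" to "accepted", or replays an old "accepted", fails the check; the field names, nonce handling and TTL are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Response is the server's answer (field names assumed). Sig is an Ed25519
// signature over the other fields, so rewriting Status in transit breaks it.
type Response struct {
	Serial string `json:"serial"`
	Nonce  string `json:"nonce"`  // echoed from the client's request
	Status string `json:"status"` // "accepted" or "rejected"
	Expiry int64  `json:"expiry"` // unix seconds; limits replay of a stale answer
	Sig    []byte `json:"sig"`
}

func signable(r Response) []byte {
	r.Sig = nil // sign everything except the signature itself
	b, _ := json.Marshal(r)
	return b
}

// ServerSign runs on the server; only the holder of priv can produce Sig.
func ServerSign(priv ed25519.PrivateKey, serial, nonce, status string, ttl time.Duration) Response {
	r := Response{Serial: serial, Nonce: nonce, Status: status, Expiry: time.Now().Add(ttl).Unix()}
	r.Sig = ed25519.Sign(priv, signable(r))
	return r
}

// ClientVerify runs in the application with pub compiled in: genuine, for this request, fresh, accepted.
func ClientVerify(pub ed25519.PublicKey, r Response, serial, nonce string, now time.Time) error {
	switch {
	case !ed25519.Verify(pub, signable(r), r.Sig):
		return errors.New("bad signature: not from the real server")
	case r.Serial != serial || r.Nonce != nonce:
		return errors.New("answer to a different request (replay)")
	case now.Unix() > r.Expiry:
		return errors.New("response expired")
	case r.Status != "accepted":
		return errors.New("licence rejected")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := ServerSign(priv, "ABCD-1234", "nonce-1", "rejected", time.Hour)
	r.Status = "accepted" // the in-transit rewrite the thread describes
	fmt.Println(ClientVerify(pub, r, "ABCD-1234", "nonce-1", time.Now())) // prints: bad signature: not from the real server
}
```

This moves the weak point from the network path to the client binary, which is the trade-off the replies about TLS and pinning already describe.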
