MITMing application with specific configs

[learnReverse]

I'm wondering what is the best possible way to MITM an application that uses TCP and unknown application layer(could be https) but if this application does not accept system's proxy configs thus impossible to use some known HTTP packet analysers such as Fiddler etc. I had in mind 2 approaches and was wondering how is it possible to execute them?
 

1. Create local DNS record that resolves to my own proxy server that im hosting localy. So the connection would go like APPLICATION->DNS_RESOLVE->MY_PROXY->TARGET->MY_PROXY->APPLICATION

2. Because applications dont accept system proxy settings, maybe i can create custom VPN and use that virtual network interface as main interface for communication and then just MITM it like that?

What other options do i have and are there maybe some more easier ones?

[NOP]

Wireshark should do what you need

[learnReverse]

I want to analyse requests on the fly and write some string checkers on them. I need to intercept it from my own process and not relay on some third party interception tool like Wireshark

[XOR0XA]

27 minutes ago, learnReverse said:

I want to analyse requests on the fly and write some string checkers on them. I need to intercept it from my own process and not relay on some third party interception tool like Wireshark

I believe that from your own process it is not possible without direct injection in some way, following the recommendation of NOP, in the past I did exactly the same thing, but I used the Charles Proxy tool, it has the ability to log only one application in particular, this may be an alternative to Wireshark or Fiddler.

Regards,

Edited March 12, 2021 by XOR0XA

[learnReverse]

1 hour ago, XOR0XA said:

I believe that from your own process it is not possible without direct injection in some way, following the recommendation of NOP, in the past I did exactly the same thing, but I used the Charles Proxy tool, it has the ability to log only one application in particular, this may be an alternative to Wireshark or Fiddler.

Regards,

How did you manage to hook onto a process from Charles Proxy and not have it globaly? I understood Charles works on same principle as Fiddler or any other http interception tools. It tracks all traffic that goes trough them? I mentioned previously that this app doesnt accept system's default proxy settings thus impossible to use tools such as this.

[NOP]

5 hours ago, learnReverse said:

I want to analyse requests on the fly and write some string checkers on them. I need to intercept it from my own process and not relay on some third party interception tool like Wireshark

Then you could code your own, wireshark uses WinPcap library, you could code whatever you need using that library so you dont have to code a driver too

Quote

For many years, WinPcap has been recognized as the industry-standard tool for link-layer network access in Windows environments, allowing applications to capture and transmit network packets bypassing the protocol stack, and including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver that extends the operating system to provide low-level network access and a library that is used to easily access low-level network layers. This library also contains the Windows version of the well-known libpcap Unix API.

Thanks to its set of features, WinPcap has been the packet capture and filtering engine for many open source and commercial network tools, including protocol analyzers, network monitors, network intrusion detection systems, sniffers, traffic generators and network testers. Some of these networking tools, like Wireshark, Nmap, Snort, and ntop are known and used throughout the networking community.

Winpcap.org is also the home of WinDump, the Windows version of the popular tcpdump tool. WinDump can be used to watch, diagnose and save to disk network traffic according to various complex rules.

 

 

[learnReverse]

17 hours ago, NOP said:

Then you could code your own, wireshark uses WinPcap library, you could code whatever you need using that library so you dont have to code a driver too

 

What can i possibly do if i want to modify the packets instead and serve as a proxy in middle layer? What are my options considering the app itself doesnt accept system proxy settings? Can i do something like i mentioned in #1 or #2? What is the easiest option?

[NOP]

You can use that library to capture,receive and filter packets. Once you have what you need you can send modified packets, depending on what you want to do

The library is a driver which can capture any traffic going through your internet connection / network so no proxy needed

You use the libraries API to get / filter what you need

 

[Extreme Coders]

There's the WinDivert library which allows you do all of this. WinDivert is in C but there are bindings for bindings for Python & C#.

You can check the source code of Clumsy which uses utilizes WinDivert to selectively modify the packets. It's in C.

There's also the now discontinued flare-fakenet-ng which uses the Python bindings - pydivert.

https://reqrypt.org/windivert.html
http://jagt.github.io/clumsy/
https://github.com/fireeye/flare-fakenet-ng