Wireless Gateway & Transparent Proxy for Mobile Security Assessments

December 21, 2011

Introduction

In a typical run-time web application security assessment, we often use an HTTP proxy to intercept and manipulate client-server traffic. For web applications, configuring browser settings to get proxying started is pretty straightforward. However, for mobile applications, mobile platforms/operating systems (e.g. Android, BlackBerry) do not necessarily support proxying application traffic natively.

This guide will show you how to turn your laptop into a wireless gateway that can be used to transparently proxy, using common HTTP proxy tools, application traffic from any device connected to you over Wi-Fi.

Pre-Requisites

We will be setting this up in Ubuntu. The main software packages that are needed are as follows:

  1. Hostapd — user space daemon for access points
  2. Dnsmasq — lightweight DNS and DHCP server
  3. Iptables — user space admin tool for IPv4 packet filtering and NAT

To set up the wireless gateway, we will need a wireless adapter on which a (software) wireless AP can be set up. In terms of hardware, the most important requirement is that the wireless adapter must have Linux drivers that work with hostapd, which supports Host AP, madwifi, and mac80211-based drivers. Also make sure that the drivers implement AP (or master) mode; this can be checked with the iw wireless configuration tool (e.g. iw list). In terms of USB wireless adapters, we’ve found that devices with chipsets supported by ath9k_htc seem to work pretty well with hostapd 0.7.3 for our purposes. We’ve also tried devices/chipsets supported by rt2800usb, but while a software AP can successfully be started up, results were less than optimal. For laptop wireless chipsets, we’ve been successful with rtl8192se devices.

Of course, the device you want to proxy has to be able to connect over Wi-Fi.

Hostapd Configuration

The first task is to write a configuration file to instruct hostapd what the wireless AP settings should be. Hostapd comes with a default configuration file at /etc/hostapd/hostapd.conf, which you can modify to your liking. Below is a simple sample configuration file we used. In our case, wlan0 is the wireless adapter interface, and nl80211 is for all Linux mac80211 drivers. Don’t forget to change your passphrase.

# Wireless interface
###########################
interface=wlan0
driver=nl80211
# Wireless environment
###########################
ssid=MYSSID
hw_mode=g
channel=6
# WPA Encryption
###########################
auth_algs=3
wpa=3
wpa_passphrase=mypassword
wpa_key_mgmt=WPA-PSK
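
A pre-flight check for the settings above, as an added example (not part of the original guide or of hostapd): it flags WPA (v1), Shared Key authentication, an unpinned WPA2 cipher, and the sample passphrase. The function names and the choice of checks are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a hostapd.conf before use.

conf_get() {  # conf_get FILE KEY: last value assigned to KEY; comment lines never match
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

lint_hostapd_conf() {  # prints one finding per line; returns 1 if any were found
    f=$1 findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    wpa=$(conf_get "$f" wpa)   # bit field: bit 0 = WPA (v1), bit 1 = WPA2/RSN
    case "$wpa" in
        2) ;;
        1|3) note "wpa=$wpa enables WPA (v1); use wpa=2 for WPA2/RSN only" ;;
        *) note "wpa is not 1, 2 or 3: WPA is not enabled" ;;
    esac
    case "$(conf_get "$f" auth_algs)" in   # bit 1 = Shared Key authentication
        2|3) note "auth_algs allows Shared Key authentication; use auth_algs=1" ;;
    esac
    case "$(conf_get "$f" rsn_pairwise)" in
        CCMP) ;;
        *) note "rsn_pairwise is not set to CCMP; pin the WPA2 cipher explicitly" ;;
    esac
    pass=$(conf_get "$f" wpa_passphrase)
    if [ -n "$pass" ]; then
        if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
            note "wpa_passphrase must be 8..63 characters"
        elif [ "$pass" = "mypassword" ]; then
            note "wpa_passphrase is still the sample value from the guide"
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Security-relevant lines of the sample configuration above, embedded so the
# check runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ssid=MYSSID
auth_algs=3
wpa=3
wpa_passphrase=mypassword
wpa_key_mgmt=WPA-PSK
EOF
lint_hostapd_conf "$sample" || true
rm -f "$sample"
```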

Gateway Setup

The next step is to set up the wireless gateway using a script such as the one below. This will start hostapd with the configuration file we just set up, start a DHCP server (dnsmasq) for wireless clients, and get NAT routing going using iptables.

#!/bin/sh
echo "Interface with internet connectivity: "
read iInf
echo "Wireless interface: "
read wInf
echo "Stopping network manager ..."
service network-manager stop
echo "Stopping dnsmasq ..."
service dnsmasq stop
echo "Bringing down wireless interface ..."
ifconfig $wInf down
echo "Starting hostapd ..."
hostapd -dd -B ./hostapd/hostapd.conf
echo "Configuring wireless interface ..."
ifconfig $wInf 10.0.0.1 netmask 255.255.255.0
echo "Starting dnsmasq as DHCP server ..."
dnsmasq --no-hosts --interface $wInf --except-interface=lo --listen-address=10.0.0.1 \
  --dhcp-range=10.0.0.10,10.0.0.50,60m --dhcp-option=option:router,10.0.0.1 --dhcp-lease-max=25 \
  --pid-file=/var/run/nm-dnsmasq-wlan.pid
echo "Stopping firewall and allowing everyone ..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo "Enabling NAT ..."
iptables -t nat -A POSTROUTING -o $iInf -j MASQUERADE
echo "Enabling IP forwarding ..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Wireless gateway setup is complete"

After this stage, if everything went well, clients should be able to connect to the newly set up wireless gateway and have internet connectivity. If you bring up Wireshark and capture on the wireless interface, you should see traffic from your device at 10.0.0.x (or an IP address in whatever DHCP range you set with dnsmasq above) to the intended destinations.

Transparent Proxy

Now that the wireless gateway is set up, we can transparently proxy HTTP traffic from the connected clients. We first need to use iptables to redirect TCP traffic destined for ports 80 and 443 (or whatever port your application needs) to the local port on which the proxy is listening (e.g. 8080).

iptables -t nat -A PREROUTING -i $inf -p tcp --dport 80 -j REDIRECT --to-ports $toPort
iptables -t nat -A PREROUTING -i $inf -p tcp --dport 443 -j REDIRECT --to-ports $toPort
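
The two rules above, generalised to any list of destination ports and paired with their delete (-D) counterparts so the redirect can be removed when the assessment ends. This is an added example, not the author's script: the function names are assumptions, and it only prints the commands (a dry run) after validating the interface name and ports.

```shell
#!/bin/sh
# Added example: emit the REDIRECT rules for a transparent-proxy session and
# the matching delete commands, so the change stays scoped and reversible.
# Dry run only: the functions print commands and never call iptables.

is_port() {  # true when $1 is an integer in 1..65535 without leading zeros
    case "$1" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

is_ifname() {  # conservative interface-name check: letters, digits, . _ -
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# redirect_rules ACTION IFACE PROXY_PORT DPORT...
# ACTION is "add" (-A) or "del" (-D); prints one iptables command per DPORT.
redirect_rules() {
    case "$1" in
        add) op=-A ;;
        del) op=-D ;;
        *) echo "bad action: $1" >&2; return 2 ;;
    esac
    iface=$2 proxy=$3
    shift 3
    is_ifname "$iface" || { echo "bad interface: $iface" >&2; return 2; }
    is_port "$proxy"   || { echo "bad proxy port: $proxy" >&2; return 2; }
    [ "$#" -ge 1 ]     || { echo "no destination ports given" >&2; return 2; }
    # Validate every port first so a bad one never yields a partial rule set.
    for dport in "$@"; do
        is_port "$dport" || { echo "bad destination port: $dport" >&2; return 2; }
    done
    for dport in "$@"; do
        echo "iptables -t nat $op PREROUTING -i $iface -p tcp --dport $dport -j REDIRECT --to-ports $proxy"
    done
}

# Constructed sample values: wlan0 as the AP interface, proxy listening on 8080.
redirect_rules add wlan0 8080 80 443
redirect_rules del wlan0 8080 80 443
```

Review the printed commands, then run them as root; the "del" output removes exactly the rules that "add" created, leaving the rest of the nat table untouched.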

The following is a sample script that takes care of both setting up the wireless gateway and forwarding HTTP traffic from TCP ports 80 and 443 to a port of your choice.

Below are some additional setup steps for three commonly used proxies:

Burp Suite

For Burp Suite, you need to make sure that the proxy listener has “support invisible proxying for non-proxy-aware clients” enabled, and “listen on loopback interface only” disabled.

Charles

For the Charles proxy, you simply need to enable transparent HTTP proxying in the Proxy Settings.

OWASP ZAP

In the OWASP Zed Attack Proxy, you need to set the local proxy to the address of the wireless gateway (e.g. 10.0.0.1) and pick a port.

Additional Notes

If you’re looking into proxying more than just HTTP, Mallory allows you to transparently proxy all TCP and UDP traffic.

If you’re looking for an all-in-one hardware device that will do more than just proxying, the WiFi Pineapple Router will allow you to set up your own WiFi honey-pot hotspot.
