@OOf L FddlmZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlmZddlmZddlmZddlmZddlmZddlZddlmZdd lmZd Zd Zej8eZd;d Zd._MIB_TCP6TABLE_OWNER_PID dwNumEntriestableN)rLrMrNryrzr{ror|sizesr_MIB_TCP6TABLE_OWNER_PIDrs* V__22 3 +d2 3 rrry Structure)rrs` rMIB_TCP6TABLE_OWNER_PIDrs  6#3#3 $ %%rceZdZdejj fdefdejj fdefdejj fdejj fgZy)MIB_TCPROW_OWNER_PIDrvrprrrsrurwN)rLrMrNryrzr{IN4_ADDRr|rPrrrrsa FOO))* ! --. " ../ --. HrrcHGfddtj}|S)NcNeZdZdejj fdeWzfgZy)7MIB_TCPTABLE_OWNER_PID.._MIB_TCPTABLE_OWNER_PIDrrN)rLrMrNryrzr{rr|rsr_MIB_TCPTABLE_OWNER_PIDrs* V__22 3 *T1 2 rrr)rrs` rMIB_TCPTABLE_OWNER_PIDrs  &"2"2 # $$rc:eZdZdZdZdZdZdZdZdZ dZ y ) TcpConnectionTableic2t|j|_tjj |j|_t|j|_tjj |j|_ i|_ yr ) rDEFAULT_TABLE_SIZE_tcpryrzr{ _tcp_sizer_tcp6 _tcp6_size_mapr%s rr'zTcpConnectionTable.__init__se*4+B+BC ..t/F/FG,T-D-DE  ////0G0GH rc |j|Sr )rr&items r __getitem__zTcpConnectionTable.__getitem__syyrc6|jjSr )r__iter__r%s rrzTcpConnectionTable.__iter__syy!!##rc6|jjSr )r__len__r%s rrzTcpConnectionTable.__len__syy  ""rcRi|_|j|jyr )r _refresh_ipv4 _refresh_ipv6r%s rrefreshzTcpConnectionTable.refreshs!   rctjjjtj|j tj|j dtjtd}|dk(r|j jd|j jD]s}tjtjt|j}tj|j }|j"|j$||f<uy|t&k(r5t)|j j*|_|j-yt/d|z)NFrz2[IPv4] Unknown GetExtendedTcpTable return code: %s)rywindlliphlpapiGetExtendedTcpTablebyrefrrr0r1TCP_TABLE_OWNER_PID_CONNECTIONSrr inet_ntopbytesrphtonsrrrwrERROR_INSUFFICIENT_BUFFERrvaluerrBr&retrowlocal_ip local_ports rrz TcpConnectionTable._refresh_ipv4s mm$$88 LL # LL (  NN +   !8yy'?)?)?@ D!++FNNE#//>&&( ( zzS   s ?::?) r^!Callable[[pydivert.Packet], None]rrYrzpydivert.Layerrz pydivert.Flagr_r`)r_zpydivert.Packet | None)rLrMrNdaemonrOrLayerNETWORKr'rrrrrirjs@rrr si F!! !) 6 6 1        $ rrc>eZdZUded< dfd ZdZxZS) RedirectLocalzset[int] trusted_pidsct|_t|_||_t ||j|yr )rtcp_connectionssetrredirect_requestrdr'r^)r&rrrhs rr'zRedirectLocal.__init__=s5 23E 0 f-rc6|j|jf}||jvr|jj|jj |d}||j vr|j |y|jj|dy)NTrecalculate_checksum) src_addrsrc_portrrgetrrrsend)r&rclientr\s rr^zRedirectLocal.handleEs//6??3 -- -  ( ( *""&&vt4 d'' '  ! !& ) NN  T  Br)rrrrYr_r`)rLrMrNrOr'r^rirjs@rrr:s,. A.KN. .Crrc6eZdZUdZdZded<dZd dZd dZy) ClientServerMapzA thread-safe LRU dict.iz ClassVar[int]connection_cache_sizechtj|_tj|_yr )r#Lock_lock collections OrderedDictrr%s rr'zClientServerMap.__init___s ^^% ++- rcd|j5|j|cdddS#1swYyxYwr )rrrs rrzClientServerMap.__getitem__cs) ZZ #99T? # # #s&/cZ|j5||j|<|jj|t|j|jkDr>|jj dt|j|jkDr>dddy#1swYyxYw)NF)rr move_to_endlenrpopitem)r&keyrs r __setitem__zClientServerMap.__setitem__gs} ZZ )"DIIcN II ! !# &dii.4#=#== !!%(dii.4#=#== ) ) )s B B!!B*N)r TConnectionr_r)rrrrr_r`) rLrMrNrarrOr'rrrPrrrrZs!+0=0.#)rrceZdZUdZdZded<dZded<ded<ded <d ed <d ed <ded< d ddZedZ dZ dZ ddZ ddZ ejddZy)r)a Transparent Windows Proxy for mitmproxy based on WinDivert/PyDivert. This module can be used to redirect both traffic that is forwarded by the host and traffic originating from the host itself. Requires elevated (admin) privileges. Can be started separately by manually running the file. How it works: (1) First, we intercept all packages that match our filter. We both consider traffic that is forwarded by the OS (WinDivert's NETWORK_FORWARD layer) as well as traffic sent from the local machine (WinDivert's NETWORK layer). In the case of traffic from the local machine, we need to exempt packets sent from the proxy to not create a redirect loop. To accomplish this, we use Windows' GetExtendedTcpTable syscall and determine the source application's PID. For each intercepted package, we 1. Store the source -> destination mapping (address and port) 2. Remove the package from the network (by not reinjecting it). 3. Re-inject the package into the local network stack, but with the destination address changed to the proxy. (2) Next, the proxy receives the forwarded packet, but does not know the real destination yet (which we overwrote with the proxy's address). On Linux, we would now call getsockopt(SO_ORIGINAL_DST). We now access the redirect module's API (see APIRequestHandler), submit the source information and get the actual destination back (which we stored in 1.1). (3) The proxy now establishes the upstream connection as usual. (4) Finally, the proxy sends the response back to the client. To make it work, we need to change the packet's source address back to the original destination (using the mapping from 1.1), to which the client believes it is talking to. Limitations: - We assume that ephemeral TCP ports are not re-used for multiple connections at the same time. The proxy will fail if an application connects to example.com and example.org from 192.168.0.42:4242 simultaneously. This could be mitigated by introducing unique "meta-addresses" which mitmproxy sees, but this would remove the correct client info from mitmproxy. NzRedirectLocal | NonelocalzRedirect | NoneforwardrresponseicmprZ proxy_portrYrrrXc||_|xs d|dtd|_t|_t |_t|_t|ttft|_ tj|jj|_d|j _|r>t%|j&|jt(j*j,|_|r%t1|j&|j|_t%|j4d||_t%ddt(j8j: |_y) Nztcp.DstPort != z and tcp.DstPort != z and tcp.DstPort < 49152)targetTzoutbound and tcp.SrcPort == cyr rP)_s rz+TransparentProxy.__init__..srrr)rr5rr ipv4_addressr ipv6_addressrrXrSr4rRapir#Thread serve_forever api_threadrrrrrNETWORK_FORWARDrrrredirect_responserFlagDROPr)r&rrrrs rr'zTransparentProxy.__init__s%  m  ,@AR@SSkl )N)O!0!2 $&78:K $**$((2H2HI!% #%%t{{HNN4R4RDL &t'<'O*PQ (*I OO  rc:|jj|jj|jj|jr|jj|j r|j jyyr )rrrrrrr%s rrzTransparentProxy.startsc    << LL   :: JJ    rc8|jr|jj|jr|jj|jj|jj|j jyr )rrrrrrr%s rrzTransparentProxy.shutdowns` :: JJ   ! << LL ! ! #    rc|j|jf}|j|jf|j|<|j t jk(r |jsJ|j|_nn|j t jk(rF|jst|j|_ |jsJ|j|_n td|j|_tjj j"|_|j&j(j+|y)NzUnknown address family)rrdst_addrdst_portrXaddress_familyr0r1rrrr rBrrconsts DirectionINBOUND directionrrrr&rrs rrz!TransparentProxy.redirect_requests//6??3*0//6??)Kv&  FNN 2$$ $$"//FO  " "foo 5$$$1&//$B!$$ $$"//FO78 8//#??44<< $$V,rc|j|jf} |j|\|_|_|j |jjj|dy#t $rtd|YAwxYw)zy If the proxy responds to the client, let the client believe the target server sent the packets. z4Warning: Previously unseen connection from proxy to FrN) rrrXrrrecalculate_checksumsr[printrrrrs rrz"TransparentProxy.redirect_responses //6??3 +/3/E/Ef/M ,FOV_  ( ( * $$V%$H  S HQ R SsA..BBc#JK|jr%|jjj| d|jr&|jjj|yy#|jr&|jjj|wwxYwwr )rraddremove)r&r\s rrWzTransparentProxy.exemptsu :: JJ # # ' ' , 4 zz ''..s3tzz ''..s3s2B#A,3B#,4B  B#)TTz'tcp.DstPort == 80 or tcp.DstPort == 443) rboolrr rrZrz str | Noner_r`)rzpydivert.Packet)r\rZ)rLrMrNrarrOrr' classmethodr*rrrr contextlibcontextmanagerrWrPrrr)r)os&P#'E &#G_# NO K&&F *O*O*O *O  *O  *OX  -2I 44rr)__main__cyr rPrPrrclir&%s rz--local/--no-localTz Redirect the host's own traffic.)defaulthelpz--forward/--no-forwardz.Redirect traffic that's forwarded by the host.z--filterWINDIVERT_FILTERz#Custom WinDivert interception rule.)typemetavarr(z-pz --proxy-port8080rz#The port mitmproxy is listening on.)r*r+r'r(c tdi|}|jtdtd|j t j d#t $r)td|jtdYywxYw)zRedirect flows to mitmproxy.z * Redirection active.z Filter: r=z * Shutting down...z * Shut down.NrP)r)rrrtimesleepKeyboardInterruptr)optionsproxys rredirectr3)sx2!+7+  &( ELL>*+ # 1   # ' ( NN  / " #sA/B B ct}|j|jD]\\}}}t|d|d|y)z1List all TCP connections and the associated PIDs.:z -> N)rritemsr) connectionsrIrJr\s rr7r7NsQ)* *002 +OJR RD$tC5) * +r)r IO[bytes]r_r)rr8r_r`)D __future__rcollections.abcrr"ctypes.wintypesryrloggingr7r?r0 socketserverr#r.rtypingrrrrpydivert.constsrmitmproxy.net.local_ipr r r4r5 getLoggerrLrrrrStreamRequestHandlerrRThreadingMixIn TCPServerrSrc_ubyterxrrrorrrrabcMappingrrrrrCrYrZrrr)clickgroupr&commandoptionr3r7rPrrrLsE"   $/0   8 $ $1$1N 99<# ++\-C-C#! >>B  >>A  F,, & 6++%#$D00DN-y-`CHC:CHo ))*p4p4f zU[[]   [[]U\\d1SU\\  = U\\ " 2  U\\   2  #  . # [[]++Eir