Project description

An easy to use, TCP and UDP level Man-in-the-middle framework intended for security researchers and practitioners.

It provides a simple interface for creating and combining MITM modules, so-called taps. Taps can be chained, each taking care of just one part of one's inspection or modification needs. TCP and UDP taps share the same interface, so modules can be reused where applicable.

This module does not take care of redirecting traffic to itself. It is intended to provide a lightweight but general-purpose framework for implementing inspection or modification modules only. Users of this software need to take care of getting traffic into it, e.g. by ARP-spoofing, iptables, etc.

Installation

PyITM can be easily installed from PyPI with all dependencies, e.g. via pip:

pip install pyitm

Usage

TBD

Examples

TCP:

See examples/example_tcp.py for implementation.

This example forwards HTTP traffic (actually, any TCP traffic) to a destination host/port given on the command line and performs the following tasks:

  • Log packets on stdout before and after modification
  • Update the "Host:" header to match the target (most webservers nowadays do not serve the correct page if it is not set properly)
  • Remove the "Accept-Encoding" header, so the response will not be gzipped or deflated
  • Remove the "If-Modified-Since:" header, so the server will always send the full response

Running the example and opening the URL http://localhost:8081/ in a browser:

$ python examples/example_tcp.py neverssl.com 80
Listening on port 8081
[ORIGINAL][127.0.0.1:35028] intercepted connection established
[ORIGINAL][127.0.0.1:35028] > b'GET / HTTP/1.1\r\nHost: localhost:8081\r\nUser-Agent: Mozilla/5.0 [...]'
[MODIFIED][127.0.0.1:35028] > b'GET / HTTP/1.1\r\nHost: neverssl.com:80\r\nUser-Agent: Mozilla/5.0 [...]'
[ORIGINAL][127.0.0.1:35028] < b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 2536[...]'
[MODIFIED][127.0.0.1:35028] < b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 2536[...]'
[ORIGINAL][127.0.0.1:35028] < b'<html>\n    <head>\n        <title>NeverSSL - helping you get online[...]'
[MODIFIED][127.0.0.1:35028] < b'<html>\n    <head>\n        <title>NeverSSL - helping you get online[...]'
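The header rewriting performed by the TCP example, written here as an added stand-alone function over one HTTP/1.x request (this is not code from pyitm or its examples/ directory, and it does not use the framework's tap API; wiring it into a tap is left to the reader):

```python
# Added example (not part of pyitm or its examples/): the header rewriting the
# TCP example performs, as a plain function over one HTTP/1.x request so it
# can be tested offline. Hooking it into a pyitm tap is not shown here.

# Constructed sample request, modelled on the README's TCP log above.
SAMPLE_REQUEST = (b'GET / HTTP/1.1\r\nHost: localhost:8081\r\n'
                  b'User-Agent: Mozilla/5.0\r\nAccept-Encoding: gzip, deflate\r\n'
                  b'If-Modified-Since: Sat, 01 Jan 2000 00:00:00 GMT\r\n\r\n')

# Header names (lower-cased) that are dropped from every intercepted request.
DROP_HEADERS = (b'accept-encoding', b'if-modified-since')


def rewrite_request(data, target_host, target_port):
    """Rewrite the header block of one HTTP/1.x request:
      - set Host: to the real target (servers pick the vhost by it),
      - drop Accept-Encoding so the response comes back uncompressed,
      - drop If-Modified-Since so the server sends a full body, not a 304.
    Only the header block is touched; a body, if present, passes through
    untouched even if it happens to contain header-like text."""
    head, sep, body = data.partition(b'\r\n\r\n')
    if not sep:                      # header block not complete yet: pass through
        return data
    host_line = b'Host: %s:%d' % (target_host.encode('ascii'), target_port)
    lines = head.split(b'\r\n')
    out = [lines[0]]                 # request line stays as it is
    host_seen = False
    for line in lines[1:]:
        name = line.partition(b':')[0].strip().lower()
        if name in DROP_HEADERS:
            continue
        if name == b'host':
            out.append(host_line)    # replace rather than append a second Host
            host_seen = True
        else:
            out.append(line)
    if not host_seen:                # e.g. HTTP/1.0 clients: add Host for the target
        out.insert(1, host_line)
    return b'\r\n'.join(out) + sep + body
```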

UDP:

See examples/example_udp.py for implementation.

This example forwards DNS traffic (actually, any UDP traffic) to a destination host/port given on the command line and performs the following tasks:

  • Log packets on stdout before and after modification
  • In a packet, replace a given IP address with another one, both given as command line options

Running the example:

$ python examples/example_udp.py 192.168.1.1 46.38.239.190 127.0.0.1
Listening on port 53053

Connecting with a sample client:

$ dig -p53053 +short alles.anzünden.jetzt  @127.0.0.1
127.0.0.1

Tool output:

[ORIGINAL][127.0.0.1:48431] connection interception established
[ORIGINAL][127.0.0.1:48431] > b'\x90\xbf\x01 \x00\x01\x00\x00\x00\x00\x00\x01\x05alles\x0fxn--anznden-p2a\x05jetzt\x00\x00\x01\x00\x01\x00\x00)\x10\x00\x00\x00\x00\x00\x00\x0c\x00\n\x00\x08\xab-Rh\x1e\x9c2\xed'
[MODIFIED][127.0.0.1:48431] > b'\x90\xbf\x01 \x00\x01\x00\x00\x00\x00\x00\x01\x05alles\x0fxn--anznden-p2a\x05jetzt\x00\x00\x01\x00\x01\x00\x00)\x10\x00\x00\x00\x00\x00\x00\x0c\x00\n\x00\x08\xab-Rh\x1e\x9c2\xed'
[ORIGINAL][127.0.0.1:48431] < b'\x90\xbf\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01\x05alles\x0fxn--anznden-p2a\x05jetzt\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x0bg\x00\x04.&\xef\xbe\x00\x00)\x02\x00\x00\x00\x00\x00\x00\x00'
[MODIFIED][127.0.0.1:48431] < b'\x90\xbf\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01\x05alles\x0fxn--anznden-p2a\x05jetzt\x00\x00\x01\x00\x01\xc0\x0c\x00\x01\x00\x01\x00\x00\x0bg\x00\x04\x7f\x00\x00\x01\x00\x00)\x02\x00\x00\x00\x00\x00\x00\x00'
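The IP replacement performed by the UDP example, as an added stand-alone function (not code from pyitm or its examples/, and not using the tap API). It goes a step beyond the example above: instead of a blind byte replacement over the whole datagram, which could also hit a transaction ID, the flags or a label that happens to contain the same four bytes, it parses the DNS message and only rewrites the RDATA of A records. The sample response is the one from the log above.

```python
import socket
import struct

# Added example (not pyitm code): the IP replacement the UDP example performs,
# restricted to the RDATA of A records instead of a blind bytes.replace().

# Sample DNS response taken from the README's UDP log above: one A record for
# alles.anzünden.jetzt pointing at 46.38.239.190 (bytes 0x2e 0x26 0xef 0xbe).
SAMPLE_RESPONSE = (b'\x90\xbf\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01'
                   b'\x05alles\x0fxn--anznden-p2a\x05jetzt\x00\x00\x01\x00\x01'
                   b'\xc0\x0c\x00\x01\x00\x01\x00\x00\x0bg\x00\x04.&\xef\xbe'
                   b'\x00\x00)\x02\x00\x00\x00\x00\x00\x00\x00')


def _skip_name(pkt, off):
    """Return the offset just past the domain name starting at off.
    Handles label compression pointers (RFC 1035, section 4.1.4)."""
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:    # pointer: 2 bytes and the name ends here
            return off + 2
        off += 1 + length
        if length == 0:                # root label terminates the name
            return off


def rewrite_a_records(pkt, old_ip, new_ip):
    """Replace old_ip with new_ip in the RDATA of every A record of a DNS
    message. Header, names and records of other types are never modified,
    even if they contain the same four bytes."""
    old, new = socket.inet_aton(old_ip), socket.inet_aton(new_ip)
    out = bytearray(pkt)
    qd, an, ns, ar = struct.unpack('!HHHH', pkt[4:12])
    off = 12
    for _ in range(qd):                # question: NAME + QTYPE + QCLASS
        off = _skip_name(pkt, off) + 4
    for _ in range(an + ns + ar):      # answer, authority and additional RRs
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack('!HHIH', pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4 and pkt[off:off + 4] == old:
            out[off:off + 4] = new
        off += rdlen
    return bytes(out)
```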

Interactive:

See examples/example_udp_interactive.py for implementation.

This example is very similar to example_udp.py but gives the user an interactive text console to change the tool's behaviour at runtime. It is intended to demonstrate how interaction with the taps at runtime can be implemented.

Project details


This version

0.9

Download files

Source Distribution

pythonitm-0.9.tar.gz (7.7 kB view details)

Built Distribution

pythonitm-0.9-py3-none-any.whl (5.8 kB view details)
