kubetap
Mitmproxy TCP Interception
Description
I tried the TCP raw option of mitmproxy and it's not working. I don't know if this should be a feature request or a bug report.
Kubectl commands to create reproducible environment / deployment
I enabled rawtcp in the options menu of mitmweb and added ".*" to tcp_hosts. According to https://github.com/mitmproxy/mitmproxy/issues/2595 this should work. Do you have an idea how to get rawtcp mode working?
The
Screenshots or other information
These are the deployments and the service I use:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ncl
  labels:
    app: netcatlistener
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: netcatlistener
  template:
    metadata:
      labels:
        app: netcatlistener
    spec:
      containers:
        - args:
            - "-lk"
            - "8888"
          image: subfuzion/netcat
          imagePullPolicy: IfNotPresent
          name: ncl
          tty: true
          stdin: true
          ports:
            - containerPort: 8888
              name: listenerport
      nodeName: k8s-worker-1
---
apiVersion: v1
kind: Service
metadata:
  name: ncservice
spec:
  clusterIP: 10.103.53.167
  ports:
    - name: nctcp
      port: 8888
      protocol: TCP
      targetPort: 8888
    - name: ncudp
      port: 8888
      protocol: UDP
      targetPort: 8888
  selector:
    app: netcatlistener
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ncs
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      app: netcatsend
  template:
    metadata:
      labels:
        app: netcatsend
    spec:
      containers:
        - args:
            - "-v"
            - "10.103.53.167"
            - "8888"
          image: subfuzion/netcat
          imagePullPolicy: IfNotPresent
          name: ncs
          tty: true
          stdin: true
      nodeName: k8s-worker-1
```
I'm going to actually close this as a dupe, as this is essentially a different version of https://github.com/soluble-ai/kubetap/issues/2. Re: the raw option you tried, kubetap uses `mitmweb` and not `mitmproxy`, which may or may not be the issue here.
1. `mitmweb` and `mitmproxy` are the same program with just another interface: https://docs.mitmproxy.org/stable/tools-mitmweb/
The link was for reference to what I configured in mitmweb.
This should work since they are the same codebase. The option for reference is: https://mitmproxy.readthedocs.io/en/v2.0.2/features/tcpproxy.html
2. Traffic capturing is something different; I specifically need TCP traffic proxying. Capturing cannot intercept and change segments.
I am currently writing my master's thesis about this topic.
A clear - `we will not support the rawtcp option from mitmproxy/mitmweb` would be enough.
Ah, I actually did not know that mitmproxy offered this feature in the web UI. I am going to close #2 in favor of this.
The issue you reference in the OP has a comment that references modes: https://docs.mitmproxy.org/stable/concepts-modes/
Kubetap currently only uses the `reverse` mode, though this is configurable (but will currently return an error): https://github.com/soluble-ai/kubetap/blob/836da3baa8401d55a8b3e360a10e74dd45caeae9/cmd/kubectl-tap/mitmproxy.go#L181
Perhaps try commenting out these errors and adding the configuration line for a compatible mode.
Happy to accept a PR if you find a solution!
So I fiddled around and read some more of the documentation and issues from mitmproxy.
tcpraw is in an experimental state (https://docs.mitmproxy.org/stable/concepts-options/#available-options, search for the rawtcp option) and cannot intercept traffic at the moment. (That's what I am after.)
I tested locally because it's faster and came to the same conclusion as `skotti` in https://github.com/mitmproxy/mitmproxy/issues/2595: that this is not working at the moment. I tested with the new 5.2 version of mitmproxy.
For reference, here are the commands I used.
```shell
# Terminal 1. Starting proxy listen on port 8887 proxying to localhost 8888 enable rawtcp and allow all tcp hosts
mitmweb -p 8887 --mode reverse:localhost:8888 --tcp-hosts '.*' --rawtcp
# Terminal 2. netcat listen on 8888 for segments
nc -lv 8888
# Terminal 3. connect to the proxy on port 8887
nc -v localhost 8887
```
Connecting is working but segments never arrive at the destination. Additional note: I use the OpenBSD version of netcat here.
@Eriner reverse mode is basically the only option here. We do want to proxy all traffic to a server (pod). Maybe transparent mode is an option, but this could be very complicated to implement, I think.
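The three-terminal netcat check above, as an added Python example (not code from this thread, kubetap or mitmproxy): it reports "connected" and "delivered" separately, because the reported symptom is a connection that succeeds while no bytes reach the listener. `Sink`, `stand_in_proxy` and `probe` are hypothetical names, and the stand-in proxy exists only so the script runs offline.

```python
import socket
import threading
import time

PAYLOAD = b"kubetap-rawtcp-probe\n"  # constructed test payload

class Sink:
    """Upstream listener, the role of `nc -lv 8888` in the thread."""
    def __init__(self, port=0):
        self.data = bytearray()
        self.srv = socket.create_server(("127.0.0.1", port))
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                self.data += chunk

def stand_in_proxy(upstream_port, forward):
    """Local stand-in for the proxy under test (assumption, not mitmproxy).
    forward=False accepts the client and dials upstream but relays nothing."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        client, _ = srv.accept()
        upstream = socket.create_connection(("127.0.0.1", upstream_port))
        with client, upstream:
            while chunk := client.recv(4096):
                if forward:
                    upstream.sendall(chunk)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe(proxy_port, sink, timeout=1.0):
    """Send PAYLOAD through the proxy; report connect and delivery separately."""
    result = {"connected": False, "delivered": False}
    try:
        with socket.create_connection(("127.0.0.1", proxy_port), timeout=timeout) as c:
            result["connected"] = True
            c.sendall(PAYLOAD)
            # A successful connect says nothing about relaying, so wait for
            # the bytes to show up at the upstream listener.
            deadline = time.monotonic() + timeout
            while time.monotonic() < deadline and bytes(sink.data) != PAYLOAD:
                time.sleep(0.01)
            result["delivered"] = bytes(sink.data) == PAYLOAD
    except OSError:
        pass
    return result
```

To check a real proxy started as in the commands above, create `Sink(8888)` before starting the proxy's first connection and call `probe(8887, sink)`.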
@Syndlex Let me know if you're able to get this to work or find a good alternative!