Capturing https traffic on a headless server

April 23, 2019

Recently I needed to view the full HTTP GET and POST methods for a python application hosted on a headless server. I ended up using a tool call mitmproxy. This post will cover getting mitmproxy set up on a linux server and viewing the HTTP GET/POST requests on your local machine via a web interface.

Prerequisite

You will need Python 3.6 and screen

yum install -y https://centos7.iuscommunity.org/ius-release.rpm
yum update
yum install -y python36u python36u-libs python36u-devel python36u-pip screen

Setup

You will need to install mitmproxy

python36 -m ensurepip --default-pip
python36 -m pip install mitmproxy

Running mitmproxy

I recommend running mitmproxy in a screen session so that when you logoff it is still running

Start screen session

screen -S mitm

Start mitmproxy web

Stary mitmproxy by running mitmweb. By Default this will listen on 127.0.0.1:8081.

mitmweb

result:

Web server listening at http://127.0.0.1:8081/
No web browser found. Please open a browser and point it to http://127.0.0.1:8081/
Proxy server listening at http://*:8080
127.0.0.1:43746: clientconnect
127.0.0.1:43746: clientdisconnect
127.0.0.1:54664: clientconnect

Detach Screen

Now that you have mitmproxy running, you should detach the screen with the following key combination:

WHILE HOLDING CTRL, PRESS A and then D

output:

[detached from 28475.mitm]

Reattaching screen

Determine which screen mitm is on:

screen -list

Reattach the screen

screen -r 28475.mitm

Modifying your ssh config to tunnel traffic

Edit file ~/.ssh/config

Host foo # this is the "friendly" name of your server
    # ssh user
    User foo 

    # IP address of server
    Hostname 10.1.1.10 

    # prevent terminal messages about socket connection errors
    LogLevel QUIET

    # forward remote socket 127.0.0.1:8081 (remote machine)
    # to local socket 127.0.0.1:40081 (your machine)
    LocalForward 40081 localhost:8081

    # key file used to ssh to server
    IdentityFile ~/.ssh/bar.pem 

SSH to server

Now you can run the following command to ssh to the friendly name of your server

ssh foo

Configure Server to use Proxy

Refer to your O/S specific documentation here. You should set applications or the O/S to use 127.0.0.1:8080.

View mitmproxy website

This will allow you to see the captured traffic. Using a web browser open up “http://127.0.0.1:40081”