mitmproxy Usage Example

Run mitmproxy listening (-p) on port 2139.

root@kali:~# mitmproxy -p 2139

Packages and Binaries:

mitmproxy

mitmproxy is an SSL-capable man-in-the-middle HTTP proxy. It provides a console interface that allows traffic flows to be inspected and edited on the fly.

Also shipped is mitmdump, the command-line version of mitmproxy, with the same functionality but without the frills. Think tcpdump for HTTP.

Features:

  • intercept and modify HTTP traffic on the fly
  • save HTTP conversations for later replay and analysis
  • replay both HTTP clients and servers
  • make scripted changes to HTTP traffic using Python
  • SSL interception certs generated on the fly

Installed size: 3.00 MB
How to install: sudo apt install mitmproxy

Dependencies:

  • dpkg
  • fonts-font-awesome
  • python3
  • python3-asgiref
  • python3-blinker
  • python3-brotli
  • python3-certifi
  • python3-click
  • python3-cryptography
  • python3-flask
  • python3-h2
  • python3-hyperframe
  • python3-kaitaistruct
  • python3-ldap3
  • python3-msgpack
  • python3-openssl
  • python3-passlib
  • python3-pkg-resources
  • python3-protobuf
  • python3-publicsuffix2
  • python3-pyasn1
  • python3-pyparsing
  • python3-pyperclip
  • python3-ruamel.yaml
  • python3-sortedcontainers
  • python3-tornado
  • python3-urwid
  • python3-wsproto

mitmdump
root@kali:~# mitmdump -h
usage: mitmdump [options] [filter]

positional arguments:
  filter_args           Filter expression, equivalent to setting both the
                        view_filter and save_stream_filter options.

optional arguments:
  -h, --help            show this help message and exit
  --version             show version number and exit
  --options             Show all options and their default values
  --commands            Show all commands and their signatures
  --set option[=value]  Set an option. When the value is omitted, booleans are
                        set to true, strings and integers are set to None (if
                        permitted), and sequences are emptied. Boolean values
                        can be true, false or toggle.
  -q, --quiet           Quiet.
  -v, --verbose         Increase log verbosity.
  --mode MODE, -m MODE  Mode can be "regular", "transparent", "socks5",
                        "reverse:SPEC", or "upstream:SPEC". For reverse and
                        upstream proxy modes, SPEC is host specification in
                        the form of "http[s]://host[:port]".
  --no-anticache
  --anticache           Strip out request headers that might cause the server
                        to return 304-not-modified.
  --no-showhost
  --showhost            Use the Host header to construct URLs for display.
  --rfile PATH, -r PATH
                        Read flows from file.
  --scripts SCRIPT, -s SCRIPT
                        Execute a script. May be passed multiple times.
  --stickycookie FILTER
                        Set sticky cookie filter. Matched against requests.
  --stickyauth FILTER   Set sticky auth filter. Matched against requests.
  --save-stream-file PATH, -w PATH
                        Stream flows to file as they arrive. Prefix path with
                        + to append.
  --no-anticomp
  --anticomp            Try to convince servers to send us un-compressed data.
  --flow-detail LEVEL   The display detail level for flows in mitmdump: 0
                        (almost quiet) to 3 (very verbose). 0: shortened
                        request URL, response status code, WebSocket and TCP
                        message notifications. 1: full request URL with
                        response status code 2: 1 + HTTP headers 3: 2 + full
                        response content, content of WebSocket and TCP
                        messages.

Proxy Options:
  --listen-host HOST    Address to bind proxy to.
  --listen-port PORT, -p PORT
                        Proxy service port.
  --no-server, -n
  --server              Start a proxy server. Enabled by default.
  --ignore-hosts HOST   Ignore host and forward all traffic without processing
                        it. In transparent mode, it is recommended to use an
                        IP address (range), not the hostname. In regular mode,
                        only SSL traffic is ignored and the hostname should be
                        used. The supplied value is interpreted as a regular
                        expression and matched on the ip or the hostname. May
                        be passed multiple times.
  --allow-hosts HOST    Opposite of --ignore-hosts. May be passed multiple
                        times.
  --tcp-hosts HOST      Generic TCP SSL proxy mode for all hosts that match
                        the pattern. Similar to --ignore-hosts, but SSL
                        connections are intercepted. The communication
                        contents are printed to the log in verbose mode. May
                        be passed multiple times.
  --upstream-auth USER:PASS
                        Add HTTP Basic authentication to upstream proxy and
                        reverse proxy requests. Format: username:password.
  --proxyauth SPEC      Require proxy authentication. Format: "username:pass",
                        "any" to accept any user/pass combination, "@path" to
                        use an Apache htpasswd file, or
                        "ldap[s]:url_server_ldap:dn_auth:password:dn_subtree"
                        for LDAP authentication.
  --no-rawtcp
  --rawtcp              Enable/disable experimental raw TCP support. TCP
                        connections starting with non-ascii bytes are treated
                        as if they would match tcp_hosts. The heuristic is
                        very rough, use with caution. Disabled by default.
  --no-http2
  --http2               Enable/disable HTTP/2 support. HTTP/2 support is
                        enabled by default.

SSL:
  --certs SPEC          SSL certificates of the form "[domain=]path". The
                        domain may include a wildcard, and is equal to "*" if
                        not specified. The file at path is a certificate in
                        PEM format. If a private key is included in the PEM,
                        it is used, else the default key in the conf dir is
                        used. The PEM file should contain the full certificate
                        chain, with the leaf certificate as the first entry.
                        May be passed multiple times.
  --cert-passphrase PASS
                        Passphrase for decrypting the private key provided in
                        the --cert option.
  --no-ssl-insecure
  --ssl-insecure, -k    Do not verify upstream server SSL/TLS certificates.
  --key-size KEY_SIZE   TLS key size for certificates and CA.

Client Replay:
  --client-replay PATH, -C PATH
                        Replay client requests from a saved file. May be
                        passed multiple times.

Server Replay:
  --server-replay PATH, -S PATH
                        Replay server responses from a saved file. May be
                        passed multiple times.
  --no-server-replay-kill-extra
  --server-replay-kill-extra
                        Kill extra requests during replay.
  --no-server-replay-nopop
  --server-replay-nopop
                        Don't remove flows from server replay state after use.
                        This makes it possible to replay same response
                        multiple times.
  --no-server-replay-refresh
  --server-replay-refresh
                        Refresh server replay responses by adjusting date,
                        expires and last-modified headers, as well as
                        adjusting cookie expiration.

Map Remote:
  --map-remote PATTERN, -M PATTERN
                        Map remote resources to another remote URL using a
                        pattern of the form "[/flow-filter]/url-
                        regex/replacement", where the separator can be any
                        character. May be passed multiple times.

Map Local:
  --map-local PATTERN   Map remote resources to a local file using a pattern
                        of the form "[/flow-filter]/url-regex/file-or-
                        directory-path", where the separator can be any
                        character. May be passed multiple times.

Modify Body:
  --modify-body PATTERN, -B PATTERN
                        Replacement pattern of the form "[/flow-
                        filter]/regex/[@]replacement", where the separator can
                        be any character. The @ allows to provide a file path
                        that is used to read the replacement string. May be
                        passed multiple times.

Modify Headers:
  --modify-headers PATTERN, -H PATTERN
                        Header modify pattern of the form "[/flow-
                        filter]/header-name/[@]header-value", where the
                        separator can be any character. The @ allows to
                        provide a file path that is used to read the header
                        value string. An empty header-value removes existing
                        header-name headers. May be passed multiple times.
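
The --scripts option above loads a Python addon into mitmdump. The following is an added example, not part of the Kali page or of mitmproxy itself: a defensive addon that audits every response for missing or disabled security headers and logs the findings, so mitmdump -s can serve as a passive check against your own applications. The flow attributes it reads (flow.request.scheme, pretty_host, pretty_url, flow.response.headers) are real mitmproxy fields; the expected-header list, the host name and the hand-built sample flow are this example's own constructed choices.

```python
"""Constructed example addon: audit HTTP responses for missing security headers.

Run with the --scripts option, e.g.:  mitmdump -p 2139 -s audit_headers.py
Only the standard library is imported; the hook methods duck-type the flow
objects mitmproxy passes in, so the audit logic can also run outside the proxy.
"""
import logging
from collections import Counter
from types import SimpleNamespace

# Response headers a hardened HTTPS service is expected to send, with the risk
# when each one is absent. This list is the example's choice, not mitmproxy's.
EXPECTED_HEADERS = {
    "strict-transport-security": "clients may be downgraded to plain HTTP",
    "content-security-policy": "no script-source restriction against XSS",
    "x-content-type-options": "browser may MIME-sniff the response",
    "x-frame-options": "page can be framed (clickjacking)",
}


def audit_headers(headers, scheme="https"):
    """Return a list of finding strings for one response.

    `headers` is any mapping with .items() (mitmproxy's Headers, or a dict);
    names are lower-cased here so lookups are case-insensitive either way.
    """
    present = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in EXPECTED_HEADERS.items():
        if name == "strict-transport-security" and scheme != "https":
            continue  # HSTS is only honoured by browsers over TLS
        if name not in present:
            findings.append(f"missing {name}: {why}")
    sts = present.get("strict-transport-security", "")
    if sts and "max-age=0" in sts.replace(" ", ""):
        findings.append("strict-transport-security has max-age=0 (HSTS disabled)")
    ctype = present.get("content-type", "")
    if "text/html" in ctype and "charset" not in ctype.lower():
        findings.append("text/html response without charset")
    return findings


class SecurityHeaderAudit:
    """mitmproxy addon: collects findings per host and logs them as they occur."""

    def __init__(self):
        self.findings_by_host = {}

    def response(self, flow):
        # mitmproxy hook, called once per completed HTTP response.
        if flow.response is None:
            return
        host = flow.request.pretty_host
        findings = audit_headers(flow.response.headers, flow.request.scheme)
        if findings:
            self.findings_by_host.setdefault(host, Counter()).update(findings)
            for finding in findings:
                logging.warning("%s %s -> %s", flow.request.method,
                                flow.request.pretty_url, finding)

    def done(self):
        # mitmproxy hook, called on shutdown: print the per-host summary.
        for host, counter in sorted(self.findings_by_host.items()):
            logging.info("%s: %s", host, dict(counter))


addons = [SecurityHeaderAudit()]


def constructed_demo():
    """Feed one hand-built flow (constructed sample, not captured traffic)
    through the addon and return the per-host findings."""
    flow = SimpleNamespace(
        request=SimpleNamespace(method="GET", scheme="https",
                                pretty_host="app.example",
                                pretty_url="https://app.example/login"),
        response=SimpleNamespace(headers={
            "Content-Type": "text/html",
            "Strict-Transport-Security": "max-age=0",
        }),
    )
    addon = SecurityHeaderAudit()
    addon.response(flow)
    addon.done()
    return addon.findings_by_host


if __name__ == "__main__":
    for host, counter in constructed_demo().items():
        print(host, dict(counter))
```

The addon only observes; it neither modifies nor drops traffic, so it is safe to leave loaded while saving flows with -w for later review.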


mitmproxy
root@kali:~# mitmproxy -h
usage: mitmproxy [options]

optional arguments:
  -h, --help            show this help message and exit
  --version             show version number and exit
  --options             Show all options and their default values
  --commands            Show all commands and their signatures
  --set option[=value]  Set an option. When the value is omitted, booleans are
                        set to true, strings and integers are set to None (if
                        permitted), and sequences are emptied. Boolean values
                        can be true, false or toggle.
  -q, --quiet           Quiet.
  -v, --verbose         Increase log verbosity.
  --mode MODE, -m MODE  Mode can be "regular", "transparent", "socks5",
                        "reverse:SPEC", or "upstream:SPEC". For reverse and
                        upstream proxy modes, SPEC is host specification in
                        the form of "http[s]://host[:port]".
  --no-anticache
  --anticache           Strip out request headers that might cause the server
                        to return 304-not-modified.
  --no-showhost
  --showhost            Use the Host header to construct URLs for display.
  --rfile PATH, -r PATH
                        Read flows from file.
  --scripts SCRIPT, -s SCRIPT
                        Execute a script. May be passed multiple times.
  --stickycookie FILTER
                        Set sticky cookie filter. Matched against requests.
  --stickyauth FILTER   Set sticky auth filter. Matched against requests.
  --save-stream-file PATH, -w PATH
                        Stream flows to file as they arrive. Prefix path with
                        + to append.
  --no-anticomp
  --anticomp            Try to convince servers to send us un-compressed data.
  --console-layout {horizontal,single,vertical}
                        Console layout.
  --no-console-layout-headers
  --console-layout-headers
                        Show layout component headers

Proxy Options:
  --listen-host HOST    Address to bind proxy to.
  --listen-port PORT, -p PORT
                        Proxy service port.
  --no-server, -n
  --server              Start a proxy server. Enabled by default.
  --ignore-hosts HOST   Ignore host and forward all traffic without processing
                        it. In transparent mode, it is recommended to use an
                        IP address (range), not the hostname. In regular mode,
                        only SSL traffic is ignored and the hostname should be
                        used. The supplied value is interpreted as a regular
                        expression and matched on the ip or the hostname. May
                        be passed multiple times.
  --allow-hosts HOST    Opposite of --ignore-hosts. May be passed multiple
                        times.
  --tcp-hosts HOST      Generic TCP SSL proxy mode for all hosts that match
                        the pattern. Similar to --ignore-hosts, but SSL
                        connections are intercepted. The communication
                        contents are printed to the log in verbose mode. May
                        be passed multiple times.
  --upstream-auth USER:PASS
                        Add HTTP Basic authentication to upstream proxy and
                        reverse proxy requests. Format: username:password.
  --proxyauth SPEC      Require proxy authentication. Format: "username:pass",
                        "any" to accept any user/pass combination, "@path" to
                        use an Apache htpasswd file, or
                        "ldap[s]:url_server_ldap:dn_auth:password:dn_subtree"
                        for LDAP authentication.
  --no-rawtcp
  --rawtcp              Enable/disable experimental raw TCP support. TCP
                        connections starting with non-ascii bytes are treated
                        as if they would match tcp_hosts. The heuristic is
                        very rough, use with caution. Disabled by default.
  --no-http2
  --http2               Enable/disable HTTP/2 support. HTTP/2 support is
                        enabled by default.

SSL:
  --certs SPEC          SSL certificates of the form "[domain=]path". The
                        domain may include a wildcard, and is equal to "*" if
                        not specified. The file at path is a certificate in
                        PEM format. If a private key is included in the PEM,
                        it is used, else the default key in the conf dir is
                        used. The PEM file should contain the full certificate
                        chain, with the leaf certificate as the first entry.
                        May be passed multiple times.
  --cert-passphrase PASS
                        Passphrase for decrypting the private key provided in
                        the --cert option.
  --no-ssl-insecure
  --ssl-insecure, -k    Do not verify upstream server SSL/TLS certificates.
  --key-size KEY_SIZE   TLS key size for certificates and CA.

Client Replay:
  --client-replay PATH, -C PATH
                        Replay client requests from a saved file. May be
                        passed multiple times.

Server Replay:
  --server-replay PATH, -S PATH
                        Replay server responses from a saved file. May be
                        passed multiple times.
  --no-server-replay-kill-extra
  --server-replay-kill-extra
                        Kill extra requests during replay.
  --no-server-replay-nopop
  --server-replay-nopop
                        Don't remove flows from server replay state after use.
                        This makes it possible to replay same response
                        multiple times.
  --no-server-replay-refresh
  --server-replay-refresh
                        Refresh server replay responses by adjusting date,
                        expires and last-modified headers, as well as
                        adjusting cookie expiration.

Map Remote:
  --map-remote PATTERN, -M PATTERN
                        Map remote resources to another remote URL using a
                        pattern of the form "[/flow-filter]/url-
                        regex/replacement", where the separator can be any
                        character. May be passed multiple times.

Map Local:
  --map-local PATTERN   Map remote resources to a local file using a pattern
                        of the form "[/flow-filter]/url-regex/file-or-
                        directory-path", where the separator can be any
                        character. May be passed multiple times.

Modify Body:
  --modify-body PATTERN, -B PATTERN
                        Replacement pattern of the form "[/flow-
                        filter]/regex/[@]replacement", where the separator can
                        be any character. The @ allows to provide a file path
                        that is used to read the replacement string. May be
                        passed multiple times.

Modify Headers:
  --modify-headers PATTERN, -H PATTERN
                        Header modify pattern of the form "[/flow-
                        filter]/header-name/[@]header-value", where the
                        separator can be any character. The @ allows to
                        provide a file path that is used to read the header
                        value string. An empty header-value removes existing
                        header-name headers. May be passed multiple times.

Filters:
  See help in mitmproxy for filter expression syntax.

  --intercept FILTER    Intercept filter expression.
  --view-filter FILTER  Limit the view to matching flows.


mitmweb
root@kali:~# mitmweb -h
usage: mitmweb [options]

optional arguments:
  -h, --help            show this help message and exit
  --version             show version number and exit
  --options             Show all options and their default values
  --commands            Show all commands and their signatures
  --set option[=value]  Set an option. When the value is omitted, booleans are
                        set to true, strings and integers are set to None (if
                        permitted), and sequences are emptied. Boolean values
                        can be true, false or toggle.
  -q, --quiet           Quiet.
  -v, --verbose         Increase log verbosity.
  --mode MODE, -m MODE  Mode can be "regular", "transparent", "socks5",
                        "reverse:SPEC", or "upstream:SPEC". For reverse and
                        upstream proxy modes, SPEC is host specification in
                        the form of "http[s]://host[:port]".
  --no-anticache
  --anticache           Strip out request headers that might cause the server
                        to return 304-not-modified.
  --no-showhost
  --showhost            Use the Host header to construct URLs for display.
  --rfile PATH, -r PATH
                        Read flows from file.
  --scripts SCRIPT, -s SCRIPT
                        Execute a script. May be passed multiple times.
  --stickycookie FILTER
                        Set sticky cookie filter. Matched against requests.
  --stickyauth FILTER   Set sticky auth filter. Matched against requests.
  --save-stream-file PATH, -w PATH
                        Stream flows to file as they arrive. Prefix path with
                        + to append.
  --no-anticomp
  --anticomp            Try to convince servers to send us un-compressed data.

Mitmweb:
  --no-web-open-browser
  --web-open-browser    Start a browser.
  --web-port PORT       Web UI port.
  --web-host HOST       Web UI host.

Proxy Options:
  --listen-host HOST    Address to bind proxy to.
  --listen-port PORT, -p PORT
                        Proxy service port.
  --no-server, -n
  --server              Start a proxy server. Enabled by default.
  --ignore-hosts HOST   Ignore host and forward all traffic without processing
                        it. In transparent mode, it is recommended to use an
                        IP address (range), not the hostname. In regular mode,
                        only SSL traffic is ignored and the hostname should be
                        used. The supplied value is interpreted as a regular
                        expression and matched on the ip or the hostname. May
                        be passed multiple times.
  --allow-hosts HOST    Opposite of --ignore-hosts. May be passed multiple
                        times.
  --tcp-hosts HOST      Generic TCP SSL proxy mode for all hosts that match
                        the pattern. Similar to --ignore-hosts, but SSL
                        connections are intercepted. The communication
                        contents are printed to the log in verbose mode. May
                        be passed multiple times.
  --upstream-auth USER:PASS
                        Add HTTP Basic authentication to upstream proxy and
                        reverse proxy requests. Format: username:password.
  --proxyauth SPEC      Require proxy authentication. Format: "username:pass",
                        "any" to accept any user/pass combination, "@path" to
                        use an Apache htpasswd file, or
                        "ldap[s]:url_server_ldap:dn_auth:password:dn_subtree"
                        for LDAP authentication.
  --no-rawtcp
  --rawtcp              Enable/disable experimental raw TCP support. TCP
                        connections starting with non-ascii bytes are treated
                        as if they would match tcp_hosts. The heuristic is
                        very rough, use with caution. Disabled by default.
  --no-http2
  --http2               Enable/disable HTTP/2 support. HTTP/2 support is
                        enabled by default.

SSL:
  --certs SPEC          SSL certificates of the form "[domain=]path". The
                        domain may include a wildcard, and is equal to "*" if
                        not specified. The file at path is a certificate in
                        PEM format. If a private key is included in the PEM,
                        it is used, else the default key in the conf dir is
                        used. The PEM file should contain the full certificate
                        chain, with the leaf certificate as the first entry.
                        May be passed multiple times.
  --cert-passphrase PASS
                        Passphrase for decrypting the private key provided in
                        the --cert option.
  --no-ssl-insecure
  --ssl-insecure, -k    Do not verify upstream server SSL/TLS certificates.
  --key-size KEY_SIZE   TLS key size for certificates and CA.

Client Replay:
  --client-replay PATH, -C PATH
                        Replay client requests from a saved file. May be
                        passed multiple times.

Server Replay:
  --server-replay PATH, -S PATH
                        Replay server responses from a saved file. May be
                        passed multiple times.
  --no-server-replay-kill-extra
  --server-replay-kill-extra
                        Kill extra requests during replay.
  --no-server-replay-nopop
  --server-replay-nopop
                        Don't remove flows from server replay state after use.
                        This makes it possible to replay same response
                        multiple times.
  --no-server-replay-refresh
  --server-replay-refresh
                        Refresh server replay responses by adjusting date,
                        expires and last-modified headers, as well as
                        adjusting cookie expiration.

Map Remote:
  --map-remote PATTERN, -M PATTERN
                        Map remote resources to another remote URL using a
                        pattern of the form "[/flow-filter]/url-
                        regex/replacement", where the separator can be any
                        character. May be passed multiple times.

Map Local:
  --map-local PATTERN   Map remote resources to a local file using a pattern
                        of the form "[/flow-filter]/url-regex/file-or-
                        directory-path", where the separator can be any
                        character. May be passed multiple times.

Modify Body:
  --modify-body PATTERN, -B PATTERN
                        Replacement pattern of the form "[/flow-
                        filter]/regex/[@]replacement", where the separator can
                        be any character. The @ allows to provide a file path
                        that is used to read the replacement string. May be
                        passed multiple times.

Modify Headers:
  --modify-headers PATTERN, -H PATTERN
                        Header modify pattern of the form "[/flow-
                        filter]/header-name/[@]header-value", where the
                        separator can be any character. The @ allows to
                        provide a file path that is used to read the header
                        value string. An empty header-value removes existing
                        header-name headers. May be passed multiple times.

Filters:
  See help in mitmproxy for filter expression syntax.

  --intercept FILTER    Intercept filter expression.


pathoc
root@kali:~# pathoc -h
usage: pathoc [-h] [--show-uas] [--version] [-c HOST:PORT] [--memo-limit N]
              [-m] [-n N] [-w N] [-r] [-t TIMEOUT] [--http2]
              [--http2-skip-connection-preface] [-s] [-C CLIENTCERT] [-i SNI]
              [--ciphers CIPHERS]
              [--ssl-version {all,secure,SSLv2,SSLv3,TLSv1,TLSv1_1,TLSv1_2}]
              [-I IGNORECODES] [-S] [-e] [-o] [-q] [-p] [-T] [-x]
              [--http2-framedump]
              host[:port] requests [requests ...]

A perverse HTTP client.

positional arguments:
  host[:port]           Host and port to connect to
  requests              Request specification, or path to a file containing
                        request specifcations

optional arguments:
  -h, --help            show this help message and exit
  --show-uas            Print user agent shortcuts and exit.
  --version             show program's version number and exit
  -c HOST:PORT          Issue an HTTP CONNECT to connect to the specified
                        host.
  --memo-limit N        Stop if we do not find a valid request after N
                        attempts.
  -m                    Remember specs, and never play the same one twice.
                        Note that this means requests have to be rendered in
                        memory, which means that large generated data can
                        cause issues.
  -n N                  Repeat N times. Pass -1 to repeat infinitely.
  -w N                  Wait N seconds between each request.
  -r                    Select a random request from those specified. If this
                        is not specified, requests are all played in sequence.
  -t TIMEOUT            Connection timeout
  --http2               Perform all requests over a single HTTP/2 connection.
  --http2-skip-connection-preface
                        Skips the HTTP/2 connection preface before sending
                        requests.

SSL:
  -s                    Connect with SSL
  -C CLIENTCERT         Path to a file containing client certificate and
                        private key
  -i SNI                SSL Server Name Indication
  --ciphers CIPHERS     SSL cipher specification
  --ssl-version {all,secure,SSLv2,SSLv3,TLSv1,TLSv1_1,TLSv1_2}
                        Set supported SSL/TLS versions. SSLv2, SSLv3 and 'all'
                        are INSECURE. Defaults to secure, which is TLS1.0+.

Controlling Output:
  Some of these options expand generated values for logging - if you're
  generating large data, use them with caution.

  -I IGNORECODES        Comma-separated list of response codes to ignore
  -S                    Show info on SSL connection
  -e                    Explain requests
  -o                    Oneshot - exit after first non-ignored response
  -q                    Print full request
  -p                    Print full response
  -T                    Ignore timeouts
  -x                    Output in hexdump format
  --http2-framedump     Output all received & sent HTTP/2 frames

pathod
root@kali:~# pathod -h
usage: pathod [-h] [--version] [-p PORT] [-l ADDRESS] [-a ANCHOR]
              [-c CRAFTANCHOR] [--confdir CONFDIR] [-d STATICDIR] [-D]
              [-t TIMEOUT] [--limit-size SIZELIMIT] [--nohang] [--nocraft]
              [--webdebug] [-s] [--cn CN] [-C] [--cert SPEC]
              [--ciphers CIPHERS] [--san SAN]
              [--ssl-version {all,secure,SSLv2,SSLv3,TLSv1,TLSv1_1,TLSv1_2}]
              [-e] [-f LOGFILE] [-q] [-r] [-x] [--http2-framedump]

A pathological HTTP/S daemon.

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  -p PORT               Port. Specify 0 to pick an arbitrary empty port.
                        (9999)
  -l ADDRESS            Listening address. (127.0.0.1)
  -a ANCHOR             Add an anchor. Specified as a string with the form
                        pattern=spec or pattern=filepath, where pattern is a
                        regular expression.
  -c CRAFTANCHOR        URL path specifying prefix for URL crafting commands.
                        (/p/)
  --confdir CONFDIR     Configuration directory. (~/.mitmproxy)
  -d STATICDIR          Directory for static files.
  -D                    Daemonize.
  -t TIMEOUT            Connection timeout
  --limit-size SIZELIMIT
                        Size limit of served responses. Understands size
                        suffixes, i.e. 100k.
  --nohang              Disable pauses during crafted response generation.
  --nocraft             Disable response crafting. If anchors are specified,
                        they still work.
  --webdebug            Debugging mode for the web app (dev only).

SSL:
  -s                    Run in HTTPS mode.
  --cn CN               CN for generated SSL certs. Default: b'pathod.net'
  -C                    Don't expect SSL after a CONNECT request.
  --cert SPEC           Add an SSL certificate. SPEC is of the form
                        "[domain=]path". The domain may include a wildcard,
                        and is equal to "*" if not specified. The file at path
                        is a certificate in PEM format. If a private key is
                        included in the PEM, it is used, else the default key
                        in the conf dir is used. Can be passed multiple times.
  --ciphers CIPHERS     SSL cipher specification
  --san SAN             Subject Altnernate Name to add to the server
                        certificate. May be passed multiple times.
  --ssl-version {all,secure,SSLv2,SSLv3,TLSv1,TLSv1_1,TLSv1_2}
                        Set supported SSL/TLS versions. SSLv2, SSLv3 and 'all'
                        are INSECURE. Defaults to secure, which is TLS1.0+.

Controlling Logging:
  Some of these options expand generated values for logging - if you're
  generating large data, use them with caution.

  -e                    Explain responses
  -f LOGFILE            Log to file.
  -q                    Log full request
  -r                    Log full response
  -x                    Log request/response in hexdump format
  --http2-framedump     Output all received & sent HTTP/2 frames

Updated on: 2021-Nov-26