
Mallory_Minimal_Guide

bitexploder edited this page Feb 8, 2012 · 1 revision


Mallory Minimal

This virtual machine was released and discussed on the Feb 17th, 2011 webinar.

Download the torrent here

The username and password for the virtual machine are both "mallory" (no quotes).

The very first step is to create a mallory directory and move everything in /home/mallory into the mallory directory.

Mallory Minimal comes with mallory cloned right into the home directory, which will be confusing later on. After this move, everything that used to sit directly in /home/mallory lives inside the new mallory directory.

Networking Setup

Your networking devices may get renumbered. Make sure your virtual machine has the Ethernet interfaces you want (configured using your VMware software). You need at least one "Bridged" networking device. Next, run

and figure out which Ethernet devices you have. The output looks something like this:

Then run

If you don't see your eth* devices go ahead and bring them up with

Then, for your bridged network adapter you can run

This will get your virtual machine an IP address.

GUI Debugger Setup

For the Mallory Minimal (MM) VM you will want a Linux desktop environment. If you plan on using Mallory a lot, consider keeping a copy of the plain Mallory_Minimal box and one you set up for GUI purposes. You then have the option of connecting the GUI box to a still-minimal VM, which keeps the Mallory VM simple, or running everything in an "all in one VM" setup. The combined approach is the easiest and meets many needs, so we will assume the "one virtual machine" approach, with a small "catch up" section if you want to separate the systems the GUI and Mallory run on. Keep a clean copy of the Mallory VM in case something goes awry.

This command installs a great number of packages and is an easy way to set up a comfortable desktop environment. At this point you want to give the VM 512MB of RAM, not 256MB. This will probably take a while.

Once you have done this, it can be useful to install VMware Tools. This is not strictly required, but it can greatly improve the behavior of the virtual machine. Generally you click around in the VMware GUI under the "Virtual Machine" menu and tell VMware to "Install VMware Tools". For Ubuntu this mounts an ISO, and you copy the tools from that device.

To run commands launch your terminal from Applications->Accessories->Terminal.

Substitute the actual file name of the VMware Tools tarball (.tar.gz).

Accept all defaults. If you have not done this before, read the installer's text for where the uninstaller lives, etc. Reboot the MM VM. Once this is done your VM will have proper video drivers and behave nicely. Don't forget to remove the files from your desktop. You can also skip the terminal, go to the Places menu (on the Ubuntu desktop) and use the traditional GUI approach to get the files onto your desktop.

Meeting GUI Dependencies

You will need the Python Qt4 bindings, pyqt4.

We are almost there. First we need to update Mallory.

Inside your mallory directory, run the command to update the repository.

Finally, in the src directory run

and Mallory should come to life. Do not background Mallory; it needs the terminal.

Now we can connect the GUI to mallory. In the src directory run

You should see something like:

That means everything is working. Before we can actually MiTM traffic, a few more steps are required, namely the networking setup, which is often tricky because it requires situation-specific iptables commands.

Networking Setup

First you must decide what you will be performing MiTM on. It is recommended that you bridge at least one Ethernet device. Bridging means connecting a virtual machine Ethernet device directly to your network and having it get an IP address from your local DHCP server. You then have two viable (quick) options to MiTM traffic. You can set up a second, "Host Only" Ethernet device (we will call it eth2) and then perform MiTM on ALL traffic on that device. Alternatively, you can elect to perform MiTM on a VPN client, which is by far the easiest technique to MiTM your mobile devices, such as an iPad. Note: in the host-only setup it is assumed that your other virtual machines use the MM VM as their gateway, so you must statically assign IP addresses and gateways on them. Be sure to give them a DNS server, such as the public Google DNS server at 8.8.8.8.

Regardless of which option you choose, the commands are exactly the same.

Next go to the mallory/scripts directory. If you ran the update command above, you should see a script config_mallory_webinar.sh. Edit this script. There are four variables at the top. These variables tell the script which interfaces to write the required iptables rules for. Your bridged interface will be the one with an IP address on your "home" network. The host-only interface, which you would use to MiTM other virtual machines, will have a VMware-assigned IP address. Your ppp0 and ppp1 devices give you room to MiTM two VPN clients. If you have more, just set up iptables rules for each additional ppp client you need to support. Check your interface list (as in the Networking Setup section above) to determine how many ppp devices, i.e. VPN sessions, you have.

Once you have edited the script to point to the proper ethernet devices run it:

If you run into trouble, the script also contains some useful iptables commands to reset the iptables rules and start over.

Setting up a PPTP VPN on devices is out of scope, but is generally straightforward and found under the settings / configuration for the device.

Once you have MiTM traffic flowing, the GUI can be configured and tested.

GUI Tuning

To tune the GUI, go to the rules tab and remove all rules but "default" (if you ran the configuration script, this should be done automatically). If you want traffic to show up in the debugger there must be a "debug" rule for it (not a "Muck" rule or a "Nothing" rule). Then edit the mallory.py file. If you prefer a GUI editor you can open mallory.py in gedit. Be VERY careful editing this file to preserve the tabs (Python is picky about tabs). At the bottom, comment out all of the mallory.configure_protocol lines. Mallory will then use the base TCP handler for all traffic, which lets the GUI debugger access it. Kill Mallory (CTRL+C) and then run it again. Click the "Intercept" and "Auto Send" buttons in the GUI. Traffic should now be flowing through the GUI.

Remote GUI Usage

In many cases it is useful to keep the MM VM small and run the GUI on a separate machine. The minimum port needed to run the debugger is port 20757. The security model in Mallory is, "If you are not on the local host, I don't like you. If you are on the local host, I like you." So you must use SSH and forward ports. Port 20757 is the minimum; port 20758 is only used by the objects tab and the HTTP protocol, so forward both to have the GUI fully functional. To accomplish this use:

This forwards your local ports 20757 and 20758 to ports 20757 and 20758 on the Mallory VM's own loopback interface.
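The forwarding above only protects you if the debugger ports really are reachable from loopback alone. As an added check (not part of this wiki or of Mallory itself), the following Python parses `ss -ltn` output and reports any debugger port bound to a non-loopback address; the sample output is constructed, not captured from a real MM VM.

```python
"""Report Mallory debugger ports (20757/20758) that listen beyond loopback."""
import ipaddress

DEBUGGER_PORTS = {20757, 20758}  # debugger RPC port and objects/HTTP port from the wiki

# Constructed sample of `ss -ltn` output; port 20758 is deliberately exposed.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:20757     0.0.0.0:*
LISTEN  0       128     0.0.0.0:20758       0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line; header/other lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Split on the last ':' so IPv6 forms such as [::]:22 keep their address.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_debugger_ports(ss_output, ports=DEBUGGER_PORTS):
    """Map each debugger port bound to a non-loopback address to that address."""
    exposed = {}
    for addr, port in parse_listeners(ss_output):
        if port not in ports:
            continue
        try:
            is_loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:  # older ss prints '*' for the wildcard address
            is_loopback = False
        if not is_loopback:
            exposed[port] = addr
    return exposed


if __name__ == "__main__":
    # On the VM you would feed `ss -ltn` output here instead of the sample.
    for port, addr in sorted(exposed_debugger_ports(SAMPLE_SS_OUTPUT).items()):
        print("port %d listens on %s, not loopback: reachable without SSH" % (port, addr))
```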

You could also forward the X server connection from the MM VM to your remote machine (SSH X11 forwarding) in order to launch the GUI on that remote machine.

and then

PPTPD Security

You will want to change the password for the PPTPD clients and possibly add more users. Check the PPTPD secrets file. The format is:

The first mallory is the username. pptpd stays the same (it is the server name). The second mallory is the password. The * lets the entry work for all IP addresses. Add a new line with the same format for each additional user.

PPTPD listens on TCP port 1723.
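An added audit for that file, not part of this wiki or of pptpd: it parses entries in the format just described (assumed here to be the standard pppd secrets file, /etc/ppp/chap-secrets) and flags any client still using the stock mallory password or a password equal to its username. The sample file contents are constructed.

```python
"""Audit PPTPD chap-secrets entries on the Mallory VM for default or weak passwords."""
import shlex

DEFAULT_SECRET = "mallory"  # the stock password shipped with the Mallory Minimal VM

# Constructed sample; the first entry is the stock line the wiki describes.
SAMPLE_CHAP_SECRETS = """\
# Secrets for authentication using CHAP
# client    server  secret          IP addresses
mallory     pptpd   mallory         *
ipad        pptpd   "long pass 42"  *
laptop      pptpd   laptop          10.0.0.5
"""


def parse_chap_secrets(text):
    """Return one dict per entry: client, server, secret, addresses and line number.

    Blank and comment lines are skipped; shlex handles quoted secrets with
    spaces, which is close enough to pppd's quoting for an audit.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) < 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(fields)))
        client, server, secret = fields[:3]
        entries.append({"line": lineno, "client": client, "server": server,
                        "secret": secret, "addresses": fields[3:]})
    return entries


def weak_entries(entries, default_secret=DEFAULT_SECRET):
    """Return (client, reasons) for entries whose secret is the default or the username."""
    findings = []
    for entry in entries:
        reasons = []
        if entry["secret"] == default_secret:
            reasons.append("default secret")
        if entry["secret"] == entry["client"]:
            reasons.append("secret equals username")
        if reasons:
            findings.append((entry["client"], reasons))
    return findings


if __name__ == "__main__":
    # On the VM, read the real secrets file (as root) instead of the sample.
    for client, reasons in weak_entries(parse_chap_secrets(SAMPLE_CHAP_SECRETS)):
        print("%s: %s" % (client, ", ".join(reasons)))
```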

-@bitexploder
