diff --git a/docs/src/content/addons-commands.md b/docs/src/content/addons-commands.md index f689d763f..7fd7db4f6 100644 --- a/docs/src/content/addons-commands.md +++ b/docs/src/content/addons-commands.md @@ -23,16 +23,16 @@ Let's begin with a simple example. To see this example in action, start mitmproxy console with the addon loaded: -{{< highlight bash >}} +```bash > mitmproxy -s ./examples/addons/commands-simple.py -{{< /highlight >}} +``` Now, make sure the event log is showing, and then execute the command at the prompt (started by typing ":"): -{{< highlight none>}} +``` :myaddon.inc -{{< /highlight >}} +``` Notice that tab completion works - our addon command has complete parity with builtin commands. There are a few things to note about this example: @@ -67,28 +67,28 @@ filters]({{< relref addons-options >}}) available. Let's try it out. Start by loading the addon into mitmproxy and sending some traffic through so we have flows to work with: -{{< highlight bash >}} +```bash > mitmproxy -s ./examples/addons/commands-flows.py -{{< /highlight >}} +``` We can now invoke our toy command in various ways. Let's begin by running it just on the currently focused flow: -{{< highlight none >}} +``` :myaddon.addheader @focus -{{< /highlight >}} +``` We can also invoke it on all flows: -{{< highlight none >}} +``` :myaddon.addheader @all -{{< /highlight >}} +``` Or only flows from **google.com**: -{{< highlight none >}} +``` :myaddon.addheader ~d google.com -{{< /highlight >}} +``` What's more, we can trivially bind these commands to keyboard shortcuts within mitmproxy if we plan to use them frequently. Flow selectors combined with 
@@ -107,9 +107,9 @@ Our command calculates a histogram of the domains in the specified set of flows, and writes it to a path which is specified as the second argument to the command. Try invoking it like this: -{{< highlight none >}} +``` :myaddon.histogram @all /tmp/xxx -{{< /highlight >}} +``` Notice that mitmproxy provides tab completion both for the flow specification and the path. diff --git a/docs/src/content/addons-options.md b/docs/src/content/addons-options.md index 930847d02..14c913d08 100644 --- a/docs/src/content/addons-options.md +++ b/docs/src/content/addons-options.md @@ -28,15 +28,15 @@ allows addons declare options and commands. In this case, the addon adds a single `addheader` option with type `bool`. Let's try this out by running the script in mitmproxy console: -{{< highlight bash >}} +```bash > mitmproxy -s ./examples/addons/options-simple.py -{{< /highlight >}} +``` You can now use CURL to make a request through the proxy like this: -{{< highlight bash >}} +```bash > env http_proxy=http://localhost:8080 curl -I http://google.com -{{< /highlight >}} +``` If you run this request immediately, you'll notice that no count header is added. This is because our default value for the option was `false`. Press `O` 
@@ -45,22 +45,22 @@ mitmproxy knows this is a boolean, and lets you toggle the value between true and false. Set the value to `true`, and you should see a result something like this: -{{< highlight bash >}} +```bash > env http_proxy=http://localhost:8080 curl -I http://google.com HTTP/1.1 301 Moved Permanently Location: http://www.google.com/ Content-Length: 219 count: 1 -{{< /highlight >}} +``` When this addon is loaded, the `addheader` setting is available in the persistent [YAML configuration file]({{< relref "concepts-options" >}}). You can also over-ride the value directly from the command-line for any of the tools using the `--set` flag: -{{< highlight bash >}} +```bash mitmproxy -s ./examples/addons/options-simple.py --set addheader=true -{{< /highlight >}} +``` ## Handling configuration updates @@ -85,11 +85,11 @@ called with our default value (`None`), and then later with an updated value if the option is changed. If we try to load the script with an incorrect value, we now see an error: -{{< highlight none >}} +``` > mitmdump -s ./examples/addons/options-configure.py --set addheader=1000 Loading script: ./examples/addons/options-configure.py /Users/cortesi/mitmproxy/mitmproxy/venv/bin/mitmdump: addheader must be <= 100 -{{< /highlight >}} +``` ## Supported Types diff --git a/docs/src/content/addons-overview.md b/docs/src/content/addons-overview.md index bfde7f275..cc35eaa28 100644 --- a/docs/src/content/addons-overview.md +++ b/docs/src/content/addons-overview.md @@ -34,9 +34,9 @@ command-line is to use [pydoc](https://docs.python.org/3/library/pydoc.html). Here, for example, is a command that shows the API documentation for the mitmproxy's HTTP flow classes: -{{< highlight bash >}} +```bash pydoc mitmproxy.http -{{< /highlight >}} +``` You will be referring to the mitmproxy API documentation frequently, so keep **pydoc** or an equivalent handy. 
@@ -54,9 +54,9 @@ Take it for a spin and make sure that it does what it's supposed to, by loading it into your mitmproxy tool of choice. We'll use mitmpdump in these examples, but the flag is identical for all tools: -{{< highlight bash >}} +```bash > mitmdump -s ./anatomy.py -{{< /highlight >}} +``` Here are a few things to note about the code above: diff --git a/docs/src/content/concepts-certificates.md b/docs/src/content/concepts-certificates.md index cf3447c7b..64d33a9dd 100644 --- a/docs/src/content/concepts-certificates.md +++ b/docs/src/content/concepts-certificates.md @@ -47,9 +47,9 @@ documentation for some common platforms. The mitmproxy CA cert is located in - [Windows](https://web.archive.org/web/20160612045445/http://windows.microsoft.com/en-ca/windows/import-export-certificates-private-keys#1TC=windows-7) - [Windows (automated)](https://technet.microsoft.com/en-us/library/cc732443.aspx) -{{< highlight bash >}} +```bash certutil -addstore root mitmproxy-ca-cert.cer -{{< / highlight >}} +``` - [Mac OS X](https://support.apple.com/kb/PH20129) - [Ubuntu/Debian]( https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate/94861#94861) @@ -117,26 +117,26 @@ file roughly looks like this: For example, you can generate a certificate in this format using these instructions: -{{< highlight bash >}} +```bash openssl genrsa -out cert.key 2048 # (Specify the mitm domain as Common Name, e.g. \*.google.com) openssl req -new -x509 -key cert.key -out cert.crt cat cert.key cert.crt > cert.pem -{{< / highlight >}} +``` Now, you can run mitmproxy with the generated certificate: **For all domain names** -{{< highlight bash >}} +```bash mitmproxy --cert *=cert.pem -{{< / highlight >}} +``` **For specific domain names** -{{< highlight bash >}} +```bash mitmproxy --cert *.example.com=cert.pem -{{< / highlight >}} +``` **Note:** `*.example.com` is for all the subdomains. You can also use `www.example.com` for a particular subdomain. 
diff --git a/docs/src/content/concepts-commands.md b/docs/src/content/concepts-commands.md index 46d762092..6ff6bfc99 100644 --- a/docs/src/content/concepts-commands.md +++ b/docs/src/content/concepts-commands.md @@ -27,9 +27,9 @@ browser (by default accessible with the `C` key binding). Many of mitmproxy's commands take flows as arguments. For instance, the signature for the client replay commands looks like this: -{{< highlight none >}} +``` replay.client [flow] -{{< /highlight >}} +``` That means that it expects a sequence of one or more flows. This is where [flow @@ -40,23 +40,23 @@ invoking commands. Fire up mitmproxy console, and intercept some traffic so we have flows to work with. Now type the following command: -{{< highlight none >}} +``` :replay.client @focus -{{< /highlight >}} +``` Make sure you try using tab completion for the command name and the flow specification. The `@focus` specifiers expands to the currently focused flow, so you should see this flow replay. However, replay can take any number of flows. Try the following command: -{{< highlight none >}} +``` :replay.client @all -{{< /highlight >}} +``` Now you should see all flows replay one by one. We have the full power of the mitmproxy filter language at our disposal here, so we could also, for example, just replay flows for a specific domain: -{{< highlight none >}} +``` :replay.client "~d google.com" -{{< /highlight >}} +``` diff --git a/docs/src/content/concepts-howmitmproxyworks.md b/docs/src/content/concepts-howmitmproxyworks.md index d747d71c3..e8d41cb0d 100644 --- a/docs/src/content/concepts-howmitmproxyworks.md +++ b/docs/src/content/concepts-howmitmproxyworks.md 
@@ -25,9 +25,9 @@ usually reliable. In the simplest possible interaction with mitmproxy, a client connects directly to the proxy, and makes a request that looks like this: -{{< highlight http >}} +```http GET http://example.com/index.html HTTP/1.1 -{{< / highlight >}} +``` This is a proxy GET request - an extended form of the vanilla HTTP GET request that includes a schema and host specification, and it includes @@ -47,9 +47,9 @@ The process for an explicitly proxied HTTPS connection is quite different. The client connects to the proxy and makes a request that looks like this: -{{< highlight http >}} +```http CONNECT example.com:443 HTTP/1.1 -{{< / highlight >}} +``` A conventional proxy can neither view nor manipulate a TLS-encrypted data stream, so a CONNECT request simply asks the proxy to open a pipe @@ -91,9 +91,9 @@ blush, it seems that the CONNECT request above gives us all we need - in this example, both of these values are "example.com". But what if the client had initiated the connection as follows: -{{< highlight http >}} +```http CONNECT 10.1.1.1:443 HTTP/1.1 -{{< / highlight >}} +``` Using the IP address is perfectly legitimate because it gives us enough information to initiate the pipe, even though it doesn't reveal the @@ -182,9 +182,9 @@ server - [iptables](http://www.netfilter.org/) on Linux or client has initiated the connection, it makes a vanilla HTTP request, which might look something like this: -{{< highlight http >}} +```http GET /index.html HTTP/1.1 -{{< / highlight >}} +``` Note that this request differs from the explicit proxy variation, in that it omits the scheme and hostname. How, then, do we know which diff --git a/docs/src/content/howto-ignoredomains.md b/docs/src/content/howto-ignoredomains.md index 9a337ebad..660288f82 100644 --- a/docs/src/content/howto-ignoredomains.md +++ b/docs/src/content/howto-ignoredomains.md 
@@ -60,7 +60,7 @@ method to do so: becomes \\.) and use this as your ignore pattern: -{{< highlight none >}} +``` >>> mitmdump -v 127.0.0.1:50588: clientconnect 127.0.0.1:50588: request @@ -70,11 +70,11 @@ method to do so: -> example.com:443 ^C >>> mitmproxy --ignore-hosts ^example\.com:443$ -{{< /highlight >}} +``` Here are some other examples for ignore patterns: -{{< highlight none >}} +``` # Exempt traffic from the iOS App Store (the regex is lax, but usually just works): --ignore-hosts apple.com:443 # "Correct" version without false-positives: @@ -87,17 +87,17 @@ Here are some other examples for ignore patterns: --ignore-hosts 17\.178\.96\.59:443 # IP address range: --ignore-hosts 17\.178\.\d+\.\d+:443 -{{< / highlight >}} +``` This option can also be used to whitelist some domains through negative lookahead expressions. However, ignore patterns are always matched against the IP address of the target before being matched against its domain name. Thus, the pattern must allow any IP addresses using an expression like `^(?![0-9\.]+:)` in order for domains whitelisting to work. Here are examples of such patterns: -{{< highlight none >}} +``` # Ignore everything but example.com and mitmproxy.org (not subdomains): --ignore-hosts '^(?![0-9\.]+:)(?!example\.com:)(?!mitmproxy\.org:)' # Ignore everything but example.com and its subdomains: --ignore-hosts '^(?![0-9\.]+:)(?!([^\.:]+\.)*example\.com:)' -{{< / highlight >}} +``` **Footnotes** diff --git a/docs/src/content/howto-install-system-trusted-ca-android.md b/docs/src/content/howto-install-system-trusted-ca-android.md index 2b41dcbdd..8feb47aa3 100644 --- a/docs/src/content/howto-install-system-trusted-ca-android.md +++ b/docs/src/content/howto-install-system-trusted-ca-android.md 
@@ -23,22 +23,22 @@ Please note, that apps can decide to ignore the system certificate store and mai ## 2. Rename certificate Enter your certificate folder -{{< highlight bash >}} +```bash cd ~/.mitmproxy/ -{{< / highlight >}} +``` - CA Certificates in Android are stored by the name of their hash, with a '0' as extension - Now generate the hash of your certificate -{{< highlight bash >}} +```bash openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1 -{{< / highlight >}} +``` Lets assume, the output is `c8450d0d` We can now copy `mitmproxy-ca-cert.cer` to `c8450d0d.0` and our system certificate is ready to use -{{< highlight bash >}} +```bash cp mitmproxy-ca-cert.cer c8450d0d.0 -{{< / highlight >}} +``` ## 3. Insert certificate into system certificate store 
@@ -50,37 +50,37 @@ Note, that Android 9 (API LEVEL 28) was used to test the following steps and tha - Keep in mind, that the **emulator will load a clean system image when starting without `-writable-system` option**. - This means you always have to start the emulator with `-writable-system` option in order to use your certificate -{{< highlight bash >}} +```bash emulator -avd -writable-system -{{< / highlight >}} +``` - Restart adb as root -{{< highlight bash >}} +```bash adb root -{{< / highlight >}} +``` - Get write access to `/system` on the device - In earlier versions (API LEVEL < 28) of Android you have to use `adb shell "mount -o rw,remount /system"` -{{< highlight bash >}} +```bash adb shell "mount -o rw,remount /" -{{< / highlight >}} +``` - Push your certificate to the system certificate store and set file permissions -{{< highlight bash >}} +```bash adb push c8450d0d.0 /system/etc/security/cacerts adb shell "chmod 664 /system/etc/security/cacerts/c8450d0d.0" -{{< / highlight >}} +``` ## 4. Reboot device and enjoy decrypted TLS traffic - Reboot your device. - You CA certificate should now be system trusted -{{< highlight bash >}} +```bash adb reboot -{{< / highlight >}} +``` **Remember**: You **always** have to start the emulator using the `-writable-system` option in order to use your certificate diff --git a/docs/src/content/howto-transparent-vms.md b/docs/src/content/howto-transparent-vms.md index f251bc445..63732c273 100644 --- a/docs/src/content/howto-transparent-vms.md +++ b/docs/src/content/howto-transparent-vms.md 
@@ -16,9 +16,9 @@ Internal Network* setup can be applied to other setups. First, we have to find out under which name Ubuntu has mapped our network interfaces. You can find this information with: -{{< highlight bash >}} +```bash ip link -{{< / highlight >}} +``` Usually with Ubuntu and Virtualbox, **eth0** or **enp0s3** (Ubuntu 15.10 and newer) is connected to the internet and **eth1** or **enp0s8** (Ubuntu 15.10 and newer) is connected to the internal network that will be proxified and configured to use a static ip (192.168.3.1). If the names differ, use the ones you got from the *ip link* command. @@ -46,27 +46,27 @@ case, this needs to be disabled by changing `dns=dnsmasq` to `#dns=dnsmasq` in **/etc/NetworkManager/NetworkManager.conf** and if on Ubuntu 16.04 or newer running: -{{< highlight bash >}} +```bash sudo systemctl restart NetworkManager -{{< / highlight >}} +``` If on Ubuntu 12.04 or 14.04 running: -{{< highlight bash >}} +```bash sudo restart network-manager -{{< / highlight >}} +``` afterwards. Now, dnsmasq can be be installed and configured: -{{< highlight bash >}} +```bash sudo apt-get install dnsmasq -{{< / highlight >}} +``` Replace **/etc/dnsmasq.conf** with the following configuration: -{{< highlight none >}} +``` # Listen for DNS requests on the internal network interface=eth1 bind-interfaces @@ -75,21 +75,21 @@ dhcp-range=192.168.3.10,192.168.3.100,96h # Broadcast gateway and dns server information dhcp-option=option:router,192.168.3.1 dhcp-option=option:dns-server,192.168.3.1 -{{< / highlight >}} +``` Apply changes: If on Ubuntu 16.04 or newer: -{{< highlight bash >}} +```bash sudo systemctl restart dnsmasq -{{< / highlight >}} +``` If on Ubuntu 12.04 or 14.04: -{{< highlight bash >}} +```bash sudo service dnsmasq restart -{{< / highlight >}} +``` Your **proxied machine** in the internal virtual network should now receive an IP address via DHCP: 
@@ -101,19 +101,19 @@ IP address via DHCP: To redirect traffic to mitmproxy, we need to enable IP forwarding and add two iptables rules: -{{< highlight bash >}} +```bash sudo sysctl -w net.ipv4.ip_forward=1 sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080 sudo iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080 -{{< / highlight >}} +``` ## 4. Run mitmproxy Finally, we can run mitmproxy in transparent mode with -{{< highlight bash >}} +```bash mitmproxy --mode transparent -{{< / highlight >}} +``` The proxied machine cannot to leak any data outside of HTTP or DNS requests. If required, you can now [install the mitmproxy certificates on the proxied diff --git a/docs/src/content/howto-transparent.md b/docs/src/content/howto-transparent.md index d448bd823..2943aae42 100644 --- a/docs/src/content/howto-transparent.md +++ b/docs/src/content/howto-transparent.md @@ -34,10 +34,10 @@ achieve transparent mode. ### 1. Enable IP forwarding. -{{< highlight bash >}} +```bash sysctl -w net.ipv4.ip_forward=1 sysctl -w net.ipv6.conf.all.forwarding=1 -{{< / highlight >}} +``` This makes sure that your machine forwards packets instead of rejecting them. @@ -46,9 +46,9 @@ a newly created `/etc/sysctl.d/mitmproxy.conf` (see [here](https://superuser.com ### 2. Disable ICMP redirects. -{{< highlight bash >}} +```bash sysctl -w net.ipv4.conf.all.send_redirects=0 -{{< / highlight >}} +``` If your test device is on the same physical network, your machine shouldn't inform the device that there's a shorter route available by skipping the proxy. 
@@ -60,12 +60,12 @@ If you want to persist this across reboots, see above. Details will differ according to your setup, but the ruleset should look something like this: -{{< highlight bash >}} +```bash iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080 ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080 -{{< / highlight >}} +``` If you want to persist this across reboots, you can use the `iptables-persistent` package (see [here](http://www.microhowto.info/howto/make_the_configuration_of_iptables_persistent_on_debian.html)). @@ -74,9 +74,9 @@ If you want to persist this across reboots, you can use the `iptables-persistent You probably want a command like this: -{{< highlight bash >}} +```bash mitmproxy --mode transparent --showhost -{{< / highlight >}} +``` The `--mode transparent` option turns on transparent mode, and the `--showhost` argument tells mitmproxy to use the value of the Host header for URL display. 
@@ -92,24 +92,24 @@ Follow steps **1, 2** as above, but *instead* of the commands in step **3**, run Create a user to run the mitmproxy -{{< highlight bash >}} +```bash sudo useradd --create-home mitmproxyuser sudo -u mitmproxyuser bash -c 'cd ~ && pip install --user mitmproxy' -{{< / highlight >}} +``` Then, configure the iptables rules to redirect all traffic from our local machine to mitmproxy. **Note**, as soon as you run these, you won't be able to perform successful network calls *until* you start mitmproxy. If you run into issues, `iptables -t nat -F` is a heavy handed way to flush (clear) *all* the rules from the iptables `nat` table (which includes any other rules you had configured). -{{< highlight bash >}} +```bash iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080 iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080 ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080 ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080 -{{< / highlight >}} +``` This will redirect the packets from all users other than `mitmproxyuser` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `mitmproxyuser`. Hence step **4** should look like: -{{< highlight bash >}} +```bash sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --showhost --set block_global=false' -{{< / highlight >}} +``` 
@@ -117,16 +117,16 @@ sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --s ### 1. Enable IP forwarding. -{{< highlight bash >}} +```bash sudo sysctl -w net.inet.ip.forwarding=1 -{{< / highlight >}} +``` ### 2. Place the following two lines in **/etc/pf.conf**. -{{< highlight none >}} +``` mitm_if = "re2" pass in quick proto tcp from $mitm_if to port { 80, 443 } divert-to 127.0.0.1 port 8080 -{{< / highlight >}} +``` These rules tell pf to divert all traffic from `$mitm_if` destined for port 80 or 443 to the local mitmproxy instance running on port 8080. You should replace @@ -134,23 +134,23 @@ or 443 to the local mitmproxy instance running on port 8080. You should replace ### 3. Configure pf with the rules. -{{< highlight bash >}} +```bash doas pfctl -f /etc/pf.conf -{{< / highlight >}} +``` ### 4. And now enable it. -{{< highlight bash >}} +```bash doas pfctl -e -{{< / highlight >}} +``` ### 5. Fire up mitmproxy. You probably want a command like this: -{{< highlight bash >}} +```bash mitmproxy --mode transparent --listen-host 127.0.0.1 --showhost -{{< / highlight >}} +``` The `--mode transparent` option turns on transparent mode, and the `--showhost` argument tells mitmproxy to use the value of the Host header for URL display. @@ -184,16 +184,16 @@ for earlier versions of OSX. ### 1. Enable IP forwarding. -{{< highlight bash >}} +```bash sudo sysctl -w net.inet.ip.forwarding=1 -{{< / highlight >}} +``` ### 2. Place the following line in a file called, say, **pf.conf**. -{{< highlight none >}} +``` rdr pass on en0 inet proto tcp to any port {80, 443} -> 127.0.0.1 port 8080 -{{< / highlight >}} +``` This rule tells pf to redirect all traffic destined for port 80 or 443 to the local mitmproxy instance running on port 8080. You should replace 
@@ -201,24 +201,24 @@ to the local mitmproxy instance running on port 8080. You should replace ### 3. Configure pf with the rules. -{{< highlight bash >}} +```bash sudo pfctl -f pf.conf -{{< / highlight >}} +``` ### 4. And now enable it. -{{< highlight bash >}} +```bash sudo pfctl -e -{{< / highlight >}} +``` ### 5. Configure sudoers to allow mitmproxy to access pfctl. Edit the file **/etc/sudoers** on your system as root. Add the following line to the end of the file: -{{< highlight none >}} +``` ALL ALL=NOPASSWD: /sbin/pfctl -s state -{{< / highlight >}} +``` Note that this allows any user on the system to run the command `/sbin/pfctl -s state` as root without a password. This only allows inspection of the state @@ -229,9 +229,9 @@ tighten the restriction up to the user running mitmproxy. You probably want a command like this: -{{< highlight bash >}} +```bash mitmproxy --mode transparent --showhost -{{< / highlight >}} +``` The `--mode transparent` flag turns on transparent mode, and the `--showhost` argument tells mitmproxy to use the value of the Host header for URL display. @@ -256,7 +256,7 @@ for more. Follow steps **1, 2** as above, but in step **2** change the contents of the file **pf.conf** to -{{< highlight none >}} +``` #The ports to redirect to proxy redir_ports = "{http, https}" @@ -274,13 +274,13 @@ tproxy_user = "nobody" rdr pass proto tcp from any to any port $redir_ports -> $tproxy pass out route-to (lo0 127.0.0.1) proto tcp from any to any port $redir_ports user { != $tproxy_user } -{{< / highlight >}} +``` Follow steps **3-5** above. This will redirect the packets from all users other than `nobody` on the machine to mitmproxy. To avoid circularity, run mitmproxy as the user `nobody`. Hence step **6** should look like: -{{< highlight bash >}} +```bash sudo -u nobody mitmproxy --mode transparent --showhost -{{< / highlight >}} +``` ## "Full" transparent mode on Linux 
@@ -289,7 +289,7 @@ connections. In case this isn't desired, the --spoof-source-address argument can be used to use the client's IP address for server-side connections. The following config is required for this mode to work: -{{< highlight bash >}} +```bash CLIENT_NET=192.168.1.0/24 TABLE_ID=100 MARK=1 @@ -303,15 +303,15 @@ iptables -t nat \ ip rule add fwmark $MARK lookup $TABLE_ID ip route add local $CLIENT_NET dev lo table $TABLE_ID -{{< / highlight >}} +``` This mode does require root privileges though. There's a wrapper in the examples directory called 'mitmproxy_shim.c', which will enable you to use this mode with dropped privileges. It can be used as follows: -{{< highlight bash >}} +```bash gcc examples/complex/full_transparency_shim.c -o mitmproxy_shim -lcap sudo chown root:root mitmproxy_shim sudo chmod u+s mitmproxy_shim ./mitmproxy_shim $(which mitmproxy) --mode transparent --set spoof-source-address -{{< / highlight >}} +``` diff --git a/docs/src/content/howto-wireshark-tls.md b/docs/src/content/howto-wireshark-tls.md index 0c7a6d1b6..ddaa22361 100644 --- a/docs/src/content/howto-wireshark-tls.md +++ b/docs/src/content/howto-wireshark-tls.md @@ -13,9 +13,9 @@ Wireshark can use these log files to decrypt packets. See the [Wireshark wiki](h Key logging is enabled by setting the environment variable `SSLKEYLOGFILE` so that it points to a writable text file: -{{< highlight bash >}} +```bash SSLKEYLOGFILE="$PWD/.mitmproxy/sslkeylogfile.txt" mitmproxy -{{< / highlight >}} +``` You can also `export` this environment variable to make it persistent for all applications started from your current shell session. You can specify the key file path in Wireshark via `Edit -> Preferences -> diff --git a/docs/src/content/overview-features.md b/docs/src/content/overview-features.md index a49716ed1..b5bb7bc64 100644 --- a/docs/src/content/overview-features.md +++ b/docs/src/content/overview-features.md 
@@ -92,12 +92,12 @@ Re-route all GET requests from `example.org` to `mitmproxy.org` (using `|` as th The `modify_body` option lets you specify an arbitrary number of patterns that define replacements within bodies of flows. `modify_body` patterns look like this: -{{< highlight none >}} +``` /flow-filter/regex/replacement /flow-filter/regex/@file-path /regex/replacement /regex/@file-path -{{< / highlight >}} +``` * **flow-filter** is an optional mitmproxy [filter expression]({{< relref "concepts-filters">}}) that defines which flows a replacement applies to. @@ -121,15 +121,15 @@ to create a script using the replacement API on Flow components. Replace `foo` with `bar` in bodies of requests: -{{< highlight none >}} +``` /~q/foo/bar -{{< / highlight >}} +``` Replace `foo` with the data read from `~/xss-exploit`: -{{< highlight bash >}} +```bash mitmdump --modify-body :~q:foo:@~/xss-exploit -{{< / highlight >}} +``` ## Modify Headers @@ -138,12 +138,12 @@ The `modify_headers` option lets you specify a set of headers to be modified. New headers can be added, and existing headers can be overwritten or removed. `modify_headers` patterns look like this: -{{< highlight none >}} +``` /flow-filter/name/value /flow-filter/name/@file-path /name/value /name/@file-path -{{< / highlight >}} +``` * **flow-filter** is an optional mitmproxy [filter expression]({{< relref "concepts-filters">}}) that defines which flows to modify headers on. 
@@ -171,29 +171,29 @@ to create a script using the replacement API on Flow components. Set the `Host` header to `example.org` for all requests (existing `Host` headers are replaced): -{{< highlight none >}} +``` /~q/Host/example.org -{{< / highlight >}} +``` Set the `Host` header to `example.org` for all requests that do not have an existing `Host` header: -{{< highlight none >}} +``` /~q & !~h Host:/Host/example.org -{{< / highlight >}} +``` Set the `User-Agent` header to the data read from `~/useragent.txt` for all requests (existing `User-Agent` headers are replaced): -{{< highlight none >}} +``` /~q/Host/@~/useragent.txt -{{< / highlight >}} +``` Remove existing `Host` headers from all requests: -{{< highlight none >}} +``` /~q/Host/ -{{< / highlight >}} +``` ## Proxy Authentication diff --git a/docs/src/content/overview-installation.md b/docs/src/content/overview-installation.md index 1cdf62ad6..9dd5d8db5 100644 --- a/docs/src/content/overview-installation.md +++ b/docs/src/content/overview-installation.md @@ -15,9 +15,9 @@ Please follow the steps for your operating system. The recommended way to install mitmproxy on macOS is to use [Homebrew](https://brew.sh/): -{{< highlight bash >}} +```bash brew install mitmproxy -{{< / highlight >}} +``` Alternatively, you can download standalone binaries on [mitmproxy.org](https://mitmproxy.org/). diff --git a/docs/src/content/tools-mitmdump.md b/docs/src/content/tools-mitmdump.md index 624246d4c..6a9b39210 100644 --- a/docs/src/content/tools-mitmdump.md +++ b/docs/src/content/tools-mitmdump.md 
@@ -16,17 +16,17 @@ documentation. ### Example: Saving traffic -{{< highlight bash >}} +```bash mitmdump -w outfile -{{< / highlight >}} +``` Start up mitmdump in proxy mode, and write all traffic to **outfile**. ### Filtering saved traffic -{{< highlight bash >}} +```bash mitmdump -nr infile -w outfile "~m post" -{{< / highlight >}} +``` Start mitmdump without binding to the proxy port (`-n`), read all flows from infile, apply the specified filter expression (only match POSTs), @@ -34,36 +34,36 @@ and write to outfile. ### Client replay -{{< highlight bash >}} +```bash mitmdump -nC outfile -{{< / highlight >}} +``` Start mitmdump without binding to the proxy port (`-n`), then replay all requests from outfile (`-C filename`). Flags combine in the obvious way, so you can replay requests from one file, and write the resulting flows to another: -{{< highlight bash >}} +```bash mitmdump -nC srcfile -w dstfile -{{< / highlight >}} +``` See the [client-side replay]({{< relref "overview-features#client-side-replay" >}}) section for more information. ### Running a script -{{< highlight bash >}} +```bash mitmdump -s examples/simple/add_header.py -{{< / highlight >}} +``` This runs the **add_header.py** example script, which simply adds a new header to all responses. ### Scripted data transformation -{{< highlight bash >}} +```bash mitmdump -ns examples/simple/add_header.py -r srcfile -w dstfile -{{< / highlight >}} +``` This command loads flows from **srcfile**, transforms it according to the specified script, then writes it back to **dstfile**. diff --git a/docs/src/content/tute-clientreplay.md b/docs/src/content/tute-clientreplay.md index 048fd0a55..fc2251bd9 100644 --- a/docs/src/content/tute-clientreplay.md +++ b/docs/src/content/tute-clientreplay.md @@ -25,9 +25,9 @@ how. ## 1. Run mitmdump to record our HTTP conversation to a file. -{{< highlight bash >}} +```bash mitmdump -w wireless-login -{{< / highlight >}} +``` ## 2. Point your browser at the mitmdump instance. 
@@ -41,9 +41,9 @@ your browser with mitmproxy's SSL certificate authority]({{< relref And that's it\! You now have a serialised version of the login process in the file wireless-login, and you can replay it at any time like this: -{{< highlight bash >}} +```bash mitmdump -C wireless-login -{{< / highlight >}} +``` ## Embellishments @@ -58,9 +58,9 @@ These add only a few moments to the time it takes to replay, but they're not really needed and I somehow feel compelled to trim them anyway. So, we fire up the mitmproxy console tool on our serialised conversation, like so: -{{< highlight bash >}} +```bash mitmproxy -r wireless-login -{{< / highlight >}} +``` We can now go through and manually delete (using the d keyboard shortcut) everything we want to trim. When diff --git a/docs/src/content/tute-highscores.md b/docs/src/content/tute-highscores.md index 2d03076d1..a57b18bf7 100644 --- a/docs/src/content/tute-highscores.md +++ b/docs/src/content/tute-highscores.md @@ -33,13 +33,13 @@ of leaderboards and so forth. Then, right at the end, there's a POST to this tantalising URL: -{{< highlight none >}} +``` https://service.gc.apple.com/WebObjects/GKGameStatsService.woa/wa/submitScore -{{< / highlight >}} +``` The contents of the submission are particularly interesting: -{{< highlight xml >}} +```xml scores @@ -57,7 +57,7 @@ The contents of the submission are particularly interesting: -{{< / highlight >}} +``` This is a [property list](https://en.wikipedia.org/wiki/Property_list), containing an identifier for the game, a score (55, in this case), and a @@ -75,7 +75,7 @@ for raw body. Your preferred editor (taken from the EDITOR environment variable) will now fire up. Lets bump the score up to something a bit more ambitious: -{{< highlight xml >}} +```xml scores @@ -93,7 +93,7 @@ more ambitious: -{{< / highlight >}} +``` Save the file and exit your editor.
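Review bot: the bare fences that replace `{{< highlight none >}}` (first seen in docs/src/content/addons-commands.md, hunk @@ -23,16, for `:myaddon.inc`) drop the explicit "none", so whether these blocks stay unhighlighted now depends on the renderer's default for unlabelled fences, which this patch does not show. Either confirm the default leaves them as plain text or use a labelled fence such as "```text" for the mitmproxy command-prompt examples.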
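Review bot: in docs/src/content/concepts-certificates.md, hunk @@ -47,9, the `certutil -addstore root mitmproxy-ca-cert.cer` fence sits between the list items "Windows (automated)" and "Mac OS X". Check the rendered page: a fence that is not indented to the list item's content column ends the list, so the platform links below it would start a second list. Indenting the fence under the "Windows (automated)" item keeps the list intact.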
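Review bot: in docs/src/content/concepts-commands.md, hunk @@ -40,23, the domain filter is quoted (`:replay.client "~d google.com"`), while docs/src/content/addons-commands.md, hunk @@ -67,28, passes the same kind of filter unquoted (`:myaddon.addheader ~d google.com`). Since both blocks are being touched, pick one form for a flow specification that contains a space and use it in both files, or add a sentence saying when the quotes are required.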
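Review bot: in docs/src/content/howto-install-system-trusted-ca-android.md, hunk @@ -50,37, the permission step `adb shell "chmod 664 /system/etc/security/cacerts/c8450d0d.0"` leaves the trusted CA file group-writable. A trust anchor only needs to be readable, so `chmod 644` is the tighter choice here. In the same hunk, "You CA certificate" should read "Your CA certificate".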
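Review bot: in docs/src/content/howto-transparent.md, hunk @@ -201,24, the sudoers line shown to readers is the widest form, `ALL ALL=NOPASSWD: /sbin/pfctl -s state`, and the tightening is left to the prose that follows. Consider showing the restricted form as the example, with a clearly marked placeholder for the account that runs mitmproxy in place of the first `ALL`, and mentioning the any-user variant only as the fallback.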
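Review bot: in docs/src/content/howto-transparent.md, hunk @@ -303,15, the prose and the command disagree on two names. The text calls the wrapper 'mitmproxy_shim.c', but the command compiles `examples/complex/full_transparency_shim.c`; the text in the preceding hunk refers to the `--spoof-source-address` argument, but the command passes `--set spoof-source-address`. Align both with the command lines. Because the block installs the shim setuid root (`chown root:root`, `chmod u+s`), it would also help to state that the resulting binary must not be writable by other users.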
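Review bot: in docs/src/content/howto-wireshark-tls.md, hunk @@ -13,9, the example path `SSLKEYLOGFILE="$PWD/.mitmproxy/sslkeylogfile.txt"` only points at an existing directory when the shell happens to be in the directory that contains `.mitmproxy`; the Android howto in this patch uses `~/.mitmproxy/`, so `$HOME` looks like what was meant. The surrounding text says Wireshark can decrypt packets with this file, so a short remark that the key log should be readable only by the user running the capture would fit here as well.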
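Review bot: in docs/src/content/overview-features.md, hunk @@ -171,29, the example under "Set the `User-Agent` header to the data read from `~/useragent.txt`" is `/~q/Host/@~/useragent.txt`, which names `Host` rather than `User-Agent`. The block is being re-fenced anyway, so change the pattern to `/~q/User-Agent/@~/useragent.txt` and fix the parenthetical's header name check at the same time so the example matches its description.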