3

I want to pentest a mobile application. To do so, I want to intercept all WiFi traffic and forward it to Burp, which runs in a VM.

I enabled "Internet Sharing" on my Macbook so my phone now connects to the laptop using WiFi. Then I want to forward all traffic to the Burp proxy, which is at 172.16.122.128:8080.

Redirecting to localhost works:

```
rdr pass on bridge100 inet proto tcp from any to any port {80,443} -> 127.0.0.1 port 8080
```

I put this rule in a file and load it with `pfctl -f pf.rules`. After that, I listened on port 8080 using `nc -l -p 8080`, and when I browse somewhere on my phone it indeed connects to localhost instead.

However, when I try to forward to 172.16.122.128, it doesn't work:

```
rdr pass on bridge100 inet proto tcp from any to any port {80,443} -> 172.16.122.128 port 8080
```

The packets do end up in the VM (tested with Wireshark) but no connection is made. This could be because they originate from 192.168.2.3. Do I need NAT somewhere? How can I configure this correctly?

I drew a picture of my network layout. (The VM actually runs on my laptop, but I drew it separate here.)

Sjoerd
  • Can you test the connectivity between the Mac and your VM without the pf rule? E.g. listen on 8080 in the VM using nc, and then also use nc, but on the Mac, to connect to 8080 on your VM? Maybe it is just a firewall inside the VM. – Andrey Sapegin Jul 26 '16 at 13:41
  • Is the VM a Linux one? – Lmwangi Jul 27 '16 at 20:32
  • I tested connection between the Mac and the VM with `nc`, and this works fine. The VM is Kali Linux. – Sjoerd Jul 28 '16 at 07:37
  • I think that you need to set up routing/forwarding on your Mac, since it is connected to 2 different networks and needs to route packets between those networks. See http://apple.stackexchange.com/a/192183 for a sample configuration. But you do not need NAT, just enabling forwarding should help. – Andrey Sapegin Jul 28 '16 at 07:45

3 Answers

1

I guess the problem is that you have not configured forwarding between the 2 networks: (1) the VM network (172.16.122.0/24) and (2) your LAN (192.168.2.0/24). To configure forwarding on your Mac, you probably need to do the following (sorry, I do not have a Mac, so I cannot try):

1) As written at https://apple.stackexchange.com/a/192183:

```
sudo sysctl -w net.inet.ip.forwarding=1
sudo sysctl -w net.inet.ip.fw.enable=1
```

2) Add static routes to both networks, if needed (I guess you have them already, since you can connect with nc from your Mac to the VM).

Finally, another option (without configuring your Mac as a router) is to set up NAT using your virtualisation software and forward a port to your VM. If you use VMware Fusion, please have a look here or here.

Then, instead of forwarding traffic to the port on your VM, forward it to the forwarded port on the vmnet8 interface:

```
rdr pass on bridge100 inet proto tcp from any to any port {80,443} -> 172.16.122.1 port 8080
```

(port 8080 on the vmnet8 should be forwarded to port 8080 on your VM by VMware Fusion)

Andrey Sapegin
1

The following PF rules work:

```
nat on vmnet8 from bridge100:network to any -> (vmnet8)
rdr pass on bridge100 inet proto tcp from any to any -> 172.16.122.128 port 8080
```

This forwards all requests to 172.16.122.128, while doing NAT in between.

NAT is needed to translate between the addresses of the two networks, i.e. 192.168.2.0/24 and 172.16.122.0/24. The forwarding part already worked (as described in my question), but the packets were forwarded with the wrong source address. NAT changes that source address to 172.16.122.1, so that the VM knows to send packets back to my MacBook, which then forwards them to the phone again.

Sjoerd
  • Great that you got it working. I think that my answer still could be valid. As you wrote, "VM knows to send packets back to my MacBook, which then forwards them to the phone again." Exactly this forwarding probably was not working before you enabled NAT on your Mac. In my answer I offered to enable forwarding on the Mac without NAT, which I expect would also solve the problem. – Andrey Sapegin Jul 28 '16 at 13:42
  • Exactly, IP forwarding needs to be enabled, but I suspect it already was because I enabled Internet Sharing. I tried the forwarding without NAT, but it didn't work. Thanks for your help, @AndreySapegin! – Sjoerd Jul 28 '16 at 13:48
  • Hi, I am having trouble translating your answer to work for my situation and could really use some help. https://apple.stackexchange.com/q/363099/263848 – JBis Jun 27 '19 at 00:05
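
The address rewriting described in the answer above, traced for one connection in a small Python model (an added example, not part of the original answer or its comments). The server address 203.0.113.10, the two ephemeral ports and the VM's default gateway 172.16.122.2 are assumptions; the other addresses come from the thread.

```python
import ipaddress

# Addresses taken from the thread.
PHONE, MAC_VMNET8, BURP = "192.168.2.3", "172.16.122.1", "172.16.122.128"
VM_NET = ipaddress.ip_network("172.16.122.0/24")
# Assumptions (not from the thread): the VM's default gateway, the server the
# phone asked for, and both ephemeral ports.
VM_GATEWAY = "172.16.122.2"
SERVER = ("203.0.113.10", 443)
PHONE_PORT, NAT_PORT = 50000, 60000


def simulate(use_nat):
    """Trace the phone's SYN through pf to Burp and the SYN-ACK back."""
    orig_src, orig_dst = (PHONE, PHONE_PORT), SERVER
    # rdr on bridge100: destination becomes the Burp listener.
    src, dst = orig_src, (BURP, 8080)
    # nat on vmnet8: source becomes the Mac's own vmnet8 address.
    if use_nat:
        src = (MAC_VMNET8, NAT_PORT)
    state = {(dst, src): (orig_dst, orig_src)}  # keyed by the reply's (src, dst)

    # The VM answers the source address it saw and routes the reply:
    # on-link destinations go direct, everything else to its default gateway.
    reply_src, reply_dst = dst, src
    on_link = ipaddress.ip_address(reply_dst[0]) in VM_NET
    next_hop = reply_dst[0] if on_link else VM_GATEWAY

    result = {"seen_by_vm": src[0], "reply_next_hop": next_hop, "phone_gets": None}
    if next_hop == MAC_VMNET8 and (reply_src, reply_dst) in state:
        # pf reverses both translations from its state entry.
        result["phone_gets"] = state[(reply_src, reply_dst)]
    return result


if __name__ == "__main__":
    for use_nat in (False, True):
        print("nat" if use_nat else "rdr only", simulate(use_nat))
```

With `rdr` alone the VM sees the phone's 192.168.2.3 as the source and hands its reply to its default gateway; with `nat` added the source is on-link, so the reply returns to the Mac and reaches the phone looking like it came from the original server.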
-1

If the VM is a Linux one, you do need to NAT incoming traffic and mangle it. That is:

  1. An incoming packet from 192.168.2.3 is accepted
  2. Change the destination address of the packet to 172.16.122.128 (mangle)
  3. Submit the packet to the linux routing layer

Firewall commands

```
# Enable forward
sudo sysctl -w net.ipv4.ip_forward=1

# FLUSH ALL RULES
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Forward
sudo iptables -A FORWARD -i eth0 -j ACCEPT

# Mangling rule. I think you can add the port right after the dest ip
sudo iptables -t nat -A POSTROUTING -s 192.168.2.3/32 -j SNAT --to 172.16.122.128
```

Lmwangi