Capturing plain HTTP traffic

Once the interceptor host is configured to act as a router, some interesting things can be done. For example, it is possible to determine the source and destination of the packets that pass through the host. We’re going to use this fact to redirect packets with destination port 80 to Hyperfox, so we can proxy them to the original destination (and capture them in the process).

First, see Hyperfox’s options:

hyperfox -h

Now start Hyperfox without providing a root CA certificate or key, so it starts in HTTP-only mode:

hyperfox
# ...
# 2014/12/31 07:53:29 Listening for incoming HTTP client requests on 0.0.0.0:1080.

For the target to send us the packets it intends for the router, we use arpfox, a tool that you can download from https://github.com/malfunkt/arpfox.

sudo arpfox -i $HYPERFOX_IFACE -t $HYPERFOX_TARGET \
$HYPERFOX_GW

Using arpfox is very convenient and easy, as you don’t have to change any settings on the target nor have any real interaction with it besides being on the same LAN. If you can’t get arpfox, you can instead set the IP of the host as the target’s gateway manually; this will of course require physical access to the target.

Once the target starts sending traffic to the host machine, it will in turn redirect port 80 traffic to Hyperfox and we’ll be able to capture everything.

If you want to capture HTTPS traffic, the process is a bit more complicated; see how it can be done.