# Full Report
I recently had an assessment reviewing a kiosk application. As I have been working on Mallet recently, this seemed like a perfect opportunity to put Mallet in between the kiosk and its upstream, and see how the kiosk worked. This is a practical walkthrough to help you replicate the setup for your own MitM needs.

[Figure: The initial state of the network]

[Figure: The end result]
# Analysis Summary
# Tool/Technique: Mallet (in the Middle Setup)
## Overview
Mallet is used in this context as a framework to intercept, inspect, and potentially manipulate network traffic flowing between a target kiosk application and its upstream network components. The setup described creates a "Man-in-the-Middle" (MitM) position using a small router running OpenWRT to forward traffic through a workstation running Mallet.
## Technical Details
- Type: Tool (Network Interception Framework/Proxy)
- Platform: OpenWRT (Router/Gateway), Workstation (Linux/Other running Mallet, SSH client)
- Capabilities: Traffic redirection via `iptables`, network bridging, remote port forwarding via SSH tunnels, traffic inspection/manipulation via custom graph construction within Mallet.
- First Seen: Not explicitly stated for Mallet itself, but the setup walkthrough was published October 10, 2018.
## MITRE ATT&CK Mapping
The core activity described relates to intercepting and manipulating network communications:
- **T1090 - Proxy**
  - T1090.003 - Proxy: Multi-hop Proxy (Involved due to the chain of SSH tunnels and proxies connecting the target, OpenWRT, the workstation, and the final destination.)
- **T1557 - Man-in-the-Middle**
  - T1557.001 - Man-in-the-Middle: Passive DNS Spoofing (While explicit DNS spoofing isn't detailed, the general MitM activity enabling traffic inspection falls under this tactic.)
## Functionality
### Core Capabilities
1. **Network Bridging:** Configuring an OpenWRT device (using hardware like GL.iNet routers) to bridge two Ethernet interfaces to transparently forward packets between the kiosk (victim) and the upstream switch.
2. **Traffic Redirection via `iptables`:** Using custom `iptables` rules (a dedicated nat chain created with `iptables -t nat -N REDSOCKS`) to redirect every TCP connection originating from or destined to the victim IP to a local port (12345) on which the `redsocks` process listens.
3. **Proxification with `redsocks`:** `redsocks` accepts the redirected TCP connections and re-issues each one as a SOCKS connection to port 1080, which the SSH tunnel described next carries to the workstation.
4. **SSH Tunnel Establishment:** Setting up reverse SSH port forwarding (`ssh -R`) to tunnel the SOCKS traffic from the OpenWRT router (port 1080) back to the workstation (port 1080).
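Steps 2 and 3 leave a recognisable shape in the gateway's nat table: a custom chain entered from PREROUTING that ends in a REDIRECT to a local port. The following defender-side check, written for this summary and not taken from the original walkthrough or from Mallet, parses `iptables-save` output and reports exactly that shape; the dump, the chain name REDSOCKS, port 12345 and the victim address 192.0.2.10 are constructed sample data (the address is a documentation-range placeholder, not a value from the page).

```python
import shlex

# Constructed iptables-save excerpt (example data, not from the original page).
# It mirrors the setup the summary describes: a custom nat chain REDSOCKS that
# sends the victim's TCP traffic to a local port (12345). The victim address
# 192.0.2.10 is a documentation-range placeholder, not a value from the page.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:REDSOCKS - [0:0]
-A PREROUTING -s 192.0.2.10/32 -p tcp -j REDSOCKS
-A PREROUTING -d 192.0.2.10/32 -p tcp -j REDSOCKS
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
COMMIT
"""

BUILTIN_NAT_CHAINS = {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"}


def find_transparent_redirects(dump):
    """Return one finding per custom nat chain that PREROUTING jumps into and
    that ends in a REDIRECT to a local port: the shape of redsocks-style
    transparent proxying on a gateway. Tables other than nat are ignored."""
    table, custom, jumps, redirects = None, set(), {}, {}
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif table != "nat" or not line:
            continue
        elif line.startswith(":"):          # chain declaration, e.g. :REDSOCKS - [0:0]
            name = line[1:].split()[0]
            if name not in BUILTIN_NAT_CHAINS:
                custom.add(name)
        elif line.startswith("-A "):        # a rule appended to a chain
            argv = shlex.split(line)
            chain = argv[1]
            target = argv[argv.index("-j") + 1] if "-j" in argv else None
            if chain == "PREROUTING" and target in custom:
                # remember which traffic is diverted into the custom chain
                jumps.setdefault(target, []).append(" ".join(argv[2:-2]))
            elif target == "REDIRECT" and "--to-ports" in argv:
                redirects[chain] = int(argv[argv.index("--to-ports") + 1])
    return [{"chain": c, "local_port": redirects[c], "selectors": jumps[c]}
            for c in sorted(custom) if c in jumps and c in redirects]
```

Run it against `iptables-save` (or `nft list ruleset` translated with `iptables-save` on iptables-nft systems) collected from a gateway; a hit names the diverted traffic and the local port that a proxy helper must be listening on.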
### Advanced Features
1. **Multi-Hop Proxy Chain:** Establishing a complex traffic flow:
* Kiosk Traffic $\rightarrow$ OpenWRT Bridge $\rightarrow$ `iptables` $\rightarrow$ `redsocks` (Port 12345) $\rightarrow$ SSH Tunnel $\rightarrow$ Workstation (Port 1080) $\rightarrow$ **Mallet SOCKS Server** (Port 1080).
2. **Outbound Traffic Back-Channel:** Configuring Mallet to use an upstream SOCKS proxy (Port 1081) which tunnels back through a separate SSH connection to the OpenWRT router, allowing Mallet to make outbound connections to the original destination while appearing to originate from the target network segment.
3. **Graph-Based Analysis:** Mallet's capacity to manage and visualize data flows based on graph construction, enabling detailed inspection and manipulation of the intercepted traffic.
## Indicators of Compromise
*Note: Since Mallet is a framework facilitating a technique, IoCs generally relate to the configuration setup rather than traditional malware artifacts.*
- File Hashes: N/A (Framework/Configuration)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - OpenWRT Management Interfaces (e.g., 192.168.1.1, custom WiFi SSID/IP)
  - SSH Tunnel Endpoints (e.g., localhost:1080, localhost:1081 on workstation)
- Behavioral Indicators:
  - Execution of Linux commands on a network gateway (OpenWRT) to disable the firewall (`/etc/init.d/firewall disable`).
  - Creation of custom `iptables` chains (`iptables -t nat -N REDSOCKS`).
  - Forwarding of traffic destined for external services via intermediate hosts using SOCKS proxies.
## Associated Threat Actors
The article does not associate this specific setup with any named threat groups; it is presented as a penetration testing/assessment technique.
## Detection Methods
- Signature-based detection: Low relevance for generic tool setups; detection would require looking for specific OpenWRT configuration changes or known Mallet binaries/signatures if deployed persistently.
- Behavioral detection: Monitoring network gateways (like travel routers) for unexpected configuration changes (e.g., firewall disablement, interface bridging) or for unusual traffic flows involving SOCKS proxies or SSH reverse tunnels originating from the gateway device.
- YARA rules: Not applicable for this methodology summary.
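The behavioural indicators above (a SOCKS helper and an SSH reverse tunnel on the gateway) are visible in the gateway's listening sockets. The check below is an added example for this summary, not code from the original walkthrough or from Mallet: it reads `ss -tlnp`-style output and flags listeners owned by the SSH server on ports other than its service port (the server-side endpoint an `ssh -R` forward creates) together with known transparent-proxy helpers. The sample output, process names, PIDs and the assumption that dropbear on port 22 is the device's only legitimate SSH listener are all constructed for the example.

```python
import re

# Constructed `ss -tlnp` output from a gateway (example data, not from the page).
# dropbear is OpenWRT's SSH server; a listener it holds on a port other than its
# service port is a remote-forward endpoint of the kind `ssh -R` creates, and
# redsocks on 12345 is the transparent-proxy helper the summary describes.
SAMPLE_SS_TLNP = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("dropbear",pid=812,fd=4))
LISTEN 0      128    0.0.0.0:53         0.0.0.0:*         users:(("dnsmasq",pid=901,fd=6))
LISTEN 0      128    127.0.0.1:12345    0.0.0.0:*         users:(("redsocks",pid=1407,fd=5))
LISTEN 0      128    127.0.0.1:1080     0.0.0.0:*         users:(("dropbear",pid=1422,fd=7))
"""

SSH_SERVERS = {"sshd", "dropbear"}   # processes that own remote-forward listeners
SSH_SERVICE_PORTS = {22}             # assumed legitimate SSH service port(s) on this device
PROXY_HELPERS = {"redsocks"}         # transparent-proxy helpers; extend for your estate

# One LISTEN row: local addr:port, peer, then the owning process and pid.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def audit_listeners(ss_output):
    """Flag listening sockets that match the summary's behavioural indicators:
    SSH-server-owned listeners on non-service ports (reverse-tunnel endpoints)
    and known transparent-proxy helpers. Returns a list of finding dicts."""
    findings = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port, proc, pid = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if proc in SSH_SERVERS and port not in SSH_SERVICE_PORTS:
            kind = "ssh_remote_forward_listener"
        elif proc in PROXY_HELPERS:
            kind = "transparent_proxy_helper"
        else:
            continue
        findings.append({"kind": kind, "proc": proc, "pid": pid, "bind": f"{addr}:{port}"})
    return findings
```

Pair a hit on an SSH-owned non-service port with the firewall state and `iptables-save` from the same device; the reverse-tunnel listener alone is also how an administrator's legitimate `ssh -R` looks, so the combination is what distinguishes this setup.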
## Mitigation Strategies
- **Network Segmentation/Isolation:** Restrict management access to network devices (like routers) to trusted internal networks only.
- **Firewall Hardening:** Ensure that firewalls on network infrastructure devices (especially those bridging segments) are strictly configured and not disabled via administrative interfaces or scripts.
- **Intrusion Detection Systems (IDS):** Monitoring network segments for evidence of traffic redirection or the initiation of unusual proxied connections originating from edge devices.
- **Secure Configuration Management:** Using configuration management tools to verify that critical infrastructure devices maintain a secure baseline configuration (preventing manual `iptables` manipulation or critical service stoppage).
## Related Tools/Techniques
- **`redsocks`:** Used here to convert transparently redirected TCP traffic into SOCKS protocol connections for forwarding.
- **SSH:** Used extensively for secure command-line access and establishing tunnels (`-R` and `DynamicForward`).
- **OpenWRT:** The operating system used to configure the physical hardware for packet forwarding.