In a previous post, we discussed how to decrypt TLS traffic using a transparent PolarProxy proxy server. That is the baseline scenario, in which PolarProxy is installed on the same client computer where the HTTPS traffic is generated.
This tutorial goes further and provides a more advanced and complete configuration. PolarProxy is installed at a geographically different location from the client and is configured to send the decrypted communications to an Arkime server, a packet capture and retrieval tool. Arkime is also installed on a dedicated computer. These three parts - PolarProxy, Arkime and the client - are interconnected by a Linux router that acts as their default gateway. The router's uplink port connects to a MikroTik router/firewall.
Picture 1 shows the logical topology of the network. PolarProxy, Arkime and the gateway are VirtualBox machines, all running on a Lenovo ThinkPad T14 laptop with 32 GB of RAM. Windows 10 is installed as the host OS on the ThinkPad along with the VirtualBox hypervisor and runs the VBox machines. The HTTPS traffic that we will decrypt is generated by browsing the Internet with the Firefox browser installed on the host OS. The laptop is connected to the MikroTik router/firewall, which connects the simulated networks to the Internet. Decentralizing the transparent proxy, the packet capture tool and the client onto separate servers is beneficial because each of them can be upgraded without affecting the other elements of the topology.
Picture 1 - Logical Network Topology
Subnets:
-> Gateway - MikroTik: 192.168.88.0/24
-> Client - Gateway: 192.168.56.0/24
-> PolarProxy - Gateway: 192.168.57.0/24
-> Arkime - Gateway: 192.168.58.0/24
Used Software:
-> Gateway - Linux Ubuntu 20.04.2 LTS
-> PolarProxy 0.8.16.0 installed on Ubuntu 20.04.2 LTS
-> Arkime/Moloch 2.7.1-1 installed on Ubuntu 20.04.2 LTS
-> Client - Win 10 Pro 20H2
1. Gateway - Linux Ubuntu 20.04
The Ubuntu router is the central point of our network and serves as the default gateway for Arkime, PolarProxy and the Windows client. Therefore, we need to configure it first. Let's assume that the OS is installed and the system is up and running, ready for further configuration. The first step is configuring the IP addresses.
1.1 Configure Network Interfaces
Edit the file below created during OS installation (Picture 2).
$ sudo vi /etc/netplan/00-installer-config.yaml
Picture 2 - Gateway Interfaces Configuration
Once done, save the file and apply the changes by running the following command:
$ sudo netplan apply
Verify settings:
$ ip a | grep -P "enp0s\d{1,2}"
Picture 3 - IP Addresses Configured on Default Gateway
1.2 Enable IPv4 and IPv6 Forwarding on the Default Gateway
Uncomment the two lines below in /etc/sysctl.conf.
$ sudo vi /etc/sysctl.conf
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
After editing the file, run the following command to make the changes take effect right away.
$ sudo sysctl -p
1.3 Add Rules to Forward Traffic to PolarProxy
Disable ufw so it does not interfere with the manually added rules, and install iptables-persistent so that the rules are restored at boot by its netfilter-persistent service:
$ sudo systemctl disable ufw
$ sudo systemctl stop ufw
$ sudo apt install iptables-persistent
$ sudo systemctl enable netfilter-persistent
$ sudo systemctl start netfilter-persistent
The interface enp0s8 is the "inside" interface on the GW pointing towards the clients. The PolarProxy server has the IP address 192.168.57.102.
Add a forward rule on the gateway to allow forwarding traffic to our PolarProxy server:
$ sudo iptables -I FORWARD -i enp0s8 -d 192.168.57.102 -p tcp --dport 10443 -m state --state NEW -j ACCEPT
Add a DNAT rule to forward 443 traffic to PolarProxy on port 10443:
$ sudo iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 443 -j DNAT --to 192.168.57.102:10443
Save the iptables configuration so that netfilter-persistent can restore it at boot (the redirection has to run as root, hence the sh -c):
$ sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
2. Firewall - Mikrotik
Let's assume that the MikroTik is fully configured for Internet access. Therefore, we only need to add static routes to the 192.168.5x.0/24 subnets, which are reachable through the gateway address 192.168.88.250.
[admin@MikroTik] > ip route add dst-address=192.168.56.0/24 gateway=192.168.88.250 comment="to_client_on_Ubuntu"
[admin@MikroTik] > ip route add dst-address=192.168.57.0/24 gateway=192.168.88.250 comment="to_polarproxy_net"
[admin@MikroTik] > ip route add dst-address=192.168.58.0/24 gateway=192.168.88.250 comment="to_arkime_net"
Now we should be able to ping 192.168.56.101 from the MikroTik firewall. And of course, if the client is configured with the IP address 192.168.56.1/24 and the default gateway 192.168.56.101, we should be able to ping 8.8.8.8 from the Windows client.
3. PolarProxy
3.1 Network Configuration
Edit the file below created during OS installation (Picture 4).
$ sudo vi /etc/netplan/00-installer-config.yaml
Picture 4 - PolarProxy Interfaces Configuration
Once done, save the file and apply the changes by running the following command:
$ sudo netplan apply
3.2 PolarProxy Installation
Create a user for PolarProxy's systemd service and download PolarProxy. If the curl command fails to download the file, temporarily flush the firewall and NAT rules configured in Part 1.3 on the gateway. Once the file is downloaded, restore the rules on the gateway with the command iptables-restore < /etc/iptables/rules.v4.
Create a system user for the PolarProxy daemon.
$ sudo adduser --system --shell /bin/bash proxyuser
Create a log directory for proxyuser.
$ sudo mkdir /var/log/PolarProxy
$ sudo chown proxyuser:root /var/log/PolarProxy/
$ sudo chmod 0775 /var/log/PolarProxy/
Download and install PolarProxy.
$ sudo su proxyuser
$ mkdir ~/PolarProxy
$ cd ~/PolarProxy/
$ curl https://www.netresec.com/?download=PolarProxy | tar -xzf -
$ exit
Copy the default PolarProxy service config to the systemd location.
$ sudo cp /home/proxyuser/PolarProxy/PolarProxy.service /etc/systemd/system/PolarProxy.service
Modify /etc/systemd/system/PolarProxy.service by appending "--pcapoveripconnect 192.168.58.102:57012" to the ExecStart command. 192.168.58.102:57012 is the socket on which Arkime listens for PCAP-over-IP connections.
$ sudo vi /etc/systemd/system/PolarProxy.service
Picture 5 - Creating PolarProxy Systemd Service
Enable and start the PolarProxy service.
$ sudo systemctl enable PolarProxy.service
$ sudo systemctl start PolarProxy.service
Verify that PolarProxy has connected to Arkime’s PCAP-over-IP listener on TCP port 57012 (Picture 6).
Picture 6 - Connection Established Between PolarProxy and Arkime
3.3 Trusting the PolarProxy Root CA
Download the root CA certificate from the web server that PolarProxy runs on port 10080:
$ curl http://127.0.0.1:10080/polarproxy.cer > polarproxy.cer
Import the downloaded PolarProxy root CA certificate into the OS trust store (the openssl command converts it from DER to PEM):
$ sudo mkdir /usr/share/ca-certificates/extra
$ sudo openssl x509 -inform DER -in polarproxy.cer -out /usr/share/ca-certificates/extra/PolarProxy-root-CA.crt
$ sudo dpkg-reconfigure ca-certificates
Copy the converted certificate /usr/share/ca-certificates/extra/PolarProxy-root-CA.crt to the Windows client and import it into the web browser.
Import the root CA certificate into the browser (Firefox):
Open: about:preferences#privacy
Scroll down to "Certificates" and press [View Certificates...]
In the "Authorities" tab, press [Import...]
Open "polarproxy-pem.crt"
Trust this CA to identify websites. (check the box)
Picture 7 - Importing CA Root Certificate to Firefox on Windows Client
4. Arkime
4.1 Network Configuration
Edit the file below created during OS installation.
$ sudo vi /etc/netplan/00-installer-config.yaml
Picture 8 - Arkime Interfaces Configuration
Once done, save the file and apply the changes by running the following command:
$ sudo netplan apply
4.2 Arkime Installation and Configuration
Download the Arkime package for Ubuntu 20.04.
$ wget https://s3.amazonaws.com/files.molo.ch/builds/ubuntu-20.04/moloch_2.7.1-1_amd64.deb
$ sudo apt install ./moloch_2.7.1-1_amd64.deb
After installing the Arkime package, configure Arkime by running:
$ sudo /data/moloch/bin/Configure
Enter “none” as the interface to monitor (the interface setting will be ignored when Arkime gets configured as a PCAP-over-IP server).
Install the ElasticSearch server by typing “yes” when prompted.
Edit /data/moloch/etc/config.ini and add "pcapReadMethod=pcap-over-ip-server" to configure Arkime to listen for PCAP-over-IP connections.
$ sudo vi /data/moloch/etc/config.ini
Picture 9 - Arkime Configuration
Next, enable and start the ElasticSearch systemd service.
$ sudo systemctl enable elasticsearch.service
$ sudo systemctl start elasticsearch.service
Initialize the Arkime search cluster.
$ /data/moloch/db/db.pl http://localhost:9200 init
Create a new admin user with the password secret_pass. Feel free to change the password if needed.
$ sudo /data/moloch/bin/moloch_add_user.sh admin "Admin User" secret_pass -admin
You can now enable and start the Moloch capture and viewer services.
$ sudo systemctl enable molochcapture.service
$ sudo systemctl start molochcapture.service
$ sudo systemctl enable molochviewer.service
$ sudo systemctl start molochviewer.service
Verify that Arkime is listening for incoming connections on TCP port 57012 (Picture 10).
$ ss -nta | grep 57012
Picture 10 - Arkime Listening on port 57012 for Incoming Connection from PolarProxy
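As an added example (not part of the original tutorial, nor code from the PolarProxy or Arkime projects), the following POSIX shell script checks the two things the decryption path depends on: that the gateway's FORWARD and DNAT rules from section 1.3 are still loaded, and that PolarProxy holds an established PCAP-over-IP session to Arkime's port 57012 listener from section 4.2. It assumes the addresses and the interface name used above; the iptables-save and ss output embedded in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity checks for the
# decryption path after a reboot. Addresses, ports and interface name are
# the ones used in this tutorial; the sample outputs below are constructed.
PROXY_IP="192.168.57.102"; PROXY_PORT="10443"; INSIDE_IF="enp0s8"
ARKIME_PORT="57012"

# Gateway side: read an iptables-save dump on stdin and confirm that both the
# FORWARD accept and the PREROUTING DNAT rule towards PolarProxy are present.
# Returns 0 when both exist, 1 otherwise; missing rules are reported on stderr.
check_gateway_rules() {
    dump=$(cat); rc=0
    printf '%s\n' "$dump" | grep -q -- \
        "-A FORWARD .*-d ${PROXY_IP}/32 .*-i ${INSIDE_IF} .*--dport ${PROXY_PORT} .*-j ACCEPT" \
        || { echo "missing FORWARD accept to ${PROXY_IP}:${PROXY_PORT}" >&2; rc=1; }
    printf '%s\n' "$dump" | grep -q -- \
        "-A PREROUTING .*-i ${INSIDE_IF} .*--dport 443 -j DNAT --to-destination ${PROXY_IP}:${PROXY_PORT}" \
        || { echo "missing PREROUTING DNAT 443 -> ${PROXY_IP}:${PROXY_PORT}" >&2; rc=1; }
    return $rc
}

# Arkime side: read 'ss -nta' output on stdin and confirm that the PCAP-over-IP
# listener is up and that PolarProxy holds an established session to it.
check_pcapoverip() {
    out=$(cat); rc=0
    printf '%s\n' "$out" | awk -v p="$ARKIME_PORT" \
        '$1 == "LISTEN" && $4 ~ (":" p "$") { f = 1 } END { exit !f }' \
        || { echo "no LISTEN socket on TCP port ${ARKIME_PORT}" >&2; rc=1; }
    printf '%s\n' "$out" | awk -v p="$ARKIME_PORT" -v x="$PROXY_IP" \
        '$1 == "ESTAB" && $4 ~ (":" p "$") && index($5, x ":") == 1 { f = 1 } END { exit !f }' \
        || { echo "PolarProxy (${PROXY_IP}) has no session to port ${ARKIME_PORT}" >&2; rc=1; }
    return $rc
}

# Constructed samples in the formats produced by iptables-save and ss -nta.
SAMPLE_RULES='*filter
-A FORWARD -d 192.168.57.102/32 -i enp0s8 -p tcp -m tcp --dport 10443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
-A PREROUTING -i enp0s8 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.57.102:10443
COMMIT'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port
LISTEN 0      128    0.0.0.0:57012         0.0.0.0:*
ESTAB  0      0      192.168.58.102:57012  192.168.57.102:41234'

printf '%s\n' "$SAMPLE_RULES" | check_gateway_rules && echo "gateway rules: OK"
printf '%s\n' "$SAMPLE_SS" | check_pcapoverip && echo "PCAP-over-IP session: OK"
# On the real hosts: sudo iptables-save | check_gateway_rules; ss -nta | check_pcapoverip
```

On the live hosts, a missing rule or session is printed to stderr and the function returns 1, so the checks can be chained into a cron job or a monitoring probe.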
4.3 Troubleshooting Arkime Issues
If the Moloch viewer fails to start after boot, add a 5 s sleep to the ExecStart command in the file below (Picture 11):
$ sudo vi /etc/systemd/system/molochviewer.service
Picture 11 - Adding Timeout 5s to Exec Command to Delay Starting Moloch Viewer
Similarly, add a 5 s sleep to the ExecStart command of the Moloch capture service if that service fails to start (Picture 12):
$ sudo vi /etc/systemd/system/molochcapture.service
Picture 12 - Adding Timeout 5s to Exec Command to Delay Starting Moloch Capture
5. Testing
Open http://192.168.58.102:8005/sessions in a browser and look for sessions to port 80. The Arkime username and password are admin/secret_pass if you have followed the instructions in this tutorial.
Decrypted HTTPS sessions are shown in Picture 13. Notice that the destination TCP port is 80 instead of 443: PolarProxy hands the decrypted stream to Arkime as plain HTTP.
Picture 13 - Decrypted HTTPS Traffic in Arkime
Picture 14 shows the captured user credentials test/test sent in an HTTP POST to pobox.sk.
Picture 14 - Captured Credentials in HTTP traffic
End.