fritm is a minimalist, cross-platform (tested on macOS and Windows) network reverse engineering framework written in Python.
fritm-hook allows you to easily hook the connect() function with frida to redirect all traffic from a target application. You can then use the builtin server written in Python to initiate a Man-in-the-middle attack.
Even if you don't want to use Python, you can use the fritm-hook command to redirect the traffic to your own application and implement the simple parsing of the HTTP CONNECT header yourself.
pip install fritm
Hook the process:
fritm-hook PROCESS_NAME_OR_PID -p PORT # (default 8080)
Or create a new one:
fritm-spawn PATH_TO_COMMAND -p PORT # (default 8080)
Launch a proxy server in Python:
import select
from fritm import start_proxy_server

def dumb_callback(soClient, soServer):
    """Forwards all the traffic between the two sockets."""
    conns = [soClient, soServer]
    other = {soClient: soServer, soServer: soClient}
    active = True
    try:
        while active:
            # Block until one side has data (or reports an error condition)
            rlist, wlist, xlist = select.select(conns, [], conns)
            if xlist or not rlist:
                break
            for r in rlist:
                data = r.recv(8192)
                if not data:
                    # Peer closed its end: stop relaying and close both sockets
                    active = False
                    break
                # Relay the bytes unchanged to the other side
                other[r].sendall(data)
    finally:
        for c in conns:
            c.close()

httpd = start_proxy_server(dumb_callback)
Now, all the traffic will go through your application. You can modify anything on the fly.
What fritm-hook does:
- attach to the target process
- intercept the calls to connect()
- replace the target IP address by 127.0.0.1 and the port with the chosen one
- execute the connect() function with the local IP
- just before returning, send the HTTP CONNECT method with the original IP and port
fritm.spawn_and_hook(process, port) launches the process and ensures it is hooked from the beginning.
What the proxy server (start_proxy_server) does:
- Launch a local server that listens for connections on the given port
- Upon receiving a new connection from the hooked client, read the IP and port of the server from the HTTP CONNECT header
- Open a new socket to the server
- Call callback(socket_to_client, socket_to_server)
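A server-side reader for that CONNECT preamble, covering both the "read the IP and port from the HTTP CONNECT header" step above and the case where you implement the reading yourself outside Python. This is an added example, not fritm's own code: it assumes the hook sends a standard HTTP/1.1 CONNECT request line (the page does not spell out the exact bytes), it keeps any application payload that arrives in the same recv() as the header so it can be forwarded instead of lost, and it also accepts bracketed IPv6 hosts, which goes beyond what fritm handles today.

```python
import re
import socket

# Assumed wire format (not stated on the page): the hook sends a standard
# HTTP/1.1 CONNECT request, e.g. b"CONNECT 203.0.113.10:443 HTTP/1.1\r\n\r\n",
# ahead of the application's own bytes. Bracketed IPv6 hosts are accepted too.
_REQUEST_LINE = re.compile(rb"^CONNECT (\[[0-9A-Fa-f:]+\]|[^\s:]+):(\d{1,5}) HTTP/1\.[01]$")

def parse_connect_header(data):
    """Parse the CONNECT preamble at the start of `data`.

    Returns (host, port, remainder); `remainder` is every byte after the blank
    line, i.e. the application's first payload, which must be forwarded to the
    real server. Returns None while the header is still incomplete and raises
    ValueError for a malformed request line or an out-of-range port.
    """
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None
    request_line = data[:end].split(b"\r\n", 1)[0]
    m = _REQUEST_LINE.match(request_line)
    if not m:
        raise ValueError("not a CONNECT request line: %r" % request_line)
    host = m.group(1).strip(b"[]").decode("ascii")
    port = int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return host, port, data[end + 4:]

def read_connect_header(so_client, limit=8192):
    """Read from the client socket until the CONNECT header is complete."""
    buf = b""
    while len(buf) < limit:
        chunk = so_client.recv(limit - len(buf))
        if not chunk:
            raise ConnectionError("client closed before sending CONNECT")
        buf += chunk
        parsed = parse_connect_header(buf)
        if parsed is not None:
            return parsed
    raise ValueError("CONNECT header exceeds %d bytes" % limit)

def connect_to_origin(so_client):
    """Open the socket to the real server and replay any early payload."""
    host, port, early = read_connect_header(so_client)
    so_server = socket.create_connection((host, port))
    if early:
        so_server.sendall(early)
    return so_server
```

connect_to_origin() returns the server socket, so the pair (so_client, server socket) can then be handed to a callback like dumb_callback above.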
When specified, filter lets you exclude some connections from the redirection. It is a javascript expression that can use the variables sa_family, addr and port. A good value is sa_family == 2 (corresponds to AF_INET, aka IPv4), but for unknown reasons sa_family is 0 on Windows.
Differences with mitmproxy
- mitmproxy doesn't use function hooking; it intercepts all the traffic from your browser or computer
- mitmproxy only works for HTTP traffic, whereas fritm works with any TCP traffic.
Differences with proxychains / proxychains-ng
fritm-spawn is intended as a simplified and cross-platform version of proxychains. fritm-hook can attach to an already running process.
- proxychains is not cross-platform and hard to install, whereas fritm is cross-platform and simple to install.
- proxychains uses a config file whereas fritm-spawn only takes two arguments
- fritm includes an HTTP proxy server (that is also able to communicate with proxychains)
- proxychains can handle a lot of different proxy types (SOCKS4, SOCKS5, HTTPS) with a lot of options (e.g. for authentication)
- proxychains can chain multiple proxies
- proxychains handles any proxy address whereas fritm-spawn defaults to localhost. However, if anyone needs it for remote addresses, post an issue and I'll implement it.
Known issues:
- Some Windows users faced issues that I couldn't reproduce
- fritm will fail on IPv6 addresses, but it should not be hard to fix (I just don't happen to have any application that uses an IPv6 address to test).