
Usage

This guide covers how to use the GUI. This assumes that Mallory is running and working correctly.

Interfaces

The interfaces tab reflects how you've set up Mallory. In this tab you'll choose which interface to provide as the "victim" and which is the outbound interface. If you set it up using the PPTP topology, you'll see a ppp0 interface. With most other topologies you will see an eth1 interface. Choose your settings and click "apply."

Protocols

The protocols tab controls how TCP/UDP streams are processed. Protocols like SSL need to be enabled for each particular port.

Example: An SSL-enabled web server is running on port 9898 and you want to watch traffic going from the client to the server. Your rule would look like this:

ssl_example:sslproto.SSLProtocol:9898

The available protocols are:

  • https.HTTPS: (undocumented)
  • http.HTTP: standard HTTP decoder
  • sslproto.SSLProtocol: this decoder will replace any outbound certificates with a Mallory certificate, allowing all traffic to be visible and manipulated
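
A small checker for protocol rule lines, added here as an example and not part of Mallory. It assumes the name:decoder:port layout inferred from the rule above; ProtocolRule, parse_rule and review are hypothetical names, and treating a reused port as a problem is this checker's own assumption.

```python
from dataclasses import dataclass

# Decoder names listed on this page. The name:decoder:port layout is inferred
# from the page's single example rule (an assumption, not a documented grammar).
KNOWN_DECODERS = {"https.HTTPS", "http.HTTP", "sslproto.SSLProtocol"}
CERT_REPLACING = {"sslproto.SSLProtocol"}  # the decoder the page says swaps certificates
SAMPLE = ["ssl_example:sslproto.SSLProtocol:9898", "web:http.HTTP:80",  # page's rule, then constructed
          "bad_port:sslproto.SSLProtocol:99999", "dup:http.HTTP:9898"]  # constructed


@dataclass(frozen=True)
class ProtocolRule:
    name: str
    decoder: str
    port: int

    @property
    def replaces_certificate(self) -> bool:
        return self.decoder in CERT_REPLACING


def parse_rule(line: str) -> ProtocolRule:
    """Parse one 'name:decoder:port' line, rejecting malformed input."""
    parts = [p.strip() for p in line.split(":")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected name:decoder:port, got {line!r}")
    name, decoder, port_text = parts
    if decoder not in KNOWN_DECODERS:
        raise ValueError(f"unknown decoder {decoder!r}")
    if not port_text.isdecimal() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port {port_text!r}")
    return ProtocolRule(name, decoder, int(port_text))


def review(lines):
    """Return (rules, problems); a reused port is reported (checker's assumption)."""
    rules, problems, owner = [], [], {}
    for number, raw in enumerate(lines, start=1):
        try:
            rule = parse_rule(raw)
            if rule.port in owner:
                raise ValueError(f"port {rule.port} already used by {owner[rule.port]!r}")
        except ValueError as exc:
            problems.append(f"line {number}: {exc}")
            continue
        owner[rule.port] = rule.name
        rules.append(rule)
    return rules, problems
```

Calling review(SAMPLE) returns the accepted rules plus one message per rejected line, and replaces_certificate marks the ports whose traffic will be presented with a Mallory certificate.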

Rules

The rules tab is where you can control how the packets are processed. The simplest example of this is to create a debug rule that dumps the packets to the console. This is the easiest way to make sure your network setup is working.

  • Name: Whatever you want to call the rule
  • Direction: How the rule is processed. Server to client, client to server, or bi-directional
  • Type:
    • Nothing: do nothing at all to the packets
    • Debug: print out packet information to the console, streams tab, and the sqlite database
    • Muck: modify packets on the fly based on the rules below
    • Fuzz: (undocumented)
  • Payload: (undocumented)
  • Muck: (undocumented)

Make a Debug Rule

  • in the rules tab, click on the green icon to add a new empty rule
  • under direction choose "both"
  • for type choose "debug"
  • choose "save rule"

Make a Muck Rule

... TO BE DOCUMENTED ...

Streams

The streams tab lets you watch TCP streams as they pass through Mallory, or manually change them before they are passed through.

Options:

  • Intercept: tells whether or not to watch data that passes through Mallory. If you turn this off, Mallory doesn't do much.
  • Autosend: Whether or not to pass the packets along automatically or hold them until you click the send button

Advanced

... TO BE DOCUMENTED ...
