Newbie question on web proxy servers and promiscuous mode

Question: I have been using several web proxy tools (Burp Suite, OWASP ZAP, Fiddler, etc.).
Normally when you set up a web proxy you set up the MITM between your browser and the app server.

Is there a way to set up such proxy products to monitor traffic between the server and third-party users, in a similar way to how Wireshark uses promiscuous mode?

I assume that this is how traditional MITM attacks are performed.

Could someone give a brief overview of how to do such a configuration?

Sorry for the newbie question, got to start somewhere.

Thanks

Bin

Just to clarify, this is not a lame script kiddie question. The book “The Web Application Hacker’s Handbook 2”, which is a white hat hacking reference, refers to the technique of monitoring user requests and responses between users and the server. So I am not asking this question to Black Hat hack MITM.

This is a valid question for White Hat Hacking.

Neither the web server nor someone else’s browser is just going to want to send you their traffic (unless there’s a bug). The reason tools like Burp Suite work is because you add it as a proxy in your browser. This would require some kind of access to one or both of the devices.

Promiscuous sniffing with Wireshark works because the wireless traffic is radio waves that your computer can pick up. On an unsecured WiFi network this traffic is not encrypted. On a WPA2 network it is encrypted with the WiFi password (i.e. if you know it you can decrypt all the traffic). This should change with the WPA3 standard (which encrypts the traffic differently to different devices).

If you do not have access to the traffic you need to pretend to be the devices involved so they connect to you instead of each other. An example of this is ARP (Address Resolution Protocol) spoofing. When devices are on the same subnet they work out which device has the IP address they want to send packets to by broadcasting a request. Devices on the network respond to this request by specifying the MAC address belonging to the device with that IP. With ARP spoofing you respond to requests for the server’s and client’s IPs by specifying your own MAC address so they connect to you instead.

tl;dr I know of 3 main methods for getting traffic between a server and a third party:

  1. Have access to one of the devices
  2. Passively sniffing the traffic between the devices if you have access to it
  3. Actively pretending to be the devices (spoofing) so they connect to you instead of each other

I think MiTM is specifically when you get into a situation where you relay the packets between the targets. So, I’m not sure if I’d count the second or some instances of the first.

Encryption (mainly SSL/TLS) tries to prevent these attacks by encrypting the traffic so that what you receive when performing these attacks looks like nonsense. If the client and server implement this properly and certificate authorities can be trusted, this should fix the problem. In practice there can be bugs in these setups and sometimes CAs can’t be trusted, e.g. Heartbleed, sslstrip, POODLE. These particular attacks are a bit old and (mostly) have been fixed; they shouldn’t work on modern software.


I should probably also mention that active spoofing can be picked up by intrusion detection systems. ARP spoofing in particular can be very noisy.
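As an added example, not part of lkw’s posts, here is the defender’s side of the two points above: the ARP behaviour described (a host answers a broadcast request with its MAC, and a spoofer answers for addresses that aren’t its own) and the remark that ARP spoofing is noisy enough for an IDS to notice. The script replays constructed ARP log lines in a tcpdump-like shape (the format, the addresses and the MACs are all made up for this example) and raises an alert when an IP’s MAC changes or when one MAC keeps sending replies nobody asked for. The threshold and the baseline mapping are assumptions for the demo, not values from the thread.

```python
"""Spot ARP-cache-poisoning symptoms in a stream of ARP events.

Two signals, both visible to a passive sensor on the segment:
  * mac-change: an IP that was mapped to one MAC is suddenly claimed by another.
  * unsolicited-replies: a MAC sends replies for which no request was pending.
    Spoofers re-send poisoned replies continuously, so this count climbs fast.
"""
import re
from collections import defaultdict

# Constructed line shapes for this example; they mimic tcpdump's ARP summary.
REQUEST_RE = re.compile(r"Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"Reply (\S+) is-at ([0-9a-fA-F:]{17})")

# Constructed sample: one honest gateway reply, then a second MAC that
# repeatedly claims both the gateway's IP and the client's IP.
SAMPLE_ARP_LINES = [
    "ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28",
    "ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28",
    "ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
    "ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:01, length 28",
    "ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28",
]


def analyze_arp(lines, baseline=None, unsolicited_threshold=3):
    """Return a list of alert strings for the given ARP event lines.

    baseline: optional {ip: mac} of known-good mappings (e.g. the gateway),
    so a poisoned reply for a host we have not yet seen still stands out.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    pending = defaultdict(int)      # IP being asked for -> outstanding requests
    unsolicited = defaultdict(int)  # sender MAC -> replies nobody requested
    alerts = []

    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            pending[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if not m:
            continue  # not an ARP request/reply line we understand
        ip, mac = m.group(1), m.group(2).lower()

        # A reply should answer an outstanding request for that IP.
        if pending[ip] > 0:
            pending[ip] -= 1
        else:
            unsolicited[mac] += 1
            if unsolicited[mac] == unsolicited_threshold:
                alerts.append(f"unsolicited-replies {mac} claims {ip}")

        # An IP silently switching MACs is the classic poisoning footprint.
        prev = ip_to_mac.get(ip)
        if prev is None:
            ip_to_mac[ip] = mac
        elif prev != mac:
            alerts.append(f"mac-change {ip}: {prev} -> {mac}")
            ip_to_mac[ip] = mac

    return alerts


if __name__ == "__main__":
    # Seed the client's real MAC so its poisoning is caught too (assumed value).
    for alert in analyze_arp(SAMPLE_ARP_LINES,
                             baseline={"192.168.1.10": "aa:bb:cc:dd:ee:10"}):
        print(alert)
```

Legitimate MAC changes do happen (DHCP handing an address to a new device, a NIC replacement, a router failover), so in practice a static baseline for the gateway and other critical hosts plus the unsolicited-reply rate gives a far better signal than either check alone.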

Thanks lkw for the detailed description. I also found an example article on nullbyte on how to perform ARP spoofing.

Thanks

Bin

If you’re a network admin you can install a web proxy, something like squid3, to intercept web traffic and send it to the origin server. Most enterprise environments use them as a transparent proxy to route all of the web traffic without needing to configure the proxy on each endpoint manually.

You’ll have the issues that @ikw mentioned with encrypted traffic, and then there are additional configurations to make, like HTTPS introspection.

Thanks Shellcromancer I will check out squid3
