github.com/zeroeh/udp-mitm

udp-mitm

Use NAT to MITM specific UDP traffic for traffic shaping purposes. The primary purpose of this project is to capture UDP traffic from games and process/edit them before they reach their destination. Since UDP is connectionless, unlike TCP which can be rerouted via hosts file, it needs special handling such as a specific NAT reroute or an application with a pcap hook to capture and edit the packets en route.

Features

• Stealth. Be able to hide from any anticheat that would otherwise be looking for pcap hooks, firewall rules, and DNS reroutes (hosts file).
• You make the rest. The included test application is enough to get started making your hooks / features.

Requirements

• Computer running the target application
• Second computer used as the intercept, this can be a laptop or raspberry pi, as long as it runs linux and has an ethernet port and wifi capabilities.
• Golang
• Sudo privileges

Instructions

• Host = the machine running the target game/application. This machine is air gapped and connected via ethernet to the intercept.
• Intercept = the machine offering the tethered internet connection to the host. This machine is running the mitm proxy application.

If you do not understand the above 2 concepts or want to see visually, please see diagram1.png.

1. Download the NTP client script to the host machine and the NTP proxy script to the intercept. When the steps refer to the bash script to run, please look here for the script.

2. Set up the intercept and host machines by going to ethernet settings and sharing the connection. See how to do this here or here, or you can just google "linux share internet connection through ethernet". For a raspberry pi tutorial, see here

3. If the above instructions from the links dont work, try deleting ALL ethernet profiles on both intercept and host machines and trying step 1 again. If it still doesn't work, try flushing the iptables with iptables --flush && iptables -t nat --flush on the intercept and reboot. If it still doesn't work, you may need to enable ipv4 forwarding on the intercept. You can do this with sudo sysctl net.ipv4.ip_forward=1 which should apply every reboot and to apply the change immediately do sudo echo "1" > /proc/sys/net/ipv4/ip_forward.

4. On the host machine, shut off or disconnect from wifi and see if you can get internet, if not, refer to step 2 again. If it succeeds, continue. (you can use ifconfig to see which IP addresses are assigned to eth0, which they should be if everything is working)

5. On the intercept machine, run the "start_reroute.sh" script. Arguments for this script will be:

   • Remote application port (dst)
   • Local MITM port (local)
   • Intercept IP on ethernet (host)
   • Intercept IP base address in cidr notation.

(example: sudo ./start_reroute.sh 123 5555 10.42.0.1 10.42.0.0/24) If the script doesn't work, you may need to make it executable. (chmod +x start_reroute.sh)

• Note: use iptables -t nat -L -n -v to double check that the iptables rules were applied. There should be a rule in OUTPUT and a rule in PREROUTING.

1. Start the NTP proxy on the intercept with go run ntp_proxy.go
2. Run the NTP client on the host with go run ntp_client.go
3. If everything works correctly, the client script should print out the read buffer repeatedly every 10 seconds. You can see example outputs in the success directory. If it doesn't work, then you are on your own, sorry.

Issues

• The example NTP test applications stop transmitting packets after a bit. This is probably some protection mechanism on apples end however. Other applications that I've tested do not experience this effect.
• You may experience some cross talk from the intercept coming from your router on heavily used UDP applications. This can be negated by changing the iptables script to use the ethernet interface only.

Todo

• Maybe make the bash script a little more user friendly by cutting down the arguments a little bit?
• Add args to the cleanup script for looping the amount of times to cleanup rules. (Smarter cleanup script)