Fiddler + Apps that ignore proxy settings


Adam

Apr 11, 2017, 12:44:13 PM
to Fiddler
Hi everyone,

I'm relatively new to Fiddler, but I've been reading a lot all over Stack Exchange and other places trying to figure out the solution to an issue that I'm not sure is even really solvable in any easy sense:

I would like to use Fiddler with the HTTP traffic of an application that doesn't respect Windows system proxy settings (the developer apparently used wxWidgets). I confirmed with Wireshark that the traffic is plain old HTTP/HTTPS, and that other applications work fine with my Fiddler install (i.e. the normal browser/etc. things show up).

I've considered trying to do a reverse proxy, but I don't control the server this application is talking to, either, so it's not like I can install Fiddler on the server and do a local reverse proxy. What I really want here, I guess, is a "man in the middle" proxy with the capabilities Fiddler has.

Does anyone know how this might be accomplished? Here's what I've read so far, having spent a few hours learning, but I'm still without a working solution. I'm hoping someone can suggest a working toolchain from experience here?

Other ideas:

Adam

Apr 11, 2017, 12:50:06 PM
to Fiddler
P.S. I forgot to mention that of course I've RTFM'd too, and unfortunately found nothing to help me in links like http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureWinHTTPApp#configure-a-winhttp-application-to-use-fiddler. The application in question is apparently a C++ application that uses Winsock somehow, but beyond that I'm not quite sure what's going on, other than it clearly ignores system proxy settings. I don't think it's doing it on purpose, but I suspect there's got to be a solution to apps that "don't behave" with any of the suggested configurations at http://docs.telerik.com/fiddler/configure-fiddler/tasks/configurefiddler

Eric Lawrence

Apr 11, 2017, 9:02:20 PM
to Fiddler
Your research looks pretty thorough.

On Windows, most applications use WinINET, WinHTTP, System.NET, or Java's stack, all of which can have their proxy set in a variety of ways. Unfortunately, it looks like wxWidgets aims to be some sort of cross-platform toolkit, which usually means that the developer assumes a baseline (a socket) and implements everything else on top of that. In some cases, that means the app doesn't support proxies at all, while in others it means that the developer of the app must expose proxy settings via custom configuration UI. Most apps built like this do end up supporting proxies because it's difficult to sell or deploy to any sort of organization without proxy support. (Taking a quick look at the online docs for wxWidgets, I don't see ANY mention of HTTPS at all, so if there's HTTPS in use, maybe they're using wxWidgets only for the UI and using something like WinHTTP for networking).

So, supposing that the app really is 
  • using wxWidgets for networking, and
  • doesn't have a config UI or a hidden environment setting, and 
  • the developer isn't willing to add one
...what can you do?

The best path partly depends on what you need. Do you need HTTPS, or just HTTP? Do you need to modify traffic, or only read? If, for instance, you only need to read HTTP traffic, you could just capture in Wireshark and then export a PCAP to read in Fiddler. But if you need to modify HTTPS traffic, things get more dicey. In particular, to modify HTTPS traffic, you probably need to modify the list of trusted certificates in the application (as it may not adopt the system's trust store). That usually means finding some database file shipped with the app and modifying it to add Fiddler's root certificate.

Other than the HTTPS certificate trust issue, you might just run Fiddler on port 80 and 443, edit the HOSTS file so that whatever server the client is trying to talk to points at 127.0.0.1. Fiddler will capture the requests as if they were sent directly to it, and you can use scripting to forward the direct requests off to the original destination.

My previous reading leads me to believe you could probably hack a proxy chain together with MITMProxy, but I haven't ever tried this myself.


Adam

Apr 11, 2017, 9:57:25 PM
to Fiddler
Thanks Eric! 

I only really need HTTP here I think, and I think the developer used WxHTTP, which, in turn, probably is its own HTTP stack, like you said. All that being said, I have a comment and one further question:

1) I found via trial and error that using http://www.proxycap.com/ + Fiddler seems to actually work "magically" somehow to force the misbehaving application to hit Fiddler. Unfortunately this isn't exactly a free solution, and may not appeal to many, as ProxyCap is a commercial product.

2) Question: How would I go about implementing the scripting that you mention? Assume, for example, that the client hits host XYZ.COM on port 80 and/or 443. It's easy enough to redirect the DNS via hosts to hit the localhost on 80/443 as you mention, but I've got no idea how to configure Fiddler to "pass through" that traffic to XYZ.COM so that I can inspect and/or then modify it?

P.S. Is the only way to modify traffic via the autoresponder and a saved file, or is there another mechanism to do it "on the fly" that I haven't discovered?

EricLaw

Apr 12, 2017, 9:30:55 AM
to Fiddler
1. Yeah, ProxyCap looks like it just re-routes connections at the TCP/IP layer; that's a capability that exists in Linux via built-in tools, but I don't know that the same tools are included in Windows. Maybe they are?

2. The scripting is pretty simple for HTTP traffic. The request should come into Fiddler with the hostname header of the target site; that may mean that it just works. But I can't recall whether .NET ends up using the HOSTS file -- if it did, that would mean you'd have an endless loop because Fiddler would try to forward the traffic to itself. To work around this, you'd just click Rules > Customize Rules. Inside OnBeforeRequest, you'd do something like:

   if (oSession.HostnameIs("whatever.com")) {
       oSession["X-OverrideHostname"] = "123.123.123.123"; // Use real IP address here
   }

3. You can send stored responses using the AutoResponder. Or you can modify outbound and inbound traffic using Extensions, the scripting engine or via Inspectors in Editing mode when traffic is paused at a breakpoint.
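
The forwarding decision from point 2 above, written out in Python as an added example (not part of the original post and not Fiddler's own code): the Host header of a request that arrived through a HOSTS redirect selects a pinned real address, and a destination that resolves to loopback is rejected as a forwarding loop. The pin table, the 203.0.113.10 documentation address and all function names are assumptions made for the illustration.

```python
import ipaddress
import socket

# Constructed pin table: hostname the client asks for -> real server address.
# 203.0.113.10 is an RFC 5737 documentation address, not a real server.
PINNED = {"whatever.com": "203.0.113.10"}

# Constructed sample of what the local listener receives after the HOSTS edit.
SAMPLE = b"GET /update HTTP/1.1\r\nHost: whatever.com\r\nUser-Agent: demo\r\n\r\n"


class ForwardingLoop(Exception):
    """The chosen upstream is the local listener itself."""


def host_from_request(raw: bytes) -> tuple[str, int]:
    """Return (hostname, port) taken from the Host header of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            value = value.strip()
            host, sep, port = value.rpartition(":")
            if not sep or value.endswith("]"):  # no port (or bare IPv6 literal)
                host, port = value, ""
            return host.strip("[]").lower(), int(port) if port else 80
    raise ValueError("request has no Host header")


def pick_upstream(raw: bytes, resolve=socket.gethostbyname) -> tuple[str, int]:
    """Decide where to forward a request that arrived via a HOSTS redirect."""
    host, port = host_from_request(raw)
    # Prefer the pinned address. Falling back to normal resolution goes through
    # the HOSTS file, which now answers 127.0.0.1 for the redirected name.
    ip = PINNED.get(host) or resolve(host)
    if ipaddress.ip_address(ip).is_loopback:
        raise ForwardingLoop(f"{host} resolves to {ip}; pin its real address")
    return ip, port  # the Host header itself is forwarded unchanged


if __name__ == "__main__":
    print(pick_upstream(SAMPLE))
```

Only the connection target changes; the request keeps its original Host header, which is what the upstream server uses to pick the site.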

Adam

Apr 12, 2017, 10:52:53 PM
to Fiddler
Thanks. One last silly question: is there a way to make Fiddler listen to more than one port at a time? I.e., run on both 80 and 443 simultaneously, for example?

Eric Lawrence

Apr 13, 2017, 1:52:29 PM
to Fiddler
From the Fiddler book:

QuickExec command: !listen port [SubjectCN] 
Starts a new proxy listener object on the specified port. This listener's Sessions will be added to the Web Sessions list. The listener instance is automatically configured to permit remote connections. If the CN parameter is present, all inbound connections on this listener will automatically invoke a HTTPS handshake; Fiddler will present a certificate containing the specified SubjectCN. This feature is useful when Fiddler is being used as a reverse proxy for a HTTPS site.

Examples: 
      !listen 8889 
      !listen 4443 secure.example.com 