jrmdev / mitm_relay

Hackish way to intercept and modify non-HTTP protocols through Burp & others.

Cannot make it work on a private VM network

fkerem opened this issue · comments

Hi,

Thank you very much for your contributions.
In my case, I am running a client on my host machine (Mac Ventura) and an SMB server on my VM (Ubuntu 14.04).
The VM is configured to use the private network (interface: vmenet3) with the host.

Here are the IP addresses and the port numbers:

Server on my VM has the IP 192.168.139.130, and listens on port 445.
Client connects to the VM using the IP 192.168.139.1, and connects using the port 55419.

I would like to run the relay server on my host machine running the client.
Therefore, the relay's IP address will also be 192.168.139.1, but it will listen on 445 (the same port as the SMB server on my VM).

Here is my host configuration below.
I first enable IP forwarding, then forward the packets to the relay using pfctl.

sysctl -w net.inet.ip.forwarding=1
echo "rdr pass inet proto tcp from any to any port 445 -> 192.168.139.1 port 445" | sudo pfctl -ef -

Then, I run the script as below.
sudo python3 mitm_relay.py -l 192.168.139.1 -r 445:192.168.139.130:445

However, it does not capture any packets. Do you have any intuition why?
Any help is much appreciated,

commented

Hi,

My first guess is that because of your pfctl rule, and using the same port for the relay and for the destination, the packets relayed by mitm_relay are also caught by the rule and go back to itself instead of being forwarded to the destination.

A couple options that I can think of:

  • If possible for you, you may want to completely get rid of pfctl, and point your SMB client to 192.168.139.1:445 directly. It will be intercepted by the relay and forwarded to the destination.
  • If not possible, you could try to make the relay listen on another port, for example 5555, and change your pfctl rule to something like rdr pass inet proto tcp from any to 192.168.139.1 port 445 -> 192.168.139.1 port 5555

Hope this helps.

Thank you very much for your super quick response!

My server (destination) and relay have different IP addresses, although they use the same ports; would that still cause issues?

I will test it without pfctl first and let you know.

Unfortunately, it did not work either way.

When testing with pfctl, here is my rule:
echo "rdr pass inet proto tcp from any to 192.168.139.130 port 445 -> 192.168.139.1 port 4445" | sudo pfctl -ef -

The command you suggested was different but destination is actually 192.168.139.130, so I updated it that way.

commented

echo "rdr pass inet proto tcp from any to 192.168.139.130 port 445 -> 192.168.139.1 port 4445" | sudo pfctl -ef -

I suppose the issue remains the same then.

  • Packets go from your client to 192.168.139.130:445, are redirected by pfctl to 192.168.139.1:4445 (mitm_relay)
  • mitm_relay relays to 192.168.139.130:445, but since it's on the same host, will be caught again by pfctl

You basically need to tell pfctl to only redirect packets coming from the client, but not those coming from mitm_relay.

You could try to create an additional IP address on your host, make mitm_relay listen on it, and either point your SMB client to it or make pfctl redirect packets to it. Or you could run mitm_relay in a separate VM, which would solve the issue too.

Alternatively, if somehow you know which source port the client is using, you can filter on it in your pfctl "from" condition.
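To make the redirect loop described above concrete, here is an added Python model (not part of mitm_relay or of this thread) that follows one connection through a single pf rdr rule and reports whether it ever reaches the real server. The RdrRule class, trace_relay function and the extra host alias 192.168.139.2 are assumptions for illustration; the model matches on addresses and destination port only and ignores interfaces and source ports.

```python
from dataclasses import dataclass

# Hypothetical model of one pf "rdr" rule: a packet matching (src, dst, dport)
# is rewritten to (rdr_to, rdr_port). "any" matches every address.
@dataclass(frozen=True)
class RdrRule:
    src: str
    dst: str
    dport: int
    rdr_to: str
    rdr_port: int

    def matches(self, src, dst, dport):
        return ((self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and self.dport == dport)

def apply_rdr(rule, src, dst, dport):
    """Effective (addr, port) a packet from src to dst:dport is delivered to."""
    if rule.matches(src, dst, dport):
        return (rule.rdr_to, rule.rdr_port)
    return (dst, dport)

def trace_relay(rule, client_addr, relay, server, max_hops=4):
    """Follow a client connection to the server through the rdr rule.

    relay and server are (addr, port). mitm_relay, when it receives a
    connection, dials the server from its own listen address, so that
    outgoing connection is pushed through the same rule again.
    Returns (hops reached, whether the real server was reached).
    """
    hops = []
    src, (dst, dport) = client_addr, server
    for _ in range(max_hops):
        target = apply_rdr(rule, src, dst, dport)
        hops.append(target)
        if target == server:
            return hops, True
        if target != relay:
            break
        src, (dst, dport) = relay[0], server  # relay now dials the server
    return hops, False

# Constructed rules mirroring the thread: the "from any" rule catches the
# relay's own outgoing connection; restricting "from" to the client address
# and moving the relay to a separate alias lets the second hop pass.
LOOPING_RULE = RdrRule("any", "192.168.139.130", 445, "192.168.139.1", 4445)
FIXED_RULE = RdrRule("192.168.139.1", "192.168.139.130", 445, "192.168.139.2", 4445)
```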

Thank you so much for your help.
Based on your feedback, I stopped using the VM.
I created two aliases for the server (127.0.0.2) and the relay (127.0.0.3) using the loopback interface.
I also got rid of using pfctl, and made the client point to the relay directly.
This resulted in a successful run, really appreciate your support again and again!