0

I need to perform MITM attack on an app which doesn't use HttpURLConnection and OkHttp libraries for network connection.

Analysis :

  1. Configured burp on the devices, able to capture request of Chrome browser but not the test app.
  2. Wireshark is showing communication of test app is happening on TLS 1.2 only.
  3. Tried Network profiler of android studio but nothing shown.

What we should do if the network connection is done with curl which I am not very familiar with?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Chacha
  • 1
  • 3
  • Have you installed the burp certificate on the devices? If they are running Android N or above, however, you will need root access to install the cert to properly intercept HTTPS traffic. –  Jun 20 '19 at 13:26
  • As mentioned in the description, I am able to capture request of chrome ( installing burp cert on the nouget rooted device) but not my app. Can anything related to curl not work for burp? – Chacha Jun 20 '19 at 13:51
  • 2
    Curl is just a utility for grabbing web content. As is Wget. I'm not sure what the ask is here. Have you read this post? https://security.stackexchange.com/questions/153440/intercepting-android-app-traffic-with-burp –  Jun 20 '19 at 13:57
  • Thanks but I already read that. gimme some new ideas. – Chacha Jun 20 '19 at 15:07
  • The thing that the linked question suggests is to figure out how the app communicates. You performed a packet capture. Can you determine what protocol is used? – schroeder Jun 20 '19 at 17:18
  • Yeah I have gone through the above link as well as other mitm topics on security stack exchange, but couldn't succeded. Protocol is already mentioned in description, it's TLS 1.2 – Chacha Jun 20 '19 at 18:12
  • It sounds like your app is using cert pinning. I usually use a frida script to work around it, that works in most cases, but not always: https://techblog.mediaservice.net/2018/11/universal-android-ssl-pinning-bypass-2/ But your app could also use tunneling (ignore proxy settings), or using protocols other than http(s), which burp cannot intercept. – Martin Fürholz Jun 20 '19 at 20:03
  • Is it possible for app to communicate with server if SSL pinning is implemented ( burp is already configured as mitm)? It may be a possibility that it uses different tunnel.As Wireshark is showing protocol TLS 1.2 then it should be https only? – Chacha Jun 21 '19 at 03:30
  • If everything is set up correctly then the app should complain that it cannot connect to the servers, if the reason really is that it has SSL pinning implemented. – Martin Fürholz Jun 21 '19 at 03:36
  • @MartinFürholz , SSL pinning is not there as app is able to communicate to the server through bypassing the proxy. – Chacha Jun 21 '19 at 10:10

1 Answers1

1

If Wireshark reports that the device is making DNS requests, set up a MitM DNS server (or just modify the WiFi settings on the device to point to a custom DNS server) that points the target domain(s) to your Burp host. Alternatively, if you can, edit the HOSTS file on the device to bypass DNS and treat your IP as the target domain.

If the requests are being sent to a specific IP address without performing a DNS lookup (unlikely, but not impossible), you will instead need to convince the device that your computer with Burp has the IP address it's looking for, or simply route all traffic through your computer (which I'm guessing you're already doing, if you can see the device requests in Wireshark) and configure it to route traffic intended for the target IP to the local machine instead (on Linux this can be done with iptables, I believe).

Next, configure Burp to listed on port 443 (or whatever other port(s) the TLS traffic is sent to) in "Invisible" proxy mode. In this mode, Burp simply acts as a web server and uses the SNI to generate a suitable TLS certificate and to forward the request to the host (if you choose to do that).

However, note that this will not work if the app is both validating TLS certificates (which it should be, but a surprising number of apps - especially those that avoid the standard libraries - fail to do this or do it incorrectly, such as only checking the subject name and not the chain of trust) and using its own certificate store for the list of allowed CAs (instead of the operating system's cert store), or if the app is using certificate pinning. In either of those cases, you will need to modify the app itself. If you don't have the APK, you'll need a rooted device to do this; go to the app's install location and look for anything that looks like a certificate store, key store, or certificate file, and add / replace it with your Burp certificate. The app should then trust Burp and allow you to proxy the traffic. (It is possible that the app is using cert/key pinning and the pin is hardcoded; in that case you would need to extract and decompile the app binaries to replace the key or simply skip the TLS check, and at that point it might be easier to just analyze the decompiled app).

CBHacking
  • 40,303
  • 3
  • 74
  • 98