li0nsar3c00l Posted January 26, 2016 I'm trying to sniff all traffic coming from my Android phone (rooted), especially HTTPS, but I haven't found a way yet. I assume the APK I'm primarily interested in uses certificate pinning. Can anyone recommend a solution or provide some tips? Thanks in advance.
Zulu Posted January 26, 2016 Hey, have you tried Burp Proxy? This is considered the most reliable solution. (Pro Version is out there somewhere) https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp It's also possible to bypass certificate pinning using "TrustKiller" or "SSLUnpinning": https://github.com/iSECPartners/Android-SSL-TrustKiller https://github.com/ac-pm/SSLUnpinning_Xposed Or you could decompile the specific app and patch the certificate pinning function in it, sign it and upload it to your device. (Not recommended :-) )
hotpockets Posted January 27, 2016 I use Burp Proxy, it's very very easy and quick to set up. Takes less than 5 minutes. I use it for iPhone and Android.
crystalboy Posted January 27, 2016 You can test these APKs. I made something similar in the past and use it: http://www.appbrain.com/app/shark-for-root/lv.n3o.shark http://www.kismetwireless.net/android-pcap/ There are a lot of alternative sniffer apps if you want to do it directly on your smartphone, or set up your PC as a wireless access point, then run Wireshark on the PC. Here for example: http://lifehacker.com/5369381/turn-your-windows-7-pc-into-a-wireless-hotspot Hope it helps.
li0nsar3c00l (Author) Posted January 27, 2016 (edited) 22 hours ago, Zulu said: Hey, have you tried Burp Proxy? This is considered the most reliable solution. (Pro Version is out there somewhere) https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp It's also possible to bypass certificate pinning using "TrustKiller" or "SSLUnpinning": https://github.com/iSECPartners/Android-SSL-TrustKiller https://github.com/ac-pm/SSLUnpinning_Xposed Or you could decompile the specific app and patch the certificate pinning function in it, sign it and upload it to your device. (Not recommended :-) ) I tried Burp Suite, however I'm not able to see any app traffic even though I installed the cert. Probably due to the fact that the WiFi proxy only works for the browser, so I tried to redirect the traffic using ProxyDroid, but not successfully. On HTTP it just goes through; with HTTPS mode it doesn't connect. I assume because of the untrusted cert. Was that correct so far? Now I only need to find a way to install Xposed on my SM-G900F, any tips for deodexing a stock ROM without wiping any data? Edited January 27, 2016 by li0nsar3c00l
Emper0rEyeZ Posted February 27, 2016 Currently I use Fiddler2 and it works perfectly. Ref: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForAndroid
li0nsar3c00l (Author) Posted February 27, 2016 The problem occurred due to certificate pinning. In general Fiddler or Burp works fine.
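Why installing the proxy's CA on the device does not help once an app pins its server key: an added example (not code from any poster) that applies the pin check of an Android network_security_config.xml to the server's SubjectPublicKeyInfo, the way Android evaluates a pin-set on top of ordinary chain validation. The config, the SPKI byte strings and the hostnames are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
SERVER_SPKI = b"constructed-spki-der-of-the-real-api-server"
PROXY_SPKI = b"constructed-spki-der-of-the-interception-proxy-leaf"
PROXY_CA_SPKI = b"constructed-spki-der-of-the-user-installed-proxy-ca"


def spki_pin(spki_der: bytes) -> str:
    """Android / HPKP pin format: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed config in Android's network_security_config.xml format: the app
# trusts user-installed CAs (so the proxy CA chain itself validates), but pins
# api.example.com and its subdomains to the real server key.
CONFIG_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set>
            <pin digest="SHA-256">{spki_pin(SERVER_SPKI)}</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </domain-config>
</network-security-config>"""


def pins_for_host(config_xml: str, host: str) -> set:
    """SHA-256 pins that apply to host; an empty set means the host is not pinned."""
    root = ET.fromstring(config_xml)
    for dc in root.findall("domain-config"):
        for dom in dc.findall("domain"):
            name = dom.text.strip().lower()
            subdomains = dom.get("includeSubdomains", "false") == "true"
            if host == name or (subdomains and host.endswith("." + name)):
                return {p.text.strip() for p in dc.findall("pin-set/pin")
                        if p.get("digest") == "SHA-256"}
    return set()


def connection_allowed(config_xml: str, host: str, chain_spkis: list) -> bool:
    """Assumes chain validation against the trust anchors already passed (it does
    for a user-installed proxy CA). Like Android, a pin may match any key in the
    chain; with no pin-set for the host, the trust anchors alone decide."""
    pins = pins_for_host(config_xml, host)
    if not pins:
        return True
    return any(spki_pin(spki) in pins for spki in chain_spkis)
```

The proxy's chain validates (its CA is a user anchor) yet fails the pin check, which is exactly the "untrusted cert" symptom described above; an unpinned host on the same device is intercepted normally.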
hotpockets Posted June 23, 2016 You can disable certificate pinning if your phone is rooted. I believe it was called SSL Trust Killer.
Nemo Posted June 23, 2016 (edited) If it is something you are trying to intercept on an Android phone, you could try and run an emulator in a virtual machine and intercept from outside it, maybe? MEmu is a nice emulator, although there are more... then run Wireshark on the host of the virtual machine... (or debug what's going through the emulator... it has to be decrypted / encrypted somewhere) Edited June 23, 2016 by Nemo
Extreme Coders Posted June 23, 2016 Exactly as Nemo suggested, using an emulator for intercepting SSL traffic may prove helpful. I have had success by installing the Burp cert in the root CA store within the emulator. For intercepting traffic some tutorials suggest setting a manual proxy. This may not work as not all apps respect the proxy settings. A better option is to use the -http-proxy command line arg while launching the emulator. For instance, if Burp is running on port 8080, you can use the following command: emulator -avd <avd name> -http-proxy 127.0.0.1:8080 Additionally, in newer versions of Android (Lollipop and above) you can use a reverse proxy. To intercept SSL traffic on port 443 you can do: adb reverse tcp:443 tcp:8080 Lastly, since SSL works in a different way compared to normal HTTP traffic, you may only see the IP addresses and not the hostnames in your interception proxy. This is particularly true in older versions of Burp. To work around this problem you can rewrite the DNS requests before they reach Burp. A tutorial on this method is available on this blog post.
JeRRy Posted June 30, 2016 For real-time capturing from real devices use rpcapd on a Tomato based router. http://www.linksysinfo.org/index.php?threads/using-wireshark-with-tomato.34269/
Alain Posted August 17, 2016 (edited) If you use a Mac, you might want to have a look at Debookee for network traffic analysis of your devices (it does not decrypt HTTPS yet, but this might be supported later). If you want to view all HTTP/HTTPS traffic and modify any data sent/received, I can recommend Charles Web Debugging Proxy. Edited August 17, 2016 by Alain