Jump to content
Tuts 4 You

Traffic Sniffing


li0nsar3c00l

Recommended Posts

I'm trying to sniff all traffic coming from my android phone (rooted), especially https, but I haven't found a way yet.

I assume the apk I'm primarily interested in, uses certificate pinning.

Can anyone recommend me a solution or provide some tipps?

thanks in advanced

Link to comment

Hey,

 

have you tried Burp Proxy? This is considered the most reliable solution. (Pro Version is out there somewhere)

https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp

It's also possible to bypass certificate pinning using "TrustKiller" or "SSLUnpinning"
https://github.com/iSECPartners/Android-SSL-TrustKiller

https://github.com/ac-pm/SSLUnpinning_Xposed

 

Or you could decompile the specific App and patch the certificate pinning function in it, sign it and upload it to your device. (Not recommended :-) )

Link to comment

You can test these APK. I made something similar in the past and use it:

http://www.appbrain.com/app/shark-for-root/lv.n3o.shark

http://www.kismetwireless.net/android-pcap/

The are a lot of alternatives sniffer apps if you want to do it directly on your smartphone or set up your PC as a wireless access point, then run wireshark on the PC.
Here for example: http://lifehacker.com/5369381/turn-your-windows-7-pc-into-a-wireless-hotspot

Hope it helps. ;)

Link to comment
22 hours ago, Zulu said:

Hey,

 

have you tried Burp Proxy? This is considered the most reliable solution. (Pro Version is out there somewhere)

https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp

It's also possible to bypass certificate pinning using "TrustKiller" or "SSLUnpinning"
https://github.com/iSECPartners/Android-SSL-TrustKiller

https://github.com/ac-pm/SSLUnpinning_Xposed

 

Or you could decompile the specific App and patch the certificate pinning function in it, sign it and upload it to your device. (Not recommended :-) )

i tried burp suite, however i'm not able to see any app traffic besies i installed the cert. propably due to the fact, that the wifi proxy only works for the browser

so i tried to redirect the traffic using proxydroid, but not succesfull. on http it just goes through, with https mode it doesnt connect. i assume because of the untrusted cert. was that correct so far?

now i only need to find a way to install xposed on my sm-g900f, any tipps for deodexing a stock rom without wiping any data?

Edited by li0nsar3c00l
Link to comment
  • 5 weeks later...
  • 3 months later...

If it is something you are trying to intercept on an android phone, you could try and run an emulator in a virtual machine and intercept from outside it maybe? Memu is a nice emulator although there is more.. then run wireshark on the host of the virtual machine.. ( or debug what's going through the emulator.. has to be decrypted / encrypted somewhere ;) )

Edited by Nemo
Link to comment
Extreme Coders

Exactly as Nemo suggested, using an emulator for intercepting ssl traffic may prove helpful.

I have had success by installing the burp cert in the root ca store within emulator.
For intercepting traffic some tutorials suggests to set a manual proxy. This may not work as not all apps respect the proxy settings.

A better option is to use the -http-proxy command  line arg while launching the emulator.
For instance if burp is running on port 8080, you can use the following command.

emulator -avd <avd name> -http-proxy 127.0.0.1:8080

Additionally, in newer versions of android (lollipop and above) you can use a reverse proxy.
To intercept ssl traffic on port 443 you can do,

adb reverse tcp:443 tcp:8080

Lastly since SSL works in a different way compared to normal HTTP traffic you may only see the ip addresses and not the hostnames in your interception proxy.
This is particularly true in older versions of burp.

To workaround this problem you can rewrite the DNS requests before it reaches burp. A tutorial on this method is available on this blog post.

Link to comment
  • 3 weeks later...
  • 1 month later...

If you use a Mac, you might want to have a look at Debookee for network traffic analysis of your devices (it does not decrypt HTTPS yet, but this might be supported later).

If you want to view all HTTP/HTTPS traffic and modify any data sent/received, I can recommend Charles Web Debugging Proxy.

Edited by Alain
  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...