Preface
I first came across packet capturing while I was still at school. At the time I wrote a beginner's post on a forum that probably misled other beginners (no. I had not touched reverse engineering yet, so packet capturing did not interest me; in the end I was simply young and ignorant. Only now have I come to see that it is a basic skill every security practitioner must master, and I ask about it whenever I interview candidates for security positions. Packet capture is a way of observing the packets a program sends and receives. There are many ways to do it: hook functions at the software layer and inspect the data as it is sent or received, or use third-party tools such as Wireshark, tcpdump, Fiddler and Charles. This article shows how to use Charles to capture the traffic of an Android app, and how to force the app's requests through the proxy when the app is written to avoid it.
Tool preparation
Steps
Open Charles after installing it and select the menu Proxy -> SSL Proxying Settings.
Under the SSL Proxying tab, check Enable SSL Proxying, then click Add.
Add a rule with Host * and Port 443, as shown in the figure:
Click OK.
Click Help -> SSL Proxying -> Save Charles Root Certificate... to export the root certificate, and save it as charles.pem.
Add the downloaded OpenSSL to your PATH environment variable.
Go to the directory where the certificate was exported, open a command line, and run:

```shell
openssl x509 -subject_hash_old -in charles.pem
```

Based on the output, rename charles.pem to b6a3624b.0. Note that the file extension is just 0.
Then remount the phone's system partition as writable:

```shell
adb root
adb remount
```

Push the renamed file into the /system/etc/security/cacerts directory:

```shell
adb push b6a3624b.0 /system/etc/security/cacerts
```
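As an added example that is not part of the original post, here is where the b6a3624b.0-style file name comes from: Android's system CA store looks certificates up by OpenSSL's old subject-name hash, the MD5 of the DER-encoded subject with its first four bytes read as a little-endian integer. The certificate below is a constructed skeleton for demonstration; for the real file, call cacert_filename_from_pem() on the contents of the exported charles.pem.

```python
import base64
import hashlib

def tlv(tag, body):
    """Encode one DER TLV; long-form length when the body is 128 bytes or more."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def read_tlv(data, pos):
    """Decode the TLV at data[pos]; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def subject_der_from_cert(cert_der):
    """Walk Certificate -> TBSCertificate and return the subject Name's raw DER."""
    _, cert_body, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = read_tlv(cert_body, 0)         # TBSCertificate ::= SEQUENCE { ... }
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0            # skip the optional [0] EXPLICIT version
    for _ in range(4):                         # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)             # subject; keep its own tag and length bytes
    return tbs[pos:end]

def subject_hash_old(subject_der):
    """openssl x509 -subject_hash_old: MD5 of the subject DER, first 4 bytes little-endian."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der).digest()[:4], "little")

def cacert_filename_from_pem(pem):
    """File name Android expects for this CA under /system/etc/security/cacerts."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return subject_hash_old(subject_der_from_cert(base64.b64decode(body))) + ".0"

# Constructed sample: a minimal self-signed certificate skeleton carrying only the
# fields needed to reach the subject (not a real Charles certificate).
SAMPLE_SUBJECT = tlv(0x30, tlv(0x31, tlv(0x30,
    tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Charles Proxy CA"))))  # CN=...
SAMPLE_TBS = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")           # v3, serial 1
              + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
              + SAMPLE_SUBJECT                                             # issuer
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
              + SAMPLE_SUBJECT)                                            # subject
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(tlv(0x30, tlv(0x30, SAMPLE_TBS))).decode()
              + "\n-----END CERTIFICATE-----\n")
```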
Go back to Charles and select Proxy -> Proxy Settings.
Set a port and press OK.
On the phone's WiFi settings page, configure a proxy for the connected WiFi network and point it at Charles: enter the computer's host name or IP address as the proxy host name, and the port set in Charles as the proxy port. Click Save when done.
From now on the phone's HTTPS traffic is routed to Charles and decrypted successfully.
Of course, things do not always go so smoothly. When we capture packets, others will find ways to stop us. If we know that the application clearly makes an HTTP request but nothing shows up in the capture tool, the application has most likely been written so that the request does not go through the proxy. The usual code for this looks as follows:
- URLConnection class

```java
// close(...) is the author's own null-safe close helper, not shown in the post.
public static String get(String urlStr) {
    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
    InputStream inputStream = null;
    try {
        URL url = new URL(urlStr);
        // Proxy.NO_PROXY forces a direct connection, ignoring the system/WiFi proxy
        HttpURLConnection httpURLConnection =
                (HttpURLConnection) url.openConnection(Proxy.NO_PROXY);
        httpURLConnection.setRequestMethod("GET");
        inputStream = httpURLConnection.getInputStream();
        if (httpURLConnection.getResponseCode() == 200) {
            byte[] buf = new byte[1024];
            int len;
            while ((len = inputStream.read(buf)) != -1) {
                byteArrayOutputStream.write(buf, 0, len);
            }
        }
    } catch (Exception e) {
        return e.toString();
    } finally {
        close(inputStream);
        close(byteArrayOutputStream);
    }
    return byteArrayOutputStream.toString();
}
```

Note the openConnection(Proxy.NO_PROXY) above: this is what stops the request from going through the proxy.
- OkHttp library

```java
public static String get(String url) {
    OkHttpClient.Builder client = new OkHttpClient.Builder();
    // Mode 1: pin the client to a direct connection
    // client.proxy(Proxy.NO_PROXY);
    // Mode 2: install a ProxySelector that never returns a proxy;
    // OkHttp treats a null or empty list as Proxy.NO_PROXY
    ProxySelector proxySelector = new ProxySelector() {
        @Override
        public List<Proxy> select(URI uri) {
            return null;
        }

        @Override
        public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
        }
    };
    client.proxySelector(proxySelector);
    Request request = new Request.Builder()
            .url(url)
            .build();
    try (Response response = client.build().newCall(request).execute()) {
        return response.body().string();
    } catch (Exception e) {
        return e.toString();
    }
}
```

Likewise, the places marked in the comments above are where the request is configured not to go through the proxy.
For these cases we can hook the corresponding methods to force the HTTP requests through the proxy. Here Frida is used for the hooks; the script is as follows:

```javascript
if (Java.available) {
    Java.perform(function () {
        // URLConnection: redirect openConnection(Proxy) to the no-argument
        // overload so the system/WiFi proxy is honoured again
        var URL = Java.use("java.net.URL");
        var openConnectionWithProxy = URL.openConnection.overload("java.net.Proxy");
        var openConnectionDefault = URL.openConnection.overload();
        openConnectionWithProxy.implementation = function (proxy) {
            console.log("openConnection() proxy = " + proxy);
            return openConnectionDefault.call(this);
        };

        // OkHttp: make Builder.proxy() and Builder.proxySelector() no-ops. They
        // return the builder itself so chained calls such as
        // builder.proxy(...).build() keep working.
        var OkHttpClientBuilder = Java.use("okhttp3.OkHttpClient$Builder");
        var builderProxy = OkHttpClientBuilder.proxy.overload("java.net.Proxy");
        builderProxy.implementation = function (proxy) {
            console.log("proxy() proxy = " + proxy);
            return this;
        };
        var builderProxySelector =
            OkHttpClientBuilder.proxySelector.overload("java.net.ProxySelector");
        builderProxySelector.implementation = function (proxySelector) {
            console.log("proxySelector() proxySelector = " + proxySelector);
            return this;
        };
    });
}
```