Packet capture, anti-capture, and anti-anti-capture

Preface

I first came across packet capture while I was still at school. At the time I wrote a beginner's article on Tieba that misled other beginners (no. I had not yet got into reverse engineering, so I had little interest in capturing packets; in hindsight I was simply too young and ignorant. Only later did I realise that it is a basic skill every security engineer must master, and when I interview candidates for security positions I ask about packet capture. Packet capture is a way to observe how data packets are sent and received. There are many ways to do it: you can hook functions at the software layer to view the data being sent or received, or use third-party tools such as Wireshark, tcpdump, Fiddler and Charles. This article shows how to capture an Android app's traffic with Charles and how to force an app that refuses to use the proxy to go through it anyway.

Tool preparation

Steps

After installing Charles, open it and select the menu Proxy -> SSL Proxying Settings.

Under the SSL Proxying tab, check Enable SSL Proxying and then click Add.

Add a rule with Host * and Port 443, as shown in the figure:

Click OK.

Click Help -> SSL Proxying -> Save Charles Root Certificate... to export the root certificate, and save it as charles.pem.

Add the downloaded OpenSSL to the PATH environment variable.

Go to the certificate export directory, open the command line, and execute the following command:

openssl x509 -subject_hash_old -in charles.pem

Rename charles.pem according to the hash printed by that command, here b6a3624b.0. Note that the file suffix is 0 (Android's system CA store looks up certificates by this subject-hash file name).

Then remount the phone's system partition as writable (this requires a rooted device or a userdebug/eng build):

adb root
adb remount

Push the renamed file into the /system/etc/security/cacerts directory. This is the system CA store; since Android 7 apps do not trust user-installed CAs by default, which is why the certificate goes here rather than into the user store:

adb push b6a3624b.0 /system/etc/security/cacerts

Go back to Charles and select Proxy -> Proxy Settings.

Set a port and click OK.

On the phone's WIFI settings page, configure a proxy for the connected WIFI network and point it at Charles: enter the computer's host name or IP address as the proxy server host name and the port set in Charles as the proxy server port, then tap Save.

From now on the phone's HTTPS traffic is routed through Charles and decrypted successfully.
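The rename step above depends on what openssl x509 -subject_hash_old actually computes: the MD5 of the DER-encoded subject name, with the first four bytes read as a little-endian 32-bit word. The following Python script is an added example, not part of the original post or of Charles; it reproduces that hash from a PEM file so the cacerts file name can be checked without OpenSSL on the path. The certificate it builds is a constructed, unsigned stand-in, not the real Charles certificate.

```python
import base64
import hashlib

def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and base64-decode the certificate body."""
    body = [ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (real certificates need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_subject(cert_der: bytes) -> bytes:
    """Return the DER-encoded subject Name: exactly the bytes OpenSSL hashes."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)          # subject Name SEQUENCE
    return cert_der[pos:end]

def subject_hash_old(name_der: bytes) -> str:
    """openssl x509 -subject_hash_old: first 4 bytes of MD5(DER name), little-endian."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

def cacerts_filename(pem_text: str) -> str:
    """File name the certificate must carry in /system/etc/security/cacerts: <hash>.0"""
    return subject_hash_old(extract_subject(pem_to_der(pem_text))) + ".0"

def _der(tag: int, payload: bytes) -> bytes:
    """Short-form DER encoder (payload < 128 bytes), only for the constructed sample below."""
    return bytes([tag, len(payload)]) + payload

# Constructed sample, not a real Charles certificate: unsigned, self-issued, CN=Example Test CA.
SAMPLE_SUBJECT_DER = _der(0x30, _der(0x31, _der(0x30,
    _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"Example Test CA"))))

def build_sample_cert() -> str:
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + SAMPLE_SUBJECT_DER + _der(0x30, b"") + SAMPLE_SUBJECT_DER + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64
```

Running cacerts_filename(open("charles.pem").read()) on the exported file should print the same name the openssl command gives; if the two differ, the wrong file (or a user-store name computed with the newer -subject_hash) was pushed.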

Of course, things do not always go this smoothly. When we capture packets, others find ways to stop us. If we know that an application clearly makes HTTP requests but nothing shows up in the capture tool, the application has most likely been written so that its requests bypass the proxy. The common code for this looks as follows:

  1. URLConnection class
    import java.io.ByteArrayOutputStream;
    import java.io.Closeable;
    import java.io.InputStream;
    import java.net.HttpURLConnection;
    import java.net.Proxy;
    import java.net.URL;

    public static String get(String urlStr) {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        InputStream inputStream = null;
        try {
            URL url = new URL(urlStr);
            // Proxy.NO_PROXY makes this connection ignore the system proxy settings
            HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection(Proxy.NO_PROXY);
            httpURLConnection.setRequestMethod("GET");
            inputStream = httpURLConnection.getInputStream();
            if (httpURLConnection.getResponseCode() == 200) {
                byte[] buf = new byte[1024];
                int len;
                while ((len = inputStream.read(buf)) != -1) {
                    byteArrayOutputStream.write(buf, 0, len);
                }
            }
        } catch (Exception e) {
            return e.toString();
        } finally {
            close(inputStream);
            close(byteArrayOutputStream);
        }
        return byteArrayOutputStream.toString();
    }

    // Helper used above: close quietly, tolerating a null stream
    private static void close(Closeable c) {
        if (c == null) return;
        try {
            c.close();
        } catch (Exception ignored) {
        }
    }

Note openConnection(Proxy.NO_PROXY) above: that is where the request is told not to go through the proxy.

  2. OkHttp library
    import java.io.IOException;
    import java.net.Proxy;
    import java.net.ProxySelector;
    import java.net.SocketAddress;
    import java.net.URI;
    import java.util.List;
    import okhttp3.OkHttpClient;
    import okhttp3.Request;
    import okhttp3.Response;

    public static String get(String url) {
        OkHttpClient.Builder client = new OkHttpClient.Builder();
        // Mode 1: a fixed Proxy.NO_PROXY overrides the system proxy
        // client.proxy(Proxy.NO_PROXY);
        // Mode 2: a ProxySelector that never offers a proxy; OkHttp treats a
        // null or empty result as Proxy.NO_PROXY
        ProxySelector proxySelector = new ProxySelector() {
            @Override
            public List<Proxy> select(URI uri) {
                return null;
            }

            @Override
            public void connectFailed(URI uri, SocketAddress sa, IOException ioe) {
                // nothing to do: no proxy was ever offered
            }
        };
        client.proxySelector(proxySelector);
        Request request = new Request.Builder()
                .url(url)
                .build();

        try (Response response = client.build().newCall(request).execute()) {
            return response.body().string();
        } catch (Exception e) {
            return e.toString();
        }
    }

Likewise, the lines marked by the comments above are where the request is configured not to go through the proxy.

For these cases we can hook the corresponding methods and force the HTTP requests back through the proxy. Here Frida is used for the hook; the script is as follows:

if (Java.available) {
	Java.perform(function () {
		// java.net.URL: redirect openConnection(Proxy) to the no-argument overload,
		// which honours the system proxy settings (the WIFI proxy pointing at Charles)
		var URL = Java.use("java.net.URL")
		var openConnectionWithProxy = URL.openConnection.overload("java.net.Proxy")
		var openConnectionDefault = URL.openConnection.overload()
		openConnectionWithProxy.implementation = function (proxy) {
			console.log("openConnection() proxy = " + proxy)
			return openConnectionDefault.call(this)
		}

		// okhttp3.OkHttpClient$Builder: ignore proxy()/proxySelector() so the builder
		// keeps its defaults. Both methods return the Builder for chaining, so the hook
		// must return `this` rather than null, or a chained .build() would crash.
		var OkHttpClientBuilder = Java.use("okhttp3.OkHttpClient$Builder")
		var proxy = OkHttpClientBuilder.proxy.overload("java.net.Proxy")
		proxy.implementation = function (p) {
			console.log("proxy() proxy = " + p)
			return this
		}

		var proxySelector = OkHttpClientBuilder.proxySelector.overload("java.net.ProxySelector")
		proxySelector.implementation = function (selector) {
			console.log("proxySelector() proxySelector = " + selector)
			return this
		}
	})
}

Tags: Android

Posted on Thu, 04 Nov 2021 09:36:00 -0400 by DjMikeWatt