Afterwards, I installed the app on my old rooted Nexus 5 and connected to the hotspot. To check that everything was working properly, I ran Wireshark on my computer and saw the packets that the application was sending.

Next I had to redirect these packets to my mitm-proxy. This can be accomplished by using iptables:

sudo iptables -t nat -I PREROUTING 1 -i wlx00e100884785 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 192.168.0.109:8081

wlx00e100884785 is the name of the hotspot interface and 192.168.0.109 is the IP address of my computer's ethernet interface. We also need to prohibit UDP traffic on port 443:

sudo iptables -I FORWARD 1 -p udp -i wlx00e100884785 --dport 443 -j REJECT

Blocking UDP will force the application to use TCP instead of QUIC.

After that, it was necessary to bring up the mitm-proxy itself. In the beginning, I used BurpSuite CE in invisible proxy mode. Later I had to give it up, because for some unknown reason Instagram was unstable through it. Some requests went through, and some did not. mitmproxy can be run with the command:

docker run --rm -it -v ~/.mitmproxy:/home/mitmproxy/.mitmproxy --network host mitmproxy/mitmproxy mitmproxy --mode transparent --showhost --set listen_port=8081 --set console_focus_follow=true

In addition, you need to add the mitmproxy certificate to the trusted certificates on the device itself. Now, to make sure that everything works, you can open any HTTPS site through the browser on your phone and the proxy will display these requests.

If the browser's requests show up in the proxy but the application's do not, this means that the application can have its own certificate store (like the Firefox browser, for example) and not use the system one. Alternatively, the application has a list of certificates which can be trusted. This is a technique known as certificate pinning. Check the Internet about the pros and cons of using certificate pinning in your applications. So, we know that Instagram somehow verifies the certificate of the host it connects to.

I thought that after a failed certificate verification the connection should be closed, which means that the close system call should be called. So how do we find that place? We can try to intercept close in libc and see where it is called from. To find the code that calls close, we need to intercept the close call and look at the stack. But my phone has a Qualcomm Snapdragon 800 MSM897 ARM processor, which means that the return address from close is not on the stack but in the LR register.

So how to intercept a close call? In my opinion, the easiest way to do this is to use the frida toolkit. To do that you need to run frida-server on the phone, and then you can interact with it via its JavaScript API. We will use the frida-trace utility to intercept the close call:

frida-trace -H 10.42.0.89:12345 -f <app package> -i close

10.42.0.89:12345 is the address of the frida-server running on the phone, and <app package> is the package name of the application to spawn (the command as posted had lost it).
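The same interception written out as a Frida script, as an added example that is not the post's own code: it hooks close in libc, takes the return address from LR (falling back to Frida's portable this.returnAddress), and walks the backtrace past the library frames to the first application frame. The list of "plumbing" modules, the frame format and the script file name are assumptions.

```javascript
// Added example (not from the post): a Frida script that hooks close() in libc
// and reports which code called it. Load it against the phone's frida-server:
//   frida -H 10.42.0.89:12345 -f <app package> -l find_close_caller.js
// <app package> is a placeholder; the post does not name the package.

// Assumed "plumbing" modules: a close() coming straight from these is not the
// interesting code, so we walk the backtrace until we leave them.
const PLUMBING = ['libc.so', 'libssl.so', 'libcrypto.so'];

// Pure helper, usable without Frida: frames are strings "module!symbol";
// returns the first frame outside PLUMBING, or null if there is none.
function firstAppFrame(frames) {
  for (const frame of frames) {
    const bang = frame.indexOf('!');
    const mod = bang === -1 ? '' : frame.slice(0, bang);
    if (!PLUMBING.includes(mod)) return frame;
  }
  return null;
}

// Frida-only part, guarded so plain Node can still load the helper above.
if (typeof Interceptor !== 'undefined') {
  const fmt = (sym) => (sym.moduleName || '?') + '!' + (sym.name || sym.address.toString());
  const closeFn = Process.getModuleByName('libc.so').getExportByName('close');
  Interceptor.attach(closeFn, {
    onEnter(args) {
      // On ARM the return address is in LR at function entry, not on the stack;
      // Frida exposes it as this.context.lr and, portably, as this.returnAddress.
      const ret = this.context.lr !== undefined ? this.context.lr : this.returnAddress;
      const frames = Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map((a) => fmt(DebugSymbol.fromAddress(a)));
      console.log('close(fd=' + args[0].toInt32() + ') called from ' + fmt(DebugSymbol.fromAddress(ret)));
      const app = firstAppFrame(frames);
      if (app !== null) console.log('  first non-library frame: ' + app);
    },
  });
}
```

close is called for every file descriptor, not only sockets, so expect a lot of output; the first non-library frame is the one to look at when a request has just failed.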