Thursday, January 22, 2015

Intercept all HTTP + SSL Android traffic and bypass SSL Pinning

How to intercept all Android HTTP / HTTPS network traffic on Windows and bypass SSL Pinning

  1.  Install ADB / Android SDK or use the AppUse VM
  2. Root the android device
  3. Install Android Cydia Substrate
  4. adb install com.saurik.substrate.apk
  5. Install Android SSL Trust Killer
  6. adb install Android-SSL-TrustKiller.apk
  7. Export Burp Root CA Certificate
  8. Push Burp Cert to the sdcard
  9. adb push PortSwiggerCA.cer /sdcard
  10. Install Burp Cert in the Android Trust Store
  11. Settings > Security > Install from device storage
  12. On Windows, create a Wireless hotspot sharing your Internet / external connection
    1. Create the hotspot:
    2. ​netsh wlan set hostednetwork mode=allow ssid=MyHotspot key=MyPassword keyUsage=persistent
    3. To start the hotspot
    4. netsh wlan start hostednetwork
    5. Or to stop the hotspot:
    6. netsh wlan stop hostednetwork
  13. Enabled Internet Connection Sharing with your external connection:
  14. Right click your connection's NIC, "Sharing" tab, check the box, select "MyHotspot". The external NIC icon should say "shared".
  15. Connect the Android to the wifi Hotspot using the key configured previously.
  16. Optional: If you prefer to use a static network configuration as opposed to DHCP, go to the Wifi connection advanced settings and look for the IP address attributed. Switch to a static IP and set this IP manually. The gateway should be the IP address of the Windows "MyHotspot" interface. The DNS Server should be your ISP's / corporate network one. Reconnect the Wifi with the new network configuration.
  17. Try to ping the Android device's IP address from the Windows.
  18. Run Burp and make it listen on the Hotspot's interface IP address.
  19. You can configure this proxy in the Wireless connection advanced settings, but that would take effect only for proxy-aware apps such as the web browser. Preferably, and since your device is rooted, use an app such as ProxyDroid to make all the apps go through the proxy transparently. You should have Play Store working as well.
  20. Configure your Burp's upstream proxies rules if needed.
  21. You should be able to intercept all HTTP/HTTPS traffic. If not, well, go back to step 1.

No comments:

Post a Comment