Thursday, January 22, 2015

Intercept all HTTP + SSL Android traffic and bypass SSL Pinning

How to intercept all Android HTTP / HTTPS network traffic on Windows and bypass SSL Pinning


  1. Install ADB / Android SDK or use the AppUse VM
  2. Root the android device
  3. Install Android Cydia Substrate
  4. adb install com.saurik.substrate.apk
  5. Install Android SSL Trust Killer
  6. adb install Android-SSL-TrustKiller.apk
  7. Export Burp Root CA Certificate
  8. Push Burp Cert to the sdcard
  9. adb push PortSwiggerCA.cer /sdcard
  10. Install Burp Cert in the Android Trust Store
  11. Settings > Security > Install from device storage
  12. On Windows, create a Wireless hotspot sharing your Internet / external connection
    1. Create the hotspot: netsh wlan set hostednetwork mode=allow ssid=MyHotspot key=MyPassword keyUsage=persistent
    2. Start the hotspot: netsh wlan start hostednetwork
    3. Stop the hotspot: netsh wlan stop hostednetwork
  13. Enable Internet Connection Sharing on your external connection:
  14. Right click your connection's NIC, "Sharing" tab, check the box, select "MyHotspot". The external NIC icon should say "shared".
  15. Connect the Android device to the Wi-Fi hotspot using the key configured previously.
  16. Optional: If you prefer a static network configuration over DHCP, go to the Wi-Fi connection's advanced settings and note the IP address that was assigned. Switch to a static IP and set that IP manually. The gateway should be the IP address of the Windows "MyHotspot" interface. The DNS server should be your ISP's or corporate network's. Reconnect the Wi-Fi with the new network configuration.
  17. Try to ping the Android device's IP address from the Windows machine.
  18. Run Burp and make it listen on the Hotspot's interface IP address.
  19. You can configure this proxy in the Wireless connection advanced settings, but that would take effect only for proxy-aware apps such as the web browser. Preferably, and since your device is rooted, use an app such as ProxyDroid to make all the apps go through the proxy transparently. You should have Play Store working as well.
  20. Configure Burp's upstream proxy rules if needed.
  21. You should be able to intercept all HTTP/HTTPS traffic. If not, well, go back to step 1.
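An added check for the last step, not part of the original post: run it from any host with bash and adb (Git Bash on Windows, or the AppUse VM) as "bash check_device.sh run" to see which part of the chain is missing before starting over. It assumes a working "su" on the device, that user-installed CAs live under a cacerts-added directory (Android 4.x layout), and that ProxyDroid redirects traffic with iptables NAT rules (it relies on redsocks).

```shell
#!/usr/bin/env bash
# Added check for the last step, not part of the original post: ask the rooted
# device, over adb, which pieces of the interception chain are in place.
# Assumptions: adb on PATH, a working "su", user-installed CAs stored under
# cacerts-added (Android 4.x layout), and ProxyDroid redirecting traffic with
# iptables NAT rules (it relies on redsocks).

adb_su() { adb shell "su -c '$*'" 2>/dev/null | tr -d '\r'; }

# Pure text checks (so they can be tested without a device attached).
# True when the NAT OUTPUT chain contains a REDIRECT rule for TCP port 443.
has_tls_redirect() {
    printf '%s\n' "$1" | grep 'REDIRECT' | grep -q 'dpt:443'
}

# Number of user-installed CA files ("<hash>.0") in a directory listing.
user_ca_count() {
    printf '%s\n' "$1" | grep -c '\.0$' || true
}

main() {
    echo "[*] root"
    adb_su id | grep -q 'uid=0' || { echo "    no root shell: redo step 2"; return 1; }

    echo "[*] Burp CA in the user trust store"
    n=$(user_ca_count "$(adb_su ls /data/misc/user/0/cacerts-added /data/misc/keychain/cacerts-added)")
    [ "$n" -gt 0 ] && echo "    $n user CA(s) installed" \
                   || echo "    none: redo steps 10-11"

    echo "[*] transparent proxying (ProxyDroid)"
    if has_tls_redirect "$(adb_su iptables -t nat -L OUTPUT -n)"; then
        echo "    port 443 is redirected to the local proxy"
    else
        echo "    no REDIRECT for 443: only proxy-aware apps will reach Burp (step 19)"
    fi

    echo "[*] pinning bypass hooks"
    adb shell pm list packages 2>/dev/null | tr -d '\r' | grep -q 'com.saurik.substrate' \
        && echo "    Cydia Substrate installed" || echo "    Cydia Substrate missing: redo steps 3-4"
}

case "${1:-}" in run) main ;; esac
```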

Thursday, January 8, 2015

Setup a Bittorrent download/seed box on Android

I used to run XBMC (now named Kodi) on a Raspberry Pi, which worked great, but it lacked a bit of power. Also, the Linux versions of Kodi are usually not updated as much as the Windows or Android versions.

Definitely being an Android person, I decided to get myself a nice Android TV box for Christmas. After rooting it, installing all the media-center stuff and connecting a nice big external USB hard drive for media storage, the next step was finding a way to install a Bittorrent client.

As it turns out there are quite a lot of choices from the Google Play Store. But nothing matched what I needed:
  • A bittorrent client that runs as a daemon all the time;
  • Must support scheduling to download only at night;
  • Must have a directory watching feature;
  • Must be manageable remotely via Web UI.

I tried different ones with no luck. After some research I came across an acceptable solution: installing a bootstrapped version of Ubuntu Precise on top of the Android OS. There is an elegant solution with video tutorials for that here.

The installation is pretty straightforward; you should be done in less than 15 minutes. Just watch the video tutorials first.

I chose a 2GB disk image with a Precise installation. When it finishes installing the base packages, type the following commands from your Android prompt (you can use ConnectBot or Terminal Emulator for this).

- Jump into the Ubuntu chrooted environment:
deb

- Update the packages list and upgrade them to the latest version
apt-get update -y && apt-get upgrade -y

- Install Andromize (a package designed to further adapt your installation to the Android environment)
apt-get install andromize

- Clean the APT cache
apt-get clean

- Create a new user
adduser jeremy

- Create a password
passwd jeremy

- Add the user to the sudo group
adduser jeremy sudo

- Install SSH Server
apt-get install openssh-server

You may optionally want to change the SSH listen port in /etc/ssh/sshd_config.

At this point your base system is set up. You can log out of the Ubuntu shell to drop back to the Android shell, and see the options of the "deb" command with "deb h":

root@NEO-X8H-PLUS:/sdcard # deb h
Script to integrate Debian binaries on an Android phone

Without options: start a root bash shell
bootdeb ?: help, display this help text
bootdeb u: umount, remove symlinks and unmount Debian disk
bootdeb k: kill, kill (-KILL) programs, then unmount Debian disk
bootdeb r: reboot, mount Debian readonly and reboot (last resort)
bootdeb c: clean, clean symlinks to Android root from Debian disk
bootdeb s: sshd, start the openssh server
bootdeb S: sshd-stop, stop the openssh server
bootdeb x: xrdp, start the xrdp server
bootdeb X: xrdp-stop, stop the xrdp server

To unmount the Ubuntu image, use "deb u". For now, you can just run the SSH server using "deb s" and then connect to it, either locally with ConnectBot or remotely with any SSH client.

Now for the Bittorrent installation part. I chose the Deluge client as it is actively maintained and developed, and it matches all the criteria I needed.

- Install the following package to get "add-apt-repository" on your Ubuntu installation
sudo apt-get install python-software-properties

Note: In some situations, you may need to install the package "software-properties-common" instead.

- Add the Deluge PPA to your installation, and install the Deluge daemon and WebUI Server (refer to this page for more details):
sudo add-apt-repository ppa:deluge-team/ppa
sudo apt-get update
sudo apt-get install deluged deluge-web

Run the daemon and the WebUI Server:
deluged
deluge-web &

All done! You should now be able to point your browser to http://android.ip.address:8112/. The default password for the WebUI is "deluge". Then take some time to adjust settings such as the download paths, bandwidth limits and schedules.
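An added helper for the box, not from the original post or the Deluge project: run it inside the chroot as the unprivileged user ("deb", then "su - jeremy", then "bash deluge-box.sh run") to start both services only if they are not already running, and to warn while the WebUI still accepts the default "deluge" password. It assumes Deluge 1.3 from the PPA, whose web.conf lives under ~/.config/deluge and stores the WebUI password as sha1(salt + password).

```shell
#!/usr/bin/env bash
# Added helper for the Deluge box, not from the original post or the Deluge
# project. Run inside the Ubuntu chroot as the unprivileged user.
# Assumptions: Deluge 1.3 from the PPA, whose web.conf lives under
# ~/.config/deluge and stores the WebUI password as sha1(salt + password).
WEB_CONF="${WEB_CONF:-$HOME/.config/deluge/web.conf}"

# Pull one hex string value ("pwd_salt" or "pwd_sha1") out of web.conf.
conf_value() {  # conf_value FILE KEY
    sed -n "s/.*\"$2\": *\"\([0-9a-fA-F]*\)\".*/\1/p" "$1" | head -n 1
}

# Deluge 1.3 checks sha1(salt || password); true if the stored hash still
# matches the shipped default password "deluge".
is_default_password() {  # is_default_password SALT SHA1
    [ "$(printf '%s%s' "$1" deluge | sha1sum | cut -d' ' -f1)" = "$2" ]
}

# web.conf only exists once deluge-web has run at least once.
webconf_uses_default_password() {  # webconf_uses_default_password FILE
    [ -r "$1" ] || return 1
    is_default_password "$(conf_value "$1" pwd_salt)" "$(conf_value "$1" pwd_sha1)"
}

# Start a service only if no process with that script name is running
# (the processes are python interpreters, so match the command line).
start_once() {  # start_once NAME CMD...
    name=$1; shift
    if pgrep -f "(^|/)$name( |\$)" >/dev/null; then
        echo "[=] $name already running"
    else
        echo "[+] starting $name"; "$@"
    fi
}

main() {
    start_once deluged deluged
    start_once deluge-web deluge-web --fork
    if webconf_uses_default_password "$WEB_CONF"; then
        echo "[!] WebUI on :8112 still accepts the default password; change it in Preferences"
    fi
}

case "${1:-}" in run) main ;; esac
```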

For a more seamless experience, you can make Kodi periodically scan your download folder to have movies added to the library automatically!

Note: When you run certain commands from within your Linux installation, you may see errors such as "passwd: u:r:init:s0 is not authorized to change the password of [...]". In this case, you need to temporarily disable SELinux by running the command below from the Android shell:
setenforce 0