Wireshark Android dump
Sniffing plaintext network traffic between apps and their backend APIs is an important step for pentesters to learn about how they interact. Of course, nowadays, most of these channels are secured using TLS, which provides encryption, integrity protection and authenticates one or both ends of the figurative tube. In many cases, the best method to overcome this limitation is man-in-the-middle (MITM), where a special program intercepts packets and acts as a server to the client and vice versa. For well-written applications, this doesn't work out-of-the-box, and how many steps must be taken to weaken the security of the testing environment for this attack to work depends on the circumstances. It started with adding MITM CA certificates to OS stores; recent operating systems require more and more obscure confirmations, and certificate pinning is gaining momentum. In this blog post, we'll introduce a method to simplify getting our hands on plaintext messages sent between apps running on our attacker-controlled devices and the API, and in the case of HTTPS, shoveling these requests and responses into Burp for further analysis, by combining existing tools and introducing a new plugin we developed. So our approach is less of a novel attack and more of an improvement on current techniques.

Join the PCAPdroid international community on Telegram or on Matrix. If you plan to use PCAPdroid to perform packet analysis, please check out the specific section of the manual.

PCAPdroid is a privacy-friendly app which lets you track and analyze the connections made by the other apps in your device. It also allows you to export a PCAP dump of the traffic, inspect HTTP, decrypt TLS traffic and much more. PCAPdroid simulates a VPN in order to capture the network traffic without root. All the data is processed locally on the device.

* Log and examine the connections made by user and system apps
* Extract the SNI, DNS query, HTTP URL and the remote IP address
* Inspect HTTP requests and replies thanks to the built-in decoders
* Inspect the full connections payload as hexdump/text
* Decrypt the HTTPS/TLS traffic and export the SSLKEYLOGFILE
* Dump the traffic to a PCAP file, download it from a browser, or stream it to a remote receiver for real time analysis (e.g.
* Create rules to filter out the good traffic and easily spot anomalies
* Identify the country and ASN of remote server via offline db lookups
* On rooted devices, capture the traffic while other VPN apps are running