yosra

Reputation: 1032

Sniffing SSL packets using Wireshark

I'd like to reverse engineer a decoder. So I am using an Android application to control the decoder and I want to sniff the flow of packets that the application emits to the decoder.

The packets are sent over SSL so they are all encrypted. Apart from Wireshark, I tried using mitmproxy and mitmdump but in vain.

Knowing that it is impossible for me to get the private key from my decoder, I am looking for a way to use a proxy (basically a man-in-the-middle) that will enable me to generate a new certificate so I can use its private key in Wireshark (instead of the one of my decoder) to decrypt my packets.

Is there any way I can do this? I would appreciate some help.

Upvotes: 2

Views: 5197

Answers (2)

CherryDT

Reputation: 29092

If you want to avoid changing the certificate (which won't work with many applications), you could try injecting code into the Android app to sniff and dump SSL traffic. Take a look at https://github.com/5alt/ssl_logger (5alt's fork works with Android). Note that you need root for this.

This works by hooking functions inside OpenSSL so that the raw traffic can be dumped before encryption/after decryption.

You have to install Frida Android server: https://www.frida.re/docs/android/

  • Connect phone with USB debugging on
  • Download frida-server for the right CPU architecture from https://github.com/frida/frida/releases
    • To know which CPU architecture your device is using (for getting the right download), you can run getprop ro.product.cpu.abi on the phone.
  • Push to /data/local/tmp of Android (as root), make executable (chmod 755).
  • Run /data/local/tmp/frida-server on the phone.
  • On your computer, install frida-tools using pip install --user frida-tools. (Must be Python2, not Python3!)
  • List processes to see if everything works, by running frida-ps -U on your computer with the phone connected
  • Forward Frida's ports: adb forward tcp:27042 tcp:27042; adb forward tcp:27043 tcp:27043
  • Get ssl_logger on your computer
  • Run python ssl_logger.py -pcap log.pcap -remote com.android.package.name on your computer. (Note that -remote is not explained in the readme, but it's necessary!)
    • You can add -verbose to see live traffic output.
    • Let it run until you are done, quit with Ctrl+C. You then have a file log.pcap which you can analyze in Wireshark.
    • Note: In case you are getting a JavaScript error, you have to edit ssl_logger.py and insert a line with var addresses, SSL_get_fd, SSL_get_session, SSL_SESSION_get_id, getpeername, getsockname; before the line with function initializeGlobals.

Tutorials for using Frida on Android: https://11x256.github.io/

Upvotes: 1
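To make the hooking approach from this answer concrete, here is an added example (not ssl_logger's code, and not something the answer above ships): a minimal Frida script that intercepts SSL_write before the library encrypts the buffer and SSL_read after it has decrypted it, tagging each chunk with the socket fd from SSL_get_fd. It assumes the target process links an OpenSSL/BoringSSL build that still exports those three symbols under their usual names, and the Frida 12-16 era API (Module.findExportByName with a null module name, NativePointer.readByteArray); apps that statically link BoringSSL strip the exports, and the script reports that instead of attaching. The formatting helper is kept free of Frida APIs so it can be checked on a constructed sample outside the injected process.

```javascript
'use strict';

// Added example (not ssl_logger's code): Frida hooks on SSL_write / SSL_read
// that dump plaintext before encryption and after decryption.
// Assumptions: the process exports SSL_read, SSL_write and SSL_get_fd
// (not the case for statically linked BoringSSL), Frida 12-16 era API.

// Pure formatting helper: turn a captured chunk into a loggable record.
// Kept free of Frida APIs so it can be tested outside the injected process.
function describeChunk(direction, fd, bytes) {
  let hex = '';
  let ascii = '';
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    hex += (b < 16 ? '0' : '') + b.toString(16);
    ascii += (b >= 0x20 && b <= 0x7e) ? String.fromCharCode(b) : '.';
  }
  return { direction, fd, length: bytes.length, hex, ascii };
}

// Resolve the exports and attach. Returns true when both hooks are installed.
function installHooks() {
  const sslRead = Module.findExportByName(null, 'SSL_read');
  const sslWrite = Module.findExportByName(null, 'SSL_write');
  const sslGetFd = Module.findExportByName(null, 'SSL_get_fd');
  if (sslRead === null || sslWrite === null) {
    console.log('SSL_read/SSL_write not exported; libssl is probably statically linked');
    return false;
  }
  // SSL_get_fd(SSL*) lets us tag each chunk with the socket it belongs to.
  const getFd = sslGetFd !== null
    ? new NativeFunction(sslGetFd, 'int', ['pointer'])
    : function () { return -1; };

  // int SSL_write(SSL *ssl, const void *buf, int num): the plaintext is
  // complete on entry, so dump it before the library encrypts it.
  Interceptor.attach(sslWrite, {
    onEnter(args) {
      const num = args[2].toInt32();
      if (num <= 0) return;
      const bytes = new Uint8Array(args[1].readByteArray(num));
      send(describeChunk('out', getFd(args[0]), bytes));
    }
  });

  // int SSL_read(SSL *ssl, void *buf, int num): buf is only filled on return,
  // and the return value is the number of decrypted bytes (<= 0 on error).
  Interceptor.attach(sslRead, {
    onEnter(args) {
      this.ssl = args[0];
      this.buf = args[1];
    },
    onLeave(retval) {
      const n = retval.toInt32();
      if (n <= 0) return;
      const bytes = new Uint8Array(this.buf.readByteArray(n));
      send(describeChunk('in', getFd(this.ssl), bytes));
    }
  });
  return true;
}

// Only attach when actually running inside Frida; under plain Node the
// formatting helper can still be exercised on a constructed sample.
if (typeof Interceptor !== 'undefined') {
  installHooks();
}
```

With frida-server running on the phone, the script is loaded into a freshly spawned app with `frida -U -f com.example.app -l ssl_hook.js` (the package name and file name are placeholders; older Frida versions also need `--no-pause` to resume the spawned process). Each `send()` record arrives on the host side as a message; writing those chunks into a pcap, as ssl_logger does, is the step this example leaves out.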

blue112

Reputation: 56592

You may want to look into Charles Proxy.

It allows you to send a fake certificate and to intercept SSL traffic.

It won't work if the Android application is using certificate pinning, though.

Upvotes: 2
