How to sniff HTTPS from Android app

Requirements

  1. A rooted Android device with ProxyDroid installed.
  2. A computer with Burp installed, on the same network as the device.

Let’s start

Launch Burp on your computer.

Proxy -> Options -> Proxy Listeners

Uncheck the currently running listener, then add a new Proxy Listener.

Choose:

  • Bind to port: 8080
  • Bind to address: All interfaces


Using the “Import / export CA certificate” button below the listener list, export Burp’s CA certificate in DER format.

Now change the file extension to .cer and push it to a folder the device’s file picker can browse. For example, with the device connected over USB and adb:

mv burpcert.der burpcert.cer
adb push burpcert.cer /sdcard/Download

While you’re there, take note of your computer’s IP address on the network the device uses (in this example I’ll use 192.168.1.69).

Device configuration

Settings -> Security -> Install certificates from storage

Select the pushed .cer certificate and give it a name.

You’ll be warned that your traffic may be monitored, which is exactly the point.

Install ProxyDroid.

Configure:

  • Host: your computer’s IP address
  • Port: 8080
  • Proxy Type: HTTP (not HTTPS: Burp’s listener is a plain HTTP proxy, and HTTPS connections are tunnelled through it with CONNECT)

Under Feature Settings, enable Individual Proxy so you can select only the app whose traffic you want to sniff.

Enable ProxyDroid and enjoy.

One caveat: this only works for apps that trust the user certificate store. Apps that pin their server certificate, or that target Android 7 (API 24) or later and keep the default network security configuration, ignore user-installed CAs and will simply fail the TLS handshake; for those the Burp CA has to be installed into the system store (root needed) or the pinning has to be patched out.

List victim’s visited websites

This is the easy and cheap way: you need a Linux box with Ettercap and Wireshark on the same LAN as the victim.

From command line type:

ettercap -T -Q -M arp:remote -i iface -w log.pcap /victimip/ /gatewayip/

What does that do?

-T text-only interface (plain printf output)

-Q  Super quiet mode

-M arp:remote perform a MITM attack using ARP poisoning. “remote” is optional: specify it when you want to sniff the victim’s traffic to remote IP addresses by poisoning the gateway. Without it, giving the victim and the gateway as TARGETS makes ettercap sniff only the connections between those two hosts.

-i iface force using the “iface” network interface

-w log.pcap write sniffed data to “log.pcap” file


Open Wireshark, load the .pcap file, then go to:

Statistics -> HTTP -> Load Distribution

In the display filter box type:

 http.host

Now look at “HTTP Requests by HTTP Host”.

This lists the hosts of every sniffed plaintext HTTP request, in both directions. HTTPS requests do not show up here: for those the hostname is visible only in the TLS ClientHello SNI extension and in the server certificate, not in an HTTP Host header.
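The same host list can be produced straight from the ettercap pcap without Wireshark. The following is an added example, not code from the original post: it walks a classic pcap (Ethernet link type), pulls the Host header out of plaintext HTTP requests, exactly what Load Distribution counts, and also reads the SNI name from TLS ClientHellos so HTTPS destinations are listed too. The capture bytes, addresses and hostnames are constructed in memory; nothing here is real traffic.

```python
"""Added example (not from the original post): list the hosts a captured client
talked to, from a pcap written by ettercap -w, without Wireshark. Plain HTTP
hosts come from the Host header (what Load Distribution counts); HTTPS hosts
come from the TLS ClientHello SNI, which Wireshark's HTTP statistics never show.
The capture bytes below are constructed in memory."""
import struct
from collections import Counter

ETH_IPV4 = 0x0800
IP_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def tcp_payloads(pcap):
    """Yield the TCP payload of every IPv4/TCP frame in a classic pcap (Ethernet link type)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24                                     # global header is 24 bytes
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from(">H", frame, 12)[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        if ip[9] != IP_TCP:
            continue
        ihl = (ip[0] & 0x0F) * 4
        tcp = ip[ihl:struct.unpack_from(">H", ip, 2)[0]]
        if len(tcp) < 20:
            continue
        yield tcp[(tcp[12] >> 4) * 4:]           # skip the TCP header (data offset)


def http_host(payload):
    """Host header of an HTTP/1.x request, or None."""
    if not payload.startswith(HTTP_METHODS):
        return None
    for line in payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def tls_sni(payload):
    """server_name from a TLS ClientHello, or None."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    i = 43                                       # past record/handshake headers, version, random
    i += 1 + payload[i]                          # session id
    i += 2 + struct.unpack_from(">H", payload, i)[0]   # cipher suites
    i += 1 + payload[i]                          # compression methods
    end = i + 2 + struct.unpack_from(">H", payload, i)[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack_from(">HH", payload, i)
        i += 4
        if etype == 0:                           # server_name: list len(2), type(1), len(2), name
            n = struct.unpack_from(">H", payload, i + 3)[0]
            return payload[i + 5:i + 5 + n].decode("ascii", "replace")
        i += elen
    return None


def host_distribution(pcap):
    """Counter of hostname -> requests/handshakes, like 'HTTP Requests by HTTP Host'."""
    hosts = Counter()
    for payload in tcp_payloads(pcap):
        name = http_host(payload) or tls_sni(payload)
        if name:
            hosts[name] += 1
    return hosts


# --- constructed capture (made-up addresses and names) ------------------------
def _frame(payload, sport, dport):
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 7])) + tcp
    eth = b"\x00" * 12 + struct.pack(">H", ETH_IPV4) + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth


def _client_hello(server_name):
    sni = struct.pack(">HBH", len(server_name) + 3, 0, len(server_name)) + server_name
    ext = struct.pack(">HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def build_sample_pcap():
    """Two plain-HTTP requests to example.org and one TLS handshake to secure.example.net."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (header
            + _frame(b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n", 40000, 80)
            + _frame(b"GET /a HTTP/1.1\r\nUser-Agent: x\r\nHost: example.org\r\n\r\n", 40001, 80)
            + _frame(_client_hello(b"secure.example.net"), 40002, 443))


if __name__ == "__main__":
    for host, n in host_distribution(build_sample_pcap()).most_common():
        print(f"{n:5d}  {host}")
```

To run it on a real capture, replace build_sample_pcap() with open("log.pcap", "rb").read(). Only whole requests at the start of a TCP payload are recognised, so a Host header split across segments or a pipelined second request in the same segment is missed; that is the same limitation an ettercap text dump has, and the reason the post points at a full reassembling tool next.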

But also take a look at Xplico, which reconstructs the application-layer content (pages, mails, images) from a pcap instead of just listing hosts.

Best computer and network security books

---
Dissecting_the_Hack_Revised_Edition-[Street-Nabors-Baskin-Carey]-(2010).pdf
Hacking_The_Art_of_Exploitation_2nd-[Erickson]-(2008).pdf
XSS_Attacks:_Cross_Site_Scripting_Exploits_and_Defense-[Fogie-Grossman-Hansen-Rager-Petkov]-(2007).pdf
The_Web_Application_Hacker's_Handbook_2nd-[Stuttard-Pinto]-(2011).pdf
Netcat_Power_Tools-[Kanclirz]-(2008).pdf
Metasploit_The_Penetration_Tester's_Guide-[Kennedy-O'Gorman-Kearns]-(2011).pdf
Introduction_to_Modern_Cryptography-[Katz-Lindell]-(2007).pdf
Hacking_Exposed_6th-[McClure-Scambray-Kurtz]-(2009).pdf
Cracking_Passwords_Guide_1.1-[Dravet]-(2010).pdf
The_Art_of_Intrusion-[Kevin_Mitnick]-(2005).pdf
Nmap_Cookbook_The_Fat_free_Guide_to_Network_Scanning-[Nicholas_Marsh]-(2010).pdf
Practical_Packet_Analysis_Using_Wireshark_To_Solve_Real_World_Network_Problems_2nd-[Chris_Sanders]-(2011).pdf
Penetration_Tester_Open_Source_Toolkit_3rd-[Jeremy_Faircloth]-(2011).pdf
SQL_Injection_Attacks_and_Defense-[Clarke]-(2009).pdf
---

http://www.multiupload.nl/YANT7ZE08W

Nmap scan (and someone else…) through proxy and proxy chaining

But nmap (and many other programs) has no, or only limited, proxy support of its own, so you need proxychains.

If you are on a Debian-based system, simply type

apt-get install proxychains

Then edit

/etc/proxychains.conf

And add your proxy. If you want to learn the syntax, in the config file you can see some more examples.

Each proxy is one line in the [ProxyList] section at the end of the file:

type ipaddress port [username password]

where type is one of http, socks4 or socks5 and the credentials are optional.

Be happy, Tor is configured by default (socks4 127.0.0.1 9050)!

That’s not all. As the name says, proxychains is primarily used for proxy chaining.
How to configure it? Add more proxy lines to proxychains.conf; the chain mode set at the top of the file (strict_chain, dynamic_chain or random_chain) decides whether they are used in order, with dead ones skipped, or in random order.
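Before pointing a scan at the chain it is worth checking the file, since a typo in a proxy line makes proxychains die or, worse, connect directly. The following is an added example, not code from the original post or from proxychains itself: it parses the [ProxyList] section with the syntax described above, validates each hop, and reports the chain mode and the warnings a practitioner wants. The config text, hosts and credentials are constructed; whether a hostname instead of an IP is accepted varies between proxychains forks, so the check assumes the classic behaviour and requires a literal IP.

```python
"""Added example (not from the original post): parse and sanity-check the
[ProxyList] section of a proxychains.conf. The config text, hosts and
credentials below are constructed."""
import ipaddress

# Constructed proxychains.conf: Tor as first hop, then an authenticated HTTP
# proxy and a SOCKS5 proxy, used in this order because strict_chain is set.
SAMPLE_CONF = """\
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# type  host          port   [user pass]
socks4  127.0.0.1     9050
http    10.0.0.5      3128   alice  s3cret
socks5  192.168.1.69  1080
"""

PROXY_TYPES = {"http", "socks4", "socks5"}
CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")


def _directives(conf_text):
    """Uncommented, stripped lines of the file."""
    return [raw.split("#", 1)[0].strip() for raw in conf_text.splitlines()]


def parse_proxylist(conf_text):
    """Return [(type, ip, port, user, password), ...]; raise ValueError on a
    line that does not match 'type ipaddress port [username password]'."""
    proxies = []
    in_list = False
    for lineno, line in enumerate(_directives(conf_text), 1):
        if not line:
            continue
        if line.startswith("["):                 # section header
            in_list = line.lower() == "[proxylist]"
            continue
        if not in_list:
            continue
        parts = line.split()
        if len(parts) not in (3, 5):
            raise ValueError(f"line {lineno}: expected 'type host port [user pass]'")
        ptype, host, port = parts[0].lower(), parts[1], parts[2]
        if ptype not in PROXY_TYPES:
            raise ValueError(f"line {lineno}: unknown proxy type {ptype!r}")
        try:
            ip = str(ipaddress.ip_address(host))  # assumption: classic proxychains wants a literal IP
        except ValueError:
            raise ValueError(f"line {lineno}: host must be an IP address, got {host!r}") from None
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"line {lineno}: bad port {port!r}")
        user, password = (parts[3], parts[4]) if len(parts) == 5 else (None, None)
        proxies.append((ptype, ip, int(port), user, password))
    return proxies


def chain_mode(conf_text):
    """Which chaining mode is enabled (the first uncommented one wins), or None."""
    for word in _directives(conf_text):
        if word in CHAIN_MODES:
            return word
    return None


def check_conf(conf_text):
    """Summary plus the warnings to read before running a tool through the chain."""
    proxies = parse_proxylist(conf_text)
    directives = set(_directives(conf_text))
    warnings = []
    if not proxies:
        warnings.append("no proxies in [ProxyList]: connections would go out directly")
    if chain_mode(conf_text) is None:
        warnings.append("no chain mode set (strict_chain / dynamic_chain / random_chain)")
    if "proxy_dns" not in directives:
        warnings.append("proxy_dns is off: DNS lookups will leak outside the chain")
    return {"mode": chain_mode(conf_text), "hops": len(proxies), "warnings": warnings}


if __name__ == "__main__":
    for hop in parse_proxylist(SAMPLE_CONF):
        print(hop)
    print(check_conf(SAMPLE_CONF))
```

Run it against the real file with check_conf(open("/etc/proxychains.conf").read()); an empty warnings list and the expected hop count is what you want to see before the scan.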

Finally run your software through the chain, e.g.

proxychains nmap -sT -Pn -n -T4 -sV ipaddress

Mind the scan type: proxychains only redirects TCP connections made through the libc socket functions. Raw-packet scans (-sS, -sU, -O and the traceroute included in -A) and the ICMP/ARP host discovery bypass the chain and leave from your own address, so use a connect scan (-sT), skip host discovery (-Pn) and either disable name resolution (-n) or enable proxy_dns in the config so DNS queries do not leak.

Nmap – cheat sheet

Every time I waste time refreshing my memory from the nmap man page, so I created this little cheat sheet.

Any suggestion will be appreciated!

If you give a CIDR mask, nmap scans every IP address in that range:

w.x.y.z/c

Input from list of hosts/networks:

-iL filename

Output in all three formats at once (fname.nmap, fname.xml, fname.gnmap):

-oA fname

Increase verbosity level (use -vv or more for greater effect):

-v

List scan: just list the targets and do reverse DNS on them, without sending any probe to the hosts:

-sL

TCP SYN (half-open) scan; it uses raw sockets, so it needs root:

-sS

ACK scan, to map firewall rules: it never reports open, only unfiltered (a RST came back) or filtered (nothing came back):

-sA

if (unfiltered) ‘no firewall or stateless packet filter’ else if (all results filtered) ‘stateful firewall’

UDP scan:

-sU

Probe open ports to determine service/version info:

-sV

Enable OS detection:

-O

Enable OS detection, version detection, script scanning, and traceroute:

-A

Treat all hosts as online, skipping host discovery (by default: ICMP echo, ICMP timestamp, TCP SYN to 443 and TCP ACK to 80):

-Pn

Scan all 65535 TCP ports (-p- is the shorthand):

-p1-65535

Scan the <number> most common ports, by the frequencies collected for http://nmap.org/presentations/BHDC08/:

--top-ports <number>
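The -oA output is where the cheat sheet pays off, because fname.xml is the format you post-process. The following is an added example, not code from the original post or from the nmap project: it reads the XML that nmap -oX/-oA writes, lists the open ports with their -sV service labels, and applies the ACK-scan rule above (all filtered: stateful firewall; unfiltered: no firewall or a stateless filter) to a second, -sA scan of the same host. Both XML documents are constructed to mirror nmap’s layout; the host, ports and versions are made up.

```python
"""Added example (not from the original post): summarize an `nmap -oA fname`
run from fname.xml and apply the cheat sheet's ACK-scan firewall heuristic.
Both XML samples are constructed in nmap's -oX layout with made-up data."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed -sS/-sV result, as `nmap -oA scan` would write to scan.xml
SAMPLE_SYN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -p1-1024 -oA scan 10.0.0.5" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web.internal" type="PTR"/></hostnames>
<ports><extraports state="filtered" count="1021"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="nginx" version="1.24.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
<service name="https" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

# Constructed -sA result against the same host: no probe got an answer
SAMPLE_ACK_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sA -p1-1024 -oA ack 10.0.0.5" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports><extraports state="filtered" count="1024"/></ports></host></nmaprun>"""


def open_services(xml_text):
    """{addr: [(port, proto, 'name product version'), ...]} for every open port."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            fields = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            label = " ".join(f for f in fields if f) or "?"
            entries.append((int(port.get("portid")), port.get("protocol"), label))
        result[addr] = sorted(entries)
    return result


def port_states(xml_text):
    """Counter of port state -> count, including the collapsed <extraports> block
    nmap uses for the ports it does not list individually."""
    states = Counter()
    root = ET.fromstring(xml_text)
    for extra in root.iter("extraports"):
        states[extra.get("state")] += int(extra.get("count"))
    for port in root.iter("port"):
        states[port.find("state").get("state")] += 1
    return states


def firewall_guess(ack_xml_text):
    """The cheat sheet's rule for an -sA scan. ACK probes never show 'open':
    a RST back means unfiltered, silence means filtered."""
    states = port_states(ack_xml_text)
    if states and set(states) == {"filtered"}:
        return "stateful firewall (or the host drops everything)"
    if states.get("unfiltered") and not states.get("filtered"):
        return "no firewall or stateless packet filter"
    return "mixed: selective rules, compare with the SYN scan per port"


if __name__ == "__main__":
    for addr, entries in open_services(SAMPLE_SYN_XML).items():
        print(addr)
        for port, proto, label in entries:
            print(f"  {port}/{proto}  {label}")
    print("filtered ports in SYN scan:", port_states(SAMPLE_SYN_XML)["filtered"])
    print("ACK scan verdict:", firewall_guess(SAMPLE_ACK_XML))
```

On a real run, pass open("scan.xml").read() to open_services and the -sA file to firewall_guess; the <extraports> element is what keeps a -p1-65535 scan’s XML small, so counting it is what makes the “all filtered” check correct.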