How to sniff HTTPS from Android app


  1. Rooted device with ProxyDroid installed.
  2. “Computer” with Burp installed.

Let’s start

Launch Burp from your computer.

Proxy -> Options -> Proxy Listeners

Uncheck the currently “running” proxy, then Add a new Proxy Listener.


  • Bind to port: 8080
  • Bind to address: All interfaces


From the button below the listener list, export the CA certificate in DER format.

Now change the file extension to .cer and push it to a user-browsable folder on your device. For example, I connected the device to the computer and used adb:

mv burpcert.der burpcert.cer
adb push burpcert.cer /sdcard/Download

While you’re there, take note of your computer’s IP address (in this example I’ll use

Device configuration

Settings -> Security -> Install certificates from storage

Select the pushed .cer certificate (obviously), and give it a name.

You’ll be warned that your traffic may be monitored (obviously).

Install ProxyDroid.


  • Host: your pc address
  • Port: 8080
  • Proxy Type: HTTP (no HTTPS, I’m sure!)

I suggest choosing, under Feature Settings, the Individual Proxy configuration, so that you can select only the app whose traffic you want to sniff.

Enable ProxyDroid and enjoy.

List victim’s visited websites

This is the easy and cheap way: you need a Linux distro with Ettercap and Wireshark.

From command line type:

ettercap -T -Q -M arp:remote -i iface -w log.pcap /victimip/ /gatewayip/

What does each option do?

  • -T: text-only interface (plain printf output)
  • -Q: super quiet mode
  • -M arp:remote: perform a MITM attack using ARP poisoning. “remote” is optional; specify it if you want to sniff traffic to remote IP addresses by poisoning the gateway. Otherwise, if you specify a victim and the gateway as TARGETS, ettercap will sniff only the connections between the two of them.
  • -i iface: force use of the “iface” network interface
  • -w log.pcap: write sniffed data to the “log.pcap” file


Open Wireshark and import the .pcap file, then go to:

Statistics -> HTTP -> Load Distribution

In the box type:

Now look at the “HTTP Requests by HTTP Hosts”.

This will show you all the sniffed inbound/outbound HTTP traffic, grouped by host.
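If you would rather not click through Wireshark every time, the same “requests by host” view can be produced from the .pcap directly. The script below is an added example written for this post, not code from the original article or from Wireshark: it contains a tiny classic-pcap parser (Ethernet/IPv4/TCP only, no pcapng), pulls the Host header out of every cleartext HTTP request, and counts requests per host. The capture it parses is constructed inline (documentation-range addresses, made-up requests) so it runs offline; point `requests_by_host` at the bytes of your own log.pcap to use it for real. As on the Wireshark page, only unencrypted HTTP is visible; HTTPS hostnames do not appear here.

```python
import struct
from collections import Counter

# --- constructed sample capture (not a real capture) -------------------------
# A minimal classic pcap (Ethernet link type) holding three cleartext HTTP
# requests and one HTTP response, built inline so the script runs offline.

def _frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (checksums left at zero)."""
    eth = bytes(12) + b"\x08\x00"                       # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0,                          # TTL 64, protocol 6 = TCP
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp + payload

def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "198.51.100.5", 40000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    _frame("192.0.2.10", "198.51.100.5", 40001, 80, b"GET /news HTTP/1.1\r\nhost: example.com\r\n\r\n"),
    _frame("192.0.2.10", "203.0.113.7", 40002, 8080, b"POST /api HTTP/1.1\r\nHost: api.example.net:8080\r\n\r\n"),
    _frame("198.51.100.5", "192.0.2.10", 80, 40000, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
])

# --- parser ----------------------------------------------------------------

def iter_frames(pcap):
    """Yield the captured bytes of every record in a classic (non-pcapng) pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def tcp_payload(frame):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                              # IPv4 protocol field: 6 = TCP
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + data_off:]

def request_host(payload):
    """Host header of an HTTP request, or None if the payload does not start one."""
    if not payload:
        return None
    request_line, _, headers = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None                                     # responses, continuations, non-HTTP
    for line in headers.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def requests_by_host(pcap):
    """Count HTTP requests per Host header, like Wireshark's 'HTTP Requests by HTTP Host'."""
    return Counter(h for h in (request_host(tcp_payload(f)) for f in iter_frames(pcap)) if h)

if __name__ == "__main__":
    for host, n in requests_by_host(SAMPLE_PCAP).most_common():
        print(f"{n:4d}  {host}")
```

Note that the parser counts only the segment that carries the request line, so a request whose headers are split across segments is counted but its Host header may be missed; reassembling TCP streams is what Wireshark does for you.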

But also take a look at Xplico.



Nmap scan (and other programs…) through a proxy and proxy chaining

But nmap (or some other program) doesn’t support proxies… so you need proxychains.

If you are on a Debian-based distro, simply type

apt-get install proxychains

Then edit


and add your proxy. If you want to learn the syntax, the config file contains some more examples.

I’ll try to explain it with a regex-like expression:

[http|socks4|socks5] ipaddress port username password

Be happy, Tor is configured by default!

That’s not all. Obviously proxychains is used primarily for proxy chaining.
How do you configure it? Add more proxies to proxychains.conf!
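A quick way to check what a [ProxyList] section will actually give you before running anything through it: the script below is an added example for this post, not proxychains’ own parser. It turns the “[http|socks4|socks5] ipaddress port username password” shape above into a real regular expression, walks a proxychains.conf fragment, reports the hop order and flags entries that do not fit the syntax (bad octets, out-of-range ports). The config text is constructed here; only the `socks4 127.0.0.1 9050` line is the Tor default the post refers to. Stripping `#` comments to the end of a line is this validator’s behaviour, an assumption rather than something the post states about proxychains.

```python
import re

# One [ProxyList] entry: the post's "[http|socks4|socks5] ipaddress port
# username password"; the username/password pair is optional.
# Hypothetical validator, not proxychains' own parser.
PROXY_ENTRY = re.compile(
    r"^(?P<type>http|socks4|socks5)\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<port>\d{1,5})"
    r"(?:\s+(?P<user>\S+)\s+(?P<password>\S+))?$"
)

# Constructed proxychains.conf fragment (not a real deployment). The socks4
# line is the Tor default; the last entry is deliberately broken.
SAMPLE_CONF = """\
strict_chain
proxy_dns
[ProxyList]
# add proxy here ...
socks4  127.0.0.1 9050
http    10.0.0.5  3128  alice  s3cret   # trailing comment
socks5  192.168.1.10 1080
socks5  192.168.1.300 70000
"""

def parse_proxy_list(text):
    """Return (chain, errors): chain is the ordered list of proxies found under
    [ProxyList]; errors holds (line number, raw line) for entries that do not
    fit the syntax or carry an impossible address/port."""
    chain, errors, in_list = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_list = line.lower() == "[proxylist]"
            continue
        if not in_list:
            continue                                # strict_chain etc. live above the list
        m = PROXY_ENTRY.match(line)
        if (not m or not 1 <= int(m["port"]) <= 65535
                or any(int(o) > 255 for o in m["host"].split("."))):
            errors.append((lineno, raw))
            continue
        chain.append({"type": m["type"], "host": m["host"], "port": int(m["port"]),
                      "user": m["user"], "password": m["password"]})
    return chain, errors

def chain_summary(chain):
    """Hop order as one line, i.e. the path a proxychains'd command would take."""
    return " -> ".join(f"{p['type']}://{p['host']}:{p['port']}" for p in chain)

if __name__ == "__main__":
    chain, errors = parse_proxy_list(SAMPLE_CONF)
    print(chain_summary(chain))
    for lineno, raw in errors:
        print(f"line {lineno}: cannot parse: {raw!r}")
```

With strict_chain every hop in the list must be reachable in order, so an unparseable or dead entry breaks the whole chain; that is why it is worth validating the list before wondering why `proxychains nmap` hangs.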

Finally run your software, e.g.

proxychains nmap -T4 -A ipaddress

Nmap – cheat sheet

Every time I waste time refreshing my memory from the nmap man page, so I created this little cheat sheet.

Any suggestion will be appreciated!

If you specify the class, it’ll scan all IPs in that class range:


Input from list of hosts/networks:

-iL filename

Output in (fname.nmap fname.xml fname.gnmap):

-oA fname

Increase verbosity level (use -vv or more for greater effect):


Reverse DNS.


Force sending TCP SYN packets (uses a raw socket, needs root):


Use ACK scan (use on open and filtered ports):


if (unfiltered) ‘stateless firewall’ else if (all results filtered) ‘stateful firewall’
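The pseudocode above is easy to apply by hand to one host and tedious for a subnet, so here it is as a script over the grepable output that -oA writes to fname.gnmap. This is an added example for this cheat sheet, not code from the post or from nmap: it parses the `Ports:` field of each host line (including the `Ignored State: … (N)` bulk count that nmap uses when most ports share a state) into per-state counts and applies the rule as written. The .gnmap lines are constructed here, not real scan results; nmap itself reports only unfiltered/filtered for an ACK scan, and a host with no firewall at all produces the same “unfiltered” answer as a stateless one, which the label reflects.

```python
import re
from collections import Counter

# Constructed grepable (-oG / the .gnmap file from -oA) output of an ACK scan.
# Not real scan results; addresses are from the documentation range.
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/unfiltered/tcp//ssh///, 80/unfiltered/tcp//http///, "
    "443/filtered/tcp//https///\tIgnored State: unfiltered (997)\n"
    "Host: 192.0.2.20 ()\tStatus: Up\n"
    "Host: 192.0.2.20 ()\tPorts: 22/filtered/tcp//ssh///, 80/filtered/tcp//http///"
    "\tIgnored State: filtered (998)\n"
    "# Nmap done (constructed sample)\n"
)

PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/")            # port/state/protocol/
IGNORED = re.compile(r"Ignored State: (\w+) \((\d+)\)")   # state shared by unlisted ports

def parse_gnmap_states(text):
    """Map each host to a Counter of port states, including the 'Ignored State' bulk."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                                      # skip comments and Status lines
        ip = line.split()[1]
        states = Counter()
        for _port, state, _proto in PORT_ENTRY.findall(line.split("Ports:", 1)[1]):
            states[state] += 1
        m = IGNORED.search(line)
        if m:
            states[m.group(1)] += int(m.group(2))
        hosts[ip] = states
    return hosts

def classify_firewall(states):
    """The cheat sheet's rule: any unfiltered port -> stateless firewall (a host
    with no firewall looks identical); every port filtered -> stateful firewall."""
    total = sum(states.values())
    if states.get("unfiltered", 0) > 0:
        return "stateless firewall (or no firewall)"
    if total and states.get("filtered", 0) == total:
        return "stateful firewall"
    return "inconclusive"

def classify_all(text):
    """Verdict per host for a whole .gnmap file."""
    return {ip: classify_firewall(states) for ip, states in parse_gnmap_states(text).items()}

if __name__ == "__main__":
    for ip, verdict in classify_all(SAMPLE_GNMAP).items():
        print(f"{ip:16} {verdict}")
```

Run it against the .gnmap produced by an ACK scan with -oA; hosts reported as “inconclusive” had no port information at all (for example, down hosts), so the rule does not apply to them.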

UDP scan:


Probe open ports to determine service/version info:


Enable OS detection:


Enable OS detection, version detection, script scanning, and traceroute:


Treat all hosts as online (skip ACK on 80,443 and ICMP PING,TIMESTAMP):


Scan all possible ports:


Scan <number> most common ports (

--top-ports <number>