Tuesday, December 13, 2016

ANDROID PT / Traffic Interception over HTTP and HTTPS


- Layout for this exercise:

- Connecting Santoku to Nexus 5:


- Clicking Settings on the Nexus 5 device:

- Going to the Wi-Fi connection:

- Modifying the connection:

- Showing advanced options:

- Enabling Proxy manually:

- Entering Santoku's IP address and port 8080:

- Starting the Burp suite at Santoku:

- Configuring Options for Burp:

- Editing for listening on all interfaces:

- Editing the listening rules:

- Enabling interception (on); the Burp proxy is now ready to read all traffic originating from the Nexus 5 device:

- To check that the Burp proxy works correctly, let's install an application like Any.DO, which sends data to a web server over HTTP:

- Starting Any.DO:

- Signing in to the application:

- The interception is successful, because Burp displays both the username and password sent during the sign-in process:


- In order to intercept an HTTPS connection, Burp's CA certificate must be trusted by the device.

- Going to http://burp, there is a tab for downloading the CA Certificate:

- Downloading the CA certificate:

- Going to Settings -> Security:

- When trying to install the certificate, the cacert.der file is found in the Downloads folder.

- However, Android needs a different file extension (.crt, not .der) to recognize the certificate:

- Going to Santoku and accessing the Download folder on the device's external storage:

- To make the certificate readable by Android, renaming the file is enough, from cacert.der to cacert.crt (the content is still DER; only the extension changes):

- Now, going back to the Nexus 5, the cacert.crt file is available to install:

- Giving a name to the certificate:

- When performing the installation, Android requires a screen lock (pattern, PIN or password) before it will store a user CA certificate:

- Picking the PIN option:

- Choosing a PIN:

- Finally, the certificate is installed:

- Going to Trusted credentials (installed by USER), the certificate is listed:

- Now, connecting to a website over HTTPS:

- Burp detects the HTTPS connection:

- Checking the details of the HTTPS connection by clicking the lock icon before the URL:

- Viewing the certificate:

Monday, December 12, 2016

ANDROID PT / Reversing and cracking an Android application


- Layout for this exercise:

1 - Connecting with ADB

- The Santoku Linux machine connects to a Google Nexus 5 (Android 4.4.4, API 19) using the Android Debug Bridge (ADB):

2 - Installing the application 

- cocon.apk is an application developed by Anant Shrivastava and presented at the Capture The Flag event of the C0C0N conference.

- The goal of this exercise is to crack the application in order to discover a hidden key.

- cocon.apk is available on the Santoku machine:

- Installing the application on Nexus 5:

- The application is now installed on the mobile device:

- Launching the application:

- The output reads "Key is disabled". Discovering that key is the aim of this exercise:

3 - Decompiling the application

- Using apktool with option d, the application is decompiled. The output goes to the directory Cocon:

- Checking the contents of the new directory:

4 - Analyzing the application

- Looking at the application's manifest:

- The package used by the application is called "coc.on":

- "coc" and "on" are nested subdirectories inside the "smali" directory:


- Reaching the "on" directory, the file "cocon.smali" is found:

- The smali file is a human-readable representation of the app's Dalvik bytecode. It is not the original Java source, but it is a very good approximation for understanding how the source is written and how the app works:

etc  ...

- It is interesting to notice that a constant with value 0 is created and stored into register v0. The value of v0 is then stored, through register p0, into the integer field key_value:

- The "show_key" method creates a constant with value 1, stored into register v8. Register v7 then gets the value (key_value) from p0, and finally the contents of v7 and v8 are compared. If they do not match, execution jumps to cond_1:

5 - Cracking and rebuilding the application

- Now, in order to avoid the jump to cond_1, the values of v7 and v8 must match, so the value of v0 (later in the program transferred to v7) is changed from 0 to 1:

- Once the application is patched, it must be rebuilt using apktool with option b. The output will be the new application cracked_cocon.apk:

6 - Signing the cracked application

- Android refuses to install unsigned APKs, so the new application is signed:

- Verifying that the application is correctly signed:

7 - Installing and testing the cracked application

- Before installing the new application, the old one must be uninstalled, since the two are signed with different keys and Android will not update one with the other:

- Now, cracked_cocon.apk is installed on the Nexus 5 with ADB:

- Running the application:

- The cracking process is successful: the key is now enabled and displayed on the screen of the mobile device:
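Steps 3 to 7 above, collected into one script as an added example (not code from the post or from the CTF author); it shows why a client-side integer gate like key_value is no protection at all, since a single-nibble patch flips it, which is the lesson for anyone shipping licence or feature checks in an app. It assumes (none of this is stated in the post) that the flag is set by a `const/4 v0, 0x0` followed by `iput v0, p0, ...->key_value:I`, that apktool, jarsigner and adb are on PATH, and that a debug.keystore with alias androiddebugkey and password "android" exists for signing; without an argument it only runs the patch on a constructed smali fragment.

```shell
# Added example: automates steps 3-7 of this post for the C0C0N CTF app.
# Assumptions not taken from the post: the flag is set by "const/4 v0, 0x0"
# followed by "iput v0, p0, ...->key_value:I"; a debug.keystore with alias
# androiddebugkey (password "android") exists for jarsigner.
set -eu

# Flip the last "const/4 v0, 0x0" before the key_value store to 0x1.
# Matching on data flow rather than a line number survives layout changes.
patch_key_value() {      # $1 = cocon.smali, rewritten in place
    awk '
    { line[NR] = $0 }
    END {
        for (i = 1; i <= NR; i++)
            if (line[i] ~ /iput v0, p0, .*->key_value:I/) { t = i; break }
        for (j = t; j >= 1; j--)
            if (line[j] ~ /const\/4 v0, 0x0/) { sub(/0x0/, "0x1", line[j]); ok = 1; break }
        for (i = 1; i <= NR; i++) print line[i]
        exit ok ? 0 : 1
    }' "$1" > "$1.tmp" || { rm -f "$1.tmp"; return 1; }
    mv "$1.tmp" "$1"
}

# Full pipeline; needs apktool, jarsigner and adb on PATH plus a connected device.
crack_cocon() {
    apktool d cocon.apk -o Cocon
    patch_key_value Cocon/smali/coc/on/cocon.smali
    apktool b Cocon -o cracked_cocon.apk
    jarsigner -keystore debug.keystore -storepass android \
        -sigalg SHA1withRSA -digestalg SHA1 cracked_cocon.apk androiddebugkey
    jarsigner -verify cracked_cocon.apk
    adb uninstall coc.on || true     # the copy signed by the original key must go first
    adb install cracked_cocon.apk
}

# Constructed smali fragment modelled on the constructor the post describes.
write_sample_smali() {   # $1 = output path
    cat > "$1" <<'EOF'
.method public constructor <init>()V
    const/4 v0, 0x0
    iput v0, p0, Lcoc/on/cocon;->key_value:I
    return-void
.end method
EOF
}
# Offline demo of the patch on the fragment; pass "run" for the real pipeline.
case "${1:-demo}" in
    run) crack_cocon ;;
    *)   f=$(mktemp); write_sample_smali "$f"; patch_key_value "$f"; grep const "$f"; rm -f "$f" ;;
esac
```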