i8igmac Posted July 19, 2016

I was bored this last weekend. I felt like sniffing some data from my Android phone. So I installed the Burp certificate on my Samsung S3, which forced me to set up a PIN or password lock on my phone. If you manually install custom certs on Android then you are forced to use a PIN/password to protect the phone... So, I set up some iptables rules to force the traffic on my phone to pass through a transparent Burp Suite running on my laptop. I first tested the phone web browser and it worked very well, no obnoxious certificate errors (as expected)... but when I tried to sniff the Snapchat app or Facebook app it was a no-go... Any ideas for sniffing the Snapchat app or Facebook app? Has anyone tried? I removed the PIN/password from my phone and reconfigured a simple swipe phone unlock. This automatically deletes the cert I installed from Burp...

dustbyter Posted July 19, 2016

I have not tested those applications that you are referring to, however some applications are implementing certificate pinning. The applications in those cases would stop processing requests if they see that the certificate they receive is not the one expected. The pinning occurs by having the application check for hard-coded values within the certificate. In your case, did the application still function correctly when trying to run it through Burp? From my experience, I use ProxyDroid to set up the address of the machine that is running Burp (requires root on device), sounds like you may have a different setup in your environment.
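
The pinning check described in the post above, as an added example that is not part of the original thread: a simplified Python model of why a browser accepts the proxy's certificate once its CA is installed while a pinned app still refuses it. The `Cert` records, host and CA names, and key bytes are constructed stand-ins (assumptions); no real X.509 parsing or signature verification is done.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER-encoded public key info

def pin_of(cert):
    """Pin string in the common 'sha256/<base64 digest>' form."""
    digest = hashlib.sha256(cert.spki).digest()
    return "sha256/" + base64.b64encode(digest).decode()

def chain_is_trusted(chain, trusted_roots):
    """Simplified path check: names must chain up to a root in the trust store."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots

def client_accepts(chain, trusted_roots, pins=None):
    """pins=None models a browser; a set of pins models a pinned app."""
    if not chain_is_trusted(chain, trusted_roots):
        return False  # ordinary certificate error
    if pins is None:
        return True   # trust store alone decides
    # Pinned client: some key in the presented chain must match a hard-coded pin.
    return any(pin_of(c) in pins for c in chain)

# Constructed sample data (hypothetical host and CA names).
real_leaf = Cert("api.example.test", "Example Issuing CA", b"constructed-real-leaf-key")
real_ca = Cert("Example Issuing CA", "Example Root CA", b"constructed-issuing-ca-key")
proxy_leaf = Cert("api.example.test", "Proxy CA", b"constructed-proxy-leaf-key")

REAL_CHAIN = [real_leaf, real_ca]
PROXY_CHAIN = [proxy_leaf]                     # what an intercepting proxy presents
SYSTEM_ROOTS = {"Example Root CA"}
WITH_PROXY_CA = SYSTEM_ROOTS | {"Proxy CA"}    # after the proxy CA is installed
APP_PINS = {pin_of(real_ca)}                   # value shipped inside the app

if __name__ == "__main__":
    print("browser, proxy CA installed:", client_accepts(PROXY_CHAIN, WITH_PROXY_CA))
    print("pinned app, proxy CA installed:", client_accepts(PROXY_CHAIN, WITH_PROXY_CA, APP_PINS))
    print("pinned app, real server:", client_accepts(REAL_CHAIN, SYSTEM_ROOTS, APP_PINS))
```
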

i8igmac (Author) Posted July 19, 2016

# redirect the phone's TCP 80/443 traffic to Burp on the laptop (a port list needs -m multiport)
iptables -t nat -A PREROUTING -p tcp -s 192.168.96.75 -m multiport --dports 80,443 -j DNAT --to-destination 192.168.96.70:8080

My setup is a home-built Debian-based router with iptables. So running the above with a masquerade command will force the source IP (phone) to the destination IP (laptop). The Snapchat app just cut off the data response, which seems to match the description you explained... However, the Facebook app was functional, no errors on the phone... but Burp was not showing any data stream, only some alerts and warnings that maybe Burp Suite decided to allow the traffic through... I should have taken a closer look at the traffic... seems like an HSTS stream (just a guess).

cooper Posted July 20, 2016

Look at any of the talks by Arne Swinnen. He found a slew of issues in the Facebook and Instagram apps and indeed needed to do *something* within Burp, but I can't recall any more what it was. Here's a very recent one:

dustbyter Posted July 21, 2016

I tested Instagram. I was able to get it to route traffic to Burp, but I used ProxyDroid. I also installed the Burp certificate on the Android phone. Is your phone rooted?

i8igmac (Author) Posted July 22, 2016

I'm not so sure it matters in the situation. As long as traffic makes it to Burp or another machine... I'm looking at this from a pentest situation... if I install a cert on a device, I want to see the traffic in plain text...