Transcript for:
Intercepting Android Traffic with Burp Suite

What's going on YouTube, this is IppSec, and today we're going to cover how to intercept traffic from Android apps using Burp Suite. And I know I covered this, or a part of this, a long time ago with a Hack The Box machine, RouterSpace, and a lot of it's going to be relatively similar. But back then, I didn't know how to intercept traffic on modern Android operating systems.

So we used a really old Android OS and used that to intercept this traffic. In this video, we're going to cover it with the newer ones. And the issue I was having back then is that since Android Nougat, it changed where the certificate authority has to be installed. In old versions of Android, you could install the certificate authority in the user store and applications would still trust it.

But since Android Nougat, I believe it was, you have to start installing it to the system store. And then we're also going to cover putting Frida on the device so we can disable certificate pinning and intercept Instagram's traffic. I started doing this because I bought a device called the Wayzn. It's just a little device that can open and close the door so you can let your dog out remotely. But they don't have a web interface.

It's all just an iOS or Android application. And I wanted to control it from my computer. So I started looking up how to intercept the traffic so I could see the API endpoints to hit and just create some keyboard shortcuts to open and close the door. But I figured I'd show a video on exactly how I did this, right?

So the first thing we're going to do is install Genymotion. And I know a lot of people use something like Android Studio to get an Android VM running, but I've always had trouble with that and Genymotion just works for me. So that's what I'm going to use.

I'm just copying the installer. We will wget it. And while it installs, I'm going to do sudo apt install, and we need virtualbox and adb.

It's now going to install these two packages. So let's start this installation because it can take a while. And then give the Genymotion executable execute permission and execute it, so we're installing two things at once. And while those install, I should mention two changes I made to this VM: I upped the memory to 8 gigs and the processors to 4, and if you go to the CPU, you have to make sure you have the virtualization setting checked. I know VirtualBox has something similar to this; if you don't have it, you'll get an error when you try to start the VM. But now that we have VirtualBox installed and Genymotion installed, let's just open up Genymotion. So go into the directory, do ./genymotion, and it's going to open up.

And then we're going to have to log in. And we're just going to use the free license. We don't have to put anything in here. So if we just click Next, it's going to ask what license.

I'm just going to say personal use. We'll click Next on this. Agree to the license terms, and now we're at the Genymotion screen.

All we have to do is add a device. I'm going to add, let's see, the Pixel 3 XL, and then click Next. All this stuff looks good. Because it's virtualizing this phone and taking 4 gigs of memory, that's why I increased the memory of my host to 8 gigs. So let's just click Next, Next, Next and Install. So now it's going to download the Pixel OS, and then when we start it, we will have an Android phone. And then we can look at the certificate authority once it's installed and also put Burp Suite's in.

And I guess while it's installing, we can configure the Burp Suite certificate to be how we want it. So if you don't have it, you can curl localhost:8080/cert when Burp Suite is running. And that's going to give you a certificate.

If you've used my Ansible playbook to install everything, you could just go to /usr/share, not /usr/share, /usr/local/share/ca-certificates, and grab the certificate out of there. But we're going to have to convert it to PEM format. So we're going to do openssl x509 -inform DER -in and put the certificate you downloaded, so cert.der. And then we're going to call it, I'm going to call it burp.pem.

So we just converted this to PEM format. And then we have to rename it. And you'll always be able to use the name I'm using, because the name is just going to be an MD5 sum of the subject.

So if we do openssl x509 -inform PEM -subject_hash_old -in burp.pem, this is going to be what you want the certificate name to be. So we're going to move burp.pem to be this .0. And all this is, is going to be, I want to say, the first four bytes of the MD5 sum of the subject, which is this. Hold on. Oh, because we renamed it. So it's going to be an MD5 sum of this, but it's encoded in ASN format.

If you want to look more into it, this GitHub issue, if you maybe Google this phrase, is a good description of how it works, if you want to run a Go program and step around and see exactly how it's generated. But the important thing being, it's really just "PortSwigger CA" that generates this file name.

Nothing in the certificate. So every Burp Suite certificate is pretty much going to be this name until they change this. So you could just name the certificate 9a5ba575.0. So now that all that is done.

We should have our Genymotion device downloaded. We can just start it. And as long as your VM is configured properly with VirtualBox, your CPU is set to virtualization mode, yada, yada, yada, we should be able to start the device and watch it boot up. And then once it's booted up, we have to place that certificate in the certificate store.

So we have Android starting now. Let's go to our terminal. And we can put this on this side.

Going to change this. So let us go into, let's see, Settings. I think it's Security. And then Encryption and credentials, Trusted certificates. And if we scroll down to where the P's should be, let's see, G-I-K-L-M-N-O-Q, we don't have PortSwigger.

So we want to copy the certificate here. And if we do adb devices -l, we can see we already have adb attached to this device. Thank you, Genymotion, for doing all that for us.

So if we just did adb shell, we're just magically on this device. But we want to copy the certificate up. So I'm going to do adb push, and then the certificate name, and we're going to copy it to /system/etc/security/cacerts. And we have an error. We can't copy it because it's a read-only file system.

So let's go adb shell. We will su, so we're root. And we can just do mount -o remount,rw /.

So now we've mounted the partition read-write because it was read-only. Do the push again, and it is successfully pushed. So now, I think we'll have to restart the device.

We can click on Trusted certificates again and see if we see it. I'm pretty sure it loads it at boot. Let's see, Q, M, N, O. Oh no, we already have PortSwigger. So I don't even think we have to reboot this device.

So now that Android is configured with the Burp certificate, we should be able to do a proxy. And there's two ways we can do this. We can either go back into Settings, Network, and let's go to Internet, the Android Wi-Fi, click settings and change the proxy here.

But I hate doing all the clicking. I'd rather just do it from a command. So if you do adb shell settings put global http_proxy, and then let's get our IP.

So ip addr, or ip a. We can get our IP address, and then :8080. So now we have the proxy set up, we have Burp Suite, let's make sure we're intercepting, I'm going to change the size. And we can go into a web browser.

And let's just go to google.com. And we get proxy connection failed, because we've got to change our proxy to be on all. So now with this, if we hit the page, we can see traffic. And this is HTTPS traffic. So if we search for IppSec here, turn this on, we can magically see all the traffic.

And there's quite a bit. But you can see that's all configured and dandy. So now we'll have to install the Play Store.

So I'm going to click on Open GApps, click Accept. And let's see. Open GApps archive is corrupted.

Retry. Okay, now it's installing. I don't know exactly what happened there.

We have to restart the device. Let's see. Maybe.

Let's see. Let's stop. I'll just close the device, start it again, and hopefully the GApps store is started.

We'll also probably want to unset the proxy, and to do that you just run the same command with :0. So once this starts up, I will run this just to be safe, and the reason is we don't want to intercept all the traffic going to the Play Store when we download applications, because if we do that, it's going to make it go a lot slower. So the other thing I'm going to do is create an alias.

So if we ran the command ip addr, actually before ip we can do ip -o -4 addr show ens33. It's only going to show this device. We can awk '{print $4}' to get the IP address, and then I can do sed to delete everything that comes after the slash, because we want to delete the subnet mask. And now we just have the IP address. So if I did an echo like this, :8080, we have this. And the whole reason why I'm doing this is we can say alias adb set proxy is equal to adb shell settings put global http_proxy and copy this, like that. And now we have the command adb set proxy. So let us go in the app store. Let's sign in. I don't know if I actually ran the unset.

Maybe I did. Or maybe it doesn't take after reboot. But I'm going to log into the Play Store. I'm going to copy and paste my password.

And then we have to sign in without my security key. Tap yes on my phone or tablet. And let's confirm. Give me a second.

Yes, it is me. There we go. Let's agree to this.

So now we can install applications. I'm also going to disable backup devices. And we also want to make an unset command, and we can just set this to :0.

So now let me install the device, the app I actually wanted to. We're going to install Wayzn. And this is the app I was talking about in the beginning of my video to open and close the door.

I'm going to confirm I can indeed intercept all this traffic, and then we will move on to Instagram and see it doesn't work and figure out how we do that. And the answer is going to be we have to install a tool called Frida, which allows us to inject JavaScript into applications, which lets us hook and modify things in real time.

Think of it like Greasemonkey is for browsers, but for applications. So when an application attempts to authenticate or check a certificate, we always return true. But I think my VM actually froze, so I'm going to pause the video, restart my VM, and we'll get it working. My VM's actually not frozen, it's just going really slow, so I'm going to unset the proxy. I'm guessing that's what's causing me to go slow.

I'm going to run adb devices -l. It does list, maybe we should just stop this. Whenever you do nested virtualization, things get wonky. So I'm going to start this back up, we're going to make sure adb proxy is there. I'm also going to add this to .bashrc. So I'm going to copy, vi .bashrc, we can add these aliases.

Let's just do unset, and we can delete everything. And let's do zero like that. It has been started. And we do have our application that I wanted to intercept here.

It's going to accept this, and let's make sure Burp Suite is intercepting. I'm going to click login and we can test this. So ip@ipsec.rocks, password of password, click login.

And we see our request. So we have successfully intercepted this application. So let's unset this. So adb unset proxy. Let's do another request to make sure we aren't intercepting anymore.

I'm going to go into the Play Store and I'm going to install Instagram. So go back in here, search Instagram. And I'm mainly going into this application because Instagram does do a surprising amount of obfuscation on the app and certificate pinning, or whatever it's called, to somewhat prevent this type of stuff.

So it's a good demo to do. Once it installs, we will be able to set the proxy again. So adb set proxy, get this command queued up. Open it, intercept is on there. We'll do root@ipsec.rocks with a password of password, set the proxy, go log in, and we get "an unexpected error occurred".

If we unset the proxy, click login, we get password incorrect. So something is happening on Instagram that is preventing us from intercepting the traffic with our certificate. So let's go over to a web browser and I'm just going to Google "install Frida adb" and pretty much follow these instructions. And there's going to be two things we have to do.

I guess while this goes on, we can do a pipx install frida-tools. And that's going to be installing Frida on the local workstation, but we have to have it in two places. And this browser just crashed. Awesome.

So we have Frida installed. Go to this blog post. And it wants us to download Frida from the GitHub releases.

And one of the tricky things, there's a lot of things on this. We mainly just want the frida-server. So I'm going to search frida-server and then figure out which Android we want.

So I'm going to go back to my box, do adb shell, uname -a, and I can see it is x86_64. So that is the release I want. We can just copy the link, exit. I'm going to wget this. And then I'm going to do 7z x to extract this .xz file.

And then the instructions want us to push Frida to this location, /data/local/tmp. So I'm going to move frida-server to just be called frida-server, so it matches what their command is.

We push it to /data/local/tmp. And then we want to make it executable. And then we just execute it. And once it's running, I don't know why that prompt didn't come back, but we'll just leave it be. We can do a frida-ps, I think.

And let's see. frida-ps right now. I'm guessing this is mine because we see mate, whatever. -U is going to be USB. And that's going to tell it to go through our adb connection.

And now we're on our mobile device. So if we look for Instagram, Frida, Android, intercept, I think. If I Google this, do I come up with anything?

SSL pinning bypass. So we have this script. Let's just download it. mkdir Instagram, go in here.

wget it. If we look at it, we can see it essentially, well, right here, it's disabling HTTP/3 and then it's hooking the SSL verification thing and just replacing the return value. So whenever it goes to verify a certificate, it just says this is true, right? So let us now, do they give instructions on this repo of how to start it? I can't remember if they did. Go back one more time.

Now we're wanting to go here. Let's see, adb shell. Yep, right here. So frida -U -l, the script name, and then the application. So I'm going to close Instagram.

App info. That didn't do what I wanted it to. Oh, it did. I am not an Android user, so it takes me a while to fumble around in this.

It is now stopped. I don't think there's a --no-pause feature anymore. If I run this, what does it say? Unrecognized argument.

So if I just remove --no-pause, no follow directory, -l, I guess that was Windows, but we have hooked the function right here. So now if I go root@ipsec.rocks, we do a password of password, login. Can't find it.

Let's see. Oh, we have to set the proxy because we unset it. Right.

So let's do adb set proxy. Burp Suite is on, login. And we have successfully intercepted the request to Instagram.

And it's no longer saying whatever error it said before, it's saying password is incorrect. So that's going to wrap up the video. Hope you guys enjoyed it. Take care and I will see you all next time.
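Editor's added example, not part of the transcript or of any tool the video uses: the file-name rule the video describes for the system CA store (the openssl -subject_hash_old value that gives Burp's CA the name 9a5ba575.0) reproduced in plain Python, so you can see exactly which bytes go into the hash. It walks the certificate's DER to the Subject Name, MD5s that Name's own DER bytes, and renders the first four digest bytes as a little-endian 32-bit integer, which is what OpenSSL's X509_NAME_hash_old() does. The der_name and build_fake_cert helpers, the OID constants and the "PortSwigger" sample subject are constructed here for the demo; the names, and the fake certificate, are not Burp's.

```python
"""Compute the file name Android expects for a CA in /system/etc/security/cacerts.

Android names CA files the way OpenSSL's c_rehash/X509_NAME_hash_old() does:
MD5 over the DER-encoded Subject Name, first four digest bytes read as a
little-endian 32-bit integer, printed as eight lowercase hex digits, then
".0" (".1", ".2", ... if two CAs share a hash). Only the Subject's DER bytes
are hashed, which is why every Burp CA gets the same name while its Subject
stays "PortSwigger CA".
"""
import base64
import hashlib
import re
import struct


def der_tlv(tag, content):
    """Encode one DER TLV (definite lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content


def der_read_tlv(buf, pos):
    """Decode the TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Return [(tag, value), ...] for every TLV inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_read_tlv(value, pos)
        out.append((tag, child))
    return out


def extract_subject_der(cert_der):
    """Return the raw DER of the Subject Name from an X.509 certificate."""
    _, cert, _ = der_read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = der_read_tlv(cert, 0)              # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, subject = fields[4]
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    return der_tlv(tag, subject)                   # DER is canonical: byte-identical to the input


def hash_old_from_digest(digest):
    """X509_NAME_hash_old rendering: little-endian uint32 of the first 4 MD5 bytes."""
    return "%08x" % struct.unpack("<I", digest[:4])[0]


def subject_hash_old(subject_der):
    return hash_old_from_digest(hashlib.md5(subject_der).digest())


def android_cacert_filename(cert_der, index=0):
    """Name to use under /system/etc/security/cacerts/ for this certificate."""
    return "%s.%d" % (subject_hash_old(extract_subject_der(cert_der)), index)


def pem_to_der(pem_text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


# --- constructed demo data (hypothetical, not a real or Burp-issued certificate) ---
OID_C, OID_O, OID_CN = bytes.fromhex("550406"), bytes.fromhex("55040a"), bytes.fromhex("550403")


def der_name(rdns):
    """Encode [(oid, text), ...] as a Name with one attribute per RDN.
    The string tag (PrintableString vs UTF8String) is part of what gets hashed,
    so for a real CA hash the certificate's own DER, never a re-encoding of its text."""
    rdn_set = b""
    for oid, text in rdns:
        string_tag = 0x13 if oid == OID_C else 0x0C
        ava = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(string_tag, text.encode()))
        rdn_set += der_tlv(0x31, ava)
    return der_tlv(0x30, rdn_set)


def build_fake_cert(subject_der):
    """Unsigned, structurally plausible Certificate wrapper around a Subject, for the demo."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    sha256_rsa = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"340101000000Z"))
    spki = der_tlv(0x30, sha256_rsa + der_tlv(0x03, b"\x00"))
    tbs = der_tlv(0x30, version + serial + sha256_rsa + subject_der + validity + subject_der + spki)
    return der_tlv(0x30, tbs + sha256_rsa + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    # Usage: python3 cacert_name.py burp.pem   (the transcript's Burp CA comes out as 9a5ba575.0)
    with open(sys.argv[1]) as fh:
        print(android_cacert_filename(pem_to_der(fh.read())))
```

Run it against the burp.pem produced by the openssl conversion step and the printed name is what the adb push target under /system/etc/security/cacerts should be; if a file with that name already exists for a different CA, bump the suffix to .1, which is all the trailing digit is for.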