蘋果在 iOS 5 中新引入了“ 遠程虛擬接口(Remote Virtual Interface, RVI )”的特性,可以在 Mac 中建立一個虛擬網絡接口來作爲 iOS 設備的網絡棧,這樣所有經過 iOS 設備的流量都會經過此虛擬接口。
此虛擬接口只是監聽 iOS 設備本身的協議棧(但並沒有將網絡流量中轉到 Mac 本身的網絡連接上),所有網絡連接都是 iOS 設備本身的,與 Mac 電腦本身聯不聯網或者聯網類型無關。
iOS設備本身可以爲任意網絡類型(WiFi/xG),這樣在 Mac 電腦上使用任意抓包工具(tcpdump、Wireshark、CPA)抓取 RVI 接口上的數據包就實現了對 iPhone 的抓包。
Mac OS X 對 RVI 的支持是通過終端命令 rvictl 提供的(需要安裝Xcode):
➜ ✗ rvictl
rvictl [-h][-l][-s <udid1> ... <udidN>][-x <udid1> ... <udidN>]
Remote Virtual Interface Tool starts and stops a remote packet capture instance
for any set of attached mobile devices. It can also provide feedback on any attached
devices that are currently relaying packets back to this host.
Options:
-l, -L List currently active devices
-s, -S Start a device or set of devices
-x, -X Stop a device or set of devices
首先將手機連接到Mac上,打開iTunes,查看手機的UDID。
然後打開Mac終端,輸入:
➜ ✗ rvictl -s UDID
Starting device xxe6128f0xxxxxxxxxd8e92c9fa790xxxxxxxxxx [SUCCEEDED] with interface rvi0
使用tcpdump監聽虛擬接口,可以按Ctrl+C停止監聽(如果安裝了wireshark,此步驟可以直接使用wireshark來監聽虛擬接口):
➜ ✗ sudo tcpdump -i rvi0 -w dump.pcap
tcpdump: WARNING: rvi0: That device doesn't support promiscuous mode
(BIOCPROMISC: Operation not supported on socket)
tcpdump: listening on rvi0, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
3904 packets captured
3915 packets received by filter
0 packets dropped by kernel
命令行解釋:
-i rvi0 選擇需要抓取的接口爲rvi0(遠程虛擬接口)
-w dump.pcap 設置保存的文件名稱
結束監聽之後別忘了刪除虛擬接口:
➜ ✗ rvictl -x UDID
Stopping device xxe6128f0xxxxxxxxxd8e92c9fa790xxxxxxxxxx [SUCCEEDED]
然後將文件dump.pcap拖入wireshark分析即可,此處的dump.pacp包含了WebSockets信息。
或者如果不需要分析WebSockets流量,也可以這樣,安裝tcpreplay工具:
➜ ✗ brew install tcpreplay
==> Installing dependencies for tcpreplay: libdnet
==> Installing tcpreplay dependency: libdnet
==> Downloading https://homebrew.bintray.com/bottles/libdnet-1.12.mojave.bottle.4.tar.gz
######################################################################## 100.0%
==> Pouring libdnet-1.12.mojave.bottle.4.tar.gz
🍺 /usr/local/Cellar/libdnet/1.12: 28 files, 213.3KB
==> Installing tcpreplay
==> Downloading https://homebrew.bintray.com/bottles/tcpreplay-4.3.2.mojave.bottle.tar.gz
==> Downloading from https://akamai.bintray.com/50/502523def8034da8a129f830457c2d7fb5ac6e3ebde96370c8c2756508c7bdda?__gda__=exp=1575966605~hmac=28bbdf5c3dd5e7db91386e69af18f2454f277e985993b7a69b0f2961aa91b97d&response-content-disposition=
######################################################################## 100.0%
==> Pouring tcpreplay-4.3.2.mojave.bottle.tar.gz
🍺 /usr/local/Cellar/tcpreplay/4.3.2: 14 files, 1.5MB
Tcprewrite可以重寫數據包。
Tcprewrite重寫第二層以太網層:
➜ ✗ tcprewrite --dlt=enet --enet-dmac=00:11:22:33:44:55 --enet-smac=66:77:88:99:AA:BB --infile=dump.pcap --outfile=data.pcap
也可以重寫第四層TCP、UDP層:
➜ ✗ tcprewrite --portmap=80:8080,22:8022 --infile=dump.pcap --outfile=tcp.pcap
但是注意,此方法雖然可以生成讓Charles打開的pcap文件,但是並沒有我們所需要的WebSockets信息,因此不建議這麼做。
