學習記錄:針對Android 7.0 抓不到HTTPS包的情況
[TOC]
背景
前段時間需要抓包,目前做https強證書校驗的越來越多,手機升級之後,導致很多時候抓不到包,因此,總結一下抓包方法,這裏基本沒有自己研究的內容,都是從其他的博客搬過來彙總的
##環境:
1,一臺root的手機
2,導出burp證書,push到sd安裝—這一步就不介紹了,然後
cp /data/misc/user/0/cacerts-added/* /system/etc/security/cacerts/
這裏記得要把權限改一下,否則沒有權限讀取chmod 644 /system/etc/security/cacerts/*
此時你已經可以抓到非強證書校驗的報文了
抓包方案
1,root手機 安裝xpose 使用justTrustme
參考鏈接:http://blog.csdn.net/qq_27446553/article/details/52525013
2,如果抓取的是第三方程序,免root可以可以使用VirtualXposed,僅hook被測試程序的證書校驗部分
安裝路徑:https://github.com/android-hacker/VirtualXposed
3,root手機,安裝Frida,使用以下腳本可以完成部分功能或針對被測程序進行定向hook
參考鏈接:(鏈接已經失效)https://jaq.alibaba.com/community/art/show?articleid=989
參考鏈接:【技術分享】使用Frida繞過Android SSL Re-Pinning
源代碼:
https://techblog.mediaservice.net/wp-content/uploads/2017/07/frida-android-repinning_sa-1.js
/*
Android SSL Re-pinning frida script v0.2 030417-pier
$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
*/
setTimeout(function(){
Java.perform(function (){
console.log("");
console.log("[.] Cert Pinning Bypass/Re-Pinning");
var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
var FileInputStream = Java.use("java.io.FileInputStream");
var BufferedInputStream = Java.use("java.io.BufferedInputStream");
var X509Certificate = Java.use("java.security.cert.X509Certificate");
var KeyStore = Java.use("java.security.KeyStore");
var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
var SSLContext = Java.use("javax.net.ssl.SSLContext");
// Load CAs from an InputStream
console.log("[+] Loading our CA...")
cf = CertificateFactory.getInstance("X.509");
try {
var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
}
catch(err) {
console.log("[o] " + err);
}
var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
var ca = cf.generateCertificate(bufferedInputStream);
bufferedInputStream.close();
var certInfo = Java.cast(ca, X509Certificate);
console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
// Create a KeyStore containing our trusted CAs
console.log("[+] Creating a KeyStore for our CA...");
var keyStoreType = KeyStore.getDefaultType();
var keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
console.log("[+] Our TrustManager is ready...");
console.log("[+] Hijacking SSLContext methods now...")
console.log("[-] Waiting for the app to invoke SSLContext.init()...")
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
console.log("[+] SSLContext initialized with our custom TrustManager!");
}
});
},0);
但是上面的內容也不是很全,比如缺少okhttp,缺少webview等,可以自己維護一個比較全面的
4,重打包:不推薦,目前大部分應用對重打包防護比較好,不推薦重打包