The last time to share the idea of cracking the mobile phone encryption data, is to use the intermediary agent to crack, network security call this practice called Man-in-the-middle, today talk about how to achieve.
Coincidentally, on March 2, 2016, 360 pushed a message about the vulnerability of the code-named drowning, which is essentially what we discussed in this article, but what we did was serious.
Since the middleman is involved, I need an agent software to act as a middleman, here we choose Software Fiddler, the Software is a lightweight capture software, but it also realizes the function of intermediary agent. Grab the package software or use Wireshark. As for why not directly using Fiddler to grab Packet analysis, is because Fiddler is lightweight (or elder brother is love with Wireshark), a lot of features than Wireshark support a wide range, such as long-connected features, And we're just using it as a proxy and a certificate-making feature. Of course fiddler also has a lot of its own advantages and disadvantages, follow-up we will see a little.
This experiment software is the world's largest genuine music service platform Spotify, the use of the software to test the reason is that in the test I need to confirm whether the encrypted stream is an audio stream.
In the previous article has been on the SSL and other related knowledge and decryption principle has done a detailed elaboration, forget can review.
This article to two aspects of mobile and PC side, the whole idea is the same, the implementation will be slightly different.
First talk about the mobile side, the usual capture environment 1:
Figure 1
That is, the mobile phone connected to the device, on the forwarding device to deploy LIBPCAP crawl mobile phone IP messages.
Now we need to deploy the agent software on the PC, that is fiddler, because the data will go to the proxy server PC, so install Wireshark on the PC to grab the packet, no longer use the Libpcap capture environment on the forwarding machine.
Here are a few things to do:
1, set fiddler, such as
After installing fiddler do 2, the settings shown in Figure 3: Path tools->fiddleroptions
Figure 2
Figure 3
Figure 4
HTTPS option Check on Capturehttps, select from remote clients only (the actual process can not pass the machine's message, Khan); Connection option select Allow remote compute to connect. HTTPS that page about the certificate may not be the same as yours, I downloaded a fiddler in the page shown in Figure 4 for the certificate and the export of the private key, because Fiddler comes with the certificate generator, does not support the export of the private key feature, downloaded after the installation on Windows.
2, set the agent for the phone, long press the residence connection wifi-> display advanced and then set the agent, 5:
Figure 5
Fig. 6 Fig. 7
The proxy server hostname is the proxy IP address you want to link to, because the fiddler default port is 8888, so the proxy server port is set to 8888.
Enter the PC IP plus port number in the mobile browser, enter the relevant page to download the certificate, the Blue Fiddler rootcertificate in the picture, install, the certificate uses for the app. If your phone does not have a password policy set, you may be prompted to set a password when you install the certificate. 6 and Figure 7 are shown.
3, set Wireshark and fiddler to associate, New in Preferences->protocols->ssl, 8
Figure 8
Figure 9
The Mypem.txt file is the private key given by fiddler, the specific steps is to make a 1, 2 steps after you set up, use the phone to access the app, the Fiddler log page will automatically generate the private key (this is the first step to install plug-in role), The private key marked in the Red Line section of Figure 9 is stored in a text file, but in the following format, the middle line is replaced with the private key:
-----BEGIN PRIVATE KEY-----
BASE64 encoded private key here
-----END PRIVATE KEY-----
At this point, complete the setup, restart Fiddler, open Wireshark, in order to reduce the clutter, we only catch 8888 port of the message, 10:
Figure 10
Use Wireshark to crawl and decrypt messages as shown in 11
Figure 11
We can see that the green HTTP message is the decrypted message after the TLS handshake. If there is no decryption, the packet is encrypted and the color is a gray TLS message. This is the intuitive feeling. To determine whether the captured data is decrypted, you can see the client key Exchange message in the TLS handshake, the portion of the red line in Figure 12 is the decrypted data, and the red line in Figure 13 shows no decrypted data.
Figure 12
Figure 13
Figure 14 explains why the 8888 port was crawled. Because only the communication between the mobile phone and fiddler (before the agent) is decrypted, so to crawl the communication between the two messages, and fiddler use 8888 port and mobile communication, so use 8888 port. The communication between fiddler and Server is not decrypted, and the fiddler port is random, so it is not necessary to obtain this part of the data. In fact, the same data through the network card two times, once encrypted, once again no encryption, which is crawling 8888 ports, filtering useless data reasons.
Figure 14
This way of cracking encrypted data is not always effective, one reason,
First understand the usefulness of SessionID, the Flow association. Refer to the relevant article. If you catch the first SSL encryption packet has the corresponding SessionID, indicating that this stream reuse the previous flow negotiation parameters, and fiddler do not know these parameters, then the relevant data can not be decrypted, figure 15 is not reused, Session ID 0, if reused, There will be a long list of characters. Of course, there are many reasons not to decrypt, I hope we can share more.
Figure 15
The mobile side is so much, the PC-side and mobile-side thinking is consistent. But the implementation aspect is slightly different, I say briefly here. If the PC software and fiddler deployed on a PC, 14, the application software and fiddler communication, is the communication between the process, using the loopback address 127.0.0.1, is not through the network card, that is, Wireshark is unable to obtain the corresponding decryption packet. So the solution is as follows:
1, the Wireshark default winpcap delete, install Npcap to grab the packet, the reason is WINDOWSTCP/IP protocol stack does not implement the network loopback interface, details reference https://wiki.wireshark.org/ Capturesetup/loopback, do not explain too much.
2, the use of two PC machine, where the face and the mobile phone grab packet corresponds to, one of the most fiddler agent, another PC equivalent to mobile phone, specific reference to the mobile phone's three-step setup, PC proxy settings should be.
Overall Architecture 16:
Figure 16
The above content is the mobile and PC-side decryption SSL traffic actual implementation of the description, in fact, is very rough and simple. Why, because in the actual capture process, I found that the use of fiddler agent only captured encrypted picture messages, the corresponding audio Wireshark not captured, after troubleshooting, established because this part of the traffic does not go HTTP proxy, This means that the HTTP proxy does not support the forwarding of this part of the traffic, so the 8888 port is not captured. So if you want encrypted data similar to this traffic, then you can replace the Fiddler with the Sock agent, of course, the corresponding agent machine needs to install the certificate software. If anyone is interested, you can share it.
In fact, the above content gives us a revelation, is to go agent is not safe, even if your data is encrypted, common scenes of many of us like to flip the wall. You may think that the decryption of data need to give you a certificate, in fact, the certificate can be unknown, of course, the next certificate of the strategy can basically take advantage of the security of the sociological attack, the essence can be understood as the weakness of human nature, I found myself turned into a philosopher. Look at this article Http://my.oschina.net/CasparLi/blog/488298?fromerr=NqwEdtDw, don't be too angry after reading it. Everyone started with a rogue, some people have money to become a gentleman, some people are still old, face the rogue have a way.
Please also indicate if there is any error in the above content.
An implementation of encrypting TLS encrypted data (mobile end +pc side)