Android Black Tech series--wireshark and fiddler analysis of TLS protocol package data in Android (with case samples)

First, preface

In a previous article has introduced a network access software hack tutorial, at that time the breach is the application itself is a loophole, that is, the log information is not closed, we crawl the log to obtain key information to find a breach to crack. That article also said, if the app does not have log information, what should we do? Then you need to use a clutch to find a breakthrough.

Second, install fiddler certificate

We use the Fiddler to connect the mobile phone to grasp the packet view, the application accesses the data information all uses the HTTPS protocol, namely encrypts the data, we may not be able to view, is troublesome, this article explains how to view these encrypted data.

First we know that the Fiddler grab Bag tool is able to grasp the HTTPS data, is the Fiddler certificate installed in the device. The installation process is also simple:

First step: Export the Fidder certificate file

Enter the Fiddler option:

Then select Export certificate directly to the desktop.

Step Two: Install the certificate into the device

The previous step of the certificate file, put in the device's SD directory, and then open the certificate file directly in the device, will prompt the installation information, of course, here in the old version of the system, may also need to set up the page to operate:

In Settings, select Security, and then select Install Certificate from SD card to install it properly. After the installation is successful, you can view this certificate information:

third, crawl the sample app packet

In this way, our device will have the Fiddler certificate, at this time in the Fiddler grab packet will see the normal HTTPS protocol data:

We can view the returned data information:

Unfortunately, the data shown here is not complete. So this time, we have to find a way to get all the data returned, can be manipulated with the Wireshark tool, and the Wireshark tool will be analyzed more detailed than the Fiddler tool, but fiddler more convenient and quick. However, the Wireshark tool can only be run on the PC side of the packet, so if you want to use this tool to grab the phone data, there are two ways:

The first type: Wireshark+fiddler tools

Fiddler accesses traffic on the PC as a proxy on the mobile phone side. Then Wireshark can crawl the request on the PC, so as to use Wireshark to grab the phone's request.

The second type: Wireshark+tcpdump tools

Of course, we can also use the Tcpdump tool to directly grab the phone's request data, generally saved as pcap file format, and then on the PC side with the Wireshark to analyze the Pcap file format. About tcpdump how to grab a package to generate PCAP files, you can search by yourself. There's no explanation here.

Many students consider the second, but the second will fail, because there is the need to crawl the HTTPS protocol data, so there is certificate-related information, if you directly use the Tcpdump tool to capture the package generated files, and then use the Wireshark tool analysis will fail. Because the Wireshark analyzes the TLS protocol data, it is necessary to set the certificate information, otherwise the parsing fails. So here's the first way to do it.

iv. Wireshark Analysis of TLS packets

Because Wireshark analyzes the data of the TLS protocol, it is necessary to set up the certificate information, otherwise it is encrypted data information:

Then the problem here is actually converted, how to use Wireshark to decrypt the TLS data information, this is relatively simple, we can use the browser automatically generated certificate information, as a decryption tool. A knowledge point is needed here: The browser will have a hint when accessing HTTPS protocol information:

Let us trust this certificate:

Then, we confirm security, at this time, if a system environment variable is set. The browser will save the certificate information to the specified file, the system environment variable is: sslkeylogfile, and then customize a sslkey to save the file name.

Because we can catch the HTTPS request link in the above with fiddler, this time we put this link in the browser to visit once:

Then there will be a corresponding Sslkey data saved, you can go to see this information:

So we got this URL corresponding to the certificate information, here can be seen in fact, with the help of the browser to obtain, the following wireshark to set this certificate information:

In Wireshark Edit->preferences->protocols->ssl, set the location of the Sslkey information file you just saved, and save it.

The following is the beginning of the packet analysis, in the boot Wireshark grab packet, some students may not be able to see the Packet Capture network interface information:

This needs to start the system NPF service, we can do this:

01, at the beginning –> run
02. Input:%windir%/system32
03, will open a folder window, found inside the CMD.EXE (Cmd.exe)
04. Right click and select "Run as Administrator"
05. Input command: net start NPF
06, the system prompts Netgroup Packet Filter Driver Service has started successfully.
07, to this point, Wireshark and then click Interfaces List can normally select the interface to be captured.
08. If you need to turn off this service, you will be able to enter the command: net stop NPF at the command line.

After successful operation, then go to Wireshark Select the interface list information will have the network interface information:

When running here, be sure to remember to select both local and wireless connections to avoid missing requests:

Click Start, you will find a lot of requests in the brush screen, in order to see the data we care about, you can use some filtering rules to filter, and here is actually a lot of filtering rules commands, interested students can search the operation of their own experiments, here we just want to see the SSL protocol request information:

Then we use the browser to refresh just that HTTPS request, will find a lot more TLS protocol request, if there is not set the above Sslkey information, see is encrypted information:

Here is a brief talk about the principle of the TLS protocol, directly stole a picture on the Internet:

Once the Sslkey information is set, you can see that application data is decrypted:

Also, at this point, an extra decrypted SSL tab is found at the bottom. Decryption here will find that there is a hypertext transport layer behind the SSL layer, that is, HTTP and other information. Then we check this message and right-click on his HTTP stream:

Remember that there is an OK word of the HTTP protocol data information entry, this is because it has been decrypted, so see the HTTP protocol:

Five, decrypt the return data information

Here you can see the request information and return information clearly. We then put this part of the data in the decryption with AES:

The result of seeing the print is a return JSON message:

About the decryption method here, a previous article in the JADX Analysis sample has been seen:

We copy this method directly, write a simple Java success can be decrypted. Do not know the students to review the previous introduction of the content bar.

Vi. Summary of TLS knowledge points

Well, here we go, how to use Wireshark and fiddler these two grab the package artifact, decrypt HTTPS request information. About the TLS protocol may be some classmates still do not know, and he and SSL difference is what, in fact, TLS is an upgrade version of SSL:

Many protocols now use TLS, and the TLS1.3 version is out. WX, for example, uses this protocol for data encryption. After we have this skill, we can easily analyze the TLS protocol data later, of course, we must master Wireshark the use of this tool, we have learned the network engineering class, we know the network protocol stack, such as physical layer, network layer, Transport layer, application layer:

We've seen a few layers of information in the bottom Information Bar of Wireshark:

At the SSL layer, decryption is required to see the details of the subsequent Hypertext Transfer layer protocol, which is the result of the operation of the decryption method above.

Vii. Questions and Answers

In fact, see some of the students here will have a curious place:

• The first: Start using Fiddler can be directly decrypted data, why still use Wireshark to grab the bag? Because we can see that the information that fiddler crawls is not complete. Of course, sometimes it may be full, so there is no need to use Wireshark for packet capture analysis.
• The second: In the Fiddler crawl to the link in the browser to access, generate the corresponding Sslkey information file. Isn't it possible to see the returned data directly in the browser? Why do you use Wireshark to grab a bag? This is true to see all of the return information accessed in the browser, but the use of Wireshark to capture the packet is for more information to see the TLS protocol access process. This is also for the future proficiency of the preparation of the operation.

In reverse studies, sometimes grabbing a packet is a very important point of breach. Therefore, it is also a critical skill to capture packet analysis package information.

Reprinted from: http://www.wjdiankong.cn/category/android%e6%8a%80%e6%9c%af%e7%af%87/

Android Black Tech series--wireshark and fiddler analysis of TLS protocol package data in Android (with case samples)