【Android(安卓)学习记录】:针对Android(安卓)7.0 抓不到HTTPS包的情况
学习记录:针对Android 7.0 抓不到HTTPS包的情况
[TOC]
背景
前段时间需要抓包,目前做https强证书校验的越来越多,手机升级之后,导致很多时候抓不到包,因此,总结一下抓包方法,这里基本没有自己研究的内容,都是从其他的博客搬过来汇总的
##环境:
1,一台root的手机
2,导出burp证书,push到sd安装—这一步就不介绍了,然后
cp /data/misc/user/0/cacerts-added/* /system/etc/security/cacerts/
这里记得要把权限改一下,否则没有权限读取chmod 644 /system/etc/security/cacerts/*
此时你已经可以抓到非强证书校验的报文了
抓包方案
1,root手机 安装xpose 使用justTrustme
参考链接:http://blog.csdn.net/qq_27446553/article/details/52525013
2,如果抓取的是第三方程序,免root可以可以使用VirtualXposed,仅hook被测试程序的证书校验部分
安装路径:https://github.com/android-hacker/VirtualXposed
3,root手机,安装Frida,使用以下脚本可以完成部分功能或针对被测程序进行定向hook
参考链接:(链接已经失效)https://jaq.alibaba.com/community/art/show?articleid=989
参考链接:【技术分享】使用Frida绕过Android SSL Re-Pinning
源代码:
https://techblog.mediaservice.net/wp-content/uploads/2017/07/frida-android-repinning_sa-1.js
/* Android SSL Re-pinning frida script v0.2 030417-pier $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/*/setTimeout(function(){ Java.perform(function (){ console.log(""); console.log("[.] Cert Pinning Bypass/Re-Pinning"); var CertificateFactory = Java.use("java.security.cert.CertificateFactory"); var FileInputStream = Java.use("java.io.FileInputStream"); var BufferedInputStream = Java.use("java.io.BufferedInputStream"); var X509Certificate = Java.use("java.security.cert.X509Certificate"); var KeyStore = Java.use("java.security.KeyStore"); var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory"); var SSLContext = Java.use("javax.net.ssl.SSLContext"); // Load CAs from an InputStream console.log("[+] Loading our CA...") cf = CertificateFactory.getInstance("X.509"); try { var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt"); } catch(err) { console.log("[o] " + err); } var bufferedInputStream = BufferedInputStream.$new(fileInputStream); var ca = cf.generateCertificate(bufferedInputStream); bufferedInputStream.close();var certInfo = Java.cast(ca, X509Certificate); console.log("[o] Our CA Info: " + certInfo.getSubjectDN()); // Create a KeyStore containing our trusted CAs console.log("[+] Creating a KeyStore for our CA..."); var keyStoreType = KeyStore.getDefaultType(); var keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(null, null); keyStore.setCertificateEntry("ca", ca); // Create a TrustManager that trusts the CAs in our KeyStore console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore..."); var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); var tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore); console.log("[+] Our TrustManager is ready..."); console.log("[+] Hijacking SSLContext methods now...") console.log("[-] Waiting for the app to invoke SSLContext.init()...") SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) { console.log("[o] App invoked javax.net.ssl.SSLContext.init..."); SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c); console.log("[+] SSLContext initialized with our custom TrustManager!"); } });},0);
但是上面的内容也不是很全,比如缺少okhttp,缺少webview等,可以自己维护一个比较全面的
4,重打包:不推荐,目前大部分应用对重打包防护比较好,不推荐重打包
更多相关文章
- MonoDroid学习笔记(一)―― 搭建MonoDroid开发环境及Hello World
- 安卓系统架构多年经验总结:《Android程序的编译,安装和运行》 | An
- Android(安卓)根证书管理与证书验证
- Android(安卓)app实现自更新和安装,权限检测适配Android6.0以下和
- android 为什么需要签名
- Android逆向之旅---爆破应用签名的一种全新高效方式(Native+服务
- android安全学习之2—android中.pem和.pk8是什么文件?
- Android(安卓)获取Root权限之后的静默安装实现 代码示例分析
- 在Ubuntu下获取Android4.0源代码并编译