Step by step explanation on how to reverse engineer an API using Wireshark, MitmProxy and Frida (Android).
- Wireshark - (https://www.wireshark.org/)
- Frida - (https://frida.re/)
- Mitm Proxy - (https://mitmproxy.org/)
First create an environment variable with the name 'SSLKEYLOGFILE' using the following command:
$ export SSLKEYLOGFILE=<LOCATION_TO_SSLKEYLOGFILE>
N.B: LOCATION_TO_SSLKEYLOGFILE can be a path of your choice; the file will be created automatically afterwards.
After setting the ENV variable you have to set a proxy, either in your browser or system-wide. The proxy should point to localhost on port 8080, unless you have changed the mitmproxy default configuration.
To start mitmproxy just open a new terminal and type:
$ mitmweb # For the web version
$ mitmproxy # For the terminal version
Now using mitmproxy you can reach and intercept all HTTP domains, but when you try to browse an HTTPS domain the browser will warn you that it's not secure to proceed.
To avoid this problem you simply have to download the mitmproxy certificate by going to http://mitm.it (this page is only served while your traffic passes through the proxy).
Then select your operating system, download the certificate and install it.
This way you can also reach HTTPS domains without getting that warning.
To populate SSLKEYLOGFILE you have to navigate through different pages over SSL / HTTPS, such as https://www.google.it, so that the SESSION KEYS are written into SSLKEYLOGFILE (the browser must be started from the shell where the variable was exported, otherwise it will not see it).
This step is really important: without it you cannot proceed in any way.
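Before pointing Wireshark at the file it is worth checking that the key log is actually being populated and is well-formed. The following Python script is an added example, not part of the original guide: it parses the NSS key log format that SSLKEYLOGFILE uses, reports lines Wireshark would reject, and lists TLS 1.3 handshakes whose application-data secrets were never written (those show up as handshakes only, with no HTTP inside). The sample content is constructed, not taken from a real capture.

```python
import re
from collections import Counter

TLS12_LABELS = {"CLIENT_RANDOM"}                      # TLS 1.2 and earlier: 48-byte master secret
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
APP_DATA = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text):
    """Return (label counts, {client_random: labels seen}, [(lineno, reason)])."""
    counts, sessions, problems = Counter(), {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):          # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((n, "expected 3 fields")); continue
        label, rand, secret = parts
        if label not in TLS12_LABELS | TLS13_LABELS | {"RSA"}:
            problems.append((n, "unknown label " + label)); continue
        if not (HEX.match(rand) and HEX.match(secret)):
            problems.append((n, "non-hex field")); continue
        if label != "RSA" and len(rand) != 64:        # client_random is 32 bytes
            problems.append((n, "client_random must be 32 bytes")); continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append((n, "master secret must be 48 bytes")); continue
        counts[label] += 1
        sessions.setdefault(rand.lower(), set()).add(label)
    return counts, sessions, problems

def undecryptable_sessions(sessions):
    """TLS 1.3 handshakes that lack both application-data secrets."""
    return [r for r, labels in sessions.items()
            if labels & TLS13_LABELS and not APP_DATA <= labels]

# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 session missing its traffic secrets, and one truncated line.
SAMPLE = "\n".join([
    "# comment line",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "bb" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "dd" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "ee" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "ff" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "cc" * 32 + " " + "11" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "33" * 32,
    "CLIENT_RANDOM " + "44" * 32 + " deadbeef",
])
```

Run `parse_keylog(open(path).read())` on your real SSLKEYLOGFILE; an empty count dict means the browser never wrote keys and the Wireshark step will decrypt nothing.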
After configuring the proxy we need to set up Wireshark.
First of all open Wireshark and go to:
Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename
and select the SSLKEYLOGFILE that has been generated before.
Now just start a new Wireshark capture on the target network adapter and see all your requests (HTTP/HTTPS etc.) being logged on your screen.
In order to sniff packets of android apps you need to:
- Configure an android emulator
- Set proxy on the android emulator
- Install frida-server on android-emulator
- Disable SSL pinning of the App
The first thing to do is to configure an Android emulator; the best way is to use the Android Studio emulators.
When you are creating an emulator it is important to choose a system image that does not include the Google Play Store, in order to gain root access to the device (adb root is refused on the Play Store production images).
Once the emulator is configured and started we have to set up the proxy on it. Just go to the emulator settings and set a proxy with host localhost and port 8080.
Now you need to install frida-server; you can download it from the official repo (pick the build for the emulator's architecture, e.g. x86_64 for the usual Android Studio images, and the same version as the frida you will install on the PC):
After downloading frida-server, drag and drop the extracted content of the zip file into the emulator. The dragged file will be available in the Download folder.
At this point enter the emulator with a shell using the following commands:
$ adb root # Gain root permission in the shell
$ adb shell # Enter the android emulator with a shell
Then copy frida-server into /data/local/tmp (these commands run inside the adb shell):
$ cd /storage/emulated/0/Download
$ cp frida-server-x.y.z-android-<architecture> \
/data/local/tmp/frida-server
$ chmod 755 /data/local/tmp/frida-server # the copy from the sdcard is not executable
The last thing to do is to start frida-server:
$ /data/local/tmp/frida-server &
To install Objection on the PC we just need the following command:
$ pip3 install objection
First we need to find the package name of our app.
$ adb shell ps # Look for your app package -> ex. com.example.org
Once you have found the package, connect to the frida-server process:
$ objection -g <package-name> explore
When the connection has been established, disable SSL pinning from the objection prompt:
$ android sslpinning disable # typed at the objection prompt, not in your shell
Instead of using objection, which often fails to bypass SSL pinning, we can use a script that I found here: https://github.com/httptoolkit/frida-android-unpinning
You just have to download the file: frida-script.js
Once downloaded we have to install frida-tools with the following command:
$ pip3 install frida-tools
Now just execute:
$ frida --no-pause -U -l ./frida-script.js -f $TARGET_PACKAGE_NAME # on Frida 16+ the spawned app is resumed by default and --no-pause no longer exists, so drop the flag there
At this point SSL pinning should be disabled for your application and you can use it while sniffing all requests. The requests can be seen in Wireshark.
Jacopo De Gattis