Android结合Frida的硬核抓包大法

2023-07-02T17:37:00

前言

这篇文章是我找了好久才在收藏夹里面找到的。转载自吾爱论坛:https://www.52pojie.cn/thread-1405917-1-1.html

准备工作

  • 已 root 的安卓手机(貌似ios也不能root吧)
  • frida环境一套(刚发现我竟然忘记写frida教程了)

    操作原理

    使用tcpdump去从系统层次去抓包,然后通过firda去hook需要抓包的app,拿到sslkey,然后利用sslkey去解密tcpdump抓到的包

    操作原理

    tcpdump的抓包方面

    1.1 手机中执行 tcpdump

    tcpdump -i any -s 0 -w /sdcard/Download/capture.pcap

    2.1 手机没有tcpdump的

  • 下载地址:https://www.androidtcpdump.com/android-tcpdump/downloads
  • 如果遇到权限不够的,先push到sdcard/ 再移动过去

    adb push tcpdump /data/local/tmp/

    2.2 在手机中执行给权限

    chmod 777 tcpdump

    2.3 继续执行1.1

    ./tcpdump -i any -s 0 -w /sdcard/Download/capture.pcap

    frida的hook方面

    1.1 查看frida信息

  • frida 命令选项 更多关于frida信息 可以查看frida官方信息 https://frida.re/docs/home/

    C:\Users\User>frida -h
    Usage: frida [options] target
    
    Options:
    --version             show program's version number and exit
    -h, --help            show this help message and exit
    -D ID, --device=ID    connect to device with the given ID
    -U, --usb             connect to USB device
    -R, --remote          connect to remote frida-server
    -H HOST, --host=HOST  connect to remote frida-server on HOST
    -f FILE, --file=FILE  spawn FILE
    -F, --attach-frontmost
                          attach to frontmost application
    -n NAME, --attach-name=NAME
                          attach to NAME
    -p PID, --attach-pid=PID
                          attach to PID
    --stdio=inherit|pipe  stdio behavior when spawning (defaults to “inherit”)
    --runtime=duk|v8      script runtime to use (defaults to “duk”)
    --debug               enable the Node.js compatible script debugger
    -l SCRIPT, --load=SCRIPT
                          load SCRIPT
    -P PARAMETERS_JSON, --parameters=PARAMETERS_JSON
                          Parameters as JSON, same as Gadget
    -C CMODULE, --cmodule=CMODULE
                          load CMODULE
    -c CODESHARE_URI, --codeshare=CODESHARE_URI
                          load CODESHARE_URI
    -e CODE, --eval=CODE  evaluate CODE
    -q                    quiet mode (no prompt) and quit after -l and -e
    --no-pause            automatically start main thread after startup
    -o LOGFILE, --output=LOGFILE
                          output to log file
    --exit-on-error       exit with code 1 after encountering any exception in
                          the SCRIPT

    2.1 编写frida脚本(sslkeyfilelog.js)

    function startTLSKeyLogger(SSL_CTX_new, SSL_CTX_set_keylog_callback) {
      console.log("start----")
      function keyLogger(ssl, line) {
          console.log(new NativePointer(line).readCString());
      }
      const keyLogCallback = new NativeCallback(keyLogger, 'void', ['pointer', 'pointer']);
    
      Interceptor.attach(SSL_CTX_new, {
          onLeave: function(retval) {
              const ssl = new NativePointer(retval);
              const SSL_CTX_set_keylog_callbackFn = new NativeFunction(SSL_CTX_set_keylog_callback, 'void', ['pointer', 'pointer']);
              SSL_CTX_set_keylog_callbackFn(ssl, keyLogCallback);
          }
      });
    }
    startTLSKeyLogger(
      Module.findExportByName('libssl.so', 'SSL_CTX_new'),
      Module.findExportByName('libssl.so', 'SSL_CTX_set_keylog_callback')
    )
    // https://codeshare.frida.re/@k0nserv/tls-keylogger/

    2.2 运行此frida脚本

    frida -U -f package -l ./sslkeyfilelog.js --no-pause

    解密数据包部分

    1.1 导出tcpdump的日志

    将 /sdcard/Download/capture.pcap 保存到电脑即可

    1.2 导出frida的日志

    手动复制粘贴吧,没有什么好办法,将日志保存到sslkey.txt文件里

    大概像下面酱婶(这样式),别掺杂别的就行

    CLIENT_RANDOM 557e6dc49faec93dddd41d8c55d3a0084c44031f14d66f68e3b7fb53d3f9586d 886de4677511305bfeaee5ffb072652cbfba626af1465d09dc1f29103fd947c997f6f28962189ee809944887413d8a20
    CLIENT_RANDOM e66fb5d6735f0b803426fa88c3692e8b9a1f4dca37956187b22de11f1797e875 65a07797c144ecc86026a44bbc85b5c57873218ce5684dc22d4d4ee9b754eb1961a0789e2086601f5b0441c35d76c448
    CLIENT_RANDOM e1c1dcaaf73a8857ee60f5b38979084c3e95fdebd9791bbab985a8f954132426 41dcf3d5e41cb469494bf5014a1ecca9f40124f5728895265fadd38f8dc9d5ac15c5fa6588c1ea68f38476297fe76183
    CLIENT_RANDOM 66c4f37afb2152e3837c8a7c48ce51e8307e6739e1fe3efc542887bbcae4f02a bbafe4881084570af01bed59f95bfcf7bc49d2e55acbc7fe33c1e06f8ff0bc2e747c2c428e7cd13f1c77c2141085f951
    CLIENT_RANDOM 8d0d92154ee030486a2b13f9441f85ef33c5e06732fbb06a1ac81fe34b6f2ce3 8270b34eee784e7f7de45f39af36f26e6abf99bb52fa8350945e3ebf79dc1c53a0693c24b0780ce3a54d39fd4b5b5149
    CLIENT_RANDOM b5d58899346db525f14312cfb52c1247ed7adb710ae43428bd331ce27d77dbc1 9effd5b469ef6fdf7a056ea50fc3ff0fdf9fa40ae709805bea8678ddce404f211ed534623876a5c616f3e7bc43121f48
    CLIENT_RANDOM af1b3f9ba0b4c27756c93595eb54cac6f0d8c6e9e4f0fcb1a36c45f0cd12060d 696a6fff39bf6c9863901a2145703de948c37e1abf6b4c03628118bee11c292239304ee020c71ff31a293fc6b9439364
    CLIENT_RANDOM e2a3d8e6b638976aa27c8cf031be5e6b03cf7ffa573be101816d5103025d404b 2b006379423d7252c864a129b6c5a693b75d477dc5d3f894af5f02db755c4f6dd54470b659882871c62ce002792e211a
    CLIENT_RANDOM 1c8cfe911e2111d80dc81c275c791c04467e8d7bca16963acec6a20051429981 bf08334d973d44d80c8f4542c2356a5fd9e0d390afde0374179cc81dd82aaa15aae52604988e9c9616ad0795c79c81ed

    2.1 打开.pcap文件 进入Wireshark

    // Wireshark快速过滤
    (http.request or tls.handshake.type eq 1) and !(ssdp)

    也可以像下面筛选常用数据流

    1、筛选经过 127.0.0.1 主机的所有数据包
    >> ip.addr == 127.0.0.1
    
    2、筛选目的地址是 127.0.0.1 的所有数据包
    >> ip.dst == 127.0.0.1
    
    3、筛选源地址是 127.0.0.1 的所有数据包
    >> ip.src == 127.0.0.1
    
    4、筛选从 127.0.0.1 到 127.0.0.2 的所有数据包
    >> ip.src == 127.0.0.1 and ip.dst == 127.0.0.2
    
    5、筛选源地址是 127.0.0.1 或者 127.0.0.2 的所有数据包
    >> ip.src == 127.0.0.1 or ip.src == 127.0.0.2
    
    6、筛选源地址是 127.0.0.1 且协议类型时 http(tcp) 的所有数据包
    按协议类型筛选:http(tcp)
    >> ip.src == 127.0.0.1 and http(tcp)
    
    7、根据端口过滤固定源与目标:
    ip.src == 192.168.0.2 and ip.dst == 192.168.0.233 and tcp.port == 965
    
    8、根据包长过滤固定源与目标:
    ip.src == 192.168.0.2 and ip.dst == 192.168.0.233 and tcp.len == 12

    2.2 设置Wireshark tls
    编辑 --> 首选项--> Protocols--> TLS



    选择到tls 后将之前的sslkey.txt导入下。 再使用下前面的过滤命令, 正常情况下, 现在就能正常看到了。(文案也是抄的我很抱歉)

    布局不对这么设置

    浏览器导入sslkey

    chrome.exe --ssl-version-max=tls1.3  --ssl-key-log-file="./ssl_keys.txt"

    参考内容

    Wireshark Tutorial: Display Filter Expressions
    https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/

HTTPS Traffic Without the Key Log File
https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

The First Few Milliseconds of an HTTPS Connection
http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

Sniffing HTTPS Traffic in Chromium with Wireshark
https://adw0rd.com/2020/12/2/chromium-https-ssl-tls-sniffing-with-wireshark/en/

当前页面是本站的「Baidu MIP」版。发表评论请点击:完整版 »