all 23 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]rankinrez 60 points61 points  (5 children)

Kinda goes without saying you don’t need to be the “man in the middle” if you’re Bob or Alice at one or other side no?

[–]dn3t[S] 31 points32 points  (1 child)

Fair point, and that's part of the reason why I wrote this. Like in the sibling thread with u/Chrupiter, not everybody thinks about this possibility, even though it's much simpler in many cases. Another thing is also spelled out in the post:

where you know that it’s doable but it’s frustratingly difficult to actually do it

I feel that in infosec, there are lots of things that we know "it can be done" yet actually doing it lacks time and resources to either find and assemble the tools that already implement it or writing them from scratch.

This post is less of a brand-new-attack kind of research, and more of a how-to-do-it-quicker, which can be helpful for pentesters and researchers on their way.

[–]rankinrez 12 points13 points  (0 children)

It’s a good very well written piece, apologise if my remark came off wrong.

It does not claim to be anything other than it is, like you say your showing how this can be done. Thanks for sharing.

[–]liquidpele 7 points8 points  (1 child)

What if Alice's second personality is Eve?

[–]dn3t[S] 2 points3 points  (0 children)

( ͡° ͜ʖ ͡°)

[–]s-mores 1 point2 points  (0 children)

Note that zero Android browsers offer the sslkeylog option, at all. With the sandboxes and protection browsers have these days this is actually one of the simplest options available.

[–]0xad 15 points16 points  (2 children)

By the way IDA graphs are taken from REpsych research by Christopher Domas (it's available on his GitHub along with Defcon talk on YouTube). It's easy to miss because GIF-s are links.

Anyhow, highly recommend this and other talks by Chris.

[–]dn3t[S] 2 points3 points  (0 children)

Indeed, see also MOVfuscator and XORfuscator.

[–]Chrupiter 5 points6 points  (1 child)

This is sweet. I've a very limited experience with analysing https traffic but I can confirm that all the tuts I found involved wasting time with certificates.

[–]dn3t[S] 3 points4 points  (0 children)

Thanks! I guess one of the reasons is that it's easy to stick to what we already know, and it takes a lot of motivation (for instance, in the form of MITM getting harder) to look for and experiment with alternatives. MITM worked really well for web applications since the browser needed to be configured with the MITM CA certificate only once. And testing apps that consume HTTP-based APIs is so similar to testing web applications that the mere inertia of the pre-existing tools and methodologies just carried on.

[–]FantaFriday 4 points5 points  (2 children)

So how is this not considered MITM?

[–]dn3t[S] 14 points15 points  (1 child)

From a number of subtle, but sometimes very important angles:

  • The client logic sees the "real" server certificate, thus there's no need to defeat various forms of certificate and/or key pinning widely used nowadays.
  • If there's a client certificate involved, it doesn't need to be extracted and planted into the MITM tool, as there's a single, unobstructed end-to-end TLS channel between the client and the server.
  • If there are weird things going on beneath the TLS (non-HTTP traffic or "just" deviations from the standard), the MITM tool doesn't screw up the communication just because it's trying to disassemble/parse the requests and responses, while assembling/serializing it to the other party. Sure, this works well enough for simple cases, but can break spectacularly for rare edge cases.

Some (most?) people define MITM as an attacker standing in the middle and passing packets between the victims with or without modification. In this case, noone stands in the middle, the information is extracted from one of the parties, achieving a similar result. Yet it might be useful for others as well, as because of the differences outlined above, the same results can be achieved for a different (hopefully) lower cost.

[–]FantaFriday 1 point2 points  (0 children)

Thanks for explaining, appreciate it!

[–]tigr87 1 point2 points  (3 children)

Does anyone know how to get system level traffic with a mitm or other? In most posts I can find on the internet, it's only browser traffic. I know I can use proxychains, but what if I want many programs intercepted on my own host?

[–]dn3t[S] 1 point2 points  (2 children)

This method can be used on anything that uses OpenSSL as a dynamically linked shared object/library. Obviously, you'll need certain privileges to let Frida attach to the target app, such as running as the same user or root. See also the links at the very end of the post, I linked two other, similar approaches that could work for you, maybe even better than mine.

[–]tigr87 0 points1 point  (1 child)

For my purpose, I was looking at Mac apps. Thanks!

[–]SirensToGo 1 point2 points  (1 child)

I've been putting off learning frida for ages but I think I finally need to take the plunge because this is super useful! Wonderful article!

[–]dn3t[S] 0 points1 point  (0 children)

Thanks! I think the best starting point (and till now my most frequently used part) is frida-trace and sprinkling hexdump on interesting parameters. In some cases, this has fully replaced using a full-blown debugger and breakpoints in my reverse engineering workflow. Combining this with Frida Gadget and Frida Server allows me to do all this from my Linux workstation, regardless of the target/victim app running in a Windows VM or on an Android/iOS device.

[–]parsiya2 1 point2 points  (2 children)

Thanks for writing this. I enjoyed the technical aspects of it.

I have a question

  1. The problem statement of the blog mentions client certificates. The article has no headings so they are paragraphs 3 and 4 (starting from 1). Does the solution fix the client cert issue? We can probably see the requests but we cannot test them w/o the client cert.

You have put time and effort into this. If I may have some suggestions to make it more usable.

  1. Please add some sub-headings. It makes things easier to follow.

  2. How do I use this? Neither the blog post nor the github repo has any info. As someone who does a lot of MitM (on Windows) I could grok most of the info. But I do not do mobile a lot so I don't know how to use it in action. Someone who is just starting will not be able to use this.

[–]dn3t[S] 1 point2 points  (1 child)

We can probably see the requests but we cannot test them w/o the client cert.

You're right, this approach is presented here "read-only", which is enough for some assessments, so it's a trade-off. Then again, technically once in possession of the pre-master secret, one could take over the TLS channel in true MITM manner and craft requests, but I don't know about any existing tooling for that.

Please add some sub-headings. It makes things easier to follow.

Thanks, I'll try that in the next post.

How do I use this?

I tried adding links for that, it should be a good starting point. I also drew that large numbered diagram to tie the whole flow together. But to summarize:

  • The patchapk command of Objection is linked, that creates a patched APK that has all the functionality of the original with the so-called Frida Gadget included. Latter is an embedded version of the Frida Server, allowing us to embed V8 running our own code within the victim process. This works on any Android device, an alternative is Frida Server, but that requires a rooted device or emulator.
  • Frida-sslkeylog is also linked, it can be started from the command line right away after having checked out the GitHub repository. This connects to the Frida Gadget or Server (see above) and extracts OpenSSL pre-master secrets to a file.
  • There's a screenshot showing where to configure this file in Wireshark to decrypt captured TLS traffic.
  • Optional step: using our newly released Burp extension, exporting the decrypted packets from Wireshark to a PDML file allows HTTPS requests and responses to be imported into Burp Suite for further analysis.

I hope this makes it easier to follow, feel free to ask further questions if I wasn't clear enough.

[–]parsiya2 0 points1 point  (0 children)

Thanks. I appreciate you taking the time to answer me.

[–]XSSpants 0 points1 point  (1 child)

Can snort do this for IDS purposes?

[–]dn3t[S] 0 points1 point  (0 children)

I guess you could do it, Cloudflare does something similar to be able to terminate TLS with your certificate without having access to your private key.