1. Certificate installation and capturing Android traffic
- First export the Burp Suite certificate in DER format, then use openssl to convert it to PEM format and print its subject hash, and rename the PEM file to the .0 format (the hash followed by .0).
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F78d5c5b8-0f3f-4dea-9296-4fa141fa594b%2FUntitled.png?table=block&id=1ae1f937-2f9c-4717-b6e3-87aa11e3abc2&t=1ae1f937-2f9c-4717-b6e3-87aa11e3abc2&width=641&cache=v2)
- Then move the certificate onto the phone.
- To install it as a user credential, copy the PEM certificate to the phone's storage and install it with the certificate installer, or move the .0 file directly into /data/misc/user/0/cacerts-added and give it 644 permissions (-rw-r--r--).
- To install it as a system credential, move the .0 file into the /system/etc/security/cacerts directory and give it 644 permissions (-rw-r--r--).
Reboot the device for the change to take effect.
Since Android 7.0 the system no longer trusts user-installed certificates, which can make SSL/TLS traffic impossible to capture or even leave the device without network access, so the HttpCanary root certificate must be added to the system CA directory; this requires a rooted device. Some phones do not allow the system partition to be modified; in that case a Magisk module can install the system certificate without touching the system partition. See: How to install an HTTPS CA certificate on Android with Magisk | Chara's Blog
Place the certificate under /system/etc/security/cacerts/ inside fiddler_ca_cert_magisk.zip; you can drag it in directly with 7-Zip, and no file permissions need to be set.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F5f39e39b-c37e-4da4-99fd-6656aa73c030%2FUntitled.png?table=block&id=1b11f351-0513-428e-af81-5f49335a6be4&t=1b11f351-0513-428e-af81-5f49335a6be4&width=192&cache=v2)
- Next configure the phone's proxy server: set the proxy IP to the IP of the Windows capture machine (on the same LAN) and the port to 8080.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F9e680c4d-ebc0-435e-ae40-e2aa885af27c%2FUntitled.png?table=block&id=675e9672-ceba-43e5-83c3-edffb22832c3&t=675e9672-ceba-43e5-83c3-edffb22832c3&width=288&cache=v2)
- In Burp Suite, open Proxy Listeners and add a listener on 192.168.0.106:8080; capture then works normally.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F1bc6f808-a29c-4861-a02b-4f51a0415ae3%2FUntitled.png?table=block&id=c537e004-5735-4f97-a207-22662ccf8d96&t=c537e004-5735-4f97-a207-22662ccf8d96&width=528&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fd149457d-6af1-4ca9-aeea-d5db2605c517%2FUntitled.png?table=block&id=622f1d59-5de5-4ab9-9db9-0077851d0845&t=622f1d59-5de5-4ab9-9db9-0077851d0845&width=672&cache=v2)
2. Installing and using Charles
- Register Charles using the Charles crack tool.
- The procedure is the same as for Burp Suite: save the Charles certificate, use openssl to obtain its hash, rename it to the .0 format, install it into the system directory and reboot the device for it to take effect.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F24767b7e-ea14-4168-8a5a-f560297f68a5%2FUntitled.png?table=block&id=a3657866-cf23-4536-8268-42960e040f25&t=a3657866-cf23-4536-8268-42960e040f25&width=1078&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ff07e5a75-d422-476b-8110-df1b43d0c77f%2FUntitled.png?table=block&id=a0b17b55-9528-48b7-8c8a-84b257e37730&t=a0b17b55-9528-48b7-8c8a-84b257e37730&width=240&cache=v2)
- Configure the Charles proxy listeners (Proxy → SSL Proxying Settings and Proxy → Proxy Settings) and the phone's proxy.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F63c36c43-6f88-4637-9d9a-bea5f531a994%2FUntitled.png?table=block&id=cb3baaf0-11ca-4cba-9cfb-1d091be69f6b&t=cb3baaf0-11ca-4cba-9cfb-1d091be69f6b&width=624&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F0a03d4ce-1d1a-4481-8054-704e8e540c26%2FUntitled.png?table=block&id=d34c859d-8a48-4026-87f6-5241726b8641&t=d34c859d-8a48-4026-87f6-5241726b8641&width=480&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F0d8fb4b0-ceef-495e-8e98-66ebe438d2d0%2FUntitled.png?table=block&id=9590589d-9051-4228-b542-17a7c454d73c&t=9590589d-9051-4228-b542-17a7c454d73c&width=336&cache=v2)
- When the first packet arrives, choose Allow.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F035e2d5f-f456-4db0-820b-f14094aa6393%2FUntitled.png?table=block&id=3597e1a4-8401-44c9-99ab-1ff943feb2df&t=3597e1a4-8401-44c9-99ab-1ff943feb2df&width=576&cache=v2)
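The openssl steps in sections 1 and 2 (DER to PEM, subject hash, rename to .0) can be reproduced without openssl. The following Python is an added example, not the author's code: it derives the .0 filename from a DER certificate exactly as `openssl x509 -subject_hash_old` does (MD5 over the DER-encoded subject Name, first four bytes little-endian) and wraps the DER as PEM. The certificate builder is a constructed stand-in for the exported Burp or Charles certificate, and all function names are my own.

```python
import base64
import hashlib
import textwrap

def _tlv(buf: bytes, pos: int):
    """Decode one DER element at pos; return (tag, value_start, end_of_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_hash_old(cert_der: bytes) -> str:
    """Filename stem Android expects in cacerts (OpenSSL -subject_hash_old):
    first 4 bytes of MD5 over the DER-encoded subject Name, read little-endian."""
    _, p, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, p, _ = _tlv(cert_der, p)             # TBSCertificate ::= SEQUENCE { [0] version, ... }
    tag, _, end = _tlv(cert_der, p)
    if tag == 0xA0:                         # [0] EXPLICIT version is absent in v1 certs
        p = end
    for _ in range(4):                      # skip serialNumber, signature, issuer, validity
        _, _, p = _tlv(cert_der, p)
    _, _, end = _tlv(cert_der, p)           # subject Name: hash its complete TLV bytes
    md5 = hashlib.md5(cert_der[p:end]).digest()
    return "%08x" % int.from_bytes(md5[:4], "little")

def android_cacert(cert_der: bytes):
    """Return (filename, PEM text) to place in /system/etc/security/cacerts with mode 644."""
    body = "\n".join(textwrap.wrap(base64.b64encode(cert_der).decode(), 64))
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
    return subject_hash_old(cert_der) + ".0", pem

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER element with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_cert_der(subject_cn: str, issuer_cn: str, v3: bool = True) -> bytes:
    """Constructed, unsigned certificate skeleton for offline testing; not a real CA cert."""
    def name(cn):                           # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3, UTF8String }
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = (der(0xA0, der(0x02, b"\x02")) if v3 else b"") + der(0x02, b"\x01") + der(0x30, b"")
    tbs += name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b"")
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

Feed `android_cacert` the bytes of a real exported DER certificate and the returned filename should match what `openssl x509 -inform DER -subject_hash_old -noout` prints for the same file.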
3. Capturing via a VPN
There are many ways to capture a mobile app's traffic in practice; the classic tools are Fiddler and Burp Suite, but both hit the same problem: if an app is deliberately configured not to use the system proxy in order to prevent man-in-the-middle capture, then Fiddler or Burp Suite alone cannot capture its traffic.
- The simplest approach is to use HttpCanary to capture directly on the phone.
- Alternatively, use the Postern + Charles combination. Charles does not see the app directly; it sees Postern, which is a VPN, so the app's "bypass proxy" setting has no effect. The VPN forwards all traffic to Charles's SOCKS proxy, and Charles's External Proxy Server option then forwards it on to Burp Suite, which performs the man-in-the-middle capture.
Here VProxid is used instead of Postern as the VPN proxy.
- First export the Charles root certificate, setting the password to 123456, in p12 format.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ffe5e1bd2-7b3f-4f5d-8469-d62bbe9a45ce%2FUntitled.png?table=block&id=b4bc8c41-49f0-41b5-a71b-7cb2e3570c2b&t=b4bc8c41-49f0-41b5-a71b-7cb2e3570c2b&width=1149&cache=v2)
- Import the Charles certificate you just exported into Burp Suite.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2F505f6bc1-496b-4540-8f97-f5d67c2e0c2d%2FUntitled.png?table=block&id=cfc4da76-1710-4a88-b1a8-d3ca6b3434ab&t=cfc4da76-1710-4a88-b1a8-d3ca6b3434ab&width=1132&cache=v2)
- In Charles, change the proxy settings and disable every HTTP Proxy option.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fbf6bfe71-81e4-4e4a-b6d0-9a620e6f9968%2FUntitled.png?table=block&id=3d9975b9-be30-44ae-84bf-415786064e8a&t=3d9975b9-be30-44ae-84bf-415786064e8a&width=659&cache=v2)
- Then configure the downstream proxy. The two options below are the HTTP proxy and the HTTPS proxy; both must be filled with the Web Proxy Server address, that is, the address of the downstream Burp proxy.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Ffd2cb7e9-b6ae-44cc-a9e0-9e1000e20a7d%2FUntitled.png?table=block&id=4b5dedae-ecbe-4aad-a5fc-b0371d185be1&t=4b5dedae-ecbe-4aad-a5fc-b0371d185be1&width=592&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb03105d3-a22e-45e6-a30c-e1fb3b7a7c1e%2FUntitled.png?table=block&id=67044c5f-7451-4bd3-a026-31f99cc13e70&t=67044c5f-7451-4bd3-a026-31f99cc13e70&width=629&cache=v2)
- In the VPN proxy app, add a configuration: the server IP is the LAN IP of the Windows capture machine and the port is the one set in Charles's SOCKS settings; then select the apps whose traffic you want to capture.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fed85089a-ee99-4805-a149-904bdf2bb366%2FUntitled.png?table=block&id=36ac354c-a553-40c1-90d4-458bd1b8893a&t=36ac354c-a553-40c1-90d4-458bd1b8893a&width=418&cache=v2)
- Capture can then begin.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Fb6b3554e-32bf-4d09-a385-972bfaaf7335%2FUntitled.png?table=block&id=a2acc5f3-470e-4bd0-95d4-af8bf591f9fe&t=a2acc5f3-470e-4bd0-95d4-af8bf591f9fe&width=1069&cache=v2)
- If you do not want to capture via the VPN, simply restore Charles's original settings.
![notion image](https://www.notion.so/image/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Feff53e85-effb-4e1a-a25c-05216c244729%2FUntitled.png?table=block&id=8d22dc76-4a5f-40e2-ba2d-2e9d82b9a5e9&t=8d22dc76-4a5f-40e2-ba2d-2e9d82b9a5e9&width=1658&cache=v2)
If a small padlock appears on a flow, right-click it and choose Enable SSL Proxying.
4. Capturing the desktop WeChat mini-program on Windows
- Add the Burp proxy server in Proxifier; the protocol type must be HTTPS.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2F2646abaf-2545-4828-8d62-6ac0f8017d49%2FUntitled.png?table=block&id=51789476-2c0c-4f9f-aac8-c97f90e3dcad&t=51789476-2c0c-4f9f-aac8-c97f90e3dcad&width=816&cache=v2)
- Look up the WeChat process name.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2Fb92f468b-acb3-49c7-a2db-113efa042ad8%2FUntitled.png?table=block&id=7d01b0b5-c7b8-48b9-a946-c52dd9138965&t=7d01b0b5-c7b8-48b9-a946-c52dd9138965&width=776&cache=v2)
- Add a proxy rule (the * wildcard is allowed) and select the Burp proxy server configured earlier.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2Fe66996c9-80eb-4c4d-a708-dc0de5e2735b%2FUntitled.png?table=block&id=bd18f5ae-0100-4e2d-9bdf-b927efd516cb&t=bd18f5ae-0100-4e2d-9bdf-b927efd516cb&width=596&cache=v2)
- After opening an Official Account article, the proxied traffic appears in Proxifier.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2F5432aae4-d316-479b-8f91-3af090f24216%2FUntitled.png?table=block&id=41f20808-2c20-45ff-a43b-c860b214f452&t=41f20808-2c20-45ff-a43b-c860b214f452&width=1011&cache=v2)
- Burp captures the traffic successfully.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2Ff06d8d40-cbd8-44e4-8eaa-5129674f4038%2FUntitled.png?table=block&id=cb465d21-06dd-48a0-8345-607490455ec8&t=cb465d21-06dd-48a0-8345-607490455ec8&width=969&cache=v2)
5. Forwarding traffic with iptables for capture
Put the Android device and Burp Suite on the same network, then use root privileges to forward requests to port 80 and 443 on any host to Burp Suite.
Run iptables -t nat -L to list the rules; the listing shows outbound traffic being forwarded to the specified IP and port.
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2Fdc199f08-e38b-49b5-a724-a0381e0af1c6%2FUntitled.png?table=block&id=89f7ece7-2d2f-483f-872d-070b4eb77787&t=89f7ece7-2d2f-483f-872d-070b4eb77787&width=1705&cache=v2)
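As an added check that is not part of the original article, the following Python parses the iptables -t nat -L -n listing just described and reports every DNAT/REDIRECT rule that diverts port 80 or 443, so you can confirm the redirect is in place before capturing and that it is gone once the rules are cleared. The sample listing is constructed (its 192.168.0.106:8080 target reuses the Burp listener from section 1), and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -L -n` output on the test device.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.0.106:8080
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.0.106:8080
REDIRECT   udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 redir ports 5353
"""

# Columns of a -L -n line: target prot opt source destination [match/target options]
RULE_RE = re.compile(r"^(DNAT|REDIRECT)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(.*)$")
CHAIN_RE = re.compile(r"^Chain (\S+)")
DPT_RE = re.compile(r"dpt:(\d+)")
TO_RE = re.compile(r"to:(\S+)|redir ports (\S+)")

@dataclass
class Diversion:
    chain: str
    proto: str
    dport: int
    target: str   # DNAT or REDIRECT
    to: str       # "ip:port" for DNAT, port(s) for REDIRECT

def find_diversions(nat_listing: str, ports=(80, 443)):
    """Return every DNAT/REDIRECT rule in a nat-table listing that diverts one of
    the given destination ports; an empty list means no interception rule is active."""
    found, chain = [], None
    for line in nat_listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m or chain is None:
            continue
        target, proto, extra = m.groups()
        dpt = DPT_RE.search(extra)
        if not dpt or int(dpt.group(1)) not in ports:
            continue
        to = TO_RE.search(extra)
        to_str = (to.group(1) or to.group(2)) if to else ""
        found.append(Diversion(chain, proto, int(dpt.group(1)), target, to_str))
    return found
```

On the device, pipe the real output in with something like `adb shell su -c "iptables -t nat -L -n"` and pass it to `find_diversions`.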
In Burp Suite, enable invisible proxying: Proxy -> Options -> Edit -> Request handling -> Support invisible proxying (enable only if needed).
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2F98459b09-d3f4-4a5f-b1da-034dd392df6a%2FUntitled.png?table=block&id=e1f35849-4c9c-41a4-ba8e-6ce546e2d0d0&t=e1f35849-4c9c-41a4-ba8e-6ce546e2d0d0&width=2068&cache=v2)
If you want to clear the rules
6. Man-in-the-middle capture with the LAMDA proxy
![notion image](https://www.notion.so/image/https%3A%2F%2Fprod-files-secure.s3.us-west-2.amazonaws.com%2F3d9d581b-1cbe-449e-9723-f2162662aa76%2F781f6af1-fd89-4a02-90d9-d749c5906be6%2FUntitled.png?table=block&id=6771aa2a-8495-4c4e-9fb4-82a57346ebad&t=6771aa2a-8495-4c4e-9fb4-82a57346ebad&width=3840&cache=v2)
Start the man-in-the-middle. This fully automatically enables a global MITM on the device, letting you intercept apps' HTTP/S traffic and, if desired, DNS requests as well (globally). It applies and reverts the MITM automatically: once the script exits, the device and its network are restored to their original state. Only the Magisk-LAMDA module needs to be installed. If you need to MITM international apps, switch to globalmitm.
Just run the following command.
Reference
- Author: LLeaves
- Link: https://lleavesg.top//article/Android%E6%8A%93%E5%8C%85
- Notice: this article is published under the CC BY-NC-SA 4.0 license; please credit the source when reposting.