Packet capture is arguably one of the most basic skills every developer should have. Recently, because of work requirements, I had to deal with some packet capture tasks and also ran into some strange problems, so I am writing a simple record in the hope that it helps you.

Common packet capture tools on mobile

If you want to do a good job, you must first sharpen your tools; how can you capture packets without a good tool? For ordinary packet capture, we have the following tools.

Fiddler

Works very well on Windows. It provides a whole range of capture methods and post-processing: scripts, highlighting, and so on, which is why many people like it.

Note: support on the Mac is poor. The new version lacks the core scripting functionality, which makes the experience poor.

Charles

Works nicely on Mac or Windows. Timed saving is supported, but scripts are not. (That is why it is not as popular as Fiddler, even though it is great on a Mac.)

AnyProxy

Alibaba's packet capture tool. It runs in a web page, is simple to use, and supports JS scripts. Consider it for batch packet capture.

Conclusion

The following experiences are personal.

For Windows users who just want to capture packets and practice, Fiddler is a bad choice. For Mac users, Charles is a good choice.

AnyProxy and Fiddler can be useful if you want to analyze the data and write it to a database. Mac users can use AnyProxy and Fiddler. Don't ask why.

There are plenty of tutorials out there, so I won't go into setup here.

Friendly reminder: remember to install the certificate, and remember that this works on Android 7.0 or below (above that, use the Xposed (xp) framework or other methods).




How common packet capture tools work

That was a bit of a digression; back on track: how does packet capture software actually work?

Man-in-the-middle attack

What is a man-in-the-middle attack?

A picture is worth a thousand words (see the diagram).

In short, Xiao Hong and Xiao Green want to communicate with each other, but the middleman Xiao Black eavesdrops on the exchange and forwards each side's messages to the other.

Isn't there HTTPS?

Many people think HTTPS settles the matter: "I have a certificate and I verify it." But ordinary HTTPS is still effectively naked: tools like the ones above, working through a proxy and a forged root certificate, can still capture HTTPS traffic. See the analysis below for how this works.

How it works

Let's take Charles as an example. Charles acts as a man-in-the-middle proxy. When the client communicates with the server, Charles receives the certificate from the server, dynamically generates a certificate of its own and sends that to the client. Charles then sits as an intermediary between the client and the server, so all of the communication data can be intercepted by Charles.

The diagram below shows the process:

The specific steps are as follows:

  1. The client sends an HTTPS request to the server.
  2. Charles intercepts the client's request and, posing as the client, makes its own request to the server.
  3. The server returns its CA certificate to the client (in fact it is intercepted by Charles).
  4. Charles intercepts the server's response, takes the public key from the server certificate, then makes a certificate of its own to replace the server certificate and sends that to the client.
  5. The client receives the "server" certificate (actually Charles's certificate), generates a symmetric session key, encrypts it with the public key of the certificate Charles sent back, and sends it to the server (actually to Charles).
  6. Charles intercepts the client's response, decrypts the symmetric key with its own private key (which it of course holds), re-encrypts it with the public key of the real server certificate, and sends it to the server.
  7. The server decrypts the symmetric key with its own private key and sends a response to the client (actually to Charles).
  8. Charles intercepts the server's response, replaces it with one under its own certificate, and sends it to the client.
  9. At this point the connection is established: Charles holds the public key of the server certificate and the symmetric key negotiated between client and server, so it can decrypt or modify the encrypted messages at will.

This is why we need to install the certificate to capture HTTPS: we have to make the client believe the certificate is valid, i.e. our certificate must itself be a trusted root certificate. After Android 7.0, however, certificates installed manually by the user are no longer trusted, so we usually resort to the Xposed framework or other methods.




How to prevent man-in-the-middle attacks?

Check whether a proxy is set

When a network request is about to be made, check whether the client currently has a proxy configured. If a proxy is configured, refuse to make the request.

Verify the certificate locally on the client

Perform certificate verification locally on the client, and enable not just public-key verification but the full, strict verification mode. In that mode the check covers not only the domain name but also the public key and the other fields of the certificate, so a certificate forged by the middleman fails verification and the traffic cannot be captured.
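As an added example (not code from the original post), here is a stdlib-only Python check for the "verify the public key" defence just described: it extracts the SubjectPublicKeyInfo from a DER certificate, hashes it into the `sha256/<base64>` pin format that OkHttp's CertificatePinner uses, and compares it against the pinned value, so the certificate Charles generates in step 4 above (same subject, different key) is rejected. The sample certificates are constructed skeletons built by `sample_cert`, and all function names are my own.

```python
import base64
import hashlib

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, tbs_start, _ = _tlv(cert_der, 0)              # outer Certificate SEQUENCE
    tag, pos, _ = _tlv(cert_der, tbs_start)          # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, _, after = _tlv(cert_der, pos)
    if tag == 0xA0: pos = after                      # skip optional [0] EXPLICIT version
    for _ in range(5):                               # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("unexpected tag where SPKI should be")
    return cert_der[pos:end]

def spki_pin(cert_der):
    """SHA-256 of the SPKI as "sha256/<base64>", the form OkHttp's CertificatePinner uses."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_matches(cert_der, expected_pins):
    """True only when the presented certificate carries one of the pinned public keys."""
    return spki_pin(cert_der) in set(expected_pins)

def _der(tag, content):
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def sample_cert(pubkey_bytes):
    """Constructed, unsigned certificate skeleton (sample data, not a real certificate)."""
    rsa_oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # 1.2.840.113549.1.1.1
    spki = _der(0x30, _der(0x30, rsa_oid) + _der(0x03, b"\x00" + pubkey_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + spki)            # sigAlg, issuer, validity, subject left empty
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00")), spki
```

For a live check, feed `pin_matches` the DER bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`; behind a capturing proxy that call returns the proxy's dynamically generated certificate rather than the server's, which is exactly what the pin comparison catches.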

Encrypt the HTTPS request and response data

If the data is encrypted once more on top of the encryption provided by the certificate, it remains gibberish to the other party even after the certificate has been replaced.

Finally, all of the above is my honest understanding and actual experience. Packet capture carries risk; we can practice it, but don't go into the black or gray industry, okay?






I'm Petterp, and if you find my post helpful, please like it 👏, and if you have any thoughts or questions, feel free to discuss them in the comments section. 👨‍💻