Because we needed to analyze how a rival App updates some of its information, we used packet capture tools. Here we briefly look at three packet capture tools, mainly Fiddler. If anything is wrong, please kindly point it out.


Knowledge supplement

HttpsCertDemo (win10 + openSSL): a simple front-end / back-end HTTPS communication demo. If you already know the above, then we happily continue reading.


WireShark

WireShark is a popular and powerful network data analysis tool that displays network packets in detail. WireShark becomes much easier to follow once you understand network protocols. Its name is quite aggressive; it could be translated as “communication shark”. Go to the official website and you can see their slogan, Go Deep:

It lets you see what’s happening on your network at a microscopic level.

Here WireShark is used as an analysis tool for the HTTPS handshake process. This tool works at a lower level than Fiddler and Charles, and it displays every “communication” between server and client, including the detailed handshake process, repeated, missing and out-of-order TCP packets, reconnection requests, etc.

The list here is too detailed; all we need are the requests such as POST and GET, each with its exact timing (this can be compared with Fiddler later).

PS: Of course you can use it if you want, but to view the content of HTTPS traffic you need to obtain the symmetric session key and configure WireShark to read it. This method only works for browsers. You can refer to this article for mobile packet capture, but it only explains how to capture packets, not how to decrypt HTTPS. Of course, you could find a way to get the key from the mobile phone, but I did not go into the details here.


Fiddler

Web debugging proxy tool to log all HTTP(S) traffic between your computer and the Internet. Inspect traffic, set breakpoints, and fiddle with request/response.

Fiddler is a debugging proxy that logs HTTP/HTTPS requests from all clients and servers, allowing you to monitor them, set breakpoints, and even modify input/output data.

If your development involves only the HTTP/HTTPS application-layer protocol, Fiddler is sufficient. See ConfigureForAndroid, Configure Fiddler to Decrypt HTTPS Traffic, etc.

The principle of analysis

Before Fiddler is introduced, the server communicates happily with the client, and no one knows what they are saying because of the encryption protection of HTTPS.

At this point we pull a trick:

  • The mobile phone (with the client to be captured installed) and my computer (with Fiddler installed) connect to the same LAN
  • The mobile phone is configured with a proxy: the IP is the computer’s IP, and the port is Fiddler’s listening port


However, while HTTP packets can now be intercepted, for HTTPS requests the client always reports an error such as “network error” (because the captured App is a release build, no specific error message is shown, but it is the certificate verification that fails). At this point we need to add Fiddler’s self-made certificate to the certificate trust list of the mobile phone (use the mobile browser to visit the PC IP + Fiddler port to download the certificate; see the link above for details). After adding it, most of the “little secrets” between client and server can be seen at a glance. Why only most, and who is the small part? Let’s look at the principle first.

Let’s take a look at what Fiddler does now, using a man-in-the-middle attack (MITM):

  1. The client requests an HTTPS link and sends the list of encryption protocols and versions it supports to the server.
  2. Fiddler masquerades as the client and requests the server.
  3. After the server receives Fiddler’s request, it selects an appropriate encryption protocol from the list and returns its CA-issued certificate containing the public key.
  4. Fiddler dynamically generates a certificate for the server’s domain name (issued with the certificate that was installed into the client) and sends it to the client. The client verifies this certificate, finds the Fiddler certificate installed earlier, and so the verification passes (there may be cases where it cannot be verified).
  5. When the client uploads the symmetric key, Fiddler uses the root certificate’s private key to decrypt it and obtain the symmetric key.
  6. All subsequent network traffic is decrypted with this symmetric key.

Note here:

  • We install the Fiddler certificate on the phone; let’s call it certificate A. When Fiddler obtains the certificate issued by the server, it issues a new certificate using the server domain name + certificate A, which we call certificate B. Certificate B is sent to the client, making the client think it came from the server.
  • When the client verifies that certificate, it finds certificate A and the verification succeeds. Fiddler can then use the private key of certificate A to decrypt the encrypted information and obtain the symmetric key.

When packet capture fails

  1. The network framework of the captured App is set not to use a proxy address.
  2. Some Android systems only trust system certificates, or the App is configured to trust only system certificates; since the App content cannot be modified, this may require a rooted device, see the reference.
  3. Apps that set up certificate pinning, see JustTrustMe. Its cracking principle is roughly: hook the creation of SSLContext and other TrustManager-related methods to remove the pinned certificate. The pin verification happens in NetworkSecurityTrustManager#checkPins (please point out any mistakes).
  4. The App specifies the trusted certificate; with OkHttp this is done by setting a specific TrustManager:
    // Requires: java.security.SecureRandom, java.util.Arrays, javax.net.ssl.*
    // TrustManager built from the App's own KeyStore (getKeyStore() loads the pinned certificate)
    TrustManagerFactory trustManagerFactory =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(getKeyStore());

    TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
    if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
        throw new IllegalStateException("Unexpected default trust managers:"
                + Arrays.toString(trustManagers));
    }

    // SSLContext that trusts only what is in that KeyStore, not the system or user store
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, trustManagers, new SecureRandom());

    // OkHttp builder: hand both the socket factory and the trust manager to OkHttp
    builder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustManagers[0]);

When Fiddler’s certificate is not in that trust store, the handshake fails on the client with:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

If you have configured OkHttp to trust all certificates, be aware that your information will be visible to anyone in this position.

Finally, for how to configure trusted certificates and certificate pinning, check the Android official documentation on Network Security Configuration.
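To make the certificate A / certificate B principle above and the pinning failure case concrete, here is an added shell example (not from the original post) that rebuilds the chain with openssl: a client that installed A accepts B, a client with only its own trust store rejects B, and a pinned public key rejects B even when A is trusted. The domain, file names and the q/verify_chain/spki_pin/check_pin helpers are all constructed for this demo, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild Fiddler's certificate trick with openssl.
# "A" stands in for the Fiddler root certificate installed on the phone, "B" for the
# certificate Fiddler issues on the fly for the server's domain, and "real" for the genuine
# server certificate. Every key, name and domain here is constructed for the demo.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
DOMAIN="api.example.test"   # placeholder domain
q() { "$@" >/dev/null 2>&1; }   # run openssl quietly

# Root "A": the self-signed CA the phone is asked to trust.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/A.key" -out "$WORK/A.pem" \
    -subj "/CN=DO_NOT_TRUST_FiddlerRoot" -days 1
# Leaf "B": issued for the server domain and signed by A; this is what the client receives.
q openssl req -newkey rsa:2048 -nodes -keyout "$WORK/B.key" -out "$WORK/B.csr" -subj "/CN=$DOMAIN"
q openssl x509 -req -in "$WORK/B.csr" -CA "$WORK/A.pem" -CAkey "$WORK/A.key" -CAcreateserial \
    -out "$WORK/B.pem" -days 1
# "real": the genuine server certificate, self-signed here for brevity.
q openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/real.key" -out "$WORK/real.pem" \
    -subj "/CN=$DOMAIN" -days 1

# Chain check the way a client does it: $1 = presented cert, $2 = the client's trust store.
# Prints "ok" or "fail" instead of exiting, so the calls below can be compared.
verify_chain() {
    if q openssl verify -CAfile "$2" "$1"; then echo ok; else echo fail; fi
}

# SPKI pin as OkHttp's CertificatePinner and Network Security Config compute it:
# base64(sha256(DER-encoded SubjectPublicKeyInfo)).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary | base64
}

# Pin check: $1 = presented cert, $2 = the cert whose public key the App pinned.
check_pin() {
    if [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]; then echo ok; else echo fail; fi
}

# Phone that installed A: B chains to A, so the chain check passes and Fiddler sees plaintext.
echo "installed A, got B:       $(verify_chain "$WORK/B.pem" "$WORK/A.pem")"
# Trust store without A: B has an unknown issuer -> "Trust anchor ... not found".
echo "no A, got B:              $(verify_chain "$WORK/B.pem" "$WORK/real.pem")"
# Pinned App: A may be trusted, but B's public key is not the pinned one -> capture fails.
echo "pinned real, got B:       $(check_pin "$WORK/B.pem" "$WORK/real.pem")"
echo "pinned real, got real:    $(check_pin "$WORK/real.pem" "$WORK/real.pem")"
```

The second and third checks are the two failure modes listed above (system-only trust and certificate pinning), which is why installing certificate A alone is not enough for those Apps.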


Charles

You can check it out for yourself. PS: It is paid software, but there are a lot of crack sites on the Internet…