Intercepting Non-Proxy Aware Mobile Applications
Preface
When encountering escaped network traffic, the root cause often lies in the architecture of the mobile app you're dealing with. It might also extend beyond the application itself, possibly influenced by the underlying framework used for development, leading to complex traffic patterns and, consequently, troubleshooting challenges. This type of challenge usually occurs due to Xamarin or Flutter-based applications.
For instance, in our experience with mobile app penetration testing, we've observed that apps built with the Xamarin framework sometimes disregard Wi-Fi proxy settings. Additionally, intricate apps with intensive network operations tend to manage their traffic autonomously, either through their custom logic or by utilizing lower-level libraries, bypassing proxy configurations.
Given this knowledge, you might be tempted to reverse-engineer the application to gain a deeper understanding of its behavior. However, you don't necessarily need to resort to such extensive measures. There's a lesser-known yet remarkably effective method to direct requests and responses to your HTTP proxy tab.
In a nutshell, if you're testing a mobile device and need to capture all its traffic, consider using a VPN.
While conventional practice involves adjusting Wi-Fi settings for proxy configurations, VPNs offer a more robust solution. VPNs are inherently designed to route all network traffic through them. Think of it this way: if an app were to bypass the VPN connection, it could raise privacy and security concerns, warranting a thorough investigation.
Assuming your VPN functions correctly, creating a VPN server between your mobile device and the host running Burp becomes a reliable way to gain control over the network traffic.
As a disclaimer, it's essential to note that even with this approach, you might still encounter challenges related to certificate pinning. In such cases, you may need to employ tools like Frida for further investigation. However, as a fundamental solution, configuring a VPN server to forward traffic to Burp ensures visibility into all traffic, whether it passes through Burp or results in TLS errors.
Setting up OpenVPN
Firstly we setup an OpenVPN instance and we need to ensure that the traffic is redirected to our internal IP (Kali VM in my case). To setup OpeVPN on Kali, it is easy to implement the OpenVPN setup script as follows:
https://github.com/smhuda/openvpn-install/blob/master/openvpn-install.sh
The script detects our Kali as a Debian OS, but fails to determine the version and will therefore exit. That’s why I added a step to delete the exit
statement in the Debian version check. I used a bit of bash hacking, but if it doesn’t work anymore, just remove the line manually.
sudo wget https://git.io/vpn -O openvpn-install.sh sudo sed -i "$(($(grep -ni "debian is too old" openvpn-install.sh | cut -d : -f 1)+1))d" ./openvpn-install.sh sudo chmod +x openvpn-install.sh sudo ./openvpn-install.sh
Now when we run the script, we can enter the following options:
Which IPv4 address should be used?
Kali VM Internal IP
Public IPv4 address/hostname:
Kali VM Internal IP
Protocol
1 (UDP)
Port
1194
DNS Server
1 (Default)
Name [client]:
mobile-pentest (any name you prefer)
The script will set everything up and create an OpenVPN configuration located in the /root/
home directory. If you run sudo ifconfig
now, you can see that a tun0
interface has been added.
Finally, start the OpenVPN service:
sudo service openvpn start
Install the OpenVPN client on your iPhone and start a python HTTP server to host the OpenVPN configuration:
sudo mv /root/mobile-pentest.ovpn /home/kali cd /home/kali sudo python3 -m http.server 9000
Navigate to http://KALi-IP:9000 on from your mobile device and download the OVPN config, then open it using OpenVPN connect client you have on your device to add this configuration to it.
Setting up IP Tables for Routes
We need to intercept the traffic when it leaves either the WIFI interface or the OpenVPN interface and before it goes to the eth0 interface. We can do this by using iptables. Modify 192.168.10.0
with the actual IP address where your traffic enters the network.
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080 && sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080 && sudo iptables -t nat -A POSTROUTING -s 192.168.5.59/24 -o eth0 -j MASQUERADE && sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080 && sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080 && sudo iptables -t nat -A POSTROUTING -s 192.168.5.59/24 -o eth0 -j MASQUERADE
Now we can restart the OpenVPN server for the IP tables changes to take affect:
sudo service openvpn restart OR sudo systemctl restart openvpn
Saving IP Table Rules
Rebooting the machine might wipe the IP tables configurations, so either use IP tables save or persistent commands if you want to save these permanently for reboot of VM.
## Debian-based distributions: sudo /sbin/iptables-save > /etc/iptables/rules.v4 ## Centos-based distributions: sudo /sbin/iptables-save > /etc/sysconfig/iptables
Setting Up Burp Listener
Start up Burp, enable a listener on port 8080 on either 10.x (tun0 IP) or 192.168.5.59 (eth0 IP) or set it to ‘all interfaces’ and enable ‘Invisible proxy’ mode:
References:
https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/
https://nirajkharel.com.np/posts/ios-pentesting-ssl-pinning-on-flutter/
https://www.schellman.com/blog/cybersecurity/how-to-catch-mobile-traffic-escaping-burp-suite
https://github.com/GoSecure/frida-xamarin-unpin/tree/master