
Setting#3 Xamarin pinning bypass

by asdf12345 2023. 10. 8.

Do you want to capture packets from a Xamarin Android app?

In mobile application security you need to be able to intercept and analyze an app's traffic, and that is harder with frameworks such as Xamarin (like Flutter) whose networking may not honour the Android system proxy setting and whose TLS certificate checks happen in native code rather than in the Android framework, so the usual Wi-Fi proxy plus Java-layer pinning hooks get you nothing. If you've hit that wall with Burp Suite, this guide is for you. It is a straightforward three-step process: redirect the traffic with iptables, let Burp accept it as an invisible proxy, and patch the certificate check inside libmono-btls-shared.so with Frida.

 

Step 1: Set Up iptables Rule Through adb shell

First, set the right iptables rules. Run these in an adb shell, as root:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 172.x.y.z:8080
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 172.x.y.z:8080

These rules take TCP traffic generated on the device that is destined for port 80 or 443 and rewrite its destination to the proxy at 172.x.y.z:8080 (substitute the address of the machine running Burp; the device must be able to reach it, which usually means the same Wi-Fi network). Root is required, because the rules go into the OUTPUT chain of the nat table. Note that DNAT throws away the original destination, so the proxy has to recover the intended host from the HTTP Host header or the TLS SNI; that is exactly what Step 2's invisible proxying does. Listing the nat OUTPUT chain afterwards confirms that both rules are installed.

  • Using ProxyDroid: this tool simplifies things. Installing the ProxyDroid app from the app store puts an iptables binary on the device that you can run, a hassle-free way to get the required binary. If you do mobile security work you will need it again later, so installing it is recommended.

 

Step 2: Configure Burp Suite Options

Configure the Burp listener to bind to TCP port 8080 on all interfaces and to support invisible proxying, so that Burp accepts the redirected connections (which carry no proxy-style request line and no CONNECT) as if it were the real server.

  1. Proxy > Options (Proxy settings in recent versions) > Proxy Listeners > select the 8080 listener > Edit > Binding tab > Bind to address: "All interfaces" > click the "OK" button
  2. Same listener > Edit > "Request handling" tab > tick "Support invisible proxying (enable only if needed)" > click the "OK" button

With invisible proxying, Burp works out the real destination from the Host header (HTTP) or the SNI (TLS) and presents a certificate for that host signed by its own CA. The app's native TLS stack will not accept that certificate, so at this point the HTTPS handshakes fail; that is what Step 3 fixes.

 

Step 3: Execute the Provided Frida Code

Run the code below. If it doesn't work, leave a comment and I'll send you the revised code when I have time. :D

adb shell "su -c '/data/local/tmp/frida-server &'"   # start frida-server on the device as root, in the background; its version must match the frida client

frida-ps -U | grep <process name>     # check the process name for Frida
frida -U <process name> -l pin.js     # attach and load the Frida script below; do it right after the app starts, before its first HTTPS request

-

  // Find the Mono BTLS library: Xamarin's native TLS provider is built on BoringSSL and lives here,
  // so the certificate check has to be patched in this library, not in the Android framework.
  var m = Process.findModuleByName("libmono-btls-shared.so");
  if (m === null) {
    throw new Error("libmono-btls-shared.so is not loaded; attach after the app has started");
  }
  // Little-endian bytes of the ssl_verify_cert_chain prologue (see the disassembly below); specific to this build.
  var pattern = "FF C3 04 D1 FC 7B 00 F9 F6 57 10 A9 F4 4F 11 A9 FD 7B 12 A9 FD 83 04 91 56 D0 3B D5 C8 16 40 F9 F4 03 01 AA";
  Memory.protect(m.base, m.size, "rwx");
  Memory.scan(m.base, m.size, pattern, {
    onMatch: function (address, size) {
      console.log("\n[+] 'ssl_verify_cert_chain' at: " + address.toString() + " (" + size.toString() + ")");
      Interceptor.attach(address, {
        onLeave: function (retval) {
          // ssl_verify_cert_chain returns 1 on success, so every chain now "verifies"
          retval.replace(0x1);
          console.log("\n[*] The return value was changed to 0x1");
        }
      });
    },
    onError: function (reason) {
      console.log("[-] scan error: " + reason);
    },
    onComplete: function () {
      console.log("[*] scan complete; no match means the pattern does not fit this build of the library");
    }
  });

-

The pattern is the little-endian bytes of the first nine instructions of the ssl_verify_cert_chain prologue in the author's copy of libmono-btls-shared.so (AArch64), IDA-style listing:

SUB SP, SP, #0x130                // bytes: FF C3 04 D1
STR X28, [SP,#0x120+var_30]       // bytes: FC 7B 00 F9
STP X22, X21, [SP,#0x120+var_20]  // bytes: F6 57 10 A9
STP X20, X19, [SP,#0x120+var_10]  // bytes: F4 4F 11 A9
STP X29, X30, [SP,#0x120+var_s0]  // bytes: FD 7B 12 A9
ADD X29, SP, #0x120               // bytes: FD 83 04 91
MRS X22, #3, c13, c0, #2          // bytes: 56 D0 3B D5 (TPIDR_EL0, the thread pointer)
LDR X8, [X22,#0x28]               // bytes: C8 16 40 F9 (stack-protector canary from Bionic's TLS slot)
MOV X20, X1                       // bytes: F4 03 01 AA

The frame size (#0x130), the save-slot offsets and the register allocation are whatever the compiler chose for that build, so another version of the library may not match. If the scan completes with no match, disassemble your own copy of libmono-btls-shared.so, find ssl_verify_cert_chain and update the pattern.
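As an added example (my code, not from the original post): how the 36-byte pattern above is derived from the instruction words, why an exact pattern breaks on a different build of libmono-btls-shared.so, and a relaxed pattern that wildcards the stack-frame immediates with Frida's "??" syntax. The "other build" prologue (a 0x140-byte frame, every SP-relative immediate shifted by 0x10) is constructed here for illustration and is not taken from any real binary, and the choice of which bytes to wildcard is my assumption about this prologue shape, not something the post states. The pattern logic runs under plain Node.js; the Frida-specific part at the end only executes when the script is loaded with frida -l.

```javascript
// Added example (not from the original post): derive the Memory.scan pattern
// from the prologue's AArch64 instruction words, compare an exact pattern
// with a wildcarded one, and (under Frida only) install the hook.

// Instruction words of the prologue, in the order shown in the disassembly.
const PROLOGUE_WORDS = [
  0xD104C3FF, // SUB  SP, SP, #0x130
  0xF9007BFC, // STR  X28, [SP,#0xF0]
  0xA91057F6, // STP  X22, X21, [SP,#0x100]
  0xA9114FF4, // STP  X20, X19, [SP,#0x110]
  0xA9127BFD, // STP  X29, X30, [SP,#0x120]
  0x910483FD, // ADD  X29, SP, #0x120
  0xD53BD056, // MRS  X22, TPIDR_EL0
  0xF94016C8, // LDR  X8, [X22,#0x28]   (stack-protector canary)
  0xAA0103F4, // MOV  X20, X1
];

// Indices of the SP-relative instructions whose immediates (frame size and
// save-slot offsets, bits 10..21 = little-endian bytes 1 and 2) a different
// build may encode differently. Assumption for this prologue shape only.
const FRAME_DEPENDENT = new Set([0, 1, 2, 3, 4, 5]);

// A 32-bit instruction is stored little-endian, so 0xD104C3FF sits in memory
// as FF C3 04 D1: that is the byte order Memory.scan matches against.
function wordToLeBytes(word) {
  const out = [];
  for (let i = 0; i < 4; i++) {
    out.push(((word >>> (8 * i)) & 0xff).toString(16).toUpperCase().padStart(2, "0"));
  }
  return out;
}

// Build a Frida pattern string; instructions listed in `wildcard` get their
// immediate-carrying bytes replaced with "??".
function buildPattern(words, wildcard = new Set()) {
  return words
    .map((w, idx) => {
      const b = wordToLeBytes(w);
      if (wildcard.has(idx)) { b[1] = "??"; b[2] = "??"; }
      return b.join(" ");
    })
    .join(" ");
}

const EXACT_PATTERN = buildPattern(PROLOGUE_WORDS);          // identical to the post's pattern
const RELAXED_PATTERN = buildPattern(PROLOGUE_WORDS, FRAME_DEPENDENT);

// Minimal re-implementation of Memory.scan's byte matching over a Uint8Array,
// so both patterns can be compared offline. Returns every match offset.
function scanBuffer(buf, pattern) {
  const toks = pattern.trim().split(/\s+/).map((t) => (t === "??" ? null : parseInt(t, 16)));
  const hits = [];
  for (let off = 0; off + toks.length <= buf.length; off++) {
    let ok = true;
    for (let i = 0; i < toks.length && ok; i++) {
      if (toks[i] !== null && buf[off + i] !== toks[i]) ok = false;
    }
    if (ok) hits.push(off);
  }
  return hits;
}

// Constructed sample, not from a real binary: the post's prologue at offset 16
// and, at offset 64, the same prologue recompiled with a 0x140-byte frame.
const OTHER_BUILD_WORDS = [
  0xD10503FF, 0xF90083FC, 0xA91157F6, 0xA9124FF4, 0xA9137BFD, 0x9104C3FD,
  0xD53BD056, 0xF94016C8, 0xAA0103F4,
];
function makeSample() {
  const buf = new Uint8Array(128); // zero filler never matches either pattern
  const put = (words, at) => words.forEach((w, i) =>
    wordToLeBytes(w).forEach((h, j) => { buf[at + 4 * i + j] = parseInt(h, 16); }));
  put(PROLOGUE_WORDS, 16);
  put(OTHER_BUILD_WORDS, 64);
  return buf;
}

// Frida-only part: Process/Memory/Interceptor exist inside frida, not in Node.
function hookVerifyCertChain(pattern) {
  const m = Process.findModuleByName("libmono-btls-shared.so");
  if (m === null) { console.log("[-] libmono-btls-shared.so not loaded yet"); return; }
  Memory.scan(m.base, m.size, pattern, {
    onMatch(address, size) {
      console.log("[+] ssl_verify_cert_chain prologue at " + address + " (" + size + " bytes)");
      // Carried over from the post: a return value of 1 means the chain verified.
      Interceptor.attach(address, { onLeave(retval) { retval.replace(0x1); } });
    },
    onError(reason) { console.log("[-] scan error: " + reason); },
    onComplete() { console.log("[*] scan complete"); },
  });
}
if (typeof Process !== "undefined" && typeof Interceptor !== "undefined") {
  hookVerifyCertChain(RELAXED_PATTERN);
}
```

Against the constructed sample the exact pattern finds only the original prologue, while the relaxed one finds both builds; the opcode byte and the register byte of each instruction still anchor the match, and the TPIDR_EL0/canary/MOV instructions are kept exact, so the wildcards do not make the pattern loose enough to hit unrelated prologues in practice. Keep the exact pattern if it matches; fall back to the relaxed one when a new build of the library stops matching.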

 

After you've completed your assessment and want to revert to the original configuration, flush the nat OUTPUT chain in the adb shell. This removes every rule in that chain, not just the two above, which is fine on a dedicated test device.

iptables -t nat -F OUTPUT

 

 

Frida Version

The versions used for this post. The frida-server binary on the device must be the same version as the frida Python package (15.2.2 here), otherwise the client refuses to connect.

pip install frida==15.2.2
pip install frida-tools==11
brew install python@3.8
ln -s -f /usr/local/bin/python3.8 /usr/local/bin/python   # link the python command to python3.8 (macOS/Homebrew); a virtualenv avoids replacing the system-wide python

 

 

Ref: HttpClient Stack and SSL/TLS Implementation Selector for Android - Xamarin, https://learn.microsoft.com/en-us/xamarin/android/app-fundamentals/http-stack?tabs=macos (learn.microsoft.com)

The HttpClient Stack and SSL/TLS Implementation selectors determine which HttpClient and which SSL/TLS implementation a Xamarin.Android app uses. The native TLS option is the BoringSSL-based BTLS provider, whose code is libmono-btls-shared.so, the library hooked in Step 3.