未经作者允许,禁止转载!
最近项目需要对某银行app进行测试,由于该app对模拟器和使用了SSL pinning防抓包,这里参考某社区的一篇SSL pinning绕过文章,简单进行记录。
准备:安卓手机一台(已root!!!已root!!!已root!!!)、Frida工具,我这里以我小米8为例,安卓10版本,其他安卓机自行参考
首先,进入开发者模式,开启USB调试
或者开启远程调试
使用adb工具连接,使用adb devices查看设备是否已经连接成功
现在下载frida服务器软件包(https://github.com/frida/frida/releases/),使用命令查看arch版本(adb shell getprop ro.product.cpu.abi)
找到咱们对应的server版本,这一步很重要,别选错了
解压xz,使用命令(adb push C:Usersfrida-server位置 /data/local/tmp)
将下面文件保存为fridascript.js,同上(adb push C:Usersfridascript.js /data/local/tmp)到tmp目录下
/* Android SSL Re-pinning frida script v0.2 030417-pier$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pausehttps://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/ UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !*/setTimeout(function(){Java.perform(function (){console.log("");console.log("[.] Cert Pinning Bypass/Re-Pinning");var CertificateFactory = Java.use("java.security.cert.CertificateFactory");var FileInputStream = Java.use("java.io.FileInputStream");var BufferedInputStream = Java.use("java.io.BufferedInputStream");var X509Certificate = Java.use("java.security.cert.X509Certificate");var KeyStore = Java.use("java.security.KeyStore");var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");var SSLContext = Java.use("javax.net.ssl.SSLContext");// Load CAs from an InputStreamconsole.log("[+] Loading our CA...")var cf = CertificateFactory.getInstance("X.509");try {var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt"); }catch(err) {console.log("[o] " + err); }var bufferedInputStream = BufferedInputStream.$new(fileInputStream);var ca = cf.generateCertificate(bufferedInputStream); bufferedInputStream.close();var certInfo = Java.cast(ca, X509Certificate);console.log("[o] Our CA Info: " + certInfo.getSubjectDN());// Create a KeyStore containing our trusted CAsconsole.log("[+] Creating a KeyStore for our CA...");var keyStoreType = KeyStore.getDefaultType();var keyStore = KeyStore.getInstance(keyStoreType); keyStore.load(null, null); keyStore.setCertificateEntry("ca", ca);// Create a TrustManager that trusts the CAs in our KeyStoreconsole.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();var tmf = TrustManagerFactory.getInstance(tmfAlgorithm); tmf.init(keyStore);console.log("[+] Our TrustManager is ready...");console.log("[+] Hijacking SSLContext methods now...")console.log("[-] Waiting for the app to invoke SSLContext.init()...")SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {console.log("[o] App invoked javax.net.ssl.SSLContext.init..."); SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);console.log("[+] SSLContext initialized with our custom TrustManager!"); }});},0);将burp证书保存为cert-der.crt,同上,将CA证书导入(adb push C:Userscert-der.crt /data/local/tmp)到tmp目录下,我们使用adb shell进入手机,查看文件
给予执行权限(chmod +x frida-server),然后执行
然后进行python包安装
python -m pip install Frida
python -m pip install objection
python -m pip install frida-tools
or
pip install Frida
pip install objection
pip install frida-tools
进入到frida目录
打开cmd窗口,使用(frida-ps.exe -U)查看手机进程
当正常使用burp抓包时,会显示网络错误,一片白
然后我们将fridascript.js注入到目标应用程序中(frida -U -p 25244 C:Usersfridascript.js --no-pause),-p是app进程的PID现在就能愉快的抓包了
原文始发于微信公众号(渗透学习日记):对一次绕过SSL pinning踩坑记录
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论