How To Capture All Android Network Traffic

So you are performing a pentest on an android app and you have got into a situation where basic certificate pinning bypass doesn’t work. Or you have been dealing with custom protocol instead of good ol’ HTTP. The goal of this post is to teach you how to capture any network traffic on your android device (no root required).

How does it work you ask? We are going to use a fantastic app, provided by Andrey Egorov(@egorovandreyrm.), pcap remote. It works by creating a VPN connection and capturing all the traffic going through that connection and redirecting it to the wireshark where we can analyze it in real-time.

Prerequisites:

Let’s start…

If you are testing on an android version greater than 7.0 you are going to need to tamper with an apk a little, since google changed network security policy and made it “harder” for us to play. Basically what we need to do is to modify the application to accept any self-signed CA so we can intercept and decrypt the traffic. For this example, I’m going to use ‘twitter’ android app. Let me show you.

Modify target app

Use apktool to decompile your apk.

apktool d twitter.apk

In AndroidManifest.xml edit application tag and add ‘networkSecurityConfig’ parameter. Your target application might already have this value set, in that case you can skip this step.

android:networkSecurityConfig="@xml/network_security_config"

twitter-android-manifest-modified

Create/edit network security configuration file. It is stored at location specified in the application tag in AndroidManifest. By default its location is: ‘res/xml/network_security_config.xml’.

Edit it to look like this:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

Recompile the apk, sign it and install it on the device.

apktool b twitter -o twitter-patch.apk
keytool -genkey -v -keystore key.keystore -alias sign -keyalg RSA -keysize 2048 -validity 10000
jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore key.keystore twitter-patch.apk sign

Setup pcap remote

Now let’s setup pcap remote.

First we are going to install ssl certificate. Tap on 3 dots in top right corner, then settings and then ‘Install’ under ‘SSL Certificate’ category, follow the installation dialogs and set the device password if prompted.pcap-remote-install-cert

Make sure to select ‘SSH Server’ as capturing mode and toggle ‘Make HTTPS/TLS connections decryptable’ .pcap-setup

On the top click on the triangle icon with number one in it and select your target application.pcap-setuppcap-setup

Setup wireshark

Now it’s time to connect wireshark with pcap remote.
NOTE: If you are using android emulator for testing, make sure to portforward the port.

adb forward tcp:15432 tcp:15432

Open wireshark and select ‘SSH remote capture: sshdump’.pcap-setup

Enter your phone’s IP address (or 127.0.0.1 if you are working with an emulator) and port that pcap remote is running on. Also on the ‘Authentication’ tab enter any ssh username and password and click start.pcap-setuppcap-setup

Start your application and analyze decrypted traffic in realtime.pcap-setuppcap-setup

The end!

Source: exandroid

Happy learning!

4 Likes

hey brother i don’t find ssh remote capture:sshdump in wireshark :face_with_hand_over_mouth: