How to Capture HTTPS Traffic in Android


Network penetration testing is essential for keeping our network secure from intruders. Linux has a number of pentesting tools for testing network security, and since Android is a Linux-based platform, it can do everything Linux can. All we have to do is unlock that built-in power by granting Android super-user privileges. The super user in Linux is the equivalent of the Administrator in Windows, and granting super-user permissions on Android is what we call rooting. It makes the device far more functional and customisable. A number of useful applications need super-user permissions to run, and dSploit is one of them.

What’s dSploit :

Zanti (Z-Anti Network Toolkit), formerly known as dSploit, is a network penetration testing tool for checking network security from Android. dSploit was later acquired by Zimperium; a few updates were made and it was released as Z-Anti Network Toolkit. Zanti has all the tools for performing MITM, SSL strip, interception and logging of HTTP requests.

What’s the difference between HTTP and HTTPS :

All network penetration toolkits are capable of sniffing HTTP requests on the network. But they can’t read HTTPS traffic, since the communication between the end device and the server is encrypted using a modern cipher suite; the latest TLS version, TLS 1.2, is used by Google and the other big fish in the market. In plain HTTP, a man in the middle can gather every nook and corner of your traffic, including all your credentials, whereas in HTTPS traffic the intruder can’t see a single piece of information. Tools like Wireshark have options for SSL decryption too, but not without the key file: Wireshark and every other SSL decryption tool need a key file to decrypt the captured ciphertext. That’s why all websites today use HTTPS for their users’ safety.

How to capture HTTPS requests in Android :

Although we cannot capture other users’ HTTPS requests on our network, we can capture the HTTPS requests generated on our own Android device. This is done using an app called “Packet Capture”. The app doesn’t require root privileges. It acts as a proxy server and intercepts the HTTP and HTTPS requests generated on our own device, using Android’s VPN Service to receive the SSL packets. But no browser allows a MITM tool to read its SSL traffic unless the tool’s certificate is trusted, so Packet Capture comes with its very own CA certificate. Once that CA certificate is installed on the Android device, the device trusts certificates issued by Packet Capture and allows its SSL traffic to be decrypted and interpreted by the app. That, in short, is how Packet Capture works.
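A caveat to the trust step just described: on Android 7.0 (API 24) and later, an app that targets that API level trusts only the system CA store by default, so a CA installed by the user, such as Packet Capture’s, is ignored by that app. Chrome, on the other hand, honours user-installed CAs, which is why the Chrome capture in this tutorial works. Whether a given app’s HTTPS traffic can be decrypted this way is decided by its Network Security Configuration. The file below is an added example, not something from the page or from the Packet Capture app; the file name `network_security_config.xml` and the manifest attribute are the standard Android names.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the page).
     Referenced from AndroidManifest.xml with:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
-->
<network-security-config>

    <!-- Hardened default for release builds: only the system CA store is
         trusted, so a CA added by the user (for example an interception
         proxy's CA) cannot issue certificates this app will accept.
         cleartextTrafficPermitted="false" also refuses plain HTTP.
         This is the Android 7.0+ default for apps targeting API 24 and
         above, written out explicitly so it survives a targetSdk change. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Weak setting, shown for contrast (left commented out): adding
         src="user" to base-config makes the app trust any user-installed CA
         in production builds, which is exactly what lets a tool like Packet
         Capture decrypt the app's HTTPS traffic. If user CAs are needed for
         testing, they belong in debug-overrides instead.
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- Debug builds only (android:debuggable="true"): user-installed CAs are
         added to the trust anchors so developers can inspect their own app's
         traffic through a local proxy. This section is ignored in release
         builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

The decision is made per app, not per device: Chrome accepts the Packet Capture CA and shows its decrypted requests, while an app shipping the hardened base-config above simply fails its TLS handshake when its traffic is routed through the Packet Capture VPN, and nothing readable appears in the capture.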

How to use Packet Capture to hook HTTPS requests :

  • Install Packet Capture from Google play store : http://corneey.com/wP5PIK
  • To capture SSL packets, the application has to install its CA certificate on the Android device so that it is registered as a trusted app. So open the app and install the CA certificate.
Packet capture CA certificate
  • Make sure the certificate is installed for “VPN & Apps” under credential use.
  • After installation, Packet Capture tunnels a VPN connection as shown below.
Packet Capture VPN
  • Now, in Packet Capture, choose the app whose SSL packets you want to capture. You can choose multiple apps.
Application Selection in Packet Capture
  • For demonstration, I’ve selected the Chrome browser, so all SSL and HTTP requests made from Chrome are going to get logged in Packet Capture.
  • Now open your Chrome browser and browse to any website secured with HTTPS.
  • Most of the time the requested page will load, but sometimes you’ll get an error like the one below, which means the certificate Chrome received for that host doesn’t match the host name it requested:

Your connection is not private Attackers might be trying to steal your information from guce.yahoo.com (for example, passwords,messages, or credit cards).NET::ERR_CERT_COMMON_NAME_INVALID Automatically report details of possible security

  • Below this error you can see two options: ‘Back to safety’ and ‘Advanced’.
Proceed to unsafe website
  • Click on ‘Advanced’ and ‘Proceed to the unsafe website’.
  • You’ll see the page loading. Now go back to Packet Capture to see the captured requests.
Captured SSL request in chrome
  • The above picture shows the SSL traffic captured from my Android device. I’ve visited Facebook.com and, as you can see, the requests made are logged in Packet Capture. Now, to analyse a request and response, choose any packet that has data.
Captured SSL Request and Response
  • You get a plain-text view of the captured request and response.
  • We can also see the encoded URL.
URL encoded in Packet Capture
  • We can see the request and response in text as well as hex format.
Request and Response in Hex

That’s it for now. If you found this tutorial useful, Share this and Leave your comments 🙂
