Skip to content

Instantly share code, notes, and snippets.

@arbu

arbu/android-mitm-guide.md

Created November 25, 2019 21:54
Show Gist options
  • Save arbu/c423f4d0be801bc4ae8a59b414facab0 to your computer and use it in GitHub Desktop.
Save arbu/c423f4d0be801bc4ae8a59b414facab0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
android-mitm-guide.md

How to intercept all SSL connections from an Android x86 VM

This guide shows how to setup an Android VM in order to intercept all HTTPS requests. This was originally intended to reverse PlayServices but should work with any app that does not use certificate pinning (i.e. every app that relies on the system certificate authorities).

Inspired by this guide how to install Android x86 in VirtualBox, this guide how to install a system certificate on Android and this guide how to use mitmproxy with VirtualBox.

  1. Download a recent Android x86 ISO from here.

  2. Download a recent Kali Linux VirtualBox Image from here. (You can also use an other distribution, but Kali comes pre-installed with the tools we need)

  3. Install VirtualBox and create a new VM:

    • Set Type to Linux and Version to Linux 2.6 / 3.x / 4.x (64-bit) (Linux 2.6 / 3.x / 4.x (2-bit) if you are using a 32-bit image).

    • Select a reasonable amount of RAM (e.g. 3GB) and create a disk with enough space (e.g. 8GB).

    • Open the settings of your newly created VM.

    • Under System > Processor increase the number of CPUs to at least 2.

    • Under Display > Screen set the Graphics Controller to VBoxVGA. (You may also increase the Video Memory)

    • Under Network > Adapter 1 select Attached to Internal Network and enter a Name for the internal network (e.g. android).

  4. Start the VM and install Android:

    • Select the android image you downloaded as your start-up disk

    • Choose Installation. (Live CD won't work for this tutorial as you cannot add a root certificate)

    • Select Create/Modify partitions.

    • If you are asked if you want to use GPT, choose No.

    • Create a new partition by selecting New then Primary and confirm the default size.

    • Select Bootable to mark the partition as bootable.

    • Select Write to save the partition table then Quit the partitioning tool.

    • Choose the newly created partition to install to.

    • Choose ext4 as filesystem and confirm with Yes.

    • Confirm installing the bootloader with Yes.

    • Install the /system directory as read-write by choosing Yes.

    • Reboot or start android. Make sure to disconnect the installation image.

  5. Setup the VM for Kali Linux:

    • Import the Kali Linux OVA file (or your distribution of choice) into VirtualBox.

    • Open the settings of the imported VM and go to Network.

    • Under Adapter 1 choose attached to NAT. (Should be the default)

    • Under Adapter 2 check Enable Network Adapter and enter the same options as on the Android VM (e.g. Attached to: Internal Network and Name: android).

    • Start the VM and login with username root and password toor.

    • Install adb by running apt install adb from command line.

    • If you are not using Kali you may have to install dnsmasq and mitmproxy, too.

  6. Setup network forwarding in the Kali VM:

    • Run nm-connection-editor from command line.

    • Click on the + at the bottom to add a connection and choose Ethernet as type.

    • In the Ethernet tab set Device to eth1.

    • In the IPv4 Settings tab select Shared to other computers as Method.

    • Click Save and close the connection editor.

  7. Connect the Android VM:

    • Click Start, then See all Wi-Fi networks and select the VirtWifi network.

    • Once connected click the back arrow. You will be at the Wi-Fi selection screen again, where you can see the IP address.

    • Inside the Kali VM connect adb with adb connect <IP>.

  8. Install the SSL certificate in the Android VM:

    • Run mitmproxy from command line and then quit it with q. This will generate a root certificate under ~/.mitmproxy/.

    • Calculate the hash of the certificate with openssl x509 -in .mitmproxy/mitmproxy-ca.pem -subject_hash_old -noout to use in the following commands. (This is most likely c8750f0d for this certificate)

    • Convert it to the Android format:

      cp .mitmproxy/mitmproxy-ca.pem c8750f0d.0
openssl x509 -text -in .mitmproxy/mitmproxy-ca.pem -text -noout >>c8750f0d.0

    • Copy the certificate to Android with adb push c8750f0d.0 /data/local/tmp.

    • Install it in the system and reboot:

      adb shell
su
mv /data/local/tmp/c8750f0d.0 /system/etc/security/cacerts/
chown root:root /system/etc/security/cacerts/c8750f0d.0
chmod 644 /system/etc/security/cacerts/c8750f0d.0
reboot

  9. Setup transparent proxying rules in iptables so every connection is forwarded to mitmproxy (you may need to adapt the interface name on other distributions):

    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 8080

  10. Run mitmproxy --mode transparent -w <name>.dump to open an interactive session as well as write save the session into a dumpfile.

  11. You should now see every request made from the android device.

@whyorean
Copy link

whyorean commented Nov 26, 2019

Perfect !

@elig0n
Copy link

elig0n commented May 2, 2021
edited
Loading

On Android x86 9.0-r2-k49 iptables complains it cannot find table 'nat'.
On Android x86 6.0 there is no wifi device actually needed for external network. IP address can be found in Settings -> Status.

Nonetheless I could not get the whole Android guest to connect to mitmproxy with Android x86 6.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment