APP and Mini Program—Information Collection

1. Introduction

  Most enterprises expose not only web sites but also mobile apps (APPs) and mini programs. These exist to serve users better, but they bring their own security problems with them.

  Mobile apps today are mostly Android or iOS. iOS is closed source and far more locked down than Android: app binaries are compiled native code that, outside a jailbroken device, cannot easily be extracted and reverse engineered. APP penetration tests are therefore done on Android in practice, and that is what this page covers.

1.1. APK introduction

  An APK (Android Package) is the installation package format for Android applications. It is a ZIP archive containing the compiled code (classes.dex), resources, native libraries, the manifest and the signature, and it is used to distribute and install mobile applications and middleware. Because it is just a ZIP file, much of its content can be read without special tooling.

1.2. Introduction to APP penetration testing

  In essence there is little difference between APP and WEB penetration testing, because an app is usually a client in front of the same web backend. If a page such as /index.php has a vulnerability when opened from a computer, it has the same vulnerability when the app on a phone requests it: the server-side logic is identical, and only the client packaging differs, which is why the screens in the app look slightly different from the web pages while being logically the same. The caveat is that a native app usually calls JSON APIs rather than rendered pages and may add request signing or certificate pinning on the client side; that changes how easily the traffic can be captured and replayed, not whether the backend is vulnerable.

  If the app talks to its backend over HTTP or HTTPS, its traffic can be proxied and captured exactly as for a web site, and the captured requests can then be opened in a browser or Burp and tested like any web vulnerability. Some apps use other protocols (raw TCP sockets, custom binary framing); those cannot go through an HTTP proxy and have to be captured at the network interface instead.

2. Build a test environment

  Building the test environment means installing an Android emulator, running the app inside it, and routing the emulator's traffic through a capture proxy on the host.

2.1. Fiddler

  Burp can capture app traffic as well, but Fiddler is used for capture here because the author found it more convenient for the app setup. The captured requests can still be handed to Burp for the actual testing.

2.1.1. Download Fiddler

  Download Fiddler from the official site; the download is free and unrestricted.

  Fiddler download link

  The screenshot below shows the download form with the page machine-translated; the English text is the original. After filling in the form, the download starts. The download server is slow from mainland China, so a proxy or VPN helps.

insert image description here

2.1.2. Installation complete page

  Installation is a plain wizard and is not covered here; the screenshot below shows the page that appears when installation completes.

insert image description here

2.1.3. Language

  The interface is in English. If that is inconvenient, a Chinese localization package is available, but the localized and English versions behave identically, and this tutorial works with either.

  Fiddler localization package (Baidu netdisk), extraction code: vqj5

insert image description here

2.2. Install the simulator

  The emulator used here is Yeshen (Nox), with the Android version set to 7.0. Downloading and installing it is not covered and no link is given; the official site is easy to find.

2.2.1. Adjust the version

  The default emulator image is usually a newer Android version. To get Android 7.0, open the Yeshen Multi-Instance Manager (installed together with the emulator), click Add Emulator in the lower right, and pick Android 7.0 (32-bit or 64-bit does not matter here). The image downloads and installs automatically and the instance can then be started.

insert image description here

2.2.2. Adjust the page

  A freshly created instance starts in tablet mode; switch it to phone mode.

insert image description here

2.2.3. Adjust the network

  Leave the emulator's network mode at its default and do not enable bridge mode. If networking stops working after later changes, the first thing to check is whether bridge mode has been turned on.

insert image description here

3. Install the certificate

  A certificate is needed because the proxy can only decrypt the app's HTTPS traffic if the device trusts the proxy's root CA. Fiddler issues a per-host certificate signed by its own root (DO_NOT_TRUST_FiddlerRoot), so that root has to be installed on the emulator.

  On Android 7.0+ (API level 24), an app whose targetSdkVersion is 24 or higher does not trust user-installed CA certificates by default: its default Network Security Configuration trusts only the system store. Installing the Fiddler root as a user certificate is therefore not enough to capture such an app's HTTPS traffic. In Fiddler you then see only a series of "200 HTTP Tunnel to xxx.xxx.xxx:443" entries; these are CONNECT tunnels whose contents could not be decrypted.

  The workaround below converts the Fiddler root certificate into the format Android expects and copies it into the system certificate directory, so that it is treated as a system CA and the trust problem disappears. This requires write access to /system, i.e. a rooted device (the emulator is rooted). Apps that pin their server certificate will still refuse the connection; that is a separate problem not covered on this page.

  reference link

3.1. FiddlercertMaker tool download

  fiddlercertMaker is the Bouncy Castle certificate generator for Fiddler. It is needed because newer Android versions reject certificates that are valid for more than two years, which rules out the root certificate Fiddler generates by default. Make sure Fiddler is closed, then double-click the downloaded fiddlercertmaker.exe; a dialog box reports that the certificate was imported successfully. If an error appears instead, download the latest version.

fiddlercertMaker download

insert image description here

3.1.1. Fiddler settings

  In Fiddler, open Tools > Options > HTTPS and tick the Decrypt HTTPS traffic checkbox; answer Yes in the pop-up that asks to trust the root certificate. Then open the Connections tab next to it: the listening port is 8888 by default and does not need to be changed, but make sure Allow remote computers to connect is ticked, otherwise the emulator cannot reach the proxy.

insert image description here

3.1.2. Export certificate

  Click Tools > Options > HTTPS > Actions > Export Root Certificate to Desktop. A file named FiddlerRoot.cer appears on the desktop; it is used in the following steps.

insert image description here

3.2. Download openssl for Windows

  Scroll to the bottom of the download page, pick the topmost 64-bit EXE, and download and install it.

  openssl download

insert image description here

3.2.1. Add environment variables

  openssl will be run from cmd, so its bin directory has to be added to the PATH environment variable.

insert image description here

3.2.2. Executing commands

  Open cmd and type openssl; if the OpenSSL prompt appears, the installation and the PATH entry are correct.

insert image description here

3.3. Certificate format conversion and renaming

3.3.1. Convert to pem certificate

  Convert the DER-encoded FiddlerRoot.cer exported by Fiddler into a PEM certificate with the following command in cmd:

openssl x509 -inform DER -in FiddlerRoot.cer -out FiddlerRoot.pem

insert image description here

3.3.2. Compute the subject hash

  Android names system CA files after the certificate's old-style OpenSSL subject hash, which is derived from an MD5 of the subject name. As the output below shows, the hash of the Fiddler certificate generated here is e5c3944b:

openssl x509 -inform PEM -subject_hash_old -noout -in FiddlerRoot.pem

insert image description here

3.3.3. Rename the pem certificate

  Rename the PEM file to that hash with the suffix .0; a file named e5c3944b.0 then appears on the desktop.

ren FiddlerRoot.pem e5c3944b.0

insert image description here

3.4. Upload certificate

  The certificate now has to be copied into the emulator; the Android 7.0 instance created earlier is used.

3.4.1. Transmission certificate

  Click the computer icon in the Yeshen emulator sidebar and choose "Open computer folder"; this opens the shared directory C:\Users\Administrator\Nox_share on the host. Copy the converted Fiddler certificate e5c3944b.0 into its ImageShare subdirectory.

insert image description here

3.4.2. Mobile Certificate

  Download MT Manager and drag its APK onto the emulator to install it. Open it and browse to the Pictures directory in the left pane; the ImageShare folder shared from the host is visible there, with the Fiddler certificate e5c3944b.0 inside.

insert image description here

3.4.3. Transfer directory

  In the right pane, navigate to /system/etc/security/cacerts. Then long-press e5c3944b.0 in the left pane and choose Copy to copy it into the directory open on the right.

insert image description here

3.4.4. Add permissions

  Compared with the existing system certificates, the copied e5c3944b.0 has no read permission for other users, so the Trusted credentials screen will not list it. Tap the MT Manager icon in the upper left and choose Open terminal.

insert image description here

  In the terminal, run chmod 644 on e5c3944b.0 (as shown in the screenshot) so that it is readable like the other system certificates.

insert image description here

  Check the permissions of e5c3944b.0 in /system/etc/security/cacerts again; it now has read permission.

insert image description here

3.4.5. Finding Certificates

  In the emulator, open Settings > Security > Trusted credentials > System and scroll down; the Fiddler certificate appears in the list. Packet capture can now be tried.

insert image description here
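The manual steps in 3.3 and 3.4 (DER to PEM, subject hash, rename, copy into /system/etc/security/cacerts, chmod 644) can be scripted. The following is an added example, not code from the original page, from Fiddler or from MT Manager. It computes the same value that openssl x509 -subject_hash_old prints, in pure Python, so it also shows why the file has to be called e5c3944b.0: Android looks system CAs up by the first four bytes of the MD5 of the DER-encoded subject name, read little-endian. It assumes adb is on the PATH and the emulator is rooted so that adb remount works (Nox is); build_fake_cert() produces a constructed, unsigned, certificate-shaped DER for offline testing and is not a real certificate.

```python
"""Turn Fiddler's root certificate into an Android system CA file and install it over adb.
Added example, not from the original page or from Fiddler. Assumes adb on PATH and a rooted
emulator where `adb remount` works (Nox is); input is Fiddler's DER .cer export or a .pem."""
import base64
import hashlib
import struct
import subprocess
import sys
from pathlib import Path

CACERTS_DIR = "/system/etc/security/cacerts"   # Android system CA store
ADB = "adb"                                     # assumption: adb on PATH, one device attached

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER element at buf[pos] -> (tag, value, end_offset, raw_element_bytes)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                               # short-form length
        length, hdr = first, 2
    else:                                          # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], end, buf[pos:end]

def _children(seq_value: bytes) -> list:
    """Split the content of a SEQUENCE into (tag, value, raw) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, end, raw = _read_tlv(seq_value, pos)
        out.append((tag, value, raw))
        pos = end
    return out

def extract_subject(cert_der: bytes) -> bytes:
    """Return the full DER encoding (tag + length + content) of the certificate's Subject name."""
    tag, cert_value, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; convert PEM input with pem_to_der() first")
    _, tbs_value, _ = _children(cert_value)[0]     # tbsCertificate
    fields = _children(tbs_value)
    if fields[0][0] == 0xA0:                       # v3 certs start with EXPLICIT [0] version
        fields = fields[1:]
    # then: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    subject_tag, _, subject_raw = fields[4]
    if subject_tag != 0x30:
        raise ValueError("subject is not a Name SEQUENCE")
    return subject_raw

def subject_hash_old(cert_der: bytes) -> str:
    """OpenSSL X509_NAME_hash_old: MD5 of the DER subject, first 4 bytes little-endian, 8 hex digits."""
    digest = hashlib.md5(extract_subject(cert_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]

def pem_to_der(pem_text: str) -> bytes:
    body = "".join(l for l in pem_text.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def install_via_adb(local_pem: Path) -> None:
    """Copy <hash>.0 into the system store and give it the 644 mode the other system CAs have."""
    remote = f"{CACERTS_DIR}/{local_pem.name}"
    for args in (["root"], ["remount"], ["push", str(local_pem), remote],
                 ["shell", "chmod", "644", remote], ["shell", "ls", "-l", remote]):
        subprocess.run([ADB, *args], check=True)   # if remount fails: adb shell su -c 'mount -o remount,rw /system'

# Constructed sample for offline testing: certificate-shaped DER, unsigned, NOT a real certificate.
def der_tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_name(common_name: str) -> bytes:
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    atv = der_tlv(0x30, der_tlv(0x06, bytes([0x55, 0x04, 0x03])) + der_tlv(0x0C, common_name.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def build_fake_cert(subject_cn: str) -> bytes:
    alg = der_tlv(0x30, der_tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])) + der_tlv(0x05, b""))
    validity = der_tlv(0x30, der_tlv(0x17, b"230101000000Z") + der_tlv(0x17, b"240101000000Z"))
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + alg + der_name("constructed issuer")
           + validity + der_name(subject_cn) + der_tlv(0x30, b""))
    return der_tlv(0x30, der_tlv(0x30, tbs) + alg + der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    names = [a for a in sys.argv[1:] if not a.startswith("--")]
    src = Path(names[0] if names else "FiddlerRoot.cer")
    data = src.read_bytes()
    der = pem_to_der(data.decode()) if data.lstrip().startswith(b"-----BEGIN") else data
    out = src.with_name(subject_hash_old(der) + ".0")   # e5c3944b.0 for the Fiddler root
    out.write_text(der_to_pem(der))
    print("wrote", out)
    if "--install" in sys.argv:
        install_via_adb(out)
```

Run it as `python fiddler_cacert.py FiddlerRoot.cer --install` with the emulator attached; without --install it only writes the <hash>.0 file next to the input, which can then be copied in with MT Manager exactly as above. The hash is computed over the raw DER Subject including its SEQUENCE tag and length, which is why the parser returns the whole element and not just its content; the newer -subject_hash (SHA-1 over a canonicalised name) gives a different value and Android does not use it.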

3.5. Emulator proxy settings

  Once the emulator's proxy is configured, packets can be captured.

3.5.1. Setting up the network

  Settings > WLAN > long-press the network > Modify network, set the proxy to manual with the computer's IP address as the host and Fiddler's listening port (8888 by default) as the port, then Save. If the emulator cannot reach the Internet afterwards, restart Fiddler; that is usually enough, and restarting the computer also resolves it.

insert image description here

3.5.2. Packet capture test

  As a test, a game download page in the Yeshen emulator's game center was opened; the page's images were captured successfully, and both the HTTPS and the HTTP traffic are visible in Fiddler.

insert image description here

4. APP application information collection

  In a normal WEB penetration test the first step is information gathering on the target site, and the same holds for an APP. The difference is that an app's backend addresses are packaged inside the APK rather than visible in a browser, so the domain names, ports and parameters the app uses have to be recovered either by decompiling the APK or by capturing the app's traffic.

4.1. AppInfoScanner project

  AppInfoScanner is an information-gathering and scanning tool for mobile and web targets (Android, iOS, WEB, H5, static sites) aimed at HW operations, red-team and penetration-testing teams. It helps testers quickly collect key asset information from mobile apps or static web sites and outputs basic information such as Title, Domain, CDN, fingerprint and status information.

  AppInfoScanner project

4.1.1. AppInfoScanner depends on libraries

  Download the project first (not shown here). Then install its dependencies; the screenshot shows the "requirement already satisfied" messages of a finished installation.

python -m pip install -r requirements.txt

insert image description here

4.1.2. Using AppInfoScanner

  For the demonstration a random APK was used. It is best not to test on a major vendor's app; something from a small or shady operator is a better choice. The one used here is a so-called "concubine" app...

  The output lists the URL addresses found inside the APK, and those addresses are the starting point for testing.

  APKs from large vendors are usually packed, but those from small vendors often are not. Packing exists mainly to stop others from modifying or cracking the APK at will.

python app.py android -i <Your apk file>  

insert image description here

4.1.3. Verify URL

  Somewhat awkwardly, the concubine app no longer appears to be in service and its site is closed, but some content was still found; the lines in the screenshot make clear what kind of app it is.

insert image description here

4.1.4. Summary

  With this tool, the site and URL addresses an application will access can be recovered from the APK file without capturing any traffic, and deeper penetration testing can proceed from those addresses.

  The same domain names can also be collected with Fiddler as described above, but that requires clicking through every screen of the app. No tool finds everything, so the two methods complement each other: static extraction finds addresses that are never visited during a capture session, and capture shows the real parameters sent to them.
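What AppInfoScanner does in the static Android case, and what the http:// search in Android Killer's Project Search (4.2.3.1) does by hand, can be reproduced in a few dozen lines, and writing it out shows what such tools find and what they miss. The following is an added example, not AppInfoScanner's code and not from the original page. It opens the APK as a ZIP, scans every member except images and fonts for http(s) URLs and IPv4 addresses, looks at each member both as 8-bit text (DEX string constants, assets, native libraries) and as UTF-16LE text (the binary AndroidManifest.xml and resources.arsc store strings that way), drops the namespace URLs every APK contains, and reports unique URLs, hosts and IPs. build_sample_apk() constructs a tiny fake APK in memory so the example runs offline; its hostnames and addresses are invented.

```python
"""Static information collection from an APK: URLs, hosts and IPv4 addresses.
Added example (not from the original page, not AppInfoScanner). Input is any APK (a ZIP);
no decompilation is needed because string constants survive in classes*.dex, the binary
manifest, resources.arsc, assets and lib/*.so."""
import io
import re
import sys
import zipfile
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Namespace / schema URLs present in almost every APK; they carry no target information.
NOISE_HOSTS = {"schemas.android.com", "www.w3.org", "xml.org", "www.apache.org",
               "developer.android.com", "ns.adobe.com"}
SKIP_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".ttf", ".otf", ".mp3", ".mp4", ".ogg")


def candidate_texts(data: bytes):
    """Yield a member's bytes as text in the encodings APKs store strings in."""
    yield data.decode("latin-1")                      # 8-bit / (M)UTF-8 strings: DEX, assets, .so
    for off in (0, 1):                                # UTF-16LE string pools: manifest, resources.arsc
        yield data[off:].decode("utf-16-le", errors="ignore")


def _valid_ipv4(s: str) -> bool:
    return all(0 <= int(o) <= 255 for o in s.split("."))


def scan_apk_bytes(apk: bytes) -> dict:
    """Return {'urls': [...], 'hosts': [...], 'ips': [...]} with sorted, de-duplicated entries."""
    urls, hosts, ips = set(), set(), set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.is_dir() or info.filename.lower().endswith(SKIP_EXT):
                continue
            for text in candidate_texts(z.read(info)):
                for url in URL_RE.findall(text):
                    try:
                        host = urlsplit(url).hostname
                    except ValueError:                # malformed bracket/IPv6 junk from binary data
                        continue
                    if not host or host in NOISE_HOSTS:
                        continue
                    urls.add(url)
                    hosts.add(host)
                for ip in IPV4_RE.findall(text):
                    if _valid_ipv4(ip):
                        ips.add(ip)
    return {"urls": sorted(urls), "hosts": sorted(hosts), "ips": sorted(ips)}


def scan_apk(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_apk_bytes(f.read())


def build_sample_apk() -> bytes:
    """Constructed fake APK for offline testing; all names and addresses are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00https://api.example-app.test/v1/login\x00"
                                  b"http://10.0.0.8:8080/upload\x00"
                                  b"http://schemas.android.com/apk/res/android\x00")
        z.writestr("AndroidManifest.xml", "https://cdn.example-app.test/config.json".encode("utf-16-le"))
        z.writestr("assets/config.properties", b"server=http://192.168.1.20/api\nversion=1.0.0.1\n")
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n fake image bytes")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_apk(sys.argv[1]) if len(sys.argv) > 1 else scan_apk_bytes(build_sample_apk())
    for key in ("urls", "hosts", "ips"):
        print(f"[{key}]")
        for item in result[key]:
            print("  " + item)
```

Two things the sample output illustrates about this kind of tooling. The IP list contains 1.0.0.1, which in the sample is a version string: any regex-based scanner produces such false positives, so the IP list always needs a look before it is scanned. And nothing is found when the app builds its URLs at runtime (string concatenation, encrypted configuration, or a packed APK whose real DEX is only decrypted in memory), which is exactly the case where capturing the traffic with Fiddler is the only option.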

4.2. APK decompilation

  Many tools exist for decompilation, but a lot of them are no longer maintained, for example Android Killer and Android Modification Master (安卓修改大师).

  Android Modification Master seems to have been revived, but it now requires a paid license. There are many cracked versions online; I tested a lot of them, but none could be activated successfully. Android Modification Master was also previously suspected of a supply-chain virus infection; the latest version may have resolved it, but there is no crack of the latest version. Many of the downloads are mislabelled: they claim to be version 10+ but turn out to be 8+, and after downloading, the software started calling cmd, which was quite confusing. Calling it while running would be one thing, but it started calling it without even being opened, so I did not use it.

  Android Killer has not been updated since September 2020. It is used for the demonstration here mainly to show what decompilation yields; it is not required, and this is not professional cracking.

  There are many other APP decompilation tools online; they are not covered here and can be found with a search.

4.2.1. Android killer download

  Android killer

4.2.2. Basic configuration steps

  The downloaded Android Killer needs some configuration before it can be used.

4.2.2.1. Configure java

  On first start it shows the Java SDK environment configuration; this can be ignored for now.

insert image description here

  The interface is in English at first. Click Configuration; the language option is under General. Restart after changing it. Then configure Java here, preferably Java 1.8.

insert image description here

4.2.2.2. Update and replace Apktool

  Apktool has to be updated first: download the latest version from the official site and replace the bundled one.

  Apktool Download

  In the Android Killer root directory, under bin > apktool > apktool, there is an apktool_2.4.1 jar; replace it with the latest version (2.7.0 at the time of writing).

insert image description here

4.2.2.3. Modify related information

  Next modify the apktool.bat and apktool.ini files under bin > apktool in the AndroidKiller root directory.

  In apktool.bat, replace the original apktool_2.4.1.jar with apktool_2.7.0.jar.

insert image description here

  Do the same in apktool.ini.

insert image description here

4.2.2.4. Modify APKtool

  After these edits it still does not work: the new version also has to be added in Android Killer's Apktool manager, otherwise an error is reported.

insert image description here

4.2.3. Use

  Detailed decompilation is not the goal here. What is needed is the information the app carries, mainly the IP addresses and URLs that turn the app's screens into web endpoints that can be penetration tested.

4.2.3.1. Project Search

  Drag the downloaded APK into Android Killer for analysis, then use Project Search to search for strings starting with http:// or https://.

insert image description here

4.2.3.2. Project Manager

  The Project Manager also shows the decompiled files; clicking through them reveals, for example, many IP addresses.

insert image description here

4.2.4. Packing

  Apps from large companies are usually packed precisely to prevent cracking and decompilation, so a packed APK has to be unpacked first. There are many one-click unpackers, but they do not always work; there is no universal method, and this is only meant as a pointer.

  Tools also exist that detect which packer was used. If the APK has a shell and the engagement is authorized, the simplest route is to ask the client for an unpacked build; if it is not authorized and you do not know much about app development, then...

insert image description here

4.3. Fiddler Information Collection

  Fiddler information collection is simply packet capture; the effect is shown below.

  One thing still needs mentioning. I found that after the emulator was closed and restarted, Fiddler could no longer capture packets and no data came through. I later checked and found that the IP of the network in my dormitory and the one in the office are not the same, but restarting after changing it was still ineffective. What worked was turning off the emulator's proxy so it could access the Internet, then setting the proxy again and restarting Fiddler at the same time. Packet capture on Android 7.0 and above is therefore more troublesome, and there are many problems for which I have no solution.

4.3.1. Get data

  This is the data captured from the concubine app: the PHP version, IP address, URL and other information are visible, which is enough to start a penetration test.

insert image description here

4.3.2. IP address utilization

  With the IP address in hand, can it be used for penetration testing? A port scan is the first step; an online port-scanning service can be used for it.

insert image description here
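As a local alternative to an online scanner, the following added example (not from the original page) does a concurrent TCP connect scan of an address recovered from the app and returns the open ports. It assumes you are authorized to scan the target; DEFAULT_PORTS is an assumed starting list of ports an app backend commonly exposes, not something taken from the page.

```python
"""Concurrent TCP connect scan of an IP address recovered from app traffic or the APK.
Added example (not from the original page). Only scan hosts you are authorized to test."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Assumed starting list: ports a web/app backend commonly exposes (edit for the engagement).
DEFAULT_PORTS = (21, 22, 80, 443, 3306, 6379, 8000, 8080, 8443, 8888, 9000)


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True only if the TCP handshake completes; refused, filtered (timeout) and unreachable all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tcp_scan(host: str, ports=DEFAULT_PORTS, timeout: float = 1.0, workers: int = 50) -> list:
    """Return the sorted list of open ports on host, probing up to `workers` ports in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, tcp_port_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "open ports:", tcp_scan(target))
```

A connect scan completes the handshake, so it shows up in the target's access logs and is slower than a SYN scan, but it needs no raw sockets or privileges and works from any host that can reach the target; for anything beyond a first look, hand the open ports to nmap for service and version detection.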

4.4. Packet monitoring

  Sometimes the proxy cannot be used, and the addresses and ports the app accesses have to be obtained by listening on the emulator instead, much like running Huorong Sword (火绒剑) on the local machine. The tool used here does the same thing. With the Yeshen emulator it exited automatically as soon as packet monitoring was turned on, so it may not be usable there; it seems to work with the LDPlayer (雷电模拟器) emulator.

  The tool link below also contains related tutorials.

  packet interceptor

4.5. APK resource extraction

  Sometimes the APK file cannot be obtained directly, and an APK resource extraction tool is needed. Many online tools exist; a screenshot of one is shown, but none of the extractors tried so far was good enough to recommend, so no link is given. The effect is shown here.

4.5.1. Extraction

  The tool packages an APK that could not be obtained directly, and after packaging the file can be downloaded.

insert image description here

4.5.2. Viewing resources

  An APK is a ZIP archive, so it can simply be unzipped; the resources inside are then visible.

insert image description here

5. Small program capture packet

  Capturing mini-program packets is a bit more troublesome. Because of how WeChat works, packets sometimes cannot be captured at all. Also, Fiddler captures only the HTTP traffic by default; to capture HTTPS, the Fiddler root certificate has to be installed into the Windows certificate store used by the default browser.

5.1. Install the certificate

  Install the certificate through Control Panel > Internet Options, and when importing it, choose the Trusted Root Certification Authorities store explicitly; only then does the installed certificate take effect.

insert image description here

5.2. Packet capture test

  With the certificate installed, packet capture can be tested. Information collection is not described again here, since the method is the same as for the APP.

insert image description here

Origin blog.csdn.net/weixin_44268918/article/details/130252340