How to happily capture packets on Android 10
Foreword
I have been doing some app penetration tests recently and kept running into strange problems in the Android emulator environment, which made it very inconvenient to use, so I bought a physical Android phone. This article records the whole process and hits the pitfalls in advance for any master who may run into the same problems. I would also like to thank Master T for the help he gave me when I got stuck.
Preparation
- Internet access that can reach Google's download servers (a VPN or proxy where they are blocked)
- Google Pixel 3 running Android 10 (if it is not on Android 10, you can flash it with the method below)
- The adb and fastboot tools; download Google's standalone SDK Platform-Tools package
Install Platform-Tools on Windows
Download the Windows version of the SDK Platform-Tools and unzip it
Add the unzipped directory to the system PATH environment variable so that the platform tools can be used from any location
Open a cmd window anywhere and type adb; output similar to the following means the environment variable has been set up successfully
Install Platform-Tools on Mac
Install Homebrew
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
Install the Platform-Tools tool
brew cask install android-platform-tools
Use fastboot to flash Android 10
If your phone is on a version below Android 10, you need to install Android 10. Download the factory image from https://developers.google.com/android/images#blueline (blueline is the Pixel 3 codename). If you have another phone model, use the package for that model instead.
Enter developer mode
Go to Settings—About phone—Build number and tap the build number 8 times, then go to Settings—System—Advanced—Developer options and enable USB debugging. Connect the phone to your computer with a data cable.
Unlock the OEM bootloader
Run adb reboot bootloader from the command line
Use the volume up and down keys to move the selection to Unlock the bootloader, press the power key to confirm, wait for the unlock to complete, and restart
Open the developer options again: if the OEM unlocking switch is grayed out and reads that the bootloader is already unlocked, the unlock succeeded
Finally, unzip the Android 10 package downloaded earlier, open a command line window in the package directory, and run ./flash-all.sh (Windows users run .\flash-all.bat instead) to flash it in. Wait for the flashing to complete. (The same method applies if you want to flash another version of Android.)
Root the Android device
The current mainstream way to obtain root privileges is Magisk; the download address is https://github.com/topjohnwu/Magisk/releases/download/v23.0/Magisk-v23.0.apk. The latest Magisk version at the time of writing is v24.3, but the link I give is v23: after trying the latest version, the online module function could not be used. Masters who do not believe in evil can try it for themselves.
Install Magisk
1. Install it directly with adb install magisk.apk
2. Or copy the apk to the phone manually and install it there
Root
- Open the Android 10 package downloaded earlier, unzip the compressed image file inside it, and extract boot.img from it. Push it to the phone's download directory with
adb push boot.img /sdcard/Download/
- Open Magisk, choose Install at the top, then Select and Patch a File, pick the boot.img in the phone's Download directory and wait for the patching to finish. When it is done, an img file whose name begins with magisk is generated in the same download directory
- Open a command line window on the computer and download it with
adb pull /sdcard/Download/magisk_xxx.img
- Switch to bootloader mode with
adb reboot bootloader
- Because the Pixel has dual (A/B) slots, first determine which slot is currently active:
fastboot getvar current-slot
Mine returned b, so I flash the patched image with
fastboot flash boot_b magisk_xxx.img
(if it returns a, flash boot_a instead)
- Reboot:
fastboot reboot
After the reboot, root is available straight away; verify it
Happily capturing packets
Since Android 7, apps by default no longer trust user-installed certificates; only system-level certificates are trusted, so how to get the certificate into the system directory on Android 10 became a problem. Many online tutorials remount /system read-write with mount and copy the certificate in, but that method did not work for me. Here I use the Move Certificates Magisk module, which automatically moves user certificates into the system partition.
- Export the Burp certificate in DER format
- Convert the certificate format from DER to PEM (or simply rename it to .cer)
openssl x509 -inform DER -in burpsuite.der -out burpsuite.pem
- Push the Burp certificate to the phone
adb push burpsuite.pem /sdcard/Download
- Open Settings—Security—Encryption and Credentials—Install from storage and select the certificate pushed earlier
- Install Move Certificates
Open Magisk, search for Move Certificates in the module interface, click Install and restart; or go to https://github.com/Magisk-Modules-Repo/movecert to download the zip package manually, click Install from storage, and restart
- Verify that the certificate was imported successfully
Settings—Security—Encryption and Credentials—Trusted Credentials—System tab: check whether a PortSwigger certificate is listed
At this point, most of the apps can capture packets.
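Why the Move Certificates step is needed rather than just copying the .pem: the system store under /system/etc/security/cacerts/ (like the user store) only recognises a CA whose file is named by the OpenSSL subject_hash_old of its Subject plus the suffix .0. The following Python, added here and not part of the original post or of the module's own code, computes that name from a DER certificate with only the standard library; fake_cert, name and der are constructed helpers that build a certificate-shaped skeleton as sample input (hypothetical, not a real Burp certificate).

```python
import hashlib

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value_start, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_der(cert_der: bytes) -> bytes:
    """Return the DER Subject Name (whole TLV) of an X.509 certificate."""
    _, p, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, p, _ = _tlv(cert_der, p)            # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(cert_der, p)
    if tag == 0xA0:                        # optional EXPLICIT [0] version
        p = nxt
    for _ in range(4):                     # serialNumber, signature, issuer, validity
        _, _, p = _tlv(cert_der, p)
    _, _, end = _tlv(cert_der, p)          # subject
    return cert_der[p:end]

def android_cacert_name(cert_der: bytes) -> str:
    """System CA store filename: OpenSSL subject_hash_old + '.0' (first 4 MD5 bytes of the subject DER, little-endian, 8 hex digits)."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return f"{int.from_bytes(digest[:4], 'little'):08x}.0"

def der(tag: int, content: bytes) -> bytes:
    """Constructed helper: encode one DER TLV, long length form when needed."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + content

def name(cn: str) -> bytes:
    """Constructed helper: Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, single CN."""
    cn_oid = der(0x06, b"\x55\x04\x03")                         # id-at-commonName
    return der(0x30, der(0x31, der(0x30, cn_oid + der(0x0C, cn.encode()))))

def fake_cert(subject: bytes, issuer: bytes, serial: int = 1) -> bytes:
    """Constructed helper: certificate skeleton with only the fields subject_der() walks; not a verifiable cert."""
    tbs = (der(0xA0, der(0x02, b"\x02"))                             # version v3
           + der(0x02, bytes([serial]))                             # serialNumber
           + der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
           + issuer
           + der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))  # validity
           + subject)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

On a real certificate the result matches what `openssl x509 -noout -subject_hash_old -in burpsuite.pem` prints, so you can check with it whether the file the module placed in the system store carries the expected name.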
Bypass SSL pinning
SSL pinning is a technique against man-in-the-middle attacks: the app is bound to the server's own certificate, so a proxy's certificate is not trusted and the app cannot exchange data through the proxy. Here the TrustMeAlready module on the EdXposed framework is used to bypass it.
TrustMeAlready is an Xposed module that requires root privileges. It stops the app from detecting and blocking the capture, so packet capture can continue to work.
Install the Riru framework
First, install Riru in Magisk. You need version v25.4.4 here, because it is the highest version the EdXposed framework supports. After downloading the zip, install it from storage and restart.
Install the EdXposed framework
- Search for Riru-EdXposed directly in the online module list, install it and restart
- Install the EdXposed Manager apk
First download the apk, then run:
adb install EdxposedManager.apk
When you open EdXposed Manager and it shows the framework as activated, the installation succeeded
- Install TrustMeAlready
First download the apk; you can also search for it and download it directly in the EdXposed Manager app
https://github.com/ViRb3/TrustMeAlready/releases/download/v1.11/TrustMeAlready-v1.11-release.apk
adb install TrustMeAlready.apk
- Open EdXposed Manager, tap the menu in the upper left corner, select Modules and activate TrustMeAlready
Bypass root detection
Some apps, especially banking apps, detect whether your phone is rooted, which makes the app unusable or prevents it from opening.
- Open the settings from the Magisk home page, find MagiskHide, turn the switch on and confirm as prompted; then open the app under test and there should be no more security warning
Summary
Finally, let's have fun using Burpsuite to capture packets.