[Fewer detours] Personal notes on Android packet capture
A few days ago I posted an article about Android packet capture; that one was written off the top of my head. This time I want to share some personal experience with Android packet capture (some of it may overlap with that article). When we test an app we usually capture packets through an emulator. A second-hand physical phone is really the best option, but I'm not made of money. So here I have collected the lessons learned, and the simplest solutions I found, while building a penetration-testing environment.
WeChat official account: Xiaoxi Infiltration; you are welcome to get in touch so we can learn together.
1. Simulator
The usual emulator choices are the following (I use LDPlayer and MuMu):
- LDPlayer (雷电)
- Nox Player (夜神)
- MuMu
- MEmu
LDPlayer can put its network adapter into bridged mode, which the others do not seem to support, but Xposed on LDPlayer kept failing for me (the fix is in section 4). Nox really exasperated me: I don't know whether it was just my machine, but I hit a very annoying bug where the virtual keyboard could not be brought up at all; on the plus side, Xposed can be installed with one click from its app store. MuMu feels much faster than the others. I have not used MEmu much, so try it yourself.
Since it is an emulator, it has snapshots. While testing we constantly change the network settings or the proxy, so I recommend taking snapshots often. Once, after I had changed the proxy several times, the emulator stopped booting and hung at 94%; I tried all kinds of fixes to no avail and had to delete it and create a new instance.
2. Proxy problems
Some applications check whether a proxy is configured (for example by reading the system HTTP proxy settings), so I do not recommend setting the proxy in the emulator's Android settings when testing. My approach is to use Proxifier on the host to redirect the emulator process's traffic to Burp; the app inside the emulator then sees no proxy configured at all. Below is the configuration walkthrough I wrote earlier, for reference.
I use LDPlayer; the Burp configuration is as follows:
The Proxifier configuration is as follows:
Set the proxy server:
3. Android 7.0 no longer trusts user-installed certificates
Starting with Android 7.0 (API 24), apps no longer trust certificates installed by the user by default; only the system trust store counts. To capture with Burp anyway, install the Burp CA as a user certificate and then move it from the user certificate directory into the system certificate directory with MT Manager (this needs root, which the emulators provide).
MT Manager, on the device: copy the files under /data/misc/user/0/cacerts-added/ to /system/etc/security/cacerts/. The files in cacerts-added are already named <subject_hash>.0, which is exactly the naming the system store expects, so a plain copy works; make sure the copied file is readable (permissions 644) and reboot the emulator so the trust store is reloaded.
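The same move done over adb instead of MT Manager, as an added example that is not part of the original post. It assumes a rooted emulator with a remountable /system (true for the Android 7 images discussed here), adb on the host PATH, and Burp's CA exported as DER from Proxy > Options > Import/export CA certificate; the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): install a Burp CA certificate
# into the emulator's SYSTEM trust store over adb, so apps on Android 7+
# that only trust system CAs will accept Burp's MITM certificates.
# Assumptions: rooted emulator, adb in PATH, Burp CA exported as DER.
set -eu

# Convert Burp's DER export to PEM and give it the file name Android expects:
# <subject_hash_old>.0 (OpenSSL's legacy MD5-based subject hash, 8 hex digits).
# Prints the generated file name; files are written to $2 (default: cwd).
prepare_system_cert() {
    der="$1"; outdir="${2:-.}"
    pem="$outdir/burp-ca.pem"
    openssl x509 -inform DER -in "$der" -out "$pem"
    hash=$(openssl x509 -in "$pem" -subject_hash_old -noout)
    cp "$pem" "$outdir/$hash.0"
    echo "$hash.0"
}

# Push the prepared file into /system/etc/security/cacerts with the ownership
# and mode the system store requires (root:root 0644), then reboot so the
# store is reloaded.
install_system_cert() {
    cert="$1"; name=$(basename "$cert")
    adb root
    adb remount    # older images: adb shell mount -o rw,remount /system
    adb push "$cert" /system/etc/security/cacerts/
    adb shell chown root:root "/system/etc/security/cacerts/$name"
    adb shell chmod 644 "/system/etc/security/cacerts/$name"
    adb reboot
}

# After the reboot, confirm the file is present in the system store.
verify_system_cert() {
    adb shell ls -l "/system/etc/security/cacerts/$1"
}

# Usage: sh burp_sys_cert.sh cacert.der
if [ -n "${1:-}" ]; then
    f=$(prepare_system_cert "$1")
    install_system_cert "$f"
fi
```

After the reboot, Settings > Security > Trusted credentials should list the Burp CA under the System tab rather than the User tab; that is the check that the move actually worked.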
4. Xposed framework installation problems
It is best to have the Xposed framework available during a pentest, but installing it runs into all sorts of problems, and the tutorials online are inconsistent and convoluted. Here is the method I found easiest.
A stock LDPlayer instance is 32-bit Android 7 by default; just download the Xposed framework app from the LDPlayer game center and install it.
After installing the app you will find that no framework is active yet, and clicking Install inside the app does not work (ultimately a network problem: it cannot reach the download server). There are many ways around this, with just as many tutorials; the simplest one I know is this: install Mavericks Accelerator (any similar accelerator app will do), start its service, then go back to the Xposed app and install the framework.
Tested: on 64-bit Android, Mavericks Accelerator crashes on launch.
If it still does not work, here is a manual installation tutorial: https://www.bilibili.com/video/BV1fq4y1G7Rt
Two more modules that may be useful:
- Inspeckage: a very powerful dynamic-analysis module (search for it)
- JustTrustMe: an Xposed module that disables SSL certificate checking in the common HTTP libraries (it will not help against an app that implements its own pinning logic)
5. Decompilation analysis
Besides regular packet capture, you can decompile the app and read the code. The decompilation tool I recommend is available from the 漏了个大洞 WeChat account: reply 0001 in the background to get it. Besides ordinary decompilation, this tool extracts content such as URLs, hashes, IPs and keys.
Put the apk file in the apps folder of the tool's directory, then run the apkAnalyser.exe main program (be patient, it can take a while).
Once extraction finishes, the results are placed in the result folder.
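A grep-based substitute for that extraction step, as an added example that is my own and not the apkAnalyser tool from the post. It assumes you have already decompiled the APK into a directory (for example with `apktool d app.apk -o out`) and lists the URLs, IPv4 addresses and likely hard-coded keys found in it; the patterns are heuristics I chose, and the sample files in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not the tool from the post): pull URLs, IPv4 addresses and
# likely hard-coded keys out of an apktool/jadx output tree.
# Assumption: GNU grep (or BusyBox grep with -E/-o/-w) and sort are available.
extract_artifacts() {
    dir="$1"

    echo "## URLs"
    grep -rhoE 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$dir" | sort -u

    echo "## IPv4 addresses"
    # -w keeps the match from starting or ending inside a longer number
    grep -rhowE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$dir" | sort -u

    echo "## Possible keys"
    # AWS access key IDs have a fixed, easily recognised shape
    grep -rhoE 'AKIA[0-9A-Z]{16}' "$dir" | sort -u
    # key-ish names followed by = or : and a long token (strings.xml, smali const-strings)
    grep -rhoiE "(api[_-]?key|secret|token|password)[\"' ]*[:=][\"' ]*[A-Za-z0-9+/=_-]{8,}" "$dir" | sort -u
}

# Usage (constructed sample tree):
#   mkdir -p out/res/values
#   printf '<string name="api">https://api.example.com/v1</string>\n' > out/res/values/strings.xml
#   extract_artifacts out
if [ -n "${1:-}" ]; then
    extract_artifacts "$1"
fi
```

Treat the key section as a starting point for manual review: a match is only a hint, and the interesting question is where in the decompiled code the value is used.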