Pentesting iOS Applications Part 1 - Intercepting HTTP(S) Traffic with Burp Suite

TL;DR - An in-depth look at methods for analysing iOS app traffic

Environment:

  • OS: Debian 8.x
  • iOS: 10.x
  • Browser: Chrome 56.x / Safari 10
  • Burp Suite Pro: v1.7.x
  • App: 咕咚运动 (Codoon)

Intercepting HTTP(S) Traffic:

Burp configuration:

①. Connect the PC and the iOS device to the same LAN and start Burp: cd /Path/to/burpsuite_pro && java -jar -Xmx2G burpsuite_pro.jar

②. Configure Burp to listen on 0.0.0.0:8080 and tick the Running checkbox

iOS device configuration:

③. Settings - Wi-Fi - "SSID" - tap the i icon - HTTP PROXY - Manual, and enter the IP address and port of the PC running Burp

④. Open http://burp in the browser —> tap CA Certificate —> install the certificate (delete the certificate once testing is finished)

⑤. Test: open http://z.cn and https://www.google.com in the browser (Safari)

Bypassing SSL endpoint verification with stunnel:

  • ①. Modify the plist file containing the endpoint URL.
  • ②. Configure stunnel in client mode; an example stunnel configuration file:

    ; SSL client mode
    client = yes
    ; service-level configuration
    [https]
    accept = 127.0.0.1:80
    connect = TargetIP:443
    TIMEOUTclose = 0

  • ③. Configure Burp to use invisible proxying and redirect requests to stunnel:
    Burp —> Proxy —> Options —> Edit (0.0.0.0:8080) —> Request Handling (IP: 127.0.0.1, Port: 80), tick Support invisible proxying

iOS networking

iOS networking APIs:

①. the URL loading system (NSURLConnection or NSURLSession)
②. the Foundation NSStream API
③. the Core Foundation CFStream API
NSStream and CFStream (lower-level networking) are used for non-HTTP connections; see: https://github.com/iSECPartners/tcpprox/

Spotting NSURLSession TLS Bypasses
NSURLSession has a way to avoid TLS checks as well. Apps can just use the didReceiveChallenge delegate and pass the proposedCredential of the challenge received back as a credential for the session:

// Accepts whatever certificate the server presents: no chain validation at all
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition disposition, NSURLCredential *credential))completionHandler {
    completionHandler(NSURLSessionAuthChallengeUseCredential,
                      [challenge proposedCredential]);
}

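The following is an added example (not code from the original post or from the app under test) that places the bypass pattern above next to a hardened delegate: the system evaluates the chain first, then the leaf certificate is compared against a pin, and anything unexpected cancels the request. The pin value `kPinnedLeafSHA256Base64` is a constructed placeholder that would be recorded from the real server certificate at build time.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Constructed placeholder: base64 of SHA-256 over the DER encoding of the
// server's leaf certificate, recorded out of band at build time.
static NSString *const kPinnedLeafSHA256Base64 = @"REPLACE_WITH_BASE64_SHA256_OF_LEAF_DER";

// 1. The pattern the post describes: whatever certificate the peer presents is
//    accepted, so a proxy CA installed on the device is never rejected.
@interface InsecureSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation InsecureSessionDelegate
- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    // Code-review marker: UseCredential combined with proposedCredential.
    completionHandler(NSURLSessionAuthChallengeUseCredential, [challenge proposedCredential]);
}
@end

// 2. Hardened form: system chain validation first, then a leaf-certificate pin.
@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
@end

@implementation PinnedSessionDelegate

- (NSString *)sha256Base64:(NSData *)data {
    unsigned char digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(data.bytes, (CC_LONG)data.length, digest);
    return [[NSData dataWithBytes:digest length:sizeof(digest)] base64EncodedStringWithOptions:0];
}

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    // Only server-trust challenges are handled here; anything else (client
    // certificates, HTTP auth) falls back to the system default.
    if (![challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }

    SecTrustRef trust = challenge.protectionSpace.serverTrust;
    CFErrorRef error = NULL;
    // Standard evaluation: trusted root, validity period, host name match.
    // A proxy CA the user has installed as trusted passes this step, which is
    // why the pin check below is still needed.
    if (trust == NULL || !SecTrustEvaluateWithError(trust, &error)) {
        if (error != NULL) CFRelease(error);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Compare the leaf certificate (index 0) against the pin.
    // SecTrustGetCertificateAtIndex is deprecated since iOS 15 in favour of
    // SecTrustCopyCertificateChain, but remains available.
    SecCertificateRef leaf = SecTrustGetCertificateAtIndex(trust, 0);
    NSData *leafDER = leaf ? CFBridgingRelease(SecCertificateCopyData(leaf)) : nil;
    if (leafDER == nil || ![[self sha256Base64:leafDER] isEqualToString:kPinnedLeafSHA256Base64]) {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // Chain evaluated and pin matched: hand back a credential built from the
    // evaluated trust, not the proposed credential.
    completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
}
@end
```

When reviewing an app, the insecure variant is what to look for: `NSURLSessionAuthChallengeUseCredential` paired with `proposedCredential`, or a `SecTrustRef` that is wrapped in a credential without ever being evaluated. Pinning the leaf DER as above is the simplest form; pinning the SubjectPublicKeyInfo hash instead survives routine certificate renewals as long as the key is kept.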
Related techniques (man-in-the-middle "attack" and port mirroring / network tap)

A. Man-in-the-middle "attack":

Linux server (gateway) configuration:
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
3. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
4. Burp Suite listens on *:8080, tick Invisible

iOS device configuration:
Set the gateway to the Linux server's IP address

B. Port mirroring / network tap:
Reference:
Port mirroring / Network Tap


Author: Zer0d0y
WeChat: Zer0d0y
Original source: https://www.zer0d0y.info/post/Pentesting-iOS-Applications-Part-1/
The copyright of this article belongs to the author. Reposting is welcome, but unless the author agrees otherwise this statement must be kept and a link to the original must be given in a prominent position on the page; otherwise the author reserves the right to pursue legal action.