How to bypass SSL pinning of android applications using FRIDA framework. | Shahul Hameed
Introduction
The Frida framework is used to bypass SSL pinning in an Android application so that its HTTPS traffic can be intercepted in Burp Suite for testing purposes. A pinned app trusts only its own built-in certificate or public key, so installing the proxy CA on the device is not enough by itself; the pinning check has to be hooked at runtime.
Required tools:
1. Appie (bundles ADB)
2. Genymotion
3. Python (v3.9.9)
Step 1: Configure a Genymotion emulator device (prefer the device configuration shown below)
Step 2: Download and install Python on your system.
To check the Python version installed on your system: CMD: python --version
Step 3: Install the Frida Python packages
We need to install some Python packages for the Frida client. Enter the following commands in the terminal:
python -m pip install frida
python -m pip install objection
python -m pip install frida-tools
Or, if pip is on your PATH, the shorter form:
pip install frida
pip install objection
pip install frida-tools
Note the version that gets installed (CMD: frida --version): the frida-server pushed to the device in Step 5 must be the same version, otherwise the client cannot talk to it.
Step 4: Connect the device to ADB
We need to connect our device to adb to run commands on it. But first, go to Settings >> Developer options and enable USB debugging on the device so that adb can communicate with it.
Go to the folder where the platform tools have been extracted and run the following command to connect the device to adb (use your emulator's IP; 5555 is adb's default TCP port, separated from the IP by a colon, not a dot):
CMD: $ adb connect 192.168.1.190:5555
Click on 'Allow' if a pop-up appears on the device.
To check whether the device is connected to adb:
CMD: $ adb devices
Note: You should see the IP of your device followed by its state, which must be 'device' (not 'unauthorized' or 'offline').
Step 5: Download the frida-server build for your Android device's architecture
We need to download the frida-server package for our Android device according to the device's CPU architecture (from the Frida GitHub releases page, https://github.com/frida/frida/releases), and its version must match the frida Python package installed above.
To find out the architecture of the device, run the following command:
CMD: $ adb shell getprop ro.product.cpu.abi
The output (x86 or x86_64 on a Genymotion device) selects the build, for example:
frida-server-12.4.7-android-x86_64.xz
To cut it short, if your device configuration is the same as the one mentioned above, download one of the following:
frida-server-12.4.7-android-x86.xz or frida-server-12.4.7-android-x86_64.xz
Install the application whose SSL pinning has to be bypassed on the device. Open the application and keep it running in the background.
Step 6: Frida server setup
We need to run frida-server on the device before injecting our script. Follow the steps below:
1. Push frida-server to the device:
Extract the archive, copy the resulting "frida-server-12.4.7-android-x86" (or -x86_64) file into the adb folder and rename it to "frida-server". After this, run the following command:
CMD: // adb push <path_to_frida_server> /data/local/tmp/frida-server
Push from (localhost) -> device
2. Give frida-server execute permission:
CMD: $ adb shell chmod 777 /data/local/tmp/frida-server
(chmod 755 is enough: only the execute bit is needed, and there is no reason to make the binary world-writable.)
Step 7: Set up Burp Suite and install its certificate on the device
Follow this guide to set the Burp proxy for an Android device:
Pushing the proxy's CA certificate to the device
In order to intercept the traffic, the Frida script needs access to Burp Suite's CA certificate. We will push the same certificate downloaded in step 5 of the Burp Suite setup (exported in DER format). Push it to the device into the same location as frida-server and name it cert-der.crt (this name and path are hard-coded in fridascript.js, so keep them to avoid issues):
CMD: // adb push <path to cacert.der> /data/local/tmp/cert-der.crt
$ adb push cacert.der /data/local/tmp/cert-der.crt
Step 8: Script injection to bypass SSL pinning
Now it's time for the real magic. We will inject fridascript.js into the target application.
1. Push fridascript.js to the device:
Copy fridascript.js into the adb folder and run the following command to push it to the device.
CMD: // adb push <path_to_fridascript.js> /data/local/tmp
$ adb push C:\ADB\fridascript.js /data/local/tmp
2. Check and run frida-server on the device
CMD: $ adb shell /data/local/tmp/frida-server &
This starts frida-server on the device in the background. You may not get any output from this command in the terminal; if a later frida command cannot connect, make sure the server is still running and that its version matches the host's frida package.
3. List all running processes on the device (open a new command prompt in Appie and run the command below).
Now we need to find the process of our target application. We will list all running processes on the device, including our application's process (the application must be open, as in Step 5).
Open a new terminal and type the following command.
CMD: $ frida-ps -U
4. Locate your application's package name.
Note: if the package name is not found in the list, scan the APK with MobSF to get the package name.
Step 9: Hook fridascript.js into the target application
Finally, we will hook fridascript.js into the target application with the following command:
With that, SSL pinning is bypassed and the application's HTTPS traffic can be intercepted in Burp Suite.
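The whole procedure from Step 4 to Step 9 as one script, added here as an example; it is not code from the original post, and the fridascript.js it writes is the widely used SSLContext.init hook rather than the author's own file, which the post does not show. It assumes the device address, the exported Burp CA (DER) and the target package name are passed as arguments, that the frida-server archive for the device's ABI has been downloaded into the current directory, and that the host frida version is 12.4.7 as on this page (the --no-pause flag belongs to that generation of Frida; later releases resume spawned apps by default, and the -i flag of frida-ps is only in newer frida-tools, so its failure is not fatal here). The ABI-to-build mapping and the script writer are plain functions so they can be checked without a device.

```shell
#!/bin/sh
# Added example, not from the original post: runs Steps 4 to 9 end to end.
# Assumed inputs (not on the page): <ip:port> of the emulator, the Burp CA
# exported in DER format, and the target package name, e.g.
#   sh pin_bypass.sh run 192.168.1.190:5555 cacert.der com.example.app
set -eu

FRIDA_VERSION="12.4.7"      # must match `frida --version` on the host
DEVICE_DIR="/data/local/tmp"

# Map `adb shell getprop ro.product.cpu.abi` output to the frida-server
# release file name. Genymotion devices are x86 or x86_64; physical phones
# are usually armeabi-v7a or arm64-v8a.
frida_server_asset() {
    abi="$1"; version="$2"
    case "$abi" in
        x86)         arch="x86" ;;
        x86_64)      arch="x86_64" ;;
        armeabi-v7a) arch="arm" ;;
        arm64-v8a)   arch="arm64" ;;
        *) echo "unsupported ABI: $abi" >&2; return 1 ;;
    esac
    echo "frida-server-${version}-android-${arch}.xz"
}

# Write fridascript.js (the classic SSLContext.init hook): load the Burp CA
# from /data/local/tmp/cert-der.crt into a fresh KeyStore and hand the app
# TrustManagers built from it instead of the ones it pins.
write_bypass_script() {
    cat > "$1" <<'EOF'
Java.perform(function () {
    var CertificateFactory  = Java.use("java.security.cert.CertificateFactory");
    var FileInputStream     = Java.use("java.io.FileInputStream");
    var BufferedInputStream = Java.use("java.io.BufferedInputStream");
    var KeyStore            = Java.use("java.security.KeyStore");
    var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
    var SSLContext          = Java.use("javax.net.ssl.SSLContext");

    // The proxy CA pushed in Step 7 (DER encoded).
    var cf = CertificateFactory.getInstance("X.509");
    var input = BufferedInputStream.$new(FileInputStream.$new("/data/local/tmp/cert-der.crt"));
    var ca = cf.generateCertificate(input);
    input.close();

    // A KeyStore that trusts only the proxy CA, and a TrustManagerFactory over it.
    var keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(null, null);
    keyStore.setCertificateEntry("ca", ca);
    var tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keyStore);

    // Whatever TrustManagers the app passes to SSLContext.init are replaced
    // with ours, so the pinned trust store is never consulted.
    var init = SSLContext.init.overload(
        "[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom");
    init.implementation = function (keyManagers, trustManagers, secureRandom) {
        console.log("[+] SSLContext.init() hooked, injecting proxy CA");
        init.call(this, keyManagers, tmf.getTrustManagers(), secureRandom);
    };
});
EOF
}

main() {
    device="$1"; cacert="$2"; package="$3"

    adb connect "$device"                                        # Step 4
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')     # Step 5
    asset=$(frida_server_asset "$abi" "$FRIDA_VERSION")
    xz -dk "$asset"                                              # keeps the .xz, writes the binary
    adb push "${asset%.xz}" "$DEVICE_DIR/frida-server"           # Step 6
    adb shell chmod 755 "$DEVICE_DIR/frida-server"               # execute bit is all it needs
    adb shell "$DEVICE_DIR/frida-server -D"                      # -D: run as a daemon
    adb push "$cacert" "$DEVICE_DIR/cert-der.crt"                # Step 7
    write_bypass_script fridascript.js                           # Step 8
    # -a lists applications, -i includes installed ones that are not running
    # (older frida-tools lack -i, so a miss here is only a warning).
    frida-ps -Uai | grep -F "$package" || echo "warning: $package not listed" >&2
    # Step 9: spawn the app with the script loaded, so the hook is in place
    # before its first TLS handshake; -f spawns, -l loads the script.
    frida -U -f "$package" -l fridascript.js --no-pause
}

if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

Spawning with -f rather than attaching to the running process matters: if the app has already built its SSLContext before the hook lands, the pinned TrustManagers are in use and the first connections still fail. Pushing fridascript.js to the device, as in Step 8, is not needed for this command, since frida loads the script from the host.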