2024 Mutual-authentication APP: dumping the certificate password and capturing traffic (2024双向认证APP自吐证书密码与抓包.docx)
Contents: Reading the password from a mutual-authentication APP; Hooking the network framework to capture traffic; Batch hooking to view call traces; Hooking a heavily obfuscated APP to capture traffic; Summary; References

Preface

In many tightly focused businesses, such as industry applications, banking, public transport and games, the C/S architecture has highly centralized servers and very strict version control over the application. In that situation the server side deploys code that validates the certificate built into the app.

Reading the password from a mutual-authentication APP

When the following prompt appears while capturing traffic, we can confirm that the server validates the app's client certificate.

[Screenshot: the capture tool's error prompt]

To capture traffic from this kind of APP, two things are usually needed:

    1 find the certificate file
    2 find the certificate password

While the server validates the client, the client sends its certificate public key to the server, and obtaining the session from the server and decrypting with the private key both go through APIs. These APIs live in the Java-layer framework, so we hook the framework-layer code java.security.KeyStore and make it dump the password.

    # frida -U -f cn.soulapp.android -l ssl.js --no-pause

[Frida output: the hook on KeyStore.load prints a java.lang.Throwable backtrace from java.security.KeyStore.load through com.android.org.conscrypt (KeyManagerFactoryImpl, SSLParametersImpl, OpenSSLContextImpl), javax.net.ssl.KeyManagerFactory, javax.net.ssl.SSLContext.init and com.android.okhttp (OkHttpClient, OkUrlFactory, HttpHandler) via java.net.URL.openConnection into the app's networking code; the KeyStore.load call with arguments then shows the loaded store and its password]

We can see that by hooking the framework-layer code we obtained the certificate password:

    %2R+0SsjpP!w%X

Now we still need the certificate file. First try the ordinary way: unpack the APK and search the package for certificate files. Usually it is enough to unpack the apk and filter for files with the p12 extension; a common command is tree -NCfhl | grep -i p12, which prints the path of the p12 file directly.

[Terminal output: 7-Zip 16.02 extracts soulchannelsoul.apk (7592 files, "Everything is Ok"); tree -NCfhl | grep -i p12 lists client.p12 (2.5K)]

If the certificate cannot be found inside the installation package, you can also hook java.io.File:

    # android hooking watch class_method java.io.File.$init

[objection session: objection -g cn.soulapp.android explore on the USB device "Pixel XL" (google: 8.1.0); the agent hooks the java.io.File.$init overloads and logs each "Called java.io.File.File" as the app runs]

The certificate file can also be located through the hook:

    # objection -g cn.soulapp.android explore --startup-command "android hooking watch class_method java.io.File.$init --dump-args"

Then use the capture tool to import the certificate (the same applies to Burp). In Charles this is under SSL Proxying Settings > Client Certificates: Charles first asks you to create a Charles Secure Store to hold private SSL certificates (the secure-store password can be anything; if it is forgotten, the store must be reset and the certificates added to Charles again). After that, import the p12 certificate with its password (the dumped password %2R+0SsjpP!w%X) and enter the host and port.

[Screenshots: Charles "Create Secure Store" dialog and the "Configure PKCS#12 certificates for selected hosts to enable client SSL certificate authentication" dialog]

We can see that the packets are now captured successfully.

[Screenshot: captured request list in the proxy]

Hooking the network framework to capture traffic

Besides hooking the underlying framework to make it dump the certificate and its password, we can also hook the network-layer framework to capture traffic directly.

1 First determine which framework is in use; the mainstream ones are okhttp and HttpURLConnection. We use Objection for the analysis. First print all classes in memory:

    # android hooking list classes

Then search the class list for frameworks worth suspecting:

    # cat objection.log | grep -i volley
    # cat objection.log | grep -i okhttp
    # cat objection.log | grep -i HttpURLConnection

We can see that when we operate the APP, the traffic goes through the Okhttp framework.

[objection output: "Found 7515 classes" for com.cz.babySister on (google: 8.1.0); the grep for HttpURLConnection matches the com.android.okhttp.internal.huc HttpURLConnection classes and the grep for okhttp matches com.android.okhttp.CipherSuite, ConnectionSpec, HttpUrl$Builder$ParseResult, Protocol, TlsVersion, Address, Authenticator, CacheControl, CertificatePinner and more]

After finding the framework the APP uses, Okhttp in this case, load a JS script with frida to bypass it; the requests and responses can then be seen in the same way.

[Frida 12.11.10 output: hexdump of a captured request, GET /currentuser HTTP/1.1 with Content-Type: application/json, an X-Gotify-Key header, Host, Connection: Keep-Alive, Accept-Encoding: gzip and User-Agent: okhttp]

Batch hooking to view call traces

Below is a recommended tool for batch hooking and viewing call traces, ZenTracer:

    # git clone <ZenTracer repository URL, garbled in the source>

[Screenshot: ZenTracer trace window listing calls on java.net.HttpURLConnection methods, among them getFollowRedirects]

Then hook that method with objection:

    # android hooking watch class_method java.net.HttpURLConnection.getFollowRedirects --dump-args --dump-return --dump-backtrace

[objection output: the backtrace for the hooked call]

    Backtrace:
    java.net.HttpURLConnection.getFollowRedirects(Native Method)
    com.android.okhttp.HttpHandler.createHttpOkUrlFactory(HttpHandler.java:52)
    com.android.okhttp.HttpHandler.newOkUrlFactory(HttpHandler.java:59)
    com.android.okhttp.HttpHandler.openConnection(HttpHandler.java:44)
    java.net.URL.openConnection(URL.java:992)
    com.cz.babySister.c.a.a(HttpClients.java:22)
    com.cz.babySister.activity.y.run(LoginActivity.java:2)
    java.lang.Thread.run(Thread.java:764)

This locates the send/receive function directly. Then look at the contents being sent and received:

    # android hooking watch class_method com.cz.babySister.c.a.a --dump-args --dump-backtrace --dump-return

The interface request can again be seen.

[objection output: the hook on com.cz.babySister.c.a.a reports its overloads hooked, then the call with its arguments, a backtrace through com.cz.babySister.activity.y.run(LoginActivity.java:2) and java.lang.Thread.run(Thread.java:764), and the subsequent java.net.HttpURLConnection.getFollowRedirects call]

Hooking a heavily obfuscated APP to capture traffic

If the APP is code-obfuscated, analysing the network framework by hooking becomes rather difficult. Here we can use an existing tool, OkHttpLogger-Frida.

1 First copy okhttpfind.dex to the /data/local/tmp directory on the phone:

    # adb push okhttpfind.dex /data/local/tmp
    # chmod 777 *

2 Start it with frida -U -l okhttp_poker.js -f com.example.demo --no-pause; you can add -o outputfilepath to save the output to a file.

    # frida -U -l okhttp_poker.js -f org.Sfjboldyvukzzlpp --no-pause

Running find() shows the obfuscated names (for reference only):

[Output: "likely Clazz List size: 1764", "Start Find --->", then the find result as a list of var assignments mapping the script's class, field and method names to the obfuscated ones, e.g. var ClsCall = "h.e", var ClsOkHttpClient = "h.y", var ClsRequest = "h.b", var ClsResponseBody = "h.h", down to var M_ContentType_charset = "a"]

Then copy the obfuscated class names into okhttp_poker.js, rerun it, and run hold() to start hook interception; after operating the APP the intercepted content appears as follows:

    # nano okhttp_poker.js

Packets from the heavily obfuscated APP can be captured in the same way:

[OkHttpPoker by SingleMan output: the banner lists the commands find() (check whether Okhttp is used and usable, and find the okhttp3 classes), switchLoader("okhttp3.OkHttpClient") (the analysed OkHttpClient class name), hold() (start hooking), history() (print resendable requests) and resend(index); after hold() it reports "not found cloneMethod!" and then prints a captured PUT request to the app's login API with Content-Type: application/json; charset=UTF-8, Content-Length: 328 and X-SPRING-SESSION, X-SPRING-SECRET and X-SPRING-SIGN headers, an encoded request body, the status code and the response headers (Date, content-type: text/plain, cookie, Expires, Path)]

Note: this document (2024双向认证APP自吐证书密码与抓包.docx) was uploaded by site member 夺命阿水.