2024双向认证APP自吐证书密码与抓包.docx

《2024双向认证APP自吐证书密码与抓包.docx》由会员分享，可在线阅读，更多相关《2024双向认证APP自吐证书密码与抓包.docx（16页珍藏版）》请在课桌文档上搜索。

1、双向认证APP自吐证书密码与抓包双向认证APP读密码HOOk网络框架抓包批量hook查看调用筑迹HOOk强混淆APP抓包总结参考资料、，一刖百在许多业务非常聚焦比如行业应用银行公共交通游戏等行业C/S架构中服务器高度集中,对应用的版本控制非常严格这时候就会在服务器上部署对app内置证书的校验代码双向认证APP读密码当抓包出现如下提示时，我们确定出此APP为服务器校验app客户端证书,JHjHmi，.tetajMiWIMMMGMCtwWBVlMCMMMlCmmbom1mWiEmlZM M4wOMMMMCJM Slit。UNVVWvMWIIUW3mMKMM.MtIMMOtI841JIEM.UWtM

2、MMMWMtfMb*l9fltwiIKTmBmM4M)IFHItdiIFaQ三nItaxna.IteOM*W,MlMlt459l4WWIIMccM0*I，HIJSB”Ac_ICflflMnds:/Ilhlp*Displaysthehelpsystea.objeDisplayInfonMtiOnaboutobject*itquitExit.MorinfoatMtpcwwtf.frda.rdocVM/Sp*m*dcn.Mlap.adreM.KswlngMinthread*(PxlX1.:cn.souIpp.androidhookKeyStorwlod.)va.lang.Throwableatjav

3、a.security.KeyStore.lod(ltotiveMethod)atcoa.android.orQ.cmcrypt.KeyRafWQerfactorylBpl.engrwlnt(KeyMafWQerfdctorylHpl.java:67)at)tfaultr(SS1.ParwtertIapl.java:471)scrpt.SSlFaramtersIepl.gtfaultX3MKryManagr(SSlFarawtersIapl.)ava:43)atca.android.0r9.cmcrypt.SS1.FaraMrterilapl.(SS1.arawtersKapl.java:125

4、)atc.android.org.CanSCrpt.QpenSS1.ContcxtIapl.engnelnt(OPenSSuOr)textIapl.jw:IeI)atJaVaIUnet.tl.SS1.Context.InitlSSlContext.Javatca.android.okhttp.OicWttpCUent.9etOefaultS1.SocketFactoryQtontpCUe11t,jaa632)tcob.android.okhttp.OkHttpCUcnt.COpyVithtefMUs(OMttpCUnt.jwcl)atco*android.okhttp.OkUrlFactory

5、.op*n(OkUrlFactory.pva:59)atcm.android.okhttp.OkUrlFactory.Open(OkUflFactoryJavarM)atco.android.okhttp.Httpandlr.OpvnConrwction(HttPHandI”.java:44)at)*.UR1.opfweatco*.tffnt.bu9ly.proguard.s,a(BUGtY:75)atcob.tencent.bugly.proguard.s.aIBUG1.Y:52)atcob.tercnt.bugly.proguard.s.a0UG1.Y13)atCMtemcent.bugl

6、y.proguard.v.njn(BUG1.Y:41)atcoB.tenccnt.bugly.proguard.u$l.run(BUG1.Y:1)atjava.lang.Thread.nmTrMd.)ava：7M)Keytore.load2:nullnull)avA.l11g.Thr(Mbleatpva.MCurty.K*yStorloadNafv*fthod)atC.I.(T1.SSocketFactory.*vazllatcn.Mulapp.a11drod.fWt.k.(SoulNtStorag.jva：l).9.AiokHttpCUeotHelper.java:18)atC.oulNet

7、wrkOK.a(SoulMetworlKSOK.jav:7i)atCA.p.a.b.d.aNetFroxy.java:1).p.b.a.acceptUnknownSOUrc:6).0.j.b.onNext(leC(XiSUBer.)ava:2)atio.rMtvex.internal.operators.obrvM)le.c2M.bObcrvableOberven.javaz8)atio.rctv.internal.operators.ob$rvatole.c21a.11m0bservable54rn.jva：3atio.rectivex.internal.schedulers.a.run(S

8、cKeduledRurtnAble.jaifa:2)atio.rectvx.internal.SCheAJIc.callSdZUlBRMngbI。.java:1)atW.utxl.COfKurrent.FutureTMk.run(RitureTMk.Java:266)*t)ava.util.concurrwt.SctwduledThrMdPooU*cutorSSchduldFuturtak.nm(chduldThradP00Ucutor.java:Ml)atjava.util.concurrent.TbrMdRiolUwcutor.ru11ttorkr(DradPooUxcutor.java:

9、1152)atjava.util.concurrentTbreadPoolExecutorSUorlter.run(ThrMdFoolEjrecwtor.java：6Xat)*va.lang.11rM.11MotHugeFileseon,64bits,4CPUsIntel(R)Core(TM)iScanningthedriveforarchives:1file,83351124bytes(8MiB)Extractingarchive：soulchannelsoul.apkPath三soulchannelsoul.apkType三zipPhysicalSize三83351124Everythin

10、gisOkFiles：7592Size:95x31Size:144123783Coapressed:83351124：一,DMr。口12双向证书”,treeNCFhlIgreP-ipl2I|2.5Kclient.pl2D.ktop12,双向MwC如果在安装包内找不到证书的话也可以进行hkjava.io.FilePlainTextQ复制代码#androidhookingwatchclass_methodjava.io.File.$2init：tobjectiongc11.soulapp.androidexploreCheckingforanewerversionofobjection.Using

11、USBdvicPixelXlAgentinjectedandrespondsok!I1.IJI1.IJIIIIIIIIIIII1.I1.I-1.IJII(object)Inject(ion)vl.9.6RuntiMMobileExplorationby:QleonjzafroaQsenseposttabforcomandsuggestions(google:8.1.)androidhookingwatchclassmethodjava.io.File.$Initjava.10.File.Snt(java.o.Fle.ii11it()java.io.File.Sinit(java.io.File

12、.Sint(java.io.File.$init(java.10.File,Sinit()agent)AttenptingtowatchclassJava.10.FileandIBethodSinit.(agent)Hooking(agent)Hooking(agent)Hooking(agent)Hooking(agent)Hooking(agent)Hooking(agent)Registeringjob.Type:watchmethodfor：java.io.File.Simt，dr：dm(google：8.1.6)(a9ent)Calledjava.io.File.File(agent

13、)Calledjava.10.File.File(agent)Calledava.10.F1le.F1；e(agent)Calledava.o.Fle.Fle(aent)Calledvao.Fle.F.e(通过hook也可以找到该证书文件PlainTextQ复制代码1#objection-gcn.soulapp.androidexplorestartup-commandandroidhookingwatchclassmethodjava.io.File.$initdump-args”然后再使用抓包工具点击导入证书（burp同理）SS1.ProxyingServerjCertificatesCl

14、ientCertificatesRootCertificateYoumustcreateaCharlesSecureStoretoimportprivateSS1.CertificatesintoCharles,CreateSecureStoreUriloCl,.pc.pIcfpNeetSe：1etoreCharlesSecureStoreEnterapasswordtoprotecttheCharlesSecureStore.ThesecurestoreisusedtostoreyourprivateSS1.Certrficates.Ifyouforgetthispassword,youwi

15、llneedtoresetthesecurestoreandaddyourcertificatestoCharlesagain.Password：Confirmpassword：Rememberpassword码随意设置然后进去之后导入p12证书和密码（自吐出的密码%2R+os三jpP!w%x）host和POrt输入SS1.ProxygSettingsS1.ProxyingServerCertificatesClientCertificatesRootertificateConfigurePKCSOI2certificatesforselectedhoststoenableclientSS1.

16、certificateauthentication.HostCertificateAddRmovHelpCancelOK可以看到可以成功抓到了数据包M6(hr5,2243MJ2244Re；2?4341.W4J41M邙一二4$：274344K三三三二a-，XrxZM7zJ1.三4:EN5t：1*vtf;*Q09e*wH,.*i0ofrWIJo2”33cr工*m)j”S4-JWbXJMMMINMI,：li*l.mmS11Hook网络框架抓包当然除了通过hook底层框架自吐证书和证书密码的方式外,我们还可以通过hook网络层框架来直接抓包1首先确定使用的框架,主流框架为okhttpHttpUR1.c

17、onnection我们使用ObjeCtiOn来进行分析首先打印内存中所有的类PlainTextQ复制代码1#androidhookinglistclasses然后搜索过滤类文件中值得怀疑的框架：.objection#cat.objection#cat.objection#catobjection.loggrepobjection.logIgrePobjection.logIgreP-i-i-ivolleyokhttpHttpUR1.connectionPlainTextQ复.制M弋S马可以看到当我们在APP上操作时候，经过了OkhttP框架sun.util.locale.Base1.ocale

18、SCachesun.util.locale.Base1.ocaleSKeysun.util.locale.Internal1.ocaleBuildersun.util.locale.Internal1.ocaleBuilderscaseInsensitiveCharsun.util.locale.1.anguageTagsun.util.locale.1.ocaleObjectCachesun.util.locale.1.ocaleobjectCacheSCacheEntrysun.util.locale.1.ocaleSyntaxExceptionsun.util.locale.1.ocal

19、elltilssun.util.locale.ParseStatussun.util.locale.StringTokenIteratorsun.util.logging.1.oggingProxysun.util.logging.1.oggingSupportsun.utiI.logging.1.oggingsupportSlsun.util.logging.Platform1.oggersun.util.logging.Platform1.oggerJlsun.util.logging.Platform1.oggerS1.evelvoidFound7515classescom.cz.bob

20、ySisteron(google:8.1.0)usbj.objectioncatobjection.logIgrep-iHttpUR1.Connectioncom.android.okhttp.internal.hue.HttpUR1.C.HttpUR1.Connection,objectioncatobjection.logIgrep-okhttp.android.okhttp.CipherSuite;.android.okhttp.ConnectionSpec;.android.okhttp.HttpUrlSBuilderSParseResult;.android.okhttp.Proto

21、col;.android.okhttp.TlsVersion;com.android.okhttp.Addresscom.android.okhttp.Authenticatorcom.android.okhttp.CacheControlcom.android.okhttp.CacheControliBuildercom.android.okhttp.CertificatePinnercom.android.okhttp.CertifIcatePinnerSBuildercom.android.okhttp.CipherSuiteCorTl.android.OkhttD.COnfIaAWar

22、eConneCtIOnPOolFrida12.11.10-Aworld-classdynamicinstrumentationtlkitesultlbytearry,inti,int2undefinedobjectObject0189202f6966792043334642740da6365707426673a20677o6970d0o2d4167656e743q206f6b687431366S632e31313174696f6e0d0a41636e5831Zd2313732726S6174494e6e486f732e32313a204b20486e7474696e2d65542d6f6e6c

23、6f63757272502f312e79706S3qZf6a736f4b65793q0a436f70Zd41456e6355736569766564696e6S6e74Zf7S736S31d0a436f6e74206170706c69636e0d0a582d476f724b743q370d6565Ccxnmands:helpobject?eitquit找到APP使用的框架后如OkhttP然后通过frida加载js脚本来进行绕过同样可以看到数据请求和返回-Displaysthehelpsystem-Displayinformationabout,object,-Exit-no-pause*hre

24、ad!.MrKC.c-*htt三v/www.frido.redocsbomepawning,二ampawned.Pixel3Iook.SSTTPwr.2cfd5e0002cfd5e0102cfd5e202cfd5e032cfd5e0402cfd5eS02cfd5e6O2cfdSe72cfd5e082cfdSe0902cfdSeoe474554GETcurrentuserHTTP/1.1.Content-Type:QPPliCation/json.X-Gotify-Key:CINnrKXl-e3FBt.Host:172.16.111.217.Connection:Keep-Alive,.Acce

25、pt-Encoding:gzp.User-Agent:okht批量hook查看调用轨迹下面推荐一款批量hook查看调用轨迹的工具ZenTracerPlainTextQ复制代码1#gitclonehttps:/w三ow.nMHnpUR1.CwvweeongMF4MHd*etsO020Z19V2fMS2M1S18M56W-01-1VTMMIOZI-OI-HirMMMSBIMS21XM10Z1(r-11MMX21-OI-WICMM”他MM（八）C4maRoctn9fMlHtWUR1.C4fweflcn_MaMgRWyo)Mctdft*HnmMlX4fwwctte11.MC9tfMtMMhdMJ*gB

26、m*gMryw(jAocMrMR*JlttX4nmcftn-MatflRthS*mntoteft)(MMtM.AMHNpUR1.CfV*CH.MCRWd1.(i*RM*flMM(M)(Jftoctan*v*-nMMrwURlCerwwcttenMt*dlngtt4*wnnMo4nn,t一A1tIx三*5fWVWirjw.1.uKVyrwr*ppowIr/(JMeiitnf0wfMRIAJR1.CvCMnMVCfWMdStrMrtrtgMMMMj三mmtMtwun1.CcnmciienIJFxXrVW.W1.U.WV9OrY*V.XWJ然后使用objectionhk该方法PlainTextQ复制

27、代码#androidhookingwatchclass_.HttpUR1.Connection.getFollowRedirects-dump2-args-dump-return-dump-backtracecloi.ethod).HttiilM1.connection.QetFollowAedirecti-du*pOrS-au*pretur-du*p-bocktroct0gnt)Attwptingtootchclns)vont,HttpUK1.Cofv)t)Noorgjvnet.NttptNi1.Connecton.9etFolIo1*Aedrcts()ent)MeQittertneIObk

28、6t6dpt2v.Type:wotch-,Cotiedjv,ntHUMKjBacktrace:JHttUR1.Connect101.9tF0llOMRedirets(NatlveMethod)co.android.okhttp.HttpHondltr.crotHttpOkVrlFactory(RttHanllr.jev:S2)com.ardroid.okbttp.HttpMondler.n*OUrIFactory(HttpMandler.java:59)ca*.androd.OkMtp1HttpHandler.openCe.)avo:44).U*l.opClnts.ova:22)com.c.b

29、c*ySister.octivity.y.runReturnValue:(X*CtbabySiftteron(google:8.1.)u*bTKtBfjtcijtrjcom.cz.Daoybiscerc.a.aHttpciients.java:zz)直接定位到了收发包函数的地址然后查看收发包的内容如下：PlainTextQ复制代码1#androidhookingwatchclass_methodcom.cz.babySister.c.a.a-dump-args-dump-backtrace-dump-return同样可以发现了接口请求88-duRp-bocktroce-duwp-return(

30、ogent)AtteaptingtoMtcclasscon.cz.babySttr.c.oandMethoda.(agent)Hookingcoa.C2baty5istrc.a.a)(O0nt)Hookingcon.C.bobyStster.c.a.o.)(ogent)Hookingco.cz.babySister.c.a.aoty5nron(0ogl:t.l.)ub(ognt)ly(krejrCalldcom.cx.babyStr.c.o.a(ptr,1；uvoIJ2-；)1(agent)*lyler-Mlptocktroc:com.cz.babySstr.c.a.a(HatvMethod)

31、coR.cx.bobySi$ter.activtty.y.rvn(1.oQtnActtvity.)avo:2)avo.lOng.Threod.rnCTreod.java:764(ogent)lylecySlster.o,o(I,-.!J*,.!t,：.!*find()被混淆(仅参考)IikelyClazz1.istsize:1764StartFind一一F1nSUItvarClsCall=h.e;varClsCaUBack=Mh.fw;varClsOkHttpClient=wh.y-;varClsRequest=wh.b;varClsResponse三wh.f;varClsResponseBo

32、dy=h.h”;varClsokioBuffer=wi.fh;varFheaderamesAndValues=waw;varFreqbody=d;varFreqheaders=wcw;varFreqmethod=b;varFrequrl=a;varFrspSbuilderbody=gM;varFrspbody=g;varFrspcode=cw;varFrspheaders三f;varFrspmessage=W;varFrsprequest=a；varMCallBackOnFailure=a”；varMCallBackOnResponse=wa;varMCallenqueue=a；varMCal

33、lexecute=b；varMCallrequest=n;varMClientnewCall=a;varMbufferTeadByteArray=f;varMContentTypecharset=wa;然后复制被混淆后的类名，粘贴到Okhttp_poker.js文件中重新运行后运行hoid()开启hook拦截,然后操作APP后会出现拦截的内容如下：PlainTextQ复制代码1#nanookhttp_poker.js同样也可以抓到做了强混淆APP的数据包,如下OkHttpPokerbySingleMan(V.22ll301*HndOH竟是否侵用了Okhttp&是否可累濡&丐找okttp3关类4

34、1Anlsdtch1.oader(OkhttpJ.OkHttpClienf)*R:小分析尉的OkhttPClient类名hold()开JBHOoK法。HstoryO打卬可帼凌遥的束resend(index)跖暹米(PixelX1.:or9.Sfjboldyvukzzlpp)(PixelX1.:org.Sfjboldyvukzzlpphold()(PixelX1.:org.Sfjboldyvukzzlpp)notfountcloneMethod!bkRelCaU:h.j18IUR1.:httpt:/api.klttday*ar.coaipdocuMtlogin16113688776IIMetho

35、d:PVTIIRequestHeaders：3Ir-CtntType:application”son；Charset-UTF8I11-Content1.ength:328If-X-SPRIMGsession：Irx-SPRIMGSECRET:IlX-SPRINGSIGN:GCEVJhckCDKPPg8*DTeUWszA)EdeB58HtIKxp7THUeet6GSAVcEUkElZEI8MkHXtMfeo-IIRequestBody:IYjtpe6pqbZrfTsj0)wveh8fysseyx7enb4eHp6Kyes1.SgfHhKCl9o0zU7aXF2d)w7IzsoIShISEhIsb

36、Us102i2d3w7IzsyIS87MTt4WlPfGs7Izsr1tyg3KTcp0zU7fXxvW33fTsj03I52dnSlfDsl0318bld4dHw7IztJcGF8dTlBTsl0318b3B6fFB90yH7fH97eyx6egeC4sKD0qSh6NCAsfCweeC8te36q1.B1.ios0zU7d)7IztYd3lrdnB90zU7dBpPfGs7l2shMyg3KTs102x6Idnl80yH7ISAKAs11tkI-ENDIIUR1.:httpszaplettdayeare.cMapidxuBentl9in71lll368776IIStatusCode:26/IIResponseHeaders:10Ir-tote:Wed,26Jan262168:18:55(WI(-content-type:text/plainIcookie:AwSA1.BU3lcoXpTsK6nrJlomt90BQXPU*6FH7aV*ii7SYNKPhUVYY61IbZ(XXM5rfm8B*bepbrj2EYfn)radPOoiMiTMFbOZJMPHe3ffluWaYSFrrldcFiEkZrv7IAcRM0UasUFqtTBIiSrNsx1.ax98krr3ZhA9(S8794vKbvyd9；Ejire三Wed,27Jan2021ee：lS:S5GMT；Path-/Ir-