Traffic Interception Theory in Android

Man-In-The-Middle(MITM)

A man-in-the-middle (MITM) attack is a type of cyber attack where a hacker intercepts the communication between two parties to eavesdrop, manipulate or steal information. The attacker positions themselves in between the two parties, making it appear as if they are communicating directly with each other, when in fact, the attacker is intercepting and possibly altering the communication. This can occur in many different types of communication, such as email, instant messaging, or web browsing. MITM attacks can be very dangerous, as they allow the attacker to potentially gain access to sensitive information, such as login credentials or financial data.
Problem:
Setting an HTTP proxy on the device only sends HTTP and HTTPS traffic to us, and only from apps that honour the proxy setting. What about other protocols, and apps that ignore the proxy?
Solution:
Make our machine the device's gateway, so every packet passes through us. We use
nm-connection-editor
.
First we need a router (or access point) connected to the VMware host. We need a
Kali
or
Ubuntu
VM, and we pass the router's interface through to this VM.
Disable the router's DHCP server, so the VM hands out addresses instead of the router.
In nm-connection-editor, edit the connection for that interface and set the IPv4 method to "Shared to other computers". NetworkManager then gives the VM 10.42.0.1 and runs DHCP and DNS for the devices behind it.
Done.
If the device can't get an IP address, set it manually in the shared range (e.g. 10.42.0.2, netmask 255.255.255.0, gateway 10.42.0.1). Don't forget to set DNS too; 10.42.0.1 works, since NetworkManager answers DNS on the shared address. 😉

In emulators

You can capture on your main network interface (the emulator's traffic leaves the host through it), or start the Android Studio emulator with the
-tcpdump
option, which writes everything the emulator sends and receives to a pcap file you name.

Forwarding Traffic to The Burp

For this purpose you should first enable IP forwarding in the kernel, otherwise the VM drops packets that are not addressed to it:
echo 1 > /proc/sys/net/ipv4/ip_forward
Next we need to redirect the traffic arriving on our shared interface (the VM is
10.42.0.1
, the device is 10.42.0.2) to our Burp Suite.
Note: I consider that Burp Suite is listening on
10.42.0.1:8080
, i.e. on the VM's shared address and not only on 127.0.0.1, because the device cannot reach the VM's loopback.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.42.0.1:8080
Here is a breakdown of the command:
iptables is the command for managing the kernel packet-filter tables on Linux.
-t nat specifies the table to use. Here we use the "nat" table, which is used for network address translation.
-A PREROUTING appends the rule to the "PREROUTING" chain, which sees packets as they arrive on an interface, before the routing decision. That is the right place to rewrite the destination of packets the device sends to the real server.
-p tcp matches TCP packets only.
--dport 80 matches packets with destination port 80 (the default port for HTTP). This rule catches plain HTTP only; a second rule with --dport 443 is needed for HTTPS.
-j DNAT sets the target of the rule. "DNAT" stands for "destination NAT": the destination IP address and port of matching packets are rewritten.
--to-destination 10.42.0.1:8080 specifies the new destination. Matching packets are delivered to 10.42.0.1 on port 8080, where Burp listens, instead of to the original server.
Getting List Of Rules You Set:
iptables -t nat -vnL
Delete iptables Rule:
iptables -t nat -D PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.42.0.1:8080
💡 Callout icon
To delete all NAT rules
sudo iptables -t nat --flush
💡 Callout icon
The Burp Suite proxy listener must have
Invisible
proxying enabled. The device does not know about Burp, so it sends plain requests (GET /path, or a TLS handshake directly) instead of proxy-style requests (GET http://host/path, or CONNECT). In invisible mode Burp accepts these, takes the real destination from the Host header or the TLS SNI, forwards the request to the original server and routes the response back to the sender. Without it Burp cannot tell where the request was going.
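The shared-interface setup and the forwarding rules above, combined into one script. This is an added example, not code from the original page; the interface name eth1, the connection name android-share and the 10.42.0.1:8080 listener are assumptions for a lab (override them with the IFACE, HOST_IP and BURP_PORT environment variables). It goes beyond the page's single rule by also redirecting port 443, restricting the match to the shared interface so the VM's own inbound traffic on other interfaces is untouched, and generating the matching delete commands:

```shell
#!/bin/sh
# Added example (not from the original page). Builds the host-side setup for
# intercepting a physical Android device that sits behind a NetworkManager
# "shared" interface, and redirects its HTTP/HTTPS traffic to Burp.
# Assumed lab values (hypothetical, adjust to your own setup):
IFACE="${IFACE:-eth1}"            # host interface the router/device plugs into
HOST_IP="${HOST_IP:-10.42.0.1}"   # address NetworkManager gives the host in shared mode
BURP_PORT="${BURP_PORT:-8080}"    # Burp listener on HOST_IP, invisible proxying enabled

# nmcli equivalent of the nm-connection-editor "Shared to other computers" setting.
nm_share_cmds() {
    printf '%s\n' \
      "nmcli connection add type ethernet ifname $IFACE con-name android-share ipv4.method shared ipv6.method ignore" \
      "nmcli connection up android-share"
}

# One DNAT rule. $1 is the iptables action (-A add, -D delete), $2 the port.
# -i IFACE limits the rule to packets arriving from the device's side.
nat_rule() {
    echo "iptables -t nat $1 PREROUTING -i $IFACE -p tcp --dport $2 -j DNAT --to-destination $HOST_IP:$BURP_PORT"
}

# Full forwarding setup: enable routing, then redirect HTTP and HTTPS to Burp.
nat_apply_cmds() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    nat_rule -A 80
    nat_rule -A 443
}

# Matching delete commands, so the rules can be removed without a full flush.
nat_undo_cmds() {
    nat_rule -D 80
    nat_rule -D 443
}

# Print the commands (default, "dry-run") or run them as root ("apply").
main() {
    mode="${1:-dry-run}"
    { nm_share_cmds; nat_apply_cmds; } | while IFS= read -r cmd; do
        if [ "$mode" = "apply" ]; then
            sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}

main "$@"
```

Run it without arguments first to review the generated commands, then `sudo sh setup.sh apply`; `nat_undo_cmds | sudo sh` removes only these rules. After applying, `iptables -t nat -vnL PREROUTING` should show two DNAT rules whose packet counters rise as the device browses.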
💡 Callout icon
Sometimes
Burp Suite
has problems with
TLS 1.3
, especially when you have patched certificate pinning but still get SSL errors. In those cases, try
Man-In-The-Middle Proxy
instead, with the same iptables redirection pointed at its listener.