search

OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International
11.79k stars 2.34k forks source link

Non-Proxy Aware Apps DNS method addition #1645

Open DemanNL opened 4 years ago

DemanNL commented 4 years ago

The MSTG currently deals with non-proxy aware apps using one of the two methods:

I performed a pentest using DNS hosts file method explained below. The root free version related to DNS is DNS spoofing. Let me know what you think about this potential addition to the MSTG.

Test setup: Tested on Genymotion Android 8.0 - API 26 -- Applied Genymotion ARM Translation for 8.0 App tested: ORTEC Employee Self Service (Xamarin, no certificate pinning, root cert accepted)

Description hosts file method: Add root Burp CA (see MSTG) Genymotion: Network mode NAT

Set-up a Burp listener:

Proxy -> Options -> Proxy Listeners -> Add
Bind to port: 443 (if you want to intercept a different port choose something else)
Specific address: 192.168.56.1 (Genymotion NAT)
Request handling tab -> support invisible proxying enabled

Run TCPdump to discover the outgoing DNS requests:

tcpdump -i wlan0 port 53

Edit /etc/hosts using adb shell:

vi /etc/hosts
192.168.56.1    example.com

To test the set-up, start for example the ORTEC ESS app and fill in the domain example.com. You should now be able to intercept all the domains you added to the hosts file.

Description DNS spoofing method: For some reason Bettercap DNS spoofing doesn't really work to well for me. But here is how it can be done.

Genymotion: Network mode Bridged (eth0 for example) Android Wi-Fi settings: set gateway to the Burp listener IP. (unsure about this, Bettercap seems to work randomly with and without a static gateway)

Set-up a Burp listener:

Proxy -> Options -> Proxy Listeners -> Add
Bind to port: 443 (if you want to intercept a different port choose something else)
Specific address: 192.168.83.51 (eth0 IP)
Request handling tab -> support invisible proxying enabled

Run TCPdump to discover the outgoing DNS requests:

tcpdump -i wlan0 port 53

Start bettercap and execute the following one-liner:

set dns.spoof.address 192.168.83.51; set dns.spoof.domains example.com; dns.spoof on

Start the ORTEC ESS app and fill in the domain example.com. You should be able to intercept the request!

sushi2k commented 4 years ago

Thanks for sharing and apologies for the late response @HiddeSmit.

Routing the traffic via /etc/hosts and DNS is of course also one way and thanks for describing the steps in detail.

You could add the /etc/hosts as a seperate section after bettercap (https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05b-Basic-Security_Testing.md#bettercap) and include the DNS spoofing to bettercap. Do you want to raise a PR for it?