httptoolkit / frida-interception-and-unpinning

Frida scripts to directly MitM all HTTPS traffic from a target mobile application
https://httptoolkit.com/android/
GNU Affero General Public License v3.0

cl.com.edenred.ticketjunaeb not working #106

Open pcurz opened 1 month ago

pcurz commented 1 month ago

It gets stuck in the MFA section and does a request to https://edenred.ionix.cl/ with 401 Unauthorized. logcat_output.txt

Edit: I forgot the Frida logs. Running with frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -f net.veritran.becl.prod


     ____
    / _  |   Frida 16.4.8 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Nokia 2 3 (id=PA51100631005816)
Spawning `cl.com.edenred.ticketjunaeb`...

*** Starting scripts ***
== Redirecting all TCP connections to 192.168.1.4:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `cl.com.edenred.ticketjunaeb`. Resuming main thread!
[Nokia 2 3::cl.com.edenred.ticketjunaeb ]-> == Proxy system configuration overridden to 192.168.1.4:8000 ==
Rewriting <class: android.net.PacProxySelector>
Rewriting <class: java.net.ProxySelector>
Rewriting <class: sun.net.spi.DefaultProxySelector>
== Proxy configuration overridden to 192.168.1.4:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

Ignoring attempt to override http.proxyHost system property
Ignoring attempt to override https.proxyHost system property
Ignoring attempt to override http.proxyPort system property
Ignoring attempt to override https.proxyPort system property
Ignoring attempt to clear http.nonProxyHosts system property
Ignoring attempt to clear https.nonProxyHosts system property
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
Ignoring unix:dgram connection
Ignoring unix:dgram connection
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 69 to null (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 86 to null (-1)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 69 to null (-1)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 123 to {"ip":"::ffff:192.168.1.4","port":8000} (-1)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 128 to null (-1)
Process terminated

Thank you for using Frida!
pcurz commented 1 month ago

08-12 01:43:18.765  1139  2635 I InputDispatcher: setInputWindows displayId=0 Window{d21eedd u0 ScreenDecorOverlay} Window{490fb34 u0 NavigationBar0} Window{486b0fc u0 StatusBar} Window{4a678e7 u0 cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity} Window{9c551a4 u0 cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity} Window{5d12ea8 u0 com.android.systemui.ImageWallpaper} 
08-12 01:43:18.776 20135 20169 D Utils   : subject      : O=Mockttp Cert - DO NOT TRUST,L=Unknown,C=XX,CN=edenred.ionix.cl
08-12 01:43:18.776 20135 20169 D Utils   : organization : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils   : commonName   : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils   : country      : XX
08-12 01:43:18.777 20135 20169 D GuardInterceptor: No es un certificado válido
08-12 01:43:18.781   522  1208 I BufferQueueProducer: [cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity#1](id:20a00000146,api:1,p:20135,c:522) disconnect(): api=1

It says "08-12 01:43:18.777 20135 20169 D GuardInterceptor: It is not a valid certificate"

pimterry commented 1 month ago

Hmm, it's hard to know what's going on here:

Does that message definitely appear at the same time as the failing 401 response? Do you see any "certificate rejected" or "connection reset" empty rows in HTTP Toolkit? In all certificate pinning cases, something like that should appear. If there are no empty failure rows like that (so on every row you can see the request URL etc.) then there is no certificate pinning issue.

If you want to know more about GuardInterceptor anyway, you'll need to do some reverse engineering to dig into the app and find that source code. See here for more info: https://httptoolkit.com/blog/android-reverse-engineering/
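To make that diagnostic concrete, here is an added Python example (not part of this issue or of the frida-interception-and-unpinning project) that parses logcat lines in the format pasted above, correlates the certificate fields the app's `Utils` class dumps with the `GuardInterceptor` verdict logged on the same pid/tid, and reports each app-level rejection. A hit shows that the TLS handshake itself succeeded (the network stack handed the app a certificate to inspect) and the application rejected it, which is exactly the case where a proxy shows a normal-looking request rather than an empty "certificate rejected" row. The sample log lines, process ids and the tag names `Utils` and `GuardInterceptor` are taken from this thread and are assumptions that would need adjusting for another app.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the logcat excerpt pasted in this issue
# (process/thread ids and timestamps are illustrative).
SAMPLE_LOGCAT = """\
08-12 01:43:18.765  1139  2635 I InputDispatcher: setInputWindows displayId=0
08-12 01:43:18.776 20135 20169 D Utils   : subject      : O=Mockttp Cert - DO NOT TRUST,L=Unknown,C=XX,CN=edenred.ionix.cl
08-12 01:43:18.776 20135 20169 D Utils   : organization : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils   : commonName   : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils   : country      : XX
08-12 01:43:18.777 20135 20169 D GuardInterceptor: No es un certificado válido
08-12 01:43:18.781   522  1208 I BufferQueueProducer: disconnect(): api=1
"""

# Standard "threadtime" logcat layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<date>\d\d-\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)
# "key   : value" lines the app's Utils class uses to dump certificate fields
FIELD_RE = re.compile(r"^(?P<key>\w+)\s*:\s*(?P<value>.*)$")

# Tag names are taken from this issue's logcat (assumption: other apps differ).
CERT_FIELD_TAG = "Utils"
VERDICT_TAG = "GuardInterceptor"


def parse_rdn(subject: str) -> dict:
    """Split an RFC 4514-style string (O=...,L=...,CN=...) into a dict.
    Commas escaped as '\\,' are kept inside a value."""
    parts = re.split(r"(?<!\\),", subject)
    rdn = {}
    for part in parts:
        key, _, value = part.partition("=")
        if key:
            rdn[key.strip()] = value.replace("\\,", ",").strip()
    return rdn


@dataclass
class CertRejection:
    pid: str
    tid: str
    time: str
    verdict: str
    cert_fields: dict = field(default_factory=dict)

    @property
    def leaf_subject(self) -> dict:
        return parse_rdn(self.cert_fields.get("subject", ""))


def find_app_level_cert_rejections(logcat_text: str) -> list:
    """Correlate certificate-field dumps with a later verdict on the same thread.

    A hit means the TLS handshake already succeeded (the network stack handed
    the app a certificate to inspect) and the application rejected it, which
    is why a proxy shows no 'certificate rejected' rows for such a request."""
    pending = {}  # (pid, tid) -> certificate fields seen so far on that thread
    hits = []
    for line in logcat_text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m:
            continue
        key = (m["pid"], m["tid"])
        if m["tag"] == CERT_FIELD_TAG:
            f = FIELD_RE.match(m["msg"])
            if f:
                pending.setdefault(key, {})[f["key"]] = f["value"]
        elif m["tag"] == VERDICT_TAG:
            fields = pending.pop(key, {})
            hits.append(CertRejection(m["pid"], m["tid"], m["time"], m["msg"], fields))
    return hits


def summarize(rejection: CertRejection) -> str:
    """One-line triage summary: which host, which CA, and the app's own verdict."""
    cn = rejection.leaf_subject.get("CN", "?")
    ca = rejection.cert_fields.get("organization", "?")
    return (f"pid {rejection.pid} tid {rejection.tid} at {rejection.time}: app rejected "
            f"certificate for CN={cn} from CA '{ca}' ({rejection.verdict!r})")


if __name__ == "__main__":
    for hit in find_app_level_cert_rejections(SAMPLE_LOGCAT):
        print(summarize(hit))
```

Run it against a full `adb logcat -v threadtime` capture instead of the embedded sample to see every place the app's own check fires; the pid/tid correlation is what separates the app's verdict from unrelated log noise emitted by other processes at the same timestamp.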

pcurz commented 3 weeks ago

Does that message definitely appear at the same time as the failing 401 response?

Yes

Do you see any "certificate rejected" or "connection reset" empty rows in HTTP Toolkit?

Not really, it's like the app does a check itself and returns the same 401 error.

If you want to know more about GuardInterceptor anyway, you'll need to do some reverse engineering to dig into the app and find that source code. See here for more info: https://httptoolkit.com/blog/android-reverse-engineering/

I found the class and the method in question, but there are other things I still can't figure out, because the proxy stops working (no requests appear in HTTP Toolkit, and the app works normally) and I have to delete its data and start all over again. When I have time I will take it up again.