---
title: Android HTTPS traffic capture for 6.0 or upper
tags: security, packet capture
---

# Android HTTPS traffic capture for 6.0 or upper

##### Applies to: capturing HTTPS traffic from ordinary apps that only validate the certificate
##### Works around apps not trusting user-installed certificates

## Prerequisites

rooted android

## Install the Burp certificate into the Android system store

### download burp key

`curl -x http://burpproxy:8080/ http://burp/cert > cacert.der`

### turn it to pem

`openssl x509 -inform der -in cacert.der -out burp.pem`

### get hash

- `openssl x509 -inform PEM -subject_hash_old -in burp.pem |head -1`
- This prints a hash, which is used as the file name
    - eg `9a5ba575`

### rename pem to hash + extension `.0`

- eg `cp burp.pem 9a5ba575.0`

### install to android

- Get root
    - `adb root`
- Make the system partition writable
    - `adb shell "mount -o rw,remount /"`
    - `adb shell "mount -o rw,remount /system"`
- Push the file to the device
    - `adb push 9a5ba575.0 /system/etc/security/cacerts`
- Change the permissions
    - `adb shell "chmod 664 /system/etc/security/cacerts/9a5ba575.0"`

### Reboot and enjoy

- `adb reboot`

## Further notes

### Apps that check the certificate themselves

- Xposed+JustTrustMe
    - JustTrustMe hooks every API in the APK that is used to validate SSL certificates, which bypasses the certificate check

##### BlueStacks: importing the certificate with the method above

1. Create an Ubuntu virtual machine in VirtualBox, then mount `C:\Program Data\BlueStacks\Engine\Program Data\Engine\<VM name Nougat64.bstk>\Root.vdi` through the GUI
2. Copy `xxxxxxxx.0` into `/system/etc/security/cacerts`
3. To enable the proxy on BS5, edit `/data/system/users/0/settings_global.xml`

```
<setting id="100" name="global_proxy_pac_url" value="" package="android" />
<setting id="97" name="global_http_proxy_host" value="192.168.1.2" package="android" />
<setting id="98" name="global_http_proxy_port" value="8888" package="android" />
<setting id="99" name="global_http_proxy_exclusion_list" value="" package="android" />
<setting id="96" name="http_proxy" value="192.168.1.2:8888" package="com.android.shell" />
```

Then reboot.
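
To confirm which proxy a `settings_global.xml` actually configures, and that its entries agree with each other, the file can be parsed offline. This is an added example, not part of the original note. It assumes the file is plain-text XML with a `<settings>` root element (the root and its `version` attribute are assumptions), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's <setting> entries wrapped in an assumed
# <settings> root element so the fragment parses as one XML document.
SAMPLE = """<settings version="-1">
<setting id="100" name="global_proxy_pac_url" value="" package="android" />
<setting id="97" name="global_http_proxy_host" value="192.168.1.2" package="android" />
<setting id="98" name="global_http_proxy_port" value="8888" package="android" />
<setting id="99" name="global_http_proxy_exclusion_list" value="" package="android" />
<setting id="96" name="http_proxy" value="192.168.1.2:8888" package="com.android.shell" />
</settings>"""

PROXY_KEYS = {"http_proxy", "global_http_proxy_host", "global_http_proxy_port",
              "global_http_proxy_exclusion_list", "global_proxy_pac_url"}


def read_proxy_settings(xml_text):
    """Return {name: value} for the proxy-related <setting> entries."""
    root = ET.fromstring(xml_text)
    return {n.get("name"): n.get("value", "")
            for n in root.iter("setting") if n.get("name") in PROXY_KEYS}


def check_proxy(xml_text):
    """Return (proxy, problems): 'host:port' or None, plus inconsistencies found."""
    s = read_proxy_settings(xml_text)
    combined = s.get("http_proxy", "")
    if combined == ":0":  # value left by `settings put global http_proxy :0`
        combined = ""
    host = s.get("global_http_proxy_host", "")
    port = s.get("global_http_proxy_port", "")
    if not (combined or host or port):
        return None, []
    problems = []
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"invalid port {port!r}")
    split = f"{host}:{port}" if (host or port) else ""
    if combined and split and combined != split:
        problems.append(f"http_proxy {combined!r} disagrees with host/port {split!r}")
    if not (combined and split):
        problems.append("only one of http_proxy and global_http_proxy_host/port is set")
    if s.get("global_proxy_pac_url"):
        problems.append("global_proxy_pac_url is also set")
    return combined or split, problems


if __name__ == "__main__":
    proxy, problems = check_proxy(SAMPLE)
    print("proxy:", proxy or "none")
    for p in problems:
        print("warning:", p)
```
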