The following is a step by step guide to sniffing SSL/TLS traffic going to and from an Android phone. Note that this guide does not demonstrate any vulnerability in SSL: you have to install your own trusted CA on the phone, so it only works against a device you control. The purpose of the guide is to show how easily you can analyse your own phone's encrypted traffic for things like reverse engineering app protocols or finding API endpoints.
The following tools will be used:
- pptpd
- mitmproxy
- Wireshark
The tutorial assumes Kali Linux is used. Kali is convenient because it ships Wireshark and mitmproxy by default, but the tutorial works on any distro as long as you can install those tools. PPTP itself (MS-CHAPv2) is cryptographically broken; it is used here only because Android supports it without extra software, so run the server on a network you control and treat the VPN as unencrypted.
1. Setup a PPTP VPN using pptpd
Install pptpd:
apt-get install pptpd
Edit /etc/pptpd.conf and add:
localip [The IP address of the server interface that pptpd listens on]
remoteip [The IP address, or range such as 192.168.1.200-210, handed out to connecting clients]
Edit /etc/ppp/pptpd-options and add the following:
ms-dns [The DNS server that should be used]
nobsdcomp
noipx
mtu 1490
mru 1490
Edit /etc/ppp/chap-secrets and add a username and password pair. The fields are client, server, secret and allowed client IPs; "*" matches any server or IP. The password is stored in cleartext, so keep the file readable by root only:
username <TAB> * <TAB> password <TAB> *
Start pptpd with the new configuration:
systemctl restart pptpd
Enable IP forwarding (this does not survive a reboot; set net.ipv4.ip_forward=1 in /etc/sysctl.conf to make it permanent). If the phone should also reach the internet through the VPN for traffic that is not redirected to mitmproxy, you will additionally need a NAT (MASQUERADE) rule on your uplink interface unless your router already routes the remoteip address back to this box:
echo 1 > /proc/sys/net/ipv4/ip_forward
2. Redirect SSL traffic to mitmproxy with iptables
mitmproxy listens on port 8080 by default. Without an interface match this rule diverts port 443 traffic arriving on any interface the box forwards for, so add "-i ppp+" (or "-i ppp0" for a single client) if you only want VPN clients intercepted:
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-ports 8080
3. Setup mitmproxy
Set SSLKEYLOGFILE so that mitmproxy writes the TLS session secrets that Wireshark needs in NSS key log format:
export SSLKEYLOGFILE=/root/sslkeylog.log
Run mitmproxy in the same shell so it inherits the variable:
mitmproxy -T
-T is needed so that the proxy runs as a transparent proxy (the phone is not configured with a proxy; its traffic is redirected by the iptables rule). mitmproxy 3 and later replaced -T with "--mode transparent".
4. Configure your android phone
Add the certificate:
Transfer the mitmproxy CA certificate to your phone's storage; it is located in ~/.mitmproxy/mitmproxy-ca-cert.cer. Add the certificate to your phone by going to Settings > Security > Install from storage and importing it. Note that since Android 7, apps targeting API level 24 or higher do not trust user-installed CAs unless they opt in through their network security config, and apps that pin their certificates will fail regardless; expect those connections to show up as TLS handshake errors in mitmproxy rather than as decrypted traffic.
Connect to the VPN:
Go to Wireless and networks > More > VPN and add a VPN connection for the PPTP server and connect to it.
5. Setup Wireshark
Set the SSL key log file:
Go to Edit > Preferences > Protocols > SSL (called TLS in newer Wireshark versions) and set (Pre)-Master-Secret log filename to the SSL key log file path.
Capture on interface ppp0 (the VPN side) and you should see the HTTPS traffic decrypted. The phone-to-mitmproxy leg is on ppp0 and the mitmproxy-to-server leg on your uplink interface; mitmproxy exports the secrets of both, so you can capture either side.
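The server-side steps above (pptpd configuration, forwarding, the iptables redirect and launching mitmproxy with SSLKEYLOGFILE) gathered into one script, as an added example that is not part of the original page. It also includes a check for the key log that the original does not describe. All addresses, the uplink interface eth0, the user name and password are hypothetical defaults and can be overridden with environment variables; the MASQUERADE rule is an addition the page does not list.

```shell
#!/bin/sh
# Added example (not from the original page): automates the server-side
# steps so the lab can be rebuilt in one go. The defaults below are
# hypothetical; override them with environment variables.
# "sh mitm-lab.sh dry-run" renders the config into a temp dir,
# "sh mitm-lab.sh apply" must be run as root on the Kali box.
set -eu

ROOT="${ROOT:-}"                        # path prefix for config files; "" means the real /etc
WAN_IF="${WAN_IF:-eth0}"                # assumed uplink interface
LOCAL_IP="${LOCAL_IP:-192.168.1.10}"    # assumed address pptpd listens on
REMOTE_IP="${REMOTE_IP:-192.168.1.200}" # assumed address handed to the phone
DNS_IP="${DNS_IP:-192.168.1.1}"         # assumed resolver pushed to the phone
VPN_USER="${VPN_USER:-android}"         # assumed credentials
VPN_PASS="${VPN_PASS:-changeme}"
KEYLOG="${KEYLOG:-/root/sslkeylog.log}"

# Step 1: the three pptpd files. mtu/mru 1490 leave headroom for the
# PPP-in-GRE encapsulation; chap-secrets holds a cleartext password, so it
# must not stay world-readable.
write_pptpd_config() {
    mkdir -p "$ROOT/etc/ppp"
    printf 'localip %s\nremoteip %s\n' "$LOCAL_IP" "$REMOTE_IP" > "$ROOT/etc/pptpd.conf"
    cat > "$ROOT/etc/ppp/pptpd-options" <<EOF
ms-dns $DNS_IP
nobsdcomp
noipx
mtu 1490
mru 1490
EOF
    # fields: client  server  secret  allowed-IPs
    printf '%s\t*\t%s\t*\n' "$VPN_USER" "$VPN_PASS" > "$ROOT/etc/ppp/chap-secrets"
    chmod 600 "$ROOT/etc/ppp/chap-secrets"
}

# Steps 1-2: forwarding and the redirect. "-i ppp+" limits the redirect to
# VPN clients so other hosts routed through this box are not intercepted.
# The MASQUERADE rule is an addition the page does not list: unless your
# router already routes $REMOTE_IP back here, the phone's non-443 traffic
# would go out but its replies would never come back.
network_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 443 -j REDIRECT --to-ports 8080
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Step 3: mitmproxy reads SSLKEYLOGFILE from its environment and appends the
# secrets of every TLS session it terminates, in NSS key log format.
# mitmproxy 3 and later spell transparent mode "--mode transparent";
# releases before that used "-T".
start_mitmproxy() {
    export SSLKEYLOGFILE="$KEYLOG"
    exec mitmproxy --mode transparent
}

# Step 5 check: Wireshark can only decrypt sessions whose secrets appear as
# "LABEL <32-byte client random in hex> <secret in hex>" lines. Counting the
# well-formed lines tells you, before you open the capture, whether the key
# export worked at all (0 means SSLKEYLOGFILE was not picked up).
keylog_entries() {
    grep -Ec '^(CLIENT_RANDOM|CLIENT_HANDSHAKE_TRAFFIC_SECRET|SERVER_HANDSHAKE_TRAFFIC_SECRET|CLIENT_TRAFFIC_SECRET_0|SERVER_TRAFFIC_SECRET_0|EXPORTER_SECRET) [0-9a-fA-F]{64} [0-9a-fA-F]+$' "$1" || true
}

main() {
    case "${1:-dry-run}" in
        dry-run)
            ROOT="${ROOT:-$(mktemp -d)}"
            write_pptpd_config
            echo "# config written under $ROOT; rules that 'apply' would run:"
            network_rules
            ;;
        apply)
            write_pptpd_config
            network_rules | sh -e
            systemctl restart pptpd
            start_mitmproxy
            ;;
        *)
            echo "usage: $0 [dry-run|apply]" >&2
            exit 2
            ;;
    esac
}

main "$@"
```

After the phone has connected and made a few HTTPS requests, running keylog_entries on the key log should return a growing count; if it stays at 0 the most common cause is that mitmproxy was started from a shell that did not have SSLKEYLOGFILE exported.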
Sources: