android - Man-in-the-middle proxy for an app with certificate pinning

Tags: android ssl-certificate mitmproxy certificate-pinning

I am trying to simulate a MITM attack on Signal's Android messaging app. It is open source, so I put mitmproxy-ca-cert.pem into the Android app for pinning and also into the phone's trusted certificates. I still don't see any queries reaching the server. The client error is

NonSuccessfulResponseCodeException: Bad response: 502 Bad Gateway

Accepted answer

If I understand correctly, you are trying to attack a mobile app that uses certificate pinning to connect to an API server.

If so, adding mitmproxy-ca-cert.pem to the phone's trusted store is not enough; you also need to configure the network security file res/xml/network_security_config.xml as described in the Google docs.

If it still doesn't work, try the article Hands on Mobile API Security: Pinning and see if it helps you get back on track.

Edit

The following instructions apply to Android API level 24 and above.

Another Edit

A better approach than using the bash script that I provide below is to use the free Mobile Certificate Pinning Generator online tool to get the public key pin hash and to generate the proper Android network security config file for us: Config tab on the web page for the Mobile Certificate Pinning Generator tool

The Android tab on the web page for the Mobile Certificate Pinning Generator tool

Bash script to generate the hash from the certificate public key:

#!/bin/bash
# Heavily inspired on:
#   * https://medium.com/@appmattus/android-security-ssl-pinning-1db8acb6621e#ecea
#
# Prints, for each certificate in the file, the SHA-256 hash of its DER-encoded
# SubjectPublicKeyInfo, base64-encoded: the format Android's <pin digest="SHA-256"> expects.

set -eu

Main()
{
    local certificate_path="${1? Missing path to certificate.}"

    local certs
    certs="$( cat "${certificate_path}" )"
    local rest="$certs"
    local cert certificate_name

    # Walk every PEM block in the file (a chain file may contain several).
    while [[ "$rest" =~ '-----BEGIN CERTIFICATE-----' ]]; do

        cert="${rest%%-----END CERTIFICATE-----*}-----END CERTIFICATE-----"
        rest=${rest#*-----END CERTIFICATE-----}

        # Only present when the input is saved `openssl s_client` output (the "s:" subject lines).
        certificate_name="$( echo "$cert" | grep 's:' | sed 's/.*s:\(.*\)/\1/' )"

        if [ -n "${certificate_name}" ]; then
            printf "\nCERTIFICATE NAME: \n %s \n" "${certificate_name}"
        fi

        printf "\nCERTIFICATE PUBLIC KEY HASH:\n\n"

        # `openssl pkey` handles both RSA and EC keys; `openssl rsa` would silently
        # yield the hash of an empty input for a non-RSA certificate.
        echo "$cert" |
            openssl x509 -pubkey -noout |
            openssl pkey -pubin -outform der |
            openssl dgst -sha256 -binary |
            openssl enc -base64

        echo

        # No `exit` here: the original script stopped after the first certificate,
        # which made the loop pointless for chain files.
    done
}

Main "$@"



Save the above bash script somewhere in your bin path, then use it like this:

$ hash-certificate-public-key.sh ~/path/to/mitmproxy-ca-cert.pem

CERTIFICATE PUBLIC KEY HASH:

gsGj6crKw/RebflwkwGIKxngaZaVxP7UsUtuF71VKDw=

Now copy and paste the hash and add it to this file, src/main/res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>

    <!-- Official Android N API -->
    <!--https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html-->
    <domain-config>
        <domain>the-domain-to-pin.com</domain>
        <trust-anchors>
            <certificates src="user" />
            <!-- <certificates src="system" /> -->
        </trust-anchors>
        <pin-set>
            <!-- THE MITM CERTIFICATE HASH -->
            <pin digest="SHA-256">gsGj6crKw/RebflwkwGIKxngaZaVxP7UsUtuF71VKDw=</pin>
        </pin-set>
    </domain-config>

</network-security-config>

Now include it in AndroidManifest.xml:

<application
        android:allowBackup="true"
        <!--omitted-->
        android:networkSecurityConfig="@xml/network_security_config">

If not already done, add the mitmproxy certificate to the user trust store on your Android device, then recompile the app; you should now be able to intercept the requests.

NOTE:

The code examples have been extracted from the Currency Converter Demo App repository, which was used as part of the articles Steal that API Key with a Man in the Middle Attack and Securing HTTPS with Certificate Pinning on Android.
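An added example (not from the answer or the linked demo app) of what the bash script above computes: the Android pin is base64(SHA-256(DER SubjectPublicKeyInfo)), hashed over the public key structure rather than the whole certificate. It uses only the Python standard library with a minimal DER walker, and runs on a constructed certificate shell (not a real CA) embedded inline; the same spki_pin() works on the DER of a real mitmproxy-ca-cert.pem.

```python
import base64
import hashlib
import re

def der(tag, body):
    """Encode one DER TLV (short-form length only; enough for the constructed sample)."""
    return bytes([tag, len(body)]) + body

def tlv(buf, pos=0):
    """Decode the DER TLV at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next N bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed DER value into its element encodings (tag+len+value)."""
    pos, items = 0, []
    while pos < len(value):
        _, _, end = tlv(value, pos)
        items.append(value[pos:end])
        pos = end
    return items

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def pin_of_spki(spki_der):
    """The <pin digest="SHA-256"> value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der):
    """Locate subjectPublicKeyInfo inside the certificate and pin it (not the whole cert)."""
    _, cert, _ = tlv(cert_der)                 # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = tlv(children(cert)[0])         # TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, ... }
    fields = children(tbs)
    idx = 6 if fields[0][0] == 0xA0 else 5     # v1 certificates omit the [0] version field
    return pin_of_spki(fields[idx])

# Constructed sample (not a real CA): a syntactically valid Certificate shell
# around an rsaEncryption SubjectPublicKeyInfo, enough to exercise the parser.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00\xC1\x23") + der(0x02, b"\x01\x00\x01"))))
EMPTY_FIELDS = der(0x02, b"\x01") + der(0x30, b"") * 4      # serial, sigAlg, issuer, validity, subject
SAMPLE_CERT_V3 = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + EMPTY_FIELDS + SAMPLE_SPKI)
                     + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_CERT_V1 = der(0x30, der(0x30, EMPTY_FIELDS + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT_V3).decode() + "\n-----END CERTIFICATE-----\n"
```

Pinning the SubjectPublicKeyInfo rather than the certificate is what lets the pin survive a certificate renewal that keeps the same key.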

Regarding android - man-in-the-middle proxy for an app with certificate pinning, a similar question exists on Stack Overflow: https://stackoverflow.com/questions/53490377/
