Sniffing Traffic Android App

So, imagine that a vulnerable app provides a login interface. This login sends the user’s credentials to the app’s server to authenticate the user. However, this is done over HTTP and is therefore not secure.

If I were inside the user’s LAN, I could easily perform a MITM, sniff the traffic and therefore capture the unencrypted credentials.

The question is, how can I retrieve the credentials of a specific user, knowing this vulnerability, WHILST being outside the network? What kind of practical attack vectors would there be?

  • One could be a malicious but disguised app on the user’s phone which monitors this traffic? (But obviously this would require a way of convincing the user to install this app, and it would also count as being part of the LAN.)
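To make concrete what "sniff the unencrypted credentials" means in practice, here is an added example (not code from the post or from any real app) of what a capture point on the path between phone and server recovers from a plaintext HTTP login. The host, paths and credentials in the three constructed requests are made up; `raw_request` only assembles them the way they appear on the wire.

```python
import base64
import json
from urllib.parse import parse_qs

# Added example, not from the original post: what a sniffer on the same LAN pulls out of the
# plaintext HTTP login described above. All three requests below are constructed test input;
# the host, paths and credentials are made up.

CRED_KEYS = {"username", "user", "login", "email", "password", "pass", "passwd", "pwd"}


def raw_request(start_line, headers, body=b""):
    """Assemble a raw HTTP/1.1 request as it appears on the wire (constructed input)."""
    lines = [start_line] + [f"{k}: {v}" for k, v in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


FORM_LOGIN = raw_request("POST /api/login HTTP/1.1",
                         [("Host", "api.example.com"),
                          ("Content-Type", "application/x-www-form-urlencoded")],
                         b"username=alice&password=hunter2")

BASIC_LOGIN = raw_request("GET /api/profile HTTP/1.1",
                          [("Host", "api.example.com"),
                           ("Authorization", "Basic " + base64.b64encode(b"bob:s3cret").decode())])

JSON_LOGIN = raw_request("POST /v2/auth HTTP/1.1",
                         [("Host", "api.example.com"), ("Content-Type", "application/json")],
                         b'{"email": "carol@example.com", "pwd": "x"}')


def extract_credentials(payload):
    """Reassembled TCP payload of one HTTP request in, credential fields out."""
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found, source = {}, None
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):      # Basic auth is only base64, not encryption
        user, _, pwd = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found, source = {"username": user, "password": pwd}, "basic"
    ctype = headers.get("content-type", "").lower()
    if "x-www-form-urlencoded" in ctype:
        fields = parse_qs(body.decode("latin-1"))
        found, source = {k: v[0] for k, v in fields.items() if k.lower() in CRED_KEYS}, "form"
    elif "json" in ctype:
        obj = json.loads(body)
        found, source = {k: v for k, v in obj.items() if k.lower() in CRED_KEYS}, "json"
    return {"method": method, "host": headers.get("host"), "path": path,
            "source": source, "credentials": found}


if __name__ == "__main__":
    for req in (FORM_LOGIN, BASIC_LOGIN, JSON_LOGIN):
        print(extract_credentials(req))
```

The point of the "outside the network" question is vantage point, not technique: the same bytes traverse every hop between the phone and the server (the Wi-Fi access point, the accommodation's network, the carrier, the server's hosting network), and anyone positioned on any of them can run exactly this. Over HTTPS the same request is wrapped in TLS records and none of these fields are visible.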

How do crypto coprocessors securely decrypt a disk without allowing bus sniffing?

I’m trying to understand how using a crypto co-processor chip can securely decrypt a disk without someone getting the decryption key by sniffing the bus it communicates on or loading the disk onto another computer and viewing the contents that way. Specifically, I’m trying to figure out how this works when someone has physical access to the device and the device needs to be decrypted without a password.

An example would be an ATM that has an embedded device that will boot on OS only if it is running on trusted hardware that has a crypto chip. In this case it is passwordless (there is no login to be able to use the ATM terminal). A malicious actor can get physical access to the board, but shouldn’t be allowed to sniff the bus between the crypto coprocessor and the main processor nor be allowed to remove the SD card and view the contents on a separate computer.

Consider the following situation:

  • Embedded system running Linux with a crypto chip that communicates over I2C
  • Disk is removable media such as an SD card and has full disk encryption
  • The device is passwordless, but only runs on the trusted hardware
  • The removable media cannot be loaded into another device and analyzed
  • The device/keys can be provisioned in a secure environment

Questions:

  • How is it possible that the decryption key can be transmitted across the i2c bus without being intercepted?
    • I assume it uses public key encryption, but how is the private key on the disk side kept secret?
  • Can this setup work if the removable media is not paired with a specific crypto chip?
    • Example being the device gets a new SD card (but can still be decrypted with the crypto chip)
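The two questions above (how the key crosses the bus unseen, and whether a new SD card can be used) are easiest to reason about with a model of the usual pattern: a pairing secret provisioned into both the SoC and the crypto chip, a per-boot session key derived from it with fresh nonces from both sides, and a key-encryption key (KEK) that never leaves the chip. The following is an added example written for this page, not any vendor's protocol and not an answer from the original thread. Assumptions: the pairing secret lives in SoC OTP/eFuse and inside the chip; the SD card header stores the disk key wrapped under the chip's KEK; and HMAC-SHA256 stands in for AES (CTR plus a MAC) so the example runs with the Python standard library only.

```python
import hashlib
import hmac
import secrets

# Added example (not from the post, not any vendor's protocol): the pairing-secret pattern.
# Assumptions: a per-device pairing secret is provisioned into both the SoC (e.g. OTP/eFuse)
# and the crypto chip; the KEK that wraps the disk key never leaves the chip; the SD card
# header stores the wrapped disk key. HMAC-SHA256 stands in for AES so this runs stdlib-only.


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF extract-and-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream_xor(key, nonce, data):
    """Stand-in for AES-CTR: XOR data with an HMAC-SHA256(nonce || counter) keystream."""
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC with a 64-byte key (32 bytes for encryption, 32 for the tag)."""
    ct = _keystream_xor(key[:32], nonce, plaintext)
    return ct + hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()


def unseal(key, nonce, blob):
    """Plaintext, or None if the tag does not verify (wrong key or tampered data)."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(key[:32], nonce, ct)


class CryptoChip:
    """The coprocessor: the KEK is generated inside and is never exported."""

    def __init__(self, pairing_secret):
        self._pairing = pairing_secret
        self._kek = secrets.token_bytes(64)

    def wrap_disk_key(self, disk_key):
        """Provisioning-time (or new-SD-card) operation: header blob = nonce || sealed key."""
        nonce = secrets.token_bytes(16)
        return nonce + seal(self._kek, nonce, disk_key)

    def unwrap_over_bus(self, host_nonce, header_blob):
        """Bus request handler: unwrap with the KEK, re-encrypt under a fresh session key."""
        disk_key = unseal(self._kek, header_blob[:16], header_blob[16:])
        if disk_key is None:
            raise ValueError("header blob was not wrapped by this chip")
        chip_nonce = secrets.token_bytes(16)
        session = hkdf_sha256(self._pairing, host_nonce + chip_nonce, b"i2c-session", 64)
        return chip_nonce + seal(session, chip_nonce, disk_key)


def boot(host_pairing_secret, chip, header_blob, bus_log):
    """Host side of one boot. Every byte that crosses the I2C bus is appended to bus_log."""
    host_nonce = secrets.token_bytes(16)          # fresh per boot: a recorded reply cannot be replayed
    bus_log.append(host_nonce + header_blob)
    reply = chip.unwrap_over_bus(host_nonce, header_blob)
    bus_log.append(reply)
    chip_nonce, sealed = reply[:16], reply[16:]
    session = hkdf_sha256(host_pairing_secret, host_nonce + chip_nonce, b"i2c-session", 64)
    return unseal(session, chip_nonce, sealed)    # None if this host is not the paired SoC


if __name__ == "__main__":
    pairing = secrets.token_bytes(32)             # provisioned into SoC and chip
    chip = CryptoChip(pairing)
    disk_key = secrets.token_bytes(32)
    header = chip.wrap_disk_key(disk_key)         # stored in the SD card header
    log = []
    print("host recovered key:", boot(pairing, chip, header, log) == disk_key)
    print("key visible on bus:", any(disk_key in m for m in log))
```

What a bus sniffer records is the header blob (ciphertext under the KEK) and the reply (ciphertext under a session key derived from the pairing secret and two nonces), so the disk key never appears in clear. A new SD card is handled by `wrap_disk_key`: the card is not paired with the chip, the wrapped key in its header is, so any card whose header was produced by this chip boots and a card moved to another chip does not. The caveat a practitioner wants: the pairing secret sits in the SoC, so this only holds if the SoC's own boot chain is trusted (secure boot, debug ports disabled), otherwise an attacker with physical access reads the secret from the host side instead of the bus.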

Sniffing not working in VirtualBox VMs

I need to make a DNS spoofing attack in VMs using VirtualBox.

I have one Kali Linux VM and one Win10 VM. I configured both VMs’ network settings to Bridged.

My actual host machine connects through a wireless network and has Internet connectivity. I use a wireless network provided by a large accommodation (not my own wireless).

In order to perform DNS spoofing, from Kali Linux VM I use ettercap. The first step in this attack is to start sniffing. From ettercap I click Sniff -> Unified Sniffing. I choose eth0 (which is the only adapter in the VMs).

The sniffing output is as follows:

    Listening on:
      eth0 -> 08:00:27:XX:XX:XX

    Privileges dropped to EUID 0 EGID 0...

      33 plugins
      42 protocol dissectors
      57 ports monitored
    20388 mac vendor fingerprint
     1766 tcp OS fingerprint
     2182 known services
    Lua: no scripts were specified, not starting up!

    Starting Unified sniffing...

It stays like this forever. If I stop sniffing and check the host list, I do not see any host in the list.

If I click on hosts -> scan for hosts, I get:

    Scanning the whole netmask for -1 hosts...
    0 hosts added to the hosts list...

Can you please help identify what is the problem? How to overcome the situation?

Note: the attack is for educational purposes.
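ettercap derives the host scan range from the address and netmask of the capture interface, so "-1 hosts" is a reason to look at what eth0 actually has before touching ettercap again. The check below is an added example (not part of the post) that parses `ip -4 -o addr show` output, one address per line, and reports the scan range and the two states that commonly produce a useless scan: a 169.254.0.0/16 link-local address (no DHCP lease was obtained over the bridge) and no IPv4 address at all. The three outputs are constructed, not taken from the poster's VM.

```python
import ipaddress
import re

# Added example, not from the original post. Parses `ip -4 -o addr show` output (one address
# per line) and reports what ettercap would have to work with. The outputs are constructed.

ADDR_LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")

OUT_OK = """1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.37/24 brd 192.168.1.255 scope global dynamic eth0\\       valid_lft 86128sec preferred_lft 86128sec"""
OUT_LINK_LOCAL = """1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 169.254.23.101/16 brd 169.254.255.255 scope link eth0\\       valid_lft forever preferred_lft forever"""
OUT_NO_ADDR = "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever"

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def interface_report(ip_addr_output, iface="eth0"):
    """Address, prefix, usable scan range and a verdict for one interface."""
    for line in ip_addr_output.strip().splitlines():
        m = ADDR_LINE.match(line.strip())
        if not m or m.group(1) != iface:
            continue
        net = ipaddress.ip_interface(m.group(2))
        prefix = net.network.prefixlen
        scan_hosts = max(net.network.num_addresses - 2, 0)   # minus network and broadcast
        if net.ip in LINK_LOCAL:
            status = "link-local address (no DHCP lease): nothing useful to scan"
        elif scan_hosts == 0:
            status = f"/{prefix} netmask: the scan range is empty"
        else:
            status = "ok"
        return {"iface": iface, "address": str(net.ip), "prefix": prefix,
                "scan_hosts": scan_hosts, "status": status}
    return {"iface": iface, "address": None, "prefix": None, "scan_hosts": 0,
            "status": "no IPv4 address on interface"}


if __name__ == "__main__":
    for out in (OUT_OK, OUT_LINK_LOCAL, OUT_NO_ADDR):
        print(interface_report(out))
```

Two further things to check in this setup: the VM adapter's Promiscuous Mode setting in VirtualBox (Advanced → Promiscuous Mode) must be "Allow All", otherwise the VM never sees frames addressed to other hosts; and bridging over a wireless host adapter is a known weak spot, since most Wi-Fi drivers force VirtualBox to rewrite the VM's MAC address, and shared accommodation networks frequently enable client isolation, so even with a correct address the scan may see nothing but the gateway.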

Help to find the encryption on bluetooth sniffing

I have the following packet of data received by a tablet via Bluetooth from a sleep-monitoring device:

    0000 08 83 00 00 09 16 08 7d 09 16 08 7a 00 00 09 12
    0010 08 7d 09 05 08 71 00 00 09 0d 08 69 09 08 08 61
    0020 00 00 08 ff 08 47 09 01 08 35 00 00 09 01 08 34
    0030 08 ee 08 2f 00 00 08 f5 08 32 08 f0 08 28 00 00
    0040 08 f0 08 23 08 ec 08 26 00 00 08 f6 08 14 08 e2
    0050 08 10 00 00 08 e0 08 1c 00 00 08 e3 08 2a 00 00
    0060 00 00 00 00 08 f9 08 29 08 f8 08 35 00 00

I need to find the encryption type so I can send the data to a PC instead of a tablet.

The direct conversion to ASCII is the following:

    …….}…z….
    .}…q…..i…a
    …..G…5…..4
    …/…..2…(..
    …#…&……..
    ………….*..
    …….)…5..
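Before looking for an "encryption type", the first check a practitioner runs on a blob like this is whether it looks like ciphertext at all: the output of any real cipher is indistinguishable from uniformly random bytes, so a narrow value range or low byte entropy points to an encoding (framing plus raw numeric samples) rather than encryption. The following added example (not from the post) copies the dump above into a constant, reads it as big-endian 16-bit words and summarises the spread. Interpreting the words as sensor samples is my inference from the numbers, not something the post states.

```python
import math
import struct
from collections import Counter

# Added example, not from the original post. HEXDUMP is a copy of the dump quoted above;
# everything else is analysis code written for this page.

HEXDUMP = """
0000 08 83 00 00 09 16 08 7d 09 16 08 7a 00 00 09 12
0010 08 7d 09 05 08 71 00 00 09 0d 08 69 09 08 08 61
0020 00 00 08 ff 08 47 09 01 08 35 00 00 09 01 08 34
0030 08 ee 08 2f 00 00 08 f5 08 32 08 f0 08 28 00 00
0040 08 f0 08 23 08 ec 08 26 00 00 08 f6 08 14 08 e2
0050 08 10 00 00 08 e0 08 1c 00 00 08 e3 08 2a 00 00
0060 00 00 00 00 08 f9 08 29 08 f8 08 35 00 00
"""


def parse_hexdump(text):
    """Drop the offset column of each line and return the raw bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        out += bytes(int(h, 16) for h in line.split()[1:])
    return bytes(out)


def byte_entropy(data):
    """Shannon entropy in bits per byte; 8.0 would be perfectly uniform."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def profile(data):
    """Interpret the payload as big-endian 16-bit words and summarise their spread."""
    count = len(data) // 2
    words = list(struct.unpack(f">{count}H", data[: count * 2]))
    nonzero = [w for w in words if w]
    return {
        "bytes": len(data),
        "entropy_bits": round(byte_entropy(data), 2),
        "words": len(words),
        "zero_words": words.count(0),
        "min_nonzero": min(nonzero),
        "max": max(words),
        "high_bytes": sorted({w >> 8 for w in nonzero}),   # leading byte of every nonzero word
    }


if __name__ == "__main__":
    print(profile(parse_hexdump(HEXDUMP)))
```

Every nonzero word here lies between 0x0810 and 0x0916, every high byte is 0x08 or 0x09, and 0x0000 words recur at short intervals; with only 110 bytes a uniform ciphertext would still score close to 6.8 bits of byte entropy, while this scores under 4. That pattern is consistent with framed numeric samples (for example 12- or 16-bit readings with a zero separator), which is an encoding problem, not a cryptographic one. If the device is BLE, the next step is to note which GATT characteristic the notifications arrive on and look up the service UUID before trying to decode further.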

Sniffing TCP packets using Wireshark

I am trying to reverse engineer a decoder. To do so I need to sniff the packets that the decoder receives from an Android application installed on my phone; this application is what controls the decoder.

I tried using Wireshark at first, but it turned out that the packets are sent over SSL, so they are all encrypted. I then tried to sniff my TCP packets using mitmproxy, which didn’t work since it doesn’t sniff TCP packets; it only logs packets sent over HTTP.

After reading the answers to the following question, How can I capture all traffic network by mitmproxy?, I decided to give Wireshark a second try.

To do this I need to know the location of the private key, which I have no idea about. I know what a private key is, but I don’t know where I can find it, or which private key we’re talking about.

I would appreciate some help with this; this is my first time working with packet sniffing.

Trying to debug a network error of a 3rd party application sniffing the HTTPS traffic, but the error stops when enabling the proxy, what can I try?

This is a somewhat silly situation. We have this third-party application that stopped working on our work devices; it’s pretty obvious that some request is failing under the hood, so I set up an HTTPS sniffer on my desktop as a proxy.

But then, everything works flawlessly once I set the proxy on my device… Now I don’t know how to properly debug this.

I’m using CharlesProxy for Windows, I’ve tried mitmproxy but the problematic application wasn’t accepting the mitm certificate.

What can I try here? Is there any way I can sniff the HTTPS traffic from inside the phone? Like an app? It’s a very weird error that seems to be solved by having a certificate and a proxy(?), but I need to sniff the request somehow because the application is not giving me any messages.

I can’t use an emulator as this is a device-specific issue. The error does not come up in emulation.

The device I’m using is a Galaxy Tab A Android 5.11

Can we use network hub as an MITM sniffing device?

My intention is to analyze all network traffic which is coming to and originating from a network connected device I have. From the configurations of the device I am able to proxy all the HTTP traffic originating from the device but I believe the device communicates over other protocols too.

The device and my machine are both on a switched network and I do not want to perform ARP cache poisoning to route all the packets through my machine. I am looking for a simpler solution where I would be able to replace the printer with a hub and then connect the printer to one of the ports on the hub. I want to connect my laptop to one of the ports of this hub I introduced to the network as well. Technically, the hub would be flooding all the packets to all the ports and I should be able to sniff them from my laptop in promiscuous mode using Wireshark.

A problem I identified with this approach came when I started searching for a ‘hub’. The search itself gives results for ‘switches’, which are layer-two devices. I am confused regarding the popular usage of the words switches and hubs. What should I buy for this purpose? Should it be a hub or a switch? (Technically only a hub can be used for this purpose, but I want to know whether the devices listed on websites are actually hubs.)
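Whatever device arrives, the question of whether it repeats traffic can be settled empirically: plug the laptop into a third port, capture for a minute in promiscuous mode, and look at the source/destination MAC pairs. A repeating hub (or a switch port configured as a mirror/SPAN port) shows you unicast frames exchanged between the printer and other hosts; a plain switch shows only broadcast/multicast and frames addressed to you. The classifier below is an added example, not from the post; the MAC addresses and frame lists are constructed.

```python
# Added example, not from the original post: classify a short capture taken from a third
# port of the device under test. Frame records and MAC addresses below are constructed.

MY_MAC = "00:11:22:aa:bb:99"        # the laptop doing the capture
PRINTER_MAC = "00:11:22:aa:bb:01"   # the device whose traffic we want


def is_group_address(mac):
    """Broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify_capture(frames, my_mac, target_mac):
    """frames: iterable of (src_mac, dst_mac) as captured in promiscuous mode on the laptop."""
    my_mac, target_mac = my_mac.lower(), target_mac.lower()
    involving_target = [(s.lower(), d.lower()) for s, d in frames
                        if target_mac in (s.lower(), d.lower())]
    foreign_unicast = [f for f in involving_target
                       if my_mac not in f and not is_group_address(f[1])]
    if foreign_unicast:
        verdict = "hub"            # we see traffic that was never addressed to us
    elif involving_target:
        verdict = "switch"         # only broadcast/multicast, or frames to/from us
    else:
        verdict = "inconclusive"   # the target was silent during the capture
    return {"verdict": verdict, "target_frames": len(involving_target),
            "foreign_unicast": len(foreign_unicast)}


HUB_CAPTURE = [("00:11:22:aa:bb:01", "00:11:22:aa:bb:02"),    # printer -> some PC
               ("00:11:22:aa:bb:02", "00:11:22:aa:bb:01"),    # PC -> printer
               ("00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff")]    # printer ARP broadcast

SWITCH_CAPTURE = [("00:11:22:aa:bb:01", "ff:ff:ff:ff:ff:ff"),
                  ("00:11:22:aa:bb:01", "01:00:5e:00:00:fb"),  # mDNS multicast
                  ("00:11:22:aa:bb:99", "00:11:22:aa:bb:01")]  # our own probe to the printer


if __name__ == "__main__":
    print("hub test   :", classify_capture(HUB_CAPTURE, MY_MAC, PRINTER_MAC))
    print("switch test:", classify_capture(SWITCH_CAPTURE, MY_MAC, PRINTER_MAC))
```

Run the real capture with the printer actually doing something (print a test page from another host) so that unicast frames exist to be seen; otherwise the result is "inconclusive" rather than a verdict. In practice almost everything sold as a "hub" today is a switch, and the usual substitute is an inexpensive managed switch with port mirroring, which gives the same view without the hub's half-duplex collisions.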

Sniffing the printer

I am trying to sniff the packages sent by the phone, specifically an Android phone. I have an HP Envy 4520, and I am using Kali 802.11 in VirtualBox with an Alfa AWUS036ACH. I am trying to print a page with my phone; then I want to capture it and rebuild the printed document. I have successfully captured the packages and decrypted them, but they are all unreadable. Is there a way that I can convert those TCP flow packages into a readable format, or maybe print them directly? Or maybe there is another way to sniff and rebuild the packages?
I am trying to sniff the packages sent by the phone specifically Android phone. I have HP envy 4520. And I am using Kali802.11 in virtual box with alfa AWUS036ACH. I am trying to print a page with my phone and then I wanna capture it and rebuild the printing document. I have successfully captured the packages and decryptes it but they all are unreadable, is there a way that I can convert that tcp flow packages in readable format or may be directly print it? Or may be there is another way to sniff and rebuild the packages?