
cl.com.edenred.ticketjunaeb not working

Open pcamposu opened this issue 1 year ago • 3 comments

It gets stuck in the MFA section and does a request to https://edenred.ionix.cl/ which returns 401 Unauthorized. logcat_output.txt

Edit: I forgot the Frida logs. Running with:

frida -U -l ./config.js -l ./native-connect-hook.js -l ./native-tls-hook.js -l ./android/android-proxy-override.js -l ./android/android-system-certificate-injection.js -l ./android/android-certificate-unpinning.js -l ./android/android-certificate-unpinning-fallback.js -f net.veritran.becl.prod


     ____
    / _  |   Frida 16.4.8 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Nokia 2 3 (id=PA51100631005816)
Spawning `cl.com.edenred.ticketjunaeb`...

*** Starting scripts ***
== Redirecting all TCP connections to 192.168.1.4:8000 ==
[+] Patched 2 libssl.so verification methods
== Hooked native TLS lib libssl.so ==
Spawned `cl.com.edenred.ticketjunaeb`. Resuming main thread!
[Nokia 2 3::cl.com.edenred.ticketjunaeb ]-> == Proxy system configuration overridden to 192.168.1.4:8000 ==
Rewriting <class: android.net.PacProxySelector>
Rewriting <class: java.net.ProxySelector>
Rewriting <class: sun.net.spi.DefaultProxySelector>
== Proxy configuration overridden to 192.168.1.4:8000 ==
[+] Injected cert into com.android.org.conscrypt.TrustedCertificateIndex
[ ] Skipped cert injection for org.conscrypt.TrustedCertificateIndex (not present)
[ ] Skipped cert injection for org.apache.harmony.xnet.provider.jsse.TrustedCertificateIndex (not present)
== System certificate trust injected ==

    === Disabling all recognized unpinning libraries ===
[+] javax.net.ssl.HttpsURLConnection setDefaultHostnameVerifier
[+] javax.net.ssl.HttpsURLConnection setSSLSocketFactory
[+] javax.net.ssl.HttpsURLConnection setHostnameVerifier
[+] javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
[ ] com.android.org.conscrypt.CertPinManager isChainValid
[+] com.android.org.conscrypt.CertPinManager checkChainPinning
[+] android.security.net.config.NetworkSecurityConfig $init(*) (0)
[+] android.security.net.config.NetworkSecurityConfig $init(*) (1)
[+] com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
[+] com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] com.android.okhttp.Address $init(String, int, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
[ ] okhttp3.CertificatePinner *
[ ] com.squareup.okhttp.CertificatePinner *
[ ] com.datatheorem.android.trustkit.pinning.PinningTrustManager *
[ ] appcelerator.https.PinningTrustManager *
[ ] nl.xservices.plugins.sslCertificateChecker *
[ ] com.worklight.wlclient.api.WLClient *
[ ] com.worklight.wlclient.certificatepinning.HostNameVerifierWithCertificatePinning *
[ ] com.worklight.androidgap.plugin.WLCertificatePinningPlugin *
[ ] com.commonsware.cwac.netsecurity.conscrypt.CertPinManager *
[ ] io.netty.handler.ssl.util.FingerprintTrustManagerFactory *
[ ] com.silkimen.cordovahttp.CordovaServerTrust *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyHostnameVerifier *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor *
[ ] com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyTrustManager *
== Certificate unpinning completed ==
== Unpinning fallback auto-patcher installed ==
*** Scripts completed ***

Ignoring attempt to override http.proxyHost system property
Ignoring attempt to override https.proxyHost system property
Ignoring attempt to override http.proxyPort system property
Ignoring attempt to override https.proxyPort system property
Ignoring attempt to clear http.nonProxyHosts system property
Ignoring attempt to clear https.nonProxyHosts system property
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
 => android.security.net.config.NetworkSecurityConfig $init(*) (0)
Ignoring unix:dgram connection
Ignoring unix:dgram connection
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 69 to null (-1)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 86 to null (-1)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
 => com.android.okhttp.Address $init(String, int, Dns, SocketFactory, SSLSocketFactory, HostnameVerifier, CertificatePinner, Authenticator, Proxy, List, List, ProxySelector)
Ignoring unix:stream connection
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 69 to null (-1)
 => com.android.okhttp.internal.tls.OkHostnameVerifier verify(String, SSLSession)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 123 to {"ip":"::ffff:192.168.1.4","port":8000} (-1)
 => javax.net.ssl.SSLContext init(KeyManager;[], TrustManager;[], SecureRandom)
Ignoring unix:stream connection
Ignoring unix:stream connection
Connected tcp6 fd 128 to null (-1)
Process terminated

Thank you for using Frida!

pcamposu, Aug 12 '24 05:08

08-12 01:43:18.765  1139  2635 I InputDispatcher: setInputWindows displayId=0 Window{d21eedd u0 ScreenDecorOverlay} Window{490fb34 u0 NavigationBar0} Window{486b0fc u0 StatusBar} Window{4a678e7 u0 cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity} Window{9c551a4 u0 cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity} Window{5d12ea8 u0 com.android.systemui.ImageWallpaper} 
08-12 01:43:18.776 20135 20169 D Utils   : subject      : O=Mockttp Cert - DO NOT TRUST,L=Unknown,C=XX,CN=edenred.ionix.cl
08-12 01:43:18.776 20135 20169 D Utils   : organization : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils   : commonName   : HTTP Toolkit CA
08-12 01:43:18.777 20135 20169 D Utils   : country      : XX
08-12 01:43:18.777 20135 20169 D GuardInterceptor: No es un certificado válido
08-12 01:43:18.781   522  1208 I BufferQueueProducer: [cl.com.edenred.ticketjunaeb/cl.com.edenred.ticketjunaeb.onboarding.OnBoardingActivity#1](id:20a00000146,api:1,p:20135,c:522) disconnect(): api=1

It says "08-12 01:43:18.777 20135 20169 D GuardInterceptor: It is not a valid certificate"

pcamposu, Aug 12 '24 06:08

Hmm, it's hard to know what's going on here:

  • The 401 response definitely means that the request is being intercepted, and so that issue is not a problem with these scripts. That must be some kind of rejection from the server (maybe TLS fingerprinting, or maybe you need a client certificate or similar). If there was certificate pinning, you would not be able to see the request & its 401 response.
  • But the GuardInterceptor message here does indeed sound like certificate pinning.

Does that message definitely appear at the same time as the failing 401 response? Do you see any "certificate rejected" or "connection reset" empty rows in HTTP Toolkit? In all certificate pinning cases, something like that should appear. If there are no empty failure rows like that (so on every row you can see the request URL, etc.), then there is no certificate pinning issue.

If you want to know more about GuardInterceptor anyway, you'll need to do some reverse engineering to dig into the app and find that source code. See here for more info: https://httptoolkit.com/blog/android-reverse-engineering/

pimterry, Aug 12 '24 09:08

Does that message definitely appear at the same time as the failing 401 response?

Yes

Do you see any "certificate rejected" or "connection reset" empty rows in HTTP Toolkit?

Not really, it's like the app does a check itself and returns the same 401 error.

If you want to know more about GuardInterceptor anyway, you'll need to do some reverse engineering to dig into the app and find that source code. See here for more info: https://httptoolkit.com/blog/android-reverse-engineering/

I found the class and the method in question, but there are other things I still can't figure out, because the proxy stops working (no requests appear in HTTP Toolkit, and the app works normally) and I have to delete its data and start all over again. When I have time I will take it up again.

pcamposu, Aug 24 '24 04:08
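To make the distinction drawn above concrete (the TLS handshake succeeds and the request is visible in the proxy, yet the app itself inspects the certificate and surfaces a 401), here is an added illustration of an app-level OkHttp interceptor of the kind the GuardInterceptor log lines suggest. It is not the app's code and not part of this project; the class name, the expected issuer DN and the OkHttp 3/4 Java API usage are assumptions.

```java
import android.util.Log;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import okhttp3.Interceptor;
import okhttp3.MediaType;
import okhttp3.Protocol;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;

// Hypothetical app-level certificate check (illustration only, not the app's real class).
// It runs AFTER the TLS handshake has succeeded, so no TrustManager, HostnameVerifier or
// okhttp3.CertificatePinner hook ever sees a failure: an interception proxy logs an ordinary
// request and response, while the app itself surfaces a 401 the server never sent.
public final class IssuerCheckInterceptor implements Interceptor {
    private static final String TAG = "GuardInterceptor";
    private final X500Principal expectedIssuer; // assumed DN of the app's own CA

    public IssuerCheckInterceptor(String expectedIssuerDn) {
        this.expectedIssuer = new X500Principal(expectedIssuerDn);
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request request = chain.request();
        Response response = chain.proceed(request); // handshake and request already done
        if (response.handshake() == null) return response; // plain HTTP: nothing to check
        List<Certificate> peerCerts = response.handshake().peerCertificates();
        if (peerCerts.isEmpty()) return response;
        X509Certificate leaf = (X509Certificate) peerCerts.get(0);
        X500Principal issuer = leaf.getIssuerX500Principal();
        Log.d("Utils", "subject : " + leaf.getSubjectX500Principal().getName());
        Log.d("Utils", "issuer  : " + issuer.getName());
        // X500Principal.equals compares canonical DN forms, so attribute order and case
        // differences do not cause false rejections.
        if (expectedIssuer.equals(issuer)) return response;

        // Issuer mismatch: discard the real reply and synthesize a local 401.
        Log.d(TAG, "certificate issuer did not match the expected CA");
        response.close();
        return new Response.Builder().request(request).protocol(Protocol.HTTP_1_1)
                .code(401).message("Unauthorized")
                .body(ResponseBody.create(MediaType.get("text/plain"), ""))
                .build();
    }
}
```

Matching the issuer DN is a weak pin, since any certificate carrying that DN string passes; a stronger app-level check compares a SubjectPublicKeyInfo hash of the leaf or intermediate, which is what okhttp3.CertificatePinner does.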