Install Burp Certificate

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Websec | Uw Cybersecurity Specialist

On a Virtual Machine

Kwanza kabisa unahitaji kupakua cheti cha Der kutoka Burp. Unaweza kufanya hivyo katika Proxy --> Options --> Import / Export CA certificate

Export cheti katika muundo wa Der na hebu kubadilisha kuwa fomu ambayo Android itaweza kuelewa. Kumbuka kwamba ili kuunda cheti cha burp kwenye mashine ya Android katika AVD unahitaji kuendesha mashine hii ikiwa na chaguo la -writable-system. Kwa mfano unaweza kuendesha kama:

C:\Users\<UserName>\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system

Kisha, ili konfigura cheti cha burp fanya:

openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem
CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0"
mv burp_cacert.pem $CERTHASHNAME #Correct name
adb root && sleep 2 && adb remount #Allow to write on /syste
adb push $CERTHASHNAME /sdcard/ #Upload certificate
adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine

Mara mashine itakapokamilisha kuanzisha tena, cheti cha burp kitakuwa kinatumika!

Kutumia Magisc

Ikiwa umepata root kwenye kifaa chako kwa kutumia Magisc (labda emulators), na huwezi kufuata hatua zilizopita za kufunga cheti cha Burp kwa sababu faili ya mfumo ni ya kusoma tu na huwezi kuifunga tena kuwa ya kuandika, kuna njia nyingine.

Imeelezwa katika hii video unahitaji:

Kufunga cheti cha CA: Tu vuta na uachie cheti cha DER Burp ukibadilisha kiendelezi kuwa .crt kwenye simu ili kuhifadhiwa kwenye folda ya Downloads na nenda kwenye Install a certificate -> CA certificate

Hakikisha cheti kimehifadhiwa vizuri kwa kwenda kwenye Trusted credentials -> USER

Fanya iwe ya kuaminika kwa Mfumo: Pakua moduli ya Magisc MagiskTrustUserCerts (faili .zip), vuta na uachie kwenye simu, nenda kwenye programu ya Magics kwenye simu kwenye sehemu ya Modules, bonyeza Install from storage, chagua moduli ya .zip na mara itakapofungwa anzisha tena simu:

Baada ya kuanzisha tena, nenda kwenye Trusted credentials -> SYSTEM na hakikisha cheti cha Postswigger kiko hapo

Baada ya Android 14

Katika toleo la hivi karibuni la Android 14, mabadiliko makubwa yameonekana katika usimamizi wa cheti cha Mamlaka ya Cheti (CA) kinachokubalika na mfumo. Awali, vyeti hivi vilihifadhiwa katika /system/etc/security/cacerts/, vinavyoweza kufikiwa na kubadilishwa na watumiaji wenye ruhusa za root, ambayo iliruhusu matumizi ya haraka katika mfumo mzima. Hata hivyo, na Android 14, mahali pa kuhifadhiwa kumehamishwa kwenda /apex/com.android.conscrypt/cacerts, saraka ndani ya njia ya /apex, ambayo ni isiyoweza kubadilishwa kwa asili.

Jaribio la kufunga tena njia ya APEX cacerts kuwa ya kuandika linakutana na kushindwa, kwani mfumo haukuruhusu operesheni kama hizo. Hata jaribio la kuondoa au kuweka saraka hiyo na mfumo wa faili wa muda (tmpfs) halipuuzi isiyoweza kubadilishwa; programu zinaendelea kufikia data za cheti asilia bila kujali mabadiliko katika kiwango cha mfumo wa faili. Uthabiti huu unatokana na /apex kufungwa kwa usambazaji wa PRIVATE, kuhakikisha kwamba mabadiliko yoyote ndani ya saraka ya /apex hayaathiri michakato mingine.

Kuanza kwa Android kunahusisha mchakato wa init, ambao, unapozindua mfumo wa uendeshaji, pia huanzisha mchakato wa Zygote. Mchakato huu unawajibika kwa kuzindua michakato ya programu na nafasi mpya ya kufunga ambayo inajumuisha kufunga binafsi ya /apex, hivyo kuzuia mabadiliko katika saraka hii kutoka kwa michakato mingine.

Hata hivyo, kuna njia mbadala kwa wale wanaohitaji kubadilisha vyeti vya CA vinavyokubalika na mfumo ndani ya saraka ya /apex. Hii inahusisha kufunga tena kwa mikono /apex ili kuondoa usambazaji wa PRIVATE, hivyo kuifanya iwe ya kuandika. Mchakato huu unajumuisha nakala ya maudhui ya /apex/com.android.conscrypt kwenda mahali pengine, kuondoa saraka ya /apex/com.android.conscrypt ili kuondoa kizuizi cha kusoma tu, na kisha kurejesha maudhui kwenye mahali pake pa asili ndani ya /apex. Njia hii inahitaji hatua za haraka ili kuepuka kuanguka kwa mfumo. Ili kuhakikisha matumizi ya mabadiliko haya katika mfumo mzima, inapendekezwa kuanzisha tena system_server, ambayo kwa ufanisi inaanzisha tena programu zote na kuleta mfumo katika hali thabiti.

# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy

# Copy out the existing certificates
cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/

# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts

# Copy the existing certs back into the tmpfs, so we keep trusting them
mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/

# Copy our new cert in, so we trust that too
mv $CERTIFICATE_PATH /system/etc/security/cacerts/

# Update the perms & selinux context labels
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

# Deal with the APEX overrides, which need injecting into each namespace:

# First we get the Zygote process(es), which launch each app
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
# N.b. some devices appear to have both!

# Apps inherit the Zygote's mounts at startup, so we inject here to ensure
# all newly started apps will see these certs straight away:
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
if [ -n "$Z_PID" ]; then
nsenter --mount=/proc/$Z_PID/ns/mnt -- \
/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
fi
done

# Then we inject the mount into all already running apps, so they
# too see these CA certs immediately:

# Get the PID of every process whose parent is one of the Zygotes:
APP_PIDS=$(
echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
xargs -n1 ps -o 'PID' -P | \
grep -v PID
)

# Inject into the mount namespace of each of those apps:
for PID in $APP_PIDS; do
nsenter --mount=/proc/$PID/ns/mnt -- \
/bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
done
wait # Launched in parallel - wait for completion here

echo "System certificate injected"

Bind-mounting through NSEnter

Kuweka Saraka Inayoweza Kuandikwa: Kwanza, saraka inayoweza kuandikwa inaanzishwa kwa kufunga tmpfs juu ya saraka ya cheti ya mfumo isiyo ya APEX iliyopo. Hii inafanywa kwa amri ifuatayo:

mount -t tmpfs tmpfs /system/etc/security/cacerts

Kuweka Vyeti vya CA: Baada ya kuanzisha saraka inayoweza kuandikwa, vyeti vya CA ambavyo mtu anakusudia kutumia vinapaswa kunakiliwa kwenye saraka hii. Hii inaweza kujumuisha kunakili vyeti vya kawaida kutoka /apex/com.android.conscrypt/cacerts/. Ni muhimu kurekebisha ruhusa na lebo za SELinux za vyeti hivi ipasavyo.
Kufunga Mount kwa Zygote: Kwa kutumia nsenter, mtu anaingia kwenye eneo la mount la Zygote. Zygote, ikiwa ni mchakato unaohusika na kuzindua programu za Android, inahitaji hatua hii ili kuhakikisha kwamba programu zote zinazozinduliwa kuanzia sasa zinatumia vyeti vya CA vilivyowekwa upya. Amri inayotumika ni:

nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts

Hii inahakikisha kwamba kila programu mpya inayozinduliwa itafuata mipangilio ya cheti cha CA kilichosasishwa.

Kuweka Mabadiliko kwa Programu Zinazoendesha: Ili kuweka mabadiliko kwa programu ambazo tayari zinaendesha, nsenter inatumika tena kuingia kwenye eneo la jina la kila programu kibinafsi na kufanya mtego wa kufunga sawa. Amri inayohitajika ni:

nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts

Njia Mbadala - Upya wa Laini: Njia mbadala inahusisha kufanya bind mount kwenye mchakato wa init (PID 1) ikifuatiwa na upya wa laini wa mfumo wa uendeshaji kwa kutumia amri stop && start. Njia hii itasambaza mabadiliko katika majimbo yote, ikiepuka hitaji la kushughulikia kila programu inayofanya kazi kwa kibinafsi. Hata hivyo, njia hii kwa ujumla haitafutwa sana kutokana na usumbufu wa kuanzisha upya.