Project 4: ExploitMe Mobile Lab 1: Sniffing Insecure Connections with Burp (15 points)

What You Need for This Project

Purpose

To intercept the password transmission from the vulnerable app, observe its insecurity (credentials travel in cleartext over HTTP), and understand how transport encryption (HTTPS) would fix it.

Setup

Launch Android Studio and the Nexus 5 emulator. Swipe up to get to the home screen of the emulated phone.

Installing the Client App

In a Web browser, go to https://github.com/securitycompass/AndroidLabs. On the right side, click "Download ZIP".

Unzip the file you just downloaded. A folder named AndroidLabs-master appears.

In Android Studio, click File, "Import Project".

Navigate to the AndroidLabs-master folder.

When the project loads, click Run, "Run 'app'".

Select the Nexus 5 emulator.

You see a bank login screen, as shown below.

Enter anything in the username and password fields and click Done.

Note: the keyboard on your computer won't work in the emulator. You must use the mouse to click on letters on the on-screen keyboard.

You see the message "Couldn't communicate with server", as shown above.

This is expected--we haven't yet set up the server.

Installing Python

If you are using a Mac or a Linux computer, Python is already installed.

If you have a PC, in a Web browser, go to

http://www.python.org/downloads/ and click Python 2.7.9. The commands in this project assume Python 2.7 installed in its default location.

Install the software with the default options.

Installing Setup Tools (Windows Only)

If you are using Windows, you need to do this.

Right-click the link below and save the file on your desktop.

https://bootstrap.pypa.io/ez_setup.py

Double-click the ez_setup.py file.

Installing Required Libraries

If you are using a Mac, execute this command in the Terminal:
sudo easy_install blinker cherrypy flask flask-sqlalchemy simplejson
Enter your password when you are prompted to.

If you are using a PC, open an Administrator Command prompt and execute this command:

c:\python27\Scripts\easy_install blinker cherrypy flask flask-sqlalchemy simplejson
If you are using Ubuntu 14.04, CherryPy does not install correctly with easy_install. Execute this command:
sudo pip install CherryPy

Installing the Server Component

In a browser, go to

https://github.com/securitycompass/LabServer

On the right side, click "Download ZIP".

Find the LabServer-master.zip file and unzip it. A LabServer-master folder appears.

Find the complete path to this folder. When I did it on my Mac, it was:

/Users/sambowne/Downloads/LabServer-master
If you are on a Mac, execute these commands, adjusting the path in the first command to the correct path for your machine:
cd /Users/sambowne/Downloads/LabServer-master

python app.py

If you are using Windows, execute these commands, adjusting the path in the first command to the correct path for your machine:
cd c:\Users\student\Downloads\LabServer-master\LabServer-master

app.py

You should see the message: "Serving HTTP on port 8080", as shown below.

Leave this window open.

Logging In

In the Nexus 5 emulator, enter a username of jdoe and a password of password

Click Done.

You see the message "Please configure a local password", as shown below.

Enter a password of P@ssw0rd in both fields and click Done.

You now see the main app page, as shown below.

Click each of the three items and explore the app. It has basic banking functionality.

Stopping the Server App

Click in the Terminal or Command Prompt window running app.py.

Press Ctrl+C to stop the server, as shown below.

Don't close this window--you'll need it again later.

Installing Burp

Burp is a very popular intercepting proxy: traffic passes through it, so you can view and alter requests and responses on the way.

In a Web browser, go to http://portswigger.net/burp/download.html

At the bottom of the "Free Edition" column, click "Download now".

A "burpsuite_free_v1.6.jar" file downloads. Double-click it to launch it.

Burp opens, as shown below.

In Burp, click the Proxy tab. Click the Intercept button. Make sure the button label reads "Intercept is off", as shown below, so that requests pass straight through without waiting for you to forward each one by hand.

Configuring Burp to Redirect Requests

In Burp, click the Proxy tab.

Click the Options tab.

Burp is listening on 127.0.0.1:8080, as shown below.

This is good, because the banking app in the emulated phone is already configured to reach its server on port 8080 of the host computer (from inside the standard Android emulator, the host's loopback interface is reached through the alias address 10.0.2.2), which is exactly where Burp is now listening.

So the requests from the emulated Android phone will reach Burp instead of the server. We now need to tell Burp where the real server can be found, so it can forward them on.

In Burp, click the Edit button.

In the "Edit proxy listener" box, click the "Request handling" tab.

Check "Redirect to host" and enter 127.0.0.1. Check "Redirect to port" and enter 8081. These values are shown below:

Click OK. Burp now shows an Interface of 127.0.0.1:8080 and a Redirect of 127.0.0.1:8081, as shown below.

Starting the Server on Port 8081

In the Terminal or Command Prompt window you used before, execute this command:
python app.py --port 8081
You should see the message: "Serving HTTP on port 8081", as shown below.

Leave this window open.

Viewing Accounts from the Android Phone

On the emulated Android phone, open the Accounts item. You will be asked for your password. Enter P@ssw0rd

You should see your account balances, as shown below.

Viewing Traffic in Burp

In Burp, on the Proxy tab, click the "HTTP history" tab.

Click a "POST /login" line.

The lower pane shows the data the banking app sent to the server.

The username of jdoe and password of password are visible in cleartext, as shown below. Burp is only standing in for anyone on the network path between the phone and the bank: because the app sends the login over plain HTTP, a hotspot operator or anyone sharing the Wi-Fi could read the same credentials without altering anything.
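To make the mechanism concrete, here is an added example (not part of the lab, of LabServer or of the AndroidLabs app) that does in a few dozen lines of Python 3 what the Burp listener above does: it accepts connections in the server's place, records each request, forwards it unchanged to the real server and relays the reply. A constructed stand-in server plays the role of LabServer's /login, and the urlencoded form format (username=...&password=...) is an assumption about the real app, since the page only shows that both values appear readable. Everything binds to 127.0.0.1 on ephemeral ports, so it runs offline and does not collide with Burp on 8080 or app.py on 8081.

```python
"""Added example (not the lab's or LabServer's code): a minimal redirecting
proxy in the style of Burp's 'Redirect to host/port' listener, showing why
a cleartext HTTP login is readable in transit. Python 3, stdlib only."""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

# Field names that should never travel readable on the wire.
CREDENTIAL_FIELDS = {"username", "user", "password", "passwd", "pin", "token"}


def post(url, data, content_type="application/x-www-form-urlencoded"):
    """POST raw bytes to url, ignoring any system proxy settings.
    Returns (status, content_type, body) even for 4xx/5xx replies."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": content_type})
    try:
        with opener.open(req) as resp:
            return resp.status, resp.headers.get("Content-Type", "text/plain"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", "text/plain"), err.read()


class QuietHandler(http.server.BaseHTTPRequestHandler):
    """Shared plumbing: silent logging, body reading, and a reply helper."""

    def log_message(self, *args):  # keep the demo silent
        pass

    def read_body(self):
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def reply(self, status, content_type, body):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class StandInLabServer(QuietHandler):
    """Constructed stand-in for LabServer's /login: accepts only jdoe/password."""

    def do_POST(self):
        form = urllib.parse.parse_qs(self.read_body().decode())
        ok = form.get("username") == ["jdoe"] and form.get("password") == ["password"]
        self.reply(200 if ok else 401, "application/json",
                   b'{"result": "success"}' if ok else b'{"result": "failure"}')


class SniffingRedirector(QuietHandler):
    """The client connects here believing it is the server. Each request is
    recorded, forwarded unchanged to `upstream`, and the reply relayed back."""
    upstream = ("127.0.0.1", 8081)  # overwritten by run_demo()
    captured = []                   # one dict per request seen

    def do_POST(self):
        body = self.read_body()
        self.captured.append({"path": self.path, "body": body.decode(errors="replace")})
        host, port = self.upstream
        status, ctype, data = post("http://%s:%d%s" % (host, port, self.path), body,
                                   self.headers.get("Content-Type",
                                                    "application/x-www-form-urlencoded"))
        self.reply(status, ctype, data)


def find_cleartext_credentials(body):
    """Pick the credential-looking fields out of a captured urlencoded body."""
    form = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in form.items() if k.lower() in CREDENTIAL_FIELDS}


def _serve(handler):
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo(username="jdoe", password="password"):
    """Log in through the sniffing redirector and return what the proxy saw."""
    real = _serve(StandInLabServer)
    SniffingRedirector.upstream = real.server_address
    SniffingRedirector.captured = []
    proxy = _serve(SniffingRedirector)
    try:
        form = urllib.parse.urlencode({"username": username, "password": password}).encode()
        status, _, reply = post("http://127.0.0.1:%d/login" % proxy.server_address[1], form)
    finally:
        for srv in (proxy, real):
            srv.shutdown()
            srv.server_close()
    seen = SniffingRedirector.captured[0]
    return {"status": status, "reply": reply.decode(), "path": seen["path"],
            "captured_body": seen["body"],
            "credentials": find_cleartext_credentials(seen["body"])}


if __name__ == "__main__":
    result = run_demo()
    print("proxy saw POST %s with body %r" % (result["path"], result["captured_body"]))
    print("cleartext credentials:", result["credentials"])
```

Run it with python3; the proxy prints the same username=jdoe&password=password body that Burp's HTTP history shows. Note that the redirector never has to break anything: it simply reads bytes from a cleartext stream and passes them on, and the client cannot tell the difference, which is exactly the position of anyone between the phone and the bank.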

Saving a Screen Image

Make sure jdoe and password are visible in Burp, as shown above.

Save a full-desktop image of this screen. On a Mac, press Command+Shift+3; the image is saved to your desktop. On a PC, press PrntScrn, open Paint, and paste the image in.

YOU MUST SUBMIT A FULL-SCREEN IMAGE FOR FULL CREDIT!

Save the image with the filename "YOUR NAME Proj 4", replacing "YOUR NAME" with your real name.

Turning in your Project

Email the image to cnit.128sam@gmail.com with the subject line: Proj 4 from YOUR NAME

Solution

The data should be sent via HTTPS, not HTTP. This app is supposed to have that capability, but I was unable to get it to work so I didn't include it in the project.

Sources

ExploitMe Mobile Android Labs


Last modified 3-10-15 8:56 pm