

Capturing the traffic of an app that uses two-way (mutual) certificate authentication

Posted by herskovits at 2020-02-24

Shandong new trend information


Statement: this is an original article by the Tide security team; please credit the source when reprinting. The techniques, ideas and tools in this article are shared only for learning and exchange among security professionals. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves.


As mobile applications have spread, app security has received more and more attention. The various anti-capture mechanisms now built into apps leave testers unable to analyse traffic normally. This article summarises a recent case of an app whose traffic could not be captured and offers one way of getting past two-way certificate authentication.

Recognising two-way certificate authentication

When I first got the app, I found that as soon as the phone was pointed at the proxy the app reported a network error. Burp Suite's history showed only request packets and no responses. My first guess was that SSL pinning was blocking the man-in-the-middle interception, so I enabled SSL Kill Switch 2. After that every response from the app's server came back as a 400 with the message "No required SSL certificate was sent". Searching for that message shows it is the error a web server returns when it requires a client certificate and none was presented, in other words when two-way certificate authentication is enabled on the server side.

When a server enables two-way certificate authentication, it is no longer only the client that verifies the server's certificate: the server also verifies the client's, so during the handshake it asks the client to present one. A client whose certificate fails that check is refused; one that passes is accepted, and the server now holds the client's certificate (and with it the client's public key) and knows which client it is talking to.

The client certificate is bundled inside the app. Compared with one-way authentication the only extra step is the server's check of the client certificate, but it is exactly the step that breaks interception. When Burp or a similar proxy captures HTTPS, the browser or app is made to trust the proxy's certificate, while the proxy itself presents no client certificate to the upstream server at all. Burp can send a client certificate for two-way authentication, but only one you supply as a PKCS#12 file; it cannot make one up, because the app's server accepts only certificates issued by its own CA. So to talk to the server we need the certificate that matches it, which is the one inside the app.

Approach

Since the app performs two-way certificate authentication, a client certificate has to be stored somewhere in the app package. After unzipping the IPA and looking through the Payload directory, we found exactly one certificate file, with a .p12 extension. Opening it to install it prompts for the password the file is protected with.

How the app unlocks the certificate

Before the client can send any request it must load that certificate from the bundle, and a PKCS#12 file cannot be used without its password. The password is hard-coded in the app: the code reads the certificate file, unlocks it with the hard-coded password, and uses the certificate and private key inside to answer the server's certificate request during the handshake. The code that does this has to reference the certificate's file name, so locating that name in the binary should lead to the password.

Recovering the certificate password

First we dump the app's decrypted binary (the "shell-cracking" step, since App Store binaries ship encrypted), unpack it and load the main binary into IDA. In the Strings window we search for the certificate name, client, and jump into the class that references it. Following the references from there leads to the certificate password. Testing confirms it: the certificate installs successfully with that password. The password can also be checked outside the app with OpenSSL's pkcs12 subcommand before it is used anywhere else.
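As an added example (not the team's own tooling, which was IDA), the Go program below automates the string search from the last two sections: it extracts printable runs from a binary the way the strings tool or IDA's Strings window does, then lists the literals that sit next to any string containing the certificate's base name. The input is a constructed stand-in for a Mach-O binary; the file name client.p12, the password Sup3rS3cret! and the neighbour window of two entries are assumptions. The adjacency heuristic is just that, and every candidate still has to be tried against the real .p12, which is quickest done with OpenSSL's pkcs12 subcommand since Go's standard library does not parse PKCS#12.

```go
package main

import (
	"bytes"
	"path"
	"strings"
)

// sampleBinary is a constructed stand-in for the app's main executable: a Mach-O
// magic followed by NUL-terminated literals laid out the way a compiler emits
// __cstring, with the certificate name next to a hard-coded password. None of
// this is data from the app in the article.
func sampleBinary() []byte {
	return bytes.Join([][]byte{
		{0xcf, 0xfa, 0xed, 0xfe}, // MH_MAGIC_64; the rest of the header is omitted
		[]byte("__TEXT"), []byte("__cstring"), []byte("NSURLSession"),
		[]byte("client.p12"), []byte("Sup3rS3cret!"), []byte("kSecImportExportPassphrase"),
		[]byte("https://api.example/v1"), []byte("SecPKCS12Import"),
	}, []byte{0})
}

// printableRuns extracts runs of at least minLen printable ASCII bytes, which is
// what the strings tool (or IDA's Strings window) shows for a binary.
func printableRuns(bin []byte, minLen int) []string {
	var runs []string
	start := -1
	for i, b := range bin {
		printable := b >= 0x20 && b <= 0x7e
		if printable && start < 0 {
			start = i
		} else if !printable && start >= 0 {
			if i-start >= minLen {
				runs = append(runs, string(bin[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(bin)-start >= minLen {
		runs = append(runs, string(bin[start:]))
	}
	return runs
}

// passwordCandidates returns the strings found within window positions of any
// string mentioning the certificate's base name. Heuristic (an assumption, not a
// rule): literals used by the same method usually sit next to each other in
// __cstring, so a hard-coded password tends to be a neighbour of the file name.
func passwordCandidates(bin []byte, certPath string, window int) []string {
	stem := strings.TrimSuffix(path.Base(certPath), path.Ext(certPath))
	runs := printableRuns(bin, 4)
	seen := map[string]bool{}
	var out []string
	for i, s := range runs {
		if !strings.Contains(s, stem) {
			continue
		}
		lo, hi := i-window, i+window+1
		if lo < 0 {
			lo = 0
		}
		if hi > len(runs) {
			hi = len(runs)
		}
		for _, c := range runs[lo:hi] {
			if c != s && !seen[c] {
				seen[c] = true
				out = append(out, c)
			}
		}
	}
	return out
}
```

On the constructed binary, passwordCandidates(sampleBinary(), "client.p12", 2) returns the four neighbours of "client.p12", among them Sup3rS3cret!; on a real binary the list is longer and is where IDA's cross-references take over to pick the literal actually passed to the import routine.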

Adding the client certificate to Burp

Host is the primary domain name of the app's server. Then choose the client.p12 file taken from the app package as the certificate file, with PKCS#12 as the type, and enter the recovered password.

Once the certificate has been imported, tick it to put it in use. After that the app's traffic is captured normally.













The Tide security team was formally established in January 2019. It is the security team of Shandong New Trend Information and focuses on research into Internet attack and defence techniques. It currently brings together more than ten professional attack-and-defence researchers working on network attack and defence, web security, mobile, secure development, and IoT and industrial control security, among other areas.

For more from the Tide security team, visit the team website at http://www.TideSec.net or scan the QR code to follow the official WeChat account.