Regular Methods to Enable Proxy

1. Enabling Proxy in Wi-Fi Settings

One of the simplest ways to set up a proxy on an Android device is through the Wi-Fi settings.

1. Go to Settings > Network & Internet > Wi-Fi.

2. Long press on your Wi-Fi network and select Modify network.

3. Enable Advanced options.

4. Set Proxy to Manual and enter the proxy hostname and port.

2. Using ADB Command

ADB (Android Debug Bridge) can be used to set a proxy for your Android device.

1. Connect your Android device to your computer.

2. Open a terminal and enter the following command:

    adb shell settings put global http_proxy <proxy_host>:<proxy_port>
   

3. To clear the proxy settings, use:

    adb shell settings put global http_proxy :0
   

3. Proxy for an Individual App Using Frida Script or Objection Module

Frida and Objection can be used to hook into an app and force it to use a proxy.

Frida Script Example

1. Install Frida on your computer and device.

2. Write a Frida script to hook the app's network functions and redirect traffic through the proxy.

3. Execute the script while the app is running.

Objection Example

1. Install Objection and launch it against the target app:

    objection --gadget <app_package> explore
   

2. Use the following command within Objection:

    network monitor start --proxy <proxy_host>:<proxy_port>
   

Advanced Method: Using iptables

Setting Up iptables

Using iptables requires a rooted device. This method redirects all traffic through the proxy.

1. Gain root access on your device.

2. Use iptables to redirect traffic:

    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination <proxy_host>:<proxy_port>
    iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination <proxy_host>:<proxy_port>
   

3. Verify that the traffic is being redirected.

New approach: Proxy Using DNS

1. Setting Up DNSChef

DNSChef can be used to redirect DNS requests to a proxy server.

1. Install DNSChef on your computer:

    pip install dnschef
   

2. Run DNSChef to redirect traffic:

    dnschef --fakeip <your_ip> --fakedomains <target_domain>
   

   Alternatively, redirect all traffic:

    dnschef --fakeip <your_ip>
   

2. Configuring Android DNS Settings

Configure your Android device to use the DNSChef server.

1. Go to Settings > Network & Internet > Wi-Fi.

2. Long press on your Wi-Fi network and select Modify network.

3. Enable Advanced options.

4. Set IP settings to Static and enter your computer's IP address as the DNS server.

3. Enabling Transparent Proxy in Burp Suite

Finally, enable transparent proxying in Burp Suite to handle the incoming traffic.

1. Open Burp Suite and go to Proxy > Options.

2. Add a new proxy listener and enable Invisible proxying under Request Handling.

By following these steps, you can effectively proxy non proxy-aware Android apps using various methods tailored to your needs. Whether through simple Wi-Fi settings or more advanced DNS manipulation, each approach provides a way to monitor and intercept app traffic.

The journey begins when we were tasked with testing and an API used for finical transactions, and received A Postman collection from the client for that matter.

We quickly realized that it was not going to be an easy task. As part of our usual practice, we proxied the Postman requests through Burp Suite. However, no matter what we did, we could not get our modified requests to go through successfully.

We tried different methods, but it seemed like the server was always one step ahead of us. We were stuck, feeling like we were trying to hack into the Pentagon without any passwords or clearance.

Sending the request to repeater and submitting the request at the beginning seemed to work but when making the smallest change to any part of the request caused the request to fail.

Worst than that, after a minute or so, even the original request started failing which caused us to assume it has to to with time but still did not explain the modification issue

After banging our heads against the wall for a couple of hours. we suddenly noticed something we missed from the beginning: a Postman pre-request script!

Apparently, the server implemented content HMAC signing which signs every payloads with a secret + the current time-stamp.

The customer had a unique implementation if the technique as it was not intended to be used in a browser.

Postman pre-request scripts are scripts based on JavaScript that run before each request is sent and can read and modify data from the request attributes as well as postman environment variables.

Reading the script taught us that the script generates a variable encryptable (figure 1) which consists or a time stamp (which causes the request to fail after a shot time), the request method, the request URL and finally, the request body (figure 2)

then, the script generates a hash base on the previous variable and a user secret (figure 3)

finally the script appends 2 headers to the request: the timestamp and the hash (figure 4)

We've hit a bit of a roadblock because Burp Suite doesn't offer much in terms of pre-request actions. The Burp macros are quite limited, and there isn't a straightforward way to run a script from within Burp..

But we really needed a way to get it to work as we wanted to run a burp scan on the API.

Then the idea came like a lighting, proxy-chaining!

Nothing prevents us of redirecting burps traffic through a custom proxy written in python or any other flexible programing language that will calculate the correct hash and send append the appropriate headers.

Now we just need to chose the right tools for the mission.

We settled on mitmproxy which for who ever is not familiar with, is a proxy for pentesters similar to burp written in python and best of all, supports custom scripts that can interact with any part of the flow using a robust API.

Converting the script to python did not take too long and finally we got something looking like this

I order to start up the proxy we simply need to run the executable and supply the script we have written as an argument

Now that we have our Proxy up and running we need to tell Burp to Proxy it’s traffic through mitm.

This is done in the settings, under the connection tab in the upstream proxy section.

Bingo! it worked, now we can test any payload we wish with the convenience of burp without the authentication failing due to a signature mismatch

We can also take advantage of burp scanner which was useless without having a way to modify the headers

this is how the traffic generated from burp scanner looks like through mitmproxy’s logs

The pentest results are obviously private but we thought sharing this technique can be useful for people facing similar challenges.

Happy hacking…