绕过ssl pinning

本篇文章将讲解如何绕过ssl pingning的常用的几种方法


frida 与 frida-tools 对应关系

frida-tools==1.0.0 ------ 12.0.0<=frida<13.0.0
frida-tools==1.1.0 ------ 12.0.0<=frida<13.0.0
frida-tools==1.2.0 ------ 12.1.0<=frida<13.0.0
frida-tools==1.2.1 ------ 12.1.0<=frida<13.0.0
frida-tools==1.2.2 ------ 12.1.0<=frida<13.0.0
frida-tools==1.2.3 ------ 12.1.0<=frida<13.0.0
frida-tools==1.3.0 ------ 12.3.0<=frida<13.0.0
frida-tools==1.3.1 ------ 12.3.0<=frida<13.0.0
frida-tools==1.3.2 ------ 12.4.0<=frida<13.0.0
frida-tools==2.0.0 ------ 12.5.3<=frida<13.0.0
frida-tools==2.0.1 ------ 12.5.9<=frida<13.0.0
frida-tools==2.0.2 ------ 12.5.9<=frida<13.0.0
frida-tools==2.1.0 ------ 12.5.9<=frida<13.0.0
frida-tools==2.1.1 ------ 12.5.9<=frida<13.0.0
frida-tools==2.2.0 ------ 12.5.9<=frida<13.0.0
frida-tools==3.0.0 ------ 12.6.17<=frida<13.0.0
frida-tools==3.0.1 ------ 12.6.17<=frida<13.0.0
frida-tools==4.0.0 ------ 12.6.21<=frida<13.0.0
frida-tools==4.0.1 ------ 12.6.21<=frida<13.0.0
frida-tools==4.0.2 ------ 12.6.21<=frida<13.0.0
frida-tools==4.1.0 ------ 12.6.21<=frida<13.0.0
frida-tools==5.0.0 ------ 12.6.21<=frida<13.0.0
frida-tools==5.0.1 ------ 12.7.3<=frida<13.0.0
frida-tools==5.1.0 ------ 12.7.3<=frida<13.0.0
frida-tools==5.2.0 ------ 12.7.3<=frida<13.0.0
frida-tools==5.3.0 ------ 12.7.3<=frida<13.0.0
frida-tools==5.4.0 ------ 12.7.3<=frida<13.0.0
frida-tools==6.0.0 ------ 12.8.5<=frida<13.0.0
frida-tools==6.0.1 ------ 12.8.5<=frida<13.0.0
frida-tools==7.0.0 ------ 12.8.12<=frida<13.0.0
frida-tools==7.0.1 ------ 12.8.12<=frida<13.0.0
frida-tools==7.0.2 ------ 12.8.12<=frida<13.0.0
frida-tools==7.1.0 ------ 12.8.12<=frida<13.0.0
frida-tools==7.2.0 ------ 12.8.12<=frida<13.0.0
frida-tools==7.2.1 ------ 12.8.12<=frida<13.0.0
frida-tools==7.2.2 ------ 12.8.12<=frida<13.0.0
frida-tools==8.0.0 ------ 12.10.4<=frida<13.0.0
frida-tools==8.0.1 ------ 12.10.4<=frida<13.0.0
frida-tools==8.1.0 ------ 12.10.4<=frida<13.0.0
frida-tools==8.1.1 ------ 12.10.4<=frida<13.0.0
frida-tools==8.1.2 ------ 12.10.4<=frida<13.0.0
frida-tools==8.1.3 ------ 12.10.4<=frida<13.0.0
frida-tools==8.2.0 ------ 12.10.4<=frida<13.0.0
frida-tools==9.0.0 ------ 14.0.0<=frida<15.0.0
frida-tools==9.0.1 ------ 14.0.0<=frida<15.0.0
frida-tools==9.1.0 ------ 14.2.0<=frida<15.0.0
frida-tools==9.2.0 ------ 14.2.9<=frida<15.0.0
frida-tools==9.2.1 ------ 14.2.9<=frida<15.0.0
frida-tools==9.2.2 ------ 14.2.9<=frida<15.0.0
frida-tools==9.2.3 ------ 14.2.9<=frida<15.0.0
frida-tools==9.2.4 ------ 14.2.9<=frida<15.0.0
frida-tools==9.2.5 ------ 14.2.9<=frida<15.0.0
frida-tools==10.0.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.1.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.1.1 ------ 15.0.0<=frida<16.0.0
frida-tools==10.2.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.2.1 ------ 15.0.0<=frida<16.0.0
frida-tools==10.2.2 ------ 15.0.0<=frida<16.0.0
frida-tools==10.3.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.4.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.4.1 ------ 15.0.0<=frida<16.0.0
frida-tools==10.5.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.5.1 ------ 15.0.0<=frida<16.0.0
frida-tools==10.5.2 ------ 15.0.0<=frida<16.0.0
frida-tools==10.5.3 ------ 15.0.0<=frida<16.0.0
frida-tools==10.5.4 ------ 15.0.0<=frida<16.0.0
frida-tools==10.6.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.6.1 ------ 15.0.0<=frida<16.0.0
frida-tools==10.6.2 ------ 15.0.0<=frida<16.0.0
frida-tools==10.7.0 ------ 15.0.0<=frida<16.0.0
frida-tools==10.8.0 ------ 15.0.0<=frida<16.0.0
frida-tools==11.0.0 ------ 15.2.0<=frida<16.0.0
frida-tools==12.0.0 ------ 16.0.0<=frida<17.0.0
frida-tools==12.0.1 ------ 16.0.0<=frida<17.0.0
frida-tools==12.0.2 ------ 16.0.0<=frida<17.0.0
frida-tools==12.0.3 ------ 16.0.0<=frida<17.0.0
frida-tools==12.0.4 ------ 16.0.0<=frida<17.0.0
frida-tools==12.1.0 ------ 16.0.0<=frida<17.0.0
frida-tools==12.1.1 ------ 16.0.9<=frida<17.0.0
frida-tools==12.1.2 ------ 16.0.9<=frida<17.0.0
frida-tools==12.1.3 ------ 16.0.9<=frida<17.0.0
frida-tools==12.2.0 ------ 16.0.9<=frida<17.0.0
frida-tools==12.2.1 ------ 16.0.9<=frida<17.0.0
frida-tools==12.3.0 ------ 16.0.9<=frida<17.0.0

苹果

ssl-kill-switch2

https://github.com/nabla-c0d3/ssl-kill-switch2/releases

//绕过ssl pingning
scp com.nablac0d3.sslkillswitch2_0.14.deb root@192.168.137.21:/tmp
//ssh连接iphone
dpkg -i com.nablac0d3.sslkillswitch2_0.14.deb 
killall -HUP SpringBoard

使用objection绕过

客户端环境准备:

pip install frida==14.2.18
pip install frida-tools==9.2.5
pip install objection==1.11.0

服务端安装:

//frida-server指定版本的安装
//frida-server的版本与frida的版本要匹配
//指定版本frida-server的获取
https://github.com/frida/frida/releases/tag/14.2.18

scp frida_14.2.18_iphoneos-arm.deb root@192.168.137.48:/tmp
cd /tmp
dpkg -i frida_14.2.18_iphoneos-arm.deb

objection绕过:

//注入进程
objection -g com.chinamobile.xc.MobileUShield explore(输入后会自动打开app) 
//关闭ssl校验 
ios sslpinning disable
objection -g com.central.mbomc explore
objection -g com.asiainfo.ima.base explore

VPN绕过

可以使用小火箭Shadowrocket进行绕过,设置好代理ip和端口,如果没有检测,就可以直接抓包,若有检测反编译后,观察观察相关代码进行绕过

eg:以下为绕过CFNetworkCopySystemProxySettings检测

//frida -U -n xxxx -l bypass_vpn_ios.js
var CFNetworkCopySystemProxySettings = Module.findExportByName("CFNetwork", "CFNetworkCopySystemProxySettings");

if (CFNetworkCopySystemProxySettings) {
    Interceptor.attach(CFNetworkCopySystemProxySettings, {
        onLeave: function (retval) {
            if (!retval.isNull()) {
                var proxySettings = new ObjC.Object(retval).mutableCopy();

                // 设置为关闭代理
                proxySettings.setObject_forKey_(0, 'HTTPEnable');
                proxySettings.setObject_forKey_(0, 'HTTPSEnable');
                proxySettings.setObject_forKey_(0, 'FTPEnable');
                proxySettings.setObject_forKey_(0, 'SOCKSEnable');

                // 清除代理服务器地址和端口
                proxySettings.removeObjectForKey_('HTTPProxy');
                proxySettings.removeObjectForKey_('HTTPSProxy');
                proxySettings.removeObjectForKey_('HTTPPort');
                proxySettings.removeObjectForKey_('HTTPSPort');

                // 清除其它相关设置
                proxySettings.removeObjectForKey_('ExceptionsList');
                proxySettings.removeObjectForKey_('__SCOPED__');

                // 替换原始的返回值
                retval.replace(proxySettings.handle);
            }
        }
    });
} else {
    console.log("CFNetworkCopySystemProxySettings没有找到!");
}

安卓

使用objection的时候本机python需要在3.7以上

1.模拟器安装frida服务端

使用adb查看设备abi信息(需要打开逍遥模拟器):

adb shell getprop ro.product.cpu.abi

下载frida服务端地址:https://github.com/frida/frida/releases

下载时对应电脑上的frida版本下载

下载后解压,把解压后的文件使用adb命令上传到设备的/data/local/tmp 目录下

adb push frida-server-16.0.2-android-x86_64 /data/local/tmp

给frida-server-16.0.2-android-x86可执行权限,并执行

adb shell

cd /data/local/tmp

chmod 777 frida-server-16.0.2-android-x86

./frida-server-16.0.2-android-x86

按下回车后没有反应,说明此时已经执行成功了

方式一:使用objection绕过sslpinning

objection.exe -g 包名 explore(输入后会自动打开app)
objection.exe -g com.xx.xx explore

然后输入 android sslpinning disable

在进行抓包就可以绕过sslpinning了。

ps:如果还是显示网络错误需要按照第二步重新做一下,输入完第一个命令后,等app打开后在输入android sslpinning disable ,输入完毕后此时还不能抓包,需要把app在后台关闭后在重新打开,这样就能抓包了。

方式二:使用js-frida绕过

sslpinning、root、代理检测

查包名:

adb shell pm list packages -3
frida -U -l zhihuibangong.js -f cn.cmit.xxxx
frida -U -l mbomc2.js -f  centralize.xxx.ebomc.xxx

单向双向证书校验

推荐阅读
DroidSSLUnpinning

查看CA证书

cd /system/etc/security/cacerts
ls -liat

免责声明

免责声明:本博客的内容仅供合法、正当、健康的用途,切勿将其用于违反法律法规的行为。如因此导致任何法律责任或纠纷,本博客概不负责。谢谢您的理解与配合!

微信公众号

本文链接:

https://sanshiok.com/archive/5.html

# 最新文章