From the WeChat public account: DeveloperPython





Packet capture is something most programmers have heard of, but few have actually captured and analyzed packets themselves.
This article introduces several simple, easy-to-use packet capture tools, captures and analyzes the HTTP and HTTPS traffic that makes up most of today's Internet, and shares how to capture packets from a phone:
1. Charles, Fiddler and Wireshark
2. HTTP, HTTPS and how they work
3. Mobile packet capture
4. Additional Charles features

1. Packet capture tools

  • Fiddler
    • My favorite tool back when I used a Windows machine; for simple captures Fiddler was enough. It has since been updated to Fiddler3. If you are on Windows, Fiddler3 will do the job.
  • Charles
    • I have preferred this tool since switching to a Mac, but Charles is available on Windows too.
  • Wireshark
    • I use this one less often. It captures at the packet level, so it shows details such as the TCP three-way handshake and can decode protocols like SPDY and TCP, which the other two, being HTTP proxies, cannot see.

I'll use Charles as the example and capture HTTP and HTTPS traffic in turn:

Download

Cracked Mac download: Download.csdn.net/detail/m694…
Cracked Windows download: Download.csdn.net/detail/m694…
License key: www.charlesproxy.com/
Cracked builds from third-party download sites are a software supply-chain risk for a tool that will be terminating your TLS sessions; the official build and licensing are at www.charlesproxy.com/.




The opening interface is as follows:




2. HTTP and HTTPS packets

2.1 HTTP packets

2.1.1 Clear the Charles session list so the capture is easier to read




2.1.2 Using my CSDN account (m694449212) as the example, click "My Blog" in Chrome to capture the request we need




We filter the list for m694449212; without a filter you would have to search the entries one by one (with more experience, or better English, you would recognize the request as one to blog.csdn.net).
2.1.3 Analyzing the request




2.1.4 Request




The most important header here is Cookie: data a web site stores on the user's machine for identification and session tracking (usually an opaque or signed session identifier rather than readable user data).
Cookies are also essential to our crawlers, so how do we obtain them automatically? That is covered next.
2.1.5 Response




To obtain cookies, from my past experience:
A. First make sure the browser environment is clean. By clean I mean: clear the cookies the browser has saved, then restart the browser.
B. After the restart, visit www.csdn.net. The first request to this host carries no Cookie header, so where does the cookie come from? From the response: the Response Headers -> Set-Cookie, which the browser stores and sends in the next request.
C. If we then log in with that cookie in the request headers, the cookie becomes an authenticated session once login succeeds. From then on every request carrying the cookie is treated as a normal logged-in request and returns what we want.
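The Set-Cookie to Cookie exchange of steps A to C, as an added example using only Python's standard library (this is not code from the original article). The response headers are constructed to resemble what Charles shows for the first visit to www.csdn.net; the cookie names and values are made up, and FakeResponse is a stand-in for the object urllib would return, because nothing here touches the network.

```python
import email
import http.cookiejar
import urllib.request

# Constructed response headers resembling what Charles shows for the first visit to
# www.csdn.net (cookie names and values are made up, not a real capture).
RAW_RESPONSE_HEADERS = (
    "Set-Cookie: uuid_tt_dd=10_1234567890-1577777777777-123456; Path=/; HttpOnly\r\n"
    "Set-Cookie: dc_session_id=10_1577777777777.123456; Path=/\r\n"
    "Content-Type: text/html\r\n\r\n"
)


class FakeResponse:
    """Stand-in for the object urllib returns: CookieJar only calls .info() on it."""

    def __init__(self, raw_headers):
        self._headers = email.message_from_string(raw_headers)

    def info(self):
        return self._headers


def first_and_second_request(url="http://www.csdn.net/", next_path="m694449212"):
    """Steps A-C: clean jar -> first request has no Cookie -> Set-Cookie is stored ->
    the next request to the same host carries it automatically."""
    jar = http.cookiejar.CookieJar()            # step A: a clean browser has an empty jar
    first = urllib.request.Request(url)
    jar.add_cookie_header(first)                # nothing to add yet
    first_cookie = first.get_header("Cookie")   # None: the first request is cookie-less
    # step B: the server answers with Set-Cookie; the jar stores the cookies for this host
    jar.extract_cookies(FakeResponse(RAW_RESPONSE_HEADERS), first)
    second = urllib.request.Request(url + next_path)
    jar.add_cookie_header(second)               # step C: every later request carries them
    return first_cookie, second.get_header("Cookie"), sorted(c.name for c in jar)


if __name__ == "__main__":
    print(first_and_second_request())
```

A real crawler gets the same behaviour from an opener built with HTTPCookieProcessor(jar), which calls extract_cookies and add_cookie_header for you on every request; the login step then just reuses the same jar.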
For requests that carry a sign parameter, I will explain how to crack the sign function in the next article (in practice it is often not cracked directly but hooked: if you are interested, read up on hooking on Android or iOS beforehand, locate the sign function with IDA, and call it with cycript). In later articles I will take Instagram, a well-known foreign app, as the example and hook its signature function.




(A treat for the eyes from Instagram's HTTPS packet data; keep reading.)

2.2 HTTPS packets

2.2.1 Introduction to HTTPS

Everyone knows SSL, I think. HTTPS is simply HTTP carried over an SSL/TLS-encrypted connection.
The handshake uses asymmetric encryption to agree on a secret and symmetric encryption for the data. The figure below shows the flow; the steps describe RSA key exchange, the mode used by TLS 1.2 and earlier (TLS 1.3 replaced it with ephemeral Diffie-Hellman, which this description does not cover):




1. The Client sends the cipher suites it supports and a random number (Random_C) to the Server in plaintext.
2. The Server returns the cipher suite it chose, its certificate (containing the server name, the server's public key, and the issuing CA's signature), and its own random number (Random_S).
3. On receiving the Server's message, the Client:
   a. verifies the certificate (does the name match the site being accessed, and is the issuer trusted?);
   b. generates a random secret (Pre_master) and encrypts it with the public key from the certificate (enc_pre_master);
   c. derives the symmetric key enc_key from Random_C, Random_S and Pre_master;
   d. generates its handshake message: a hash of the handshake so far, encrypted with enc_key and the agreed algorithm.
4. The Client sends enc_pre_master and the encrypted handshake message to the Server.
5. The Server receives the message and:
   a. decrypts enc_pre_master with its private key (the asymmetric step) to recover Pre_master;
   b. derives the same enc_key from Pre_master, Random_C and Random_S;
   c. decrypts the handshake message with enc_key and checks that the hash matches what the Client sent;
   d. generates its own handshake message, again encrypted with enc_key and the agreed algorithm.
6. The Server sends its handshake message to the Client. At this point the Server has verified the Client's message, and the Client now verifies the Server's in the same way.
7. The Client decrypts the handshake message and checks its hash. If the hash matches what the Server sent, the handshake is complete.
8. Encrypted communication. From now on all application data is encrypted and decrypted with the negotiated enc_key and the agreed algorithm.

HTTPS uses the following kinds of algorithms:

  • Asymmetric algorithms: RSA, DSA/DSS (RSA can both encrypt the Pre_master and sign; DSA/DSS only signs, so it cannot perform the key exchange above)
  • Symmetric encryption algorithms: AES, RC4, 3DES (RC4 and 3DES are deprecated and disabled in modern TLS stacks)
  • Hash algorithms: MD5, SHA1, SHA256 (MD5 and SHA1 are no longer accepted for certificate signatures)

2.2.2 How Charles captures HTTPS

Charles is an HTTP proxy. Applied to the handshake above, this means every message between the client and the server passes through Charles.
As the diagram below shows:




The main steps are:

1. Charles intercepts the Client's handshake request and, posing as the Client, opens its own handshake to the real Server.
2. The Server responds with its certificate. Charles verifies it against its own trust store (this is what the root certificate's public key is for: checking the signature on the Server's certificate, not "decrypting" it) and keeps the Server's public key. Charles then issues a forged certificate for the same host name, signed by its own root, and sends that to the Client as if it were the Server's certificate.
3. The Client verifies the forged certificate; if Charles's root is in the Client's trust store, the check passes. The Client then generates Pre_master, encrypts it with the public key from the forged certificate, and derives enc_key exactly as described above.
4. Charles receives the Client's enc_pre_master, decrypts it with the forged certificate's private key, and derives the Client-side enc_key. For the Server side, Charles encrypts a Pre_master with the real Server's public key and sends it on, deriving a second enc_key for that leg.
5. The Server, as before, decrypts with its private key, derives enc_key, and sends its encrypted handshake message.
6. Charles decrypts the Server's handshake message with the Server-leg enc_key, then sends its own handshake message to the Client encrypted with the Client-leg enc_key.
7. The Client decrypts it with enc_key and checks the hash. The handshake completes and both ends believe they have "trust" with each other, while every byte actually passes through Charles, which holds the keys for both legs.
  • The whole process hinges on enc_key. Because Charles holds the private key for the forged certificate it learns the Client-side Pre_master, and therefore enc_key, and it negotiates the Server-side key itself; all traffic is transparent to it.
  • The other key point is the root certificate, the start of the HTTPS chain of trust. It is the only reason the Client accepts Charles's forged certificate: the Client must have Charles's root installed. The Server needs nothing, since it never sees the forged certificate and only ever talks to Charles as an ordinary client.
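The handshake of 2.2.1 and Charles's position in 2.2.2 are easier to see with both sides' computations written out. The following is an added example written for this article, not Charles's code and not real TLS: RSA is textbook RSA over fixed well-known primes with no padding, the key derivation is a plain HMAC standing in for the TLS PRF, and certificates are dictionaries signed by the issuer's key. The host name blog.csdn.net and the issuer names RealCA and CharlesRoot are assumed. It runs the handshake four times: directly against the real server, through Charles with its root not installed (the client rejects the forged certificate at step 3a), and the two legs of a proxied session with Charles's root installed, after which Charles holds enc_key for both.

```python
import hashlib
import hmac
import os

# Toy RSA keys from well-known primes (Mersenne, Curve25519 and Poly1305 primes).
# Textbook RSA, no padding, tiny moduli: for illustrating the protocol only.
def mersenne(k):
    return (1 << k) - 1

PRIMES = {
    "server":       (mersenne(127), mersenne(89)),
    "real_ca":      (mersenne(107), mersenne(61)),
    "charles_root": ((1 << 255) - 19, mersenne(31)),
    "charles_leaf": (mersenne(521), (1 << 130) - 5),
}

def keypair(p, q, e=65537):
    """Return ((n, e), (n, d)); pow(e, -1, m) is the modular inverse (Python 3.8+)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def rsa_encrypt(pub, data):            # c = m^e mod n  (data must be shorter than n)
    n, e = pub
    return pow(int.from_bytes(data, "big"), e, n)

def rsa_decrypt(priv, c, length):      # m = c^d mod n
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")

def digest16(*parts):                  # 16-byte hash: fits under every toy modulus
    return hashlib.sha256(b"|".join(parts)).digest()[:16]

def issue_cert(subject, pub, issuer, issuer_priv):
    """A certificate binds a host name to a public key under the issuer's signature."""
    tbs = digest16(subject.encode(), str(pub).encode(), issuer.encode())
    sig = pow(int.from_bytes(tbs, "big"), issuer_priv[1], issuer_priv[0])
    return {"subject": subject, "pub": pub, "issuer": issuer, "sig": sig}

def verify_cert(cert, host, trust_store):
    """Step 3a: the name must match and the issuer's root must be in the trust store."""
    root_pub = trust_store.get(cert["issuer"])
    if cert["subject"] != host or root_pub is None:
        return False
    tbs = digest16(cert["subject"].encode(), str(cert["pub"]).encode(), cert["issuer"].encode())
    return pow(cert["sig"], root_pub[1], root_pub[0]) == int.from_bytes(tbs, "big")

def derive_enc_key(random_c, random_s, pre_master):
    # Stand-in for the TLS key derivation: both ends must arrive at the same enc_key.
    return hmac.new(pre_master, random_c + random_s, hashlib.sha256).digest()

def finished(enc_key, transcript):     # the hashed handshake message of steps 3d / 5d
    return hmac.new(enc_key, transcript, hashlib.sha256).digest()

def handshake(client_trust, cert, cert_priv, host="blog.csdn.net"):
    """RSA key exchange between a client and whoever holds cert_priv (real server or Charles).
    Returns (client enc_key, server enc_key), or None if the client rejects the certificate."""
    random_c, random_s = os.urandom(32), os.urandom(32)            # steps 1 and 2
    if not verify_cert(cert, host, client_trust):                   # step 3a
        return None
    pre_master = os.urandom(16)                                     # step 3b
    enc_pre_master = rsa_encrypt(cert["pub"], pre_master)
    key_c = derive_enc_key(random_c, random_s, pre_master)          # step 3c
    fin_c = finished(key_c, random_c + random_s)                    # steps 3d and 4
    # Server side (step 5): recover Pre_master, derive the same key, check the MAC.
    key_s = derive_enc_key(random_c, random_s, rsa_decrypt(cert_priv, enc_pre_master, 16))
    if not hmac.compare_digest(finished(key_s, random_c + random_s), fin_c):
        raise ValueError("handshake MAC mismatch")                  # step 5c failed
    return key_c, key_s                                             # steps 6-8 follow

def scenarios():
    pub_s, priv_s = keypair(*PRIMES["server"])
    pub_ca, priv_ca = keypair(*PRIMES["real_ca"])
    pub_root, priv_root = keypair(*PRIMES["charles_root"])
    pub_leaf, priv_leaf = keypair(*PRIMES["charles_leaf"])
    real_cert = issue_cert("blog.csdn.net", pub_s, "RealCA", priv_ca)
    forged_cert = issue_cert("blog.csdn.net", pub_leaf, "CharlesRoot", priv_root)  # 2.2.2 step 2
    trusted = {"RealCA": pub_ca}
    with_charles_root = {"RealCA": pub_ca, "CharlesRoot": pub_root}    # 2.2.3: root installed
    return {
        "direct": handshake(trusted, real_cert, priv_s),
        "mitm_root_not_installed": handshake(trusted, forged_cert, priv_leaf),
        # Charles terminates the client leg with its forged key, then speaks to the
        # real server as an ordinary client; it now holds enc_key for both legs.
        "mitm_client_leg": handshake(with_charles_root, forged_cert, priv_leaf),
        "mitm_server_leg": handshake(trusted, real_cert, priv_s),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "rejected at step 3a" if result is None else result[0].hex()[:16])
```

The only difference between the rejected run and the successful proxied run is one entry in the client's trust store, which is exactly what installing the Charles root certificate does. Note that with the ephemeral Diffie-Hellman exchange of TLS 1.3 the proxy still needs the forged certificate to be trusted; it simply negotiates two DH keys instead of decrypting two Pre_masters.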

2.2.3 Demonstrating HTTPS capture with Charles

Once the principle is clear the operation is simple; the key step is the root certificate.

  • Install the Charles root certificate (Help > SSL Proxying > Install Charles Root Certificate)





  • Make the system trust the certificate (on macOS this means marking it as trusted in Keychain Access)





  • Add the HTTPS host to Charles's SSL Proxying Settings. 443 is the default HTTPS port.






    You can also use *:443 to capture all HTTPS traffic, as I did in the screenshot above.

  • Open the link you want to capture in the browser, and the HTTPS traffic appears in plain text in front of us just like HTTP.





3. Mobile packet capture

The principle is simple: put the phone and the capture tool on the same LAN, then set the phone's Wi-Fi proxy manually to the computer's IP and the port Charles listens on. Detailed steps are easy to find online; see blog.csdn.net/richer1997/…

Here I focus on HTTPS capture on the phone, which works the same way as in the browser:
  • First, install Charles's root certificate on the phone.





  • Clicking it pops up instructions: set the phone's proxy to the given IP and port, then open chls.pro/ssl in the phone's browser.





    Opening this link on the phone downloads the certificate and jumps to the install screen (mine is already installed; if yours is not, tap Install in the upper right corner).




  • With Charles's certificate installed as a root on the phone, Charles obtains enc_key exactly as in the PC case, and all traffic is transparent to it. Two caveats: on iOS the installed profile must also be given full trust under Settings > General > About > Certificate Trust Settings, and on Android apps targeting Android 7.0 (API 24) or later do not trust user-installed CAs by default, so such apps (and any app that pins its certificate) will refuse the connection rather than show plaintext.

4. Additional Charles features

When I started using Charles I used it only to capture requests, until I saw someone using Burp Suite to modify request data and repeat requests, and wondered whether Charles could do that too. As expected, it can.

Right-click a request and a context menu pops up. The ones I use most are Compose, Repeat, and Repeat Advanced.




Compose: build a custom request directly and execute it. Very handy during packet capture: we can work out which parameters an interface requires, and so on.
Repeat: simply re-send the request.
Repeat Advanced: an advanced repeat that lets you set how many times to repeat the request and the timing of the repeats. Very useful for load testing an interface.
Beyond these common functions Charles has more practical ones, such as filtering and sorting. Explore it yourself and find the features that work for you.
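Compose and Repeat Advanced as a script, for when the same thing has to happen from a crawler rather than by hand. This is an added example, not Charles's or the article's code: it takes a constructed copy of the "My Blog" request, rewrites a query parameter and the Cookie header (Compose), then sends it N times with a fixed concurrency (Repeat Advanced). To stay offline it starts a throwaway local HTTP server on 127.0.0.1 that echoes what it receives; the path /m694449212 and the cookie values are made up. The optional proxy argument of send() is how the same script would be routed through Charles (for example http://127.0.0.1:8888, Charles's default port), so that the scripted traffic shows up in the session list too.

```python
import http.server
import threading
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for the "My Blog" request seen in Charles (values made up).
CAPTURED = {
    "method": "GET",
    "url": "http://127.0.0.1/m694449212",
    "headers": {"User-Agent": "Mozilla/5.0",
                "Cookie": "uuid_tt_dd=10_1234567890; dc_session_id=10_1577777777777"},
}

def compose(captured, query=None, headers=None):
    """Charles 'Compose': copy a captured request and change query parameters / headers."""
    req = {"method": captured["method"], "url": captured["url"],
           "headers": dict(captured["headers"])}
    if query:
        parts = urllib.parse.urlsplit(req["url"])
        params = dict(urllib.parse.parse_qsl(parts.query))
        params.update(query)
        req["url"] = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(params)))
    if headers:
        req["headers"].update(headers)
    return req

def send(req, proxy=None, timeout=5):
    """Send one composed request. proxy=None ignores environment proxies; to route the
    script through Charles pass e.g. proxy='http://127.0.0.1:8888'."""
    handler = urllib.request.ProxyHandler({"http": proxy, "https": proxy} if proxy else {})
    opener = urllib.request.build_opener(handler)
    r = urllib.request.Request(req["url"], headers=req["headers"], method=req["method"])
    with opener.open(r, timeout=timeout) as resp:
        return resp.status, resp.read().decode()

def repeat_advanced(req, count, concurrency, proxy=None):
    """Charles 'Repeat Advanced': send the same request `count` times, `concurrency` at a time."""
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        return list(pool.map(lambda _: send(req, proxy), range(count)))

class EchoHandler(http.server.BaseHTTPRequestHandler):
    """Throwaway local server that echoes the path and Cookie header it received."""

    def do_GET(self):
        body = f"path={self.path} cookie={self.headers.get('Cookie')}".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def demo(count=10, concurrency=4):
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        captured = dict(CAPTURED, url=base + "/m694449212")
        # Compose: page 2 of the blog list, with the session cookie swapped out
        req = compose(captured, query={"page": "2"}, headers={"Cookie": "dc_session_id=REPLAY"})
        results = repeat_advanced(req, count, concurrency)   # Repeat Advanced
    finally:
        srv.shutdown()
        srv.server_close()
    return req["url"], results

if __name__ == "__main__":
    url, results = demo()
    print(url, len(results), results[0])
```

Keep the concurrency modest against anything you do not own: Repeat Advanced in a loop is a load test, and the same caution the summary gives about other people's networks applies to a script.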

Summary

Sometimes it is used to debug our own interfaces, sometimes to get useful work done, and of course it is "not recommended" for attacking other people's networks.






Life is not just the daily grind; there is also endless code to write and endless bragging to do.

Personal blog: www.alision.com

Github:www.github.com/xiyouMc