Intercept Traffic of Proxy Unaware Applications in BurpSuite

Nishith K
Apr 10, 2023

Problem Statement

We often come across mobile applications whose traffic we cannot intercept. No TLS errors for the in-scope domain appear in the Event Log on the Burp Dashboard (such errors would essentially suggest SSL pinning), yet the application works perfectly fine and receives data from the server.

If you’ve been frustrated by this problem before, welcome to the club. In this article I will first give a glimpse of why this happens and then give potential solutions, so next time you will be well prepared to catch this unknown traffic with an intercepting proxy like BurpSuite.

Why is BurpSuite not working?

When we encounter this situation, it is often due to the way the mobile application is written, or the framework used to write it. I have come across applications written in the Xamarin framework that ignore the Wi-Fi proxy settings.

In Flutter’s case, the app uses Dart, which is not proxy aware and uses its own certificate store. Hence, the application doesn’t take any proxy settings from the system and sends data directly to the server, so we cannot intercept the requests with an intercepting proxy.

Sometimes applications handle traffic with their own logic or use libraries that bypass the proxy settings.

Prerequisites

  1. Linux/Windows Host Operating System
  2. A Virtual Machine (Ubuntu preferred)
  3. Android/iOS Mobile phone

Solution

There can be multiple solutions to this problem. An interesting one is mentioned here by the NVISO Labs team.

We will be using a different approach by using a VPN. This method has been tested thoroughly and proven to be effective.

We will do it by setting up a VPN server between the test mobile device and the host running Burp. We may still encounter issues with certificate pinning and have to use Frida to bypass it, but running a VPN server that forwards to Burp will at least let us see all the traffic, either as requests in Burp or as TLS errors.

Setup

The setup we are using below requires a local VM. Some of these steps may change if we are running our environment differently (possibly in the cloud).

Step 1: Burp Invisible Proxy Settings

Burp has a really cool feature for this kind of use case, which can be found here.

The screenshot below shows the proxy listener set to “All interfaces” on a specific port.

In the edit window of the Proxy Listener, we also want to check the “support invisible proxying” option, which ensures that the traffic goes from the mobile device to the VPN, to the proxy, and back.

Step 2: Installing OpenVPN server

We can use a cloud-based server or install it in a separate VM on our computer. We can install the OpenVPN server on Ubuntu by following this article or use scripts to automate the process. We will use a script here to minimize complexity and save time. I highly recommend reviewing the script before running it on your device. I have used this script to install the OpenVPN server.

Run the script as the root user and provide the IP, which is our VM’s IP.

Provide details of Port and Protocol

Keep other settings default when asked

Provide client name and select passwordless client

Observe that our VPN file has been created.

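Note: We have kept most of the configuration at its defaults as we are just deploying for demo purposes.

Step 3: Import ovpn file in device

To import the ovpn file we have to move it to the device. There are several ways to copy the file, but the easiest for me is to run a Python server and download it on the device.

Run the Python server. http.server exposes every file in the directory it is started from, so start it in a directory that holds only the ovpn file and stop it after the download.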

python3 -m http.server

Import it in OpenVPN for Android

Step 4: Set iptables rules

Now that we have set up the server and client, we need to set iptables rules to redirect traffic from the OpenVPN server to the machine running the BurpSuite proxy.

If you are not familiar with iptables, I highly recommend going through this article.

After setting up the virtual machine and VPN server, we need to force all traffic that goes through our VPN to be directed to the specific port our Burp Suite proxy is listening on.

Flush all rules to start fresh if we have used iptables before on the system.

sudo iptables -F

Set the policy to accept all connections

sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT

Forward all HTTP and HTTPS traffic from the VPN network interface to the listening port in Burp Suite

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [BurpIP]:[ListeningPort]
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination [BurpIP]:[ListeningPort]
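
An added example, not part of the original post: a small generator for the Step 4 redirect that scopes the rules to the VPN interface with `-i` and also prints the matching `-D` rules, so the redirect can be removed later without flushing anything. The interface name `tun0` and the Burp address `192.168.56.1:8080` are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate interface-scoped redirect rules for Step 4.
# tun0 and 192.168.56.1:8080 are constructed sample values (assumptions).

valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: burp_redirect_rules add|del IFACE BURP_IP BURP_PORT
# Prints the commands; pipe the output to "sudo sh" to apply them.
burp_redirect_rules() {
    case $1 in
        add) flag=-A ;;   # append the redirect
        del) flag=-D ;;   # delete exactly the same rule, no table flush
        *) echo "action must be add or del" >&2; return 2 ;;
    esac
    case $2 in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $2" >&2; return 2 ;;
    esac
    valid_ipv4 "$3" || { echo "bad IPv4 address: $3" >&2; return 2; }
    valid_port "$4" || { echo "bad port: $4" >&2; return 2; }
    for dport in 80 443; do
        # -i limits the DNAT to packets arriving from VPN clients
        printf 'iptables -t nat %s PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$flag" "$2" "$dport" "$3" "$4"
    done
}

burp_redirect_rules add tun0 192.168.56.1 8080   # rules to apply
burp_redirect_rules del tun0 192.168.56.1 8080   # rules to undo afterwards
```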

Step 5: Connect the VPN

Step 6: Observe the traffic in Burp

We can observe that the traffic is going through BurpSuite now. As mentioned earlier, we can encounter issues with certificate pinning and have to use Frida or other methods to bypass the check.

Hope you learned something new and enjoyed my blog. Stay safe, stay curious.

Thanks for reading!

~Nishith K

Connect with me:

Twitter: https://twitter.com/busk3r

LinkedIn: https://www.linkedin.com/in/nishithkhadadiya
