https://github.com/kensh1ro/flutter-ssl-bypass

Flutter SSL pinning bypass using IP forwarding
https://github.com/kensh1ro/flutter-ssl-bypass

burpsuite bypass flutter okhttp3 pinning proxy ssl ssl-bypass ssl-pinning xamarain

Last synced: 6 months ago
JSON representation

Flutter SSL pinning bypass using IP forwarding

• Host: GitHub
• URL: https://github.com/kensh1ro/flutter-ssl-bypass
• Owner: kensh1ro
• Created: 2021-04-05T08:55:28.000Z (about 4 years ago)
• Default Branch: main
• Last Pushed: 2022-06-13T12:30:16.000Z (almost 3 years ago)
• Last Synced: 2024-08-05T17:40:46.224Z (9 months ago)
• Topics: burpsuite, bypass, flutter, okhttp3, pinning, proxy, ssl, ssl-bypass, ssl-pinning, xamarain
• Homepage:
• Size: 28.3 KB
• Stars: 47
• Watchers: 1
• Forks: 10
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-hacking-lists - kensh1ro/flutter-ssl-bypass - Flutter SSL pinning bypass using IP forwarding (Others)

README

        
# flutter-ssl-bypass

### tested on linux and osx

## i will assume that you already have burp's certificate installed to system CA store, if not then follow along

ATTENTION: this needs a rooted device

after exporting Burp's DER certificate, we need to change it to PEM format, although this isn't necessary, but it seems that Android CA store doesn't like DER format

`openssl x509 -inform der -in $CERT_NAME -out certificate.pem`

`openssl x509 -inform PEM -subject_hash_old -in certificate.pem | head -1` #my output was 9a5ba575

rename "certificate.pem" to the above command's output, for example:

`mv certificate.pem 9a5ba575.0`

now make sure you have an ADB connection to your device

`adb push 9a5ba575.0 /sdcard`

`adb shell`

`su`

`mount -o rw,remount /system`

`cp /sdcard/9a5ba575.0 /system/etc/security/cacerts`

`chmod 644 /system/etc/security/cacerts/9a5ba575.0`

`chown root:root /system/etc/security/cacerts/9a5ba575.0`

after that you should REBOOT!

**i will demonstrate by example to make the method easier to apply**

You will need:

- Android device (rooted physical phone preferred)

- a PC with linux installed

- a brain ;)

lets assume that our android device has the IP address 192.168.1.7

and linux PC got 192.168.1.9

## 1) **First step is to add the linux PC as a gateway for our Android device**

![image](https://user-images.githubusercontent.com/46089361/115142889-ccde2000-a04c-11eb-859f-9d5501a83f5c.png)

## 2) **Second step is to forward http/https traffic to Burp Suite** 

this step here only differs for osx users

### for linux:

`iptables -t nat -A PREROUTING -p tcp -j REDIRECT --dport 443 --to-ports 8080`

`sysctl -w net.ipv4.ip_forward=1`

NOTE: you can also add a redirect for port 80 to 8080 by changing `--dport 443` to `--dport 80`

### for osx:

`sudo sysctl -w net.inet.ip.forwarding=1`

`echo 'rdr pass inet proto tcp from any to any port {80,443} -> 127.0.0.1 port 8080' > pfctl.txt`

`sudo pfctl -f pfctl.txt -e`

## 3) **Third step is to let Burp Suite capture the forwarded traffic**

make sure to enable invisible proxying

![image](https://user-images.githubusercontent.com/46089361/115143520-868ac000-a050-11eb-9fad-5e3829a1f7da.png)

also you might want to listen on all interfaces, to avoid ip configuration hastle

![image](https://user-images.githubusercontent.com/46089361/115143599-0ca70680-a051-11eb-85b8-1eda41c4fce3.png)

at the end it should look something like this (pay attention to the User Agent):

![image](https://user-images.githubusercontent.com/46089361/115143751-dae26f80-a051-11eb-9d25-a74a9219d451.png)

## NOTE: This is applicable on all non-proxy aware libraries (Xamarin, Okhttp3..)