hacktricks/mobile-pentesting/android-app-pentesting/android-burp-suite-settings.md
2022-07-21 22:04:48 +02:00

6.1 KiB

Burp Suite Configuration for Android

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

{% hint style="danger" %}

Through Security Skills as a Service, we help organizations to defend against the Dark Hacking Arts. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering high-quality penetration testing results. Security Hubs bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a complete assessment of any risks.

{% embed url="https://securityhubs.io/" %} {% endhint %}

This tutorial was taken from: https://medium.com/@ehsahil/basic-android-security-testing-lab-part-1-a2b87e667533

Add a proxy in Burp Suite to listen.

Address: 192.168.56.1 & Port: 1337

Choose All Interfaces option.

Adding listener in Android device.

Setting → Wifi →WiredSSID (Long press)

Choose Modify network → Check Advance options.

Select Proxy to the manual

Testing connection over http and https using devices browser.

  1. http:// (working) tested — http://ehsahil.com

2. https:// certificate error — https://google.com

Installing burp certificate in android device.

Download burp certificate. — Use your desktop machine to download the certificate.

https://burp

Click on CA certificate download the certificate.

The downloaded certificate is in cacert.der extension and Android 5.* does not recognise it as certificate file.

You can download the cacert file using your desktop machine and rename it from cacert.der to cacert.crt and drop it on Android device and certificate will be automatically added into file:///sd_card/downloads.

Installing the downloaded certificate.

Settings →Security →Install certificate from SD cards

Now, goto: sdcard →Downloads → Select cacert.crt

Now, Name it as anything “portswigger”

You also need to setup the PIN before adding certificate. Verifying the installed certificate using trusted certificates.

Trusted certificates →Users

After installing Certificate SSL endpoints also working fine tested using → https://google.com

{% hint style="info" %} After installing the certificate this way Firefox for Android won't use it (based on my tests), so use a different browser. {% endhint %}

{% hint style="danger" %}

Through Security Skills as a Service, we help organizations to defend against the Dark Hacking Arts. Security Skills as a Service is an offensive cybersecurity consultancy model that combines an Intelligent Platform with the top-class, globally distributed, offensive security engineers, delivering high-quality penetration testing results. Security Hubs bring together offensive penetration testing tactics with human behavioral science, providing real-time insights into threat actors' tradecraft and a complete assessment of any risks.

{% embed url="https://securityhubs.io/" %} {% endhint %}

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.