Test android app using nogotofail

bcna...@gmail.com

Jan 14, 2015, 10:46:26 AM
to nogot...@googlegroups.com
I have an Android app running either on my Windows desktop or my Ubuntu VirtualBox (it can be run on either, so whichever is easier I'll run it on that). My Android app connects to a C# server that is running locally, once again either on Windows or Linux.
I want to use nogotofail to test for any vulnerabilities.
I'm a little confused on how to get things running. I'm confused on the commands to get nogotofail running and if I need to provide a certificate. I'm also confused what I put as the host name in the nogotofail Android app.
I saw one tutorial in a forum where the command was "python -m nogotofail.mitm -a -v" but when I run this, I get an error saying -a -v are unrecognized commands.

bryan nafegar

Jan 21, 2015, 10:41:53 AM
to nogot...@googlegroups.com
Ok, I read that -a -v are now defaults apparently, so that answers that. But I still get no information from nogotofail.mitm. Just a bunch of connection established and closed over and over again.

Chad Brubaker

Jan 21, 2015, 1:46:57 PM
to bryan nafegar, nogot...@googlegroups.com
Hi Bryan,

Sorry I missed your earlier email.

Could you include a bit of the logs you're seeing? If all the traffic your device is making is using SSL you probably won't see anything besides connection start/close unless an attack succeeds. You can also get more output with the -d flag, but I'm not sure that will help.

If you're doing HTTP and you don't see any httpdetection messages then something is not selecting those handlers, either the Android client has the "Custom list of attacks" checked in Settings->Attacks or the mitm was started with some attacks set with the -A and -D flags.

Chad

--
You received this message because you are subscribed to the Google Groups "nogotofail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nogotofail+...@googlegroups.com.
To post to this group, send email to nogot...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nogotofail/645d734e-000a-44f4-bc12-5d68897fbf49%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

bryan nafegar

Jan 21, 2015, 2:41:10 PM
to nogot...@googlegroups.com
This is the log I get:

2015-01-21 13:33:15,609 [INFO] [10.0.11.197:43694<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,610 [INFO] [10.0.11.197:43697<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,610 [INFO] [10.0.11.197:43696<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,610 [INFO] [10.0.11.197:43695<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,611 [INFO] [10.0.11.197:43698<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,611 [INFO] [10.0.11.197:43697<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,611 [INFO] [10.0.11.197:43696<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,612 [INFO] [10.0.11.197:43699<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,612 [INFO] [10.0.11.197:43698<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,612 [INFO] [10.0.11.197:43697<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,613 [INFO] [10.0.11.197:43700<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,613 [INFO] [10.0.11.197:43699<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,614 [INFO] [10.0.11.197:43698<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,615 [INFO] [10.0.11.197:43701<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,615 [INFO] [10.0.11.197:43700<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,616 [INFO] [10.0.11.197:43699<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,618 [INFO] [10.0.11.197:43702<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,618 [INFO] [10.0.11.197:43701<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,618 [INFO] [10.0.11.197:43700<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,619 [INFO] [10.0.11.197:43703<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,619 [INFO] [10.0.11.197:43702<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,619 [INFO] [10.0.11.197:43701<=>10.0.11.197:443 logging](Unknown) Connection closed
2015-01-21 13:33:15,621 [INFO] [10.0.11.197:43704<=>10.0.11.197:443 logging](Unknown) Selected for connection

This log just repeats over and over again, and sometimes I get the error that "too many files are open"
For reference here is my setup:

Linux Ubuntu with IP address is 10.0.11.197

I type in:  sudo python -m nogotofail.mitm --port 443

In the Android Client app that comes with nogotofail for the host I put 10.0.11.197 with port 443

The C# server that I can connect to from my personal Android app that uses SSL and certificates is running on the same Ubuntu machine, though I can run it on the Windows side (same machine) or on another Windows machine with a different IP address... I never get any notifications on the Android client saying there could be vulnerabilities, though I believe there should be. Do I need to follow the Walkthrough and use proxychains for testing Android? Also, I can't run the C# server and nogotofail on Linux at the same time because it says the address is already in use so I can change the port for mitm and nogotofail Android.


Chad Brubaker

Jan 21, 2015, 2:50:43 PM
to bryan nafegar, nogot...@googlegroups.com

Ack, that looks like it's getting into a connection loop...

Can you give me the output of
$ iptables -t mangle -L -v
And
$ ip rule show

It should avoid trying to mitm connections to the local device to prevent this, not sure why it isn't in your setup.


bryan nafegar

Jan 21, 2015, 2:54:40 PM
to nogot...@googlegroups.com
Here is iptables:
Chain PREROUTING (policy ACCEPT 861 packets, 151K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 861 packets, 151K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 835 packets, 80373 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 835 packets, 80373 bytes)
 pkts bytes target     prot opt in     out     source               destination   
  ip rule show:
  0: from all lookup local 
32766: from all lookup main 
32767: from all lookup default 
        

Chain POSTROUTING (policy ACCEPT 835 packets, 80373 bytes)
 pkts bytes target     prot opt in     out     source               destination   

Chad Brubaker

Jan 21, 2015, 2:59:34 PM
to bryan nafegar, nogot...@googlegroups.com

Try running nogotofail with --mode tproxy and then with --mode redirect and see if either works, you may be hitting a routing issue...


bryan nafegar

Jan 21, 2015, 3:02:05 PM
to nogot...@googlegroups.com
Same thing with both modes. When you say routing issue, would it be something I can change?


Chad Brubaker

Jan 21, 2015, 3:25:00 PM
to bryan nafegar, nogot...@googlegroups.com
Wait, do you set the port for client to 443? That might be the problem.

The port set by --port is the one used for the MiTM itself, the port used to listen for clients is currently hardcoded to 8443.

In general nogotofail reacts poorly if you try and connect to the listening socket itself since it expects to be connecting to the destination of the original connection, leading to a loop. I'll add some checking to prevent this as it tends to kill the mitm when it happens.


bryan nafegar

Jan 21, 2015, 3:42:15 PM
to nogot...@googlegroups.com
Ok so just so I understand:

When you say client, which are you talking about? I set the Host Address in the Android client that comes with nogotofail to: IP address: 10.0.11.197 port: 443.

My C# server that I can connect to listens on port 443, though I can change it if needed. I input the address and port number in MY Android app and set port to 443.

The command I give for MITM is: python -m nogotofail.mitm --port 443 --mode whichever

So which of these should I change?
I can't change the command to 8443 because it said the address is already in use, but if I leave port out completely it runs. Sorry to be asking so many questions but I've been trying this for 6 days with no luck.


Chad Brubaker

Jan 21, 2015, 3:46:18 PM
to bryan nafegar, nogot...@googlegroups.com
The mitm uses two ports, the one specified by --port is for the MiTM socket itself, you don't want to be connecting to it directly ever. The socket that the android client should be connecting to is listening on 8443.

Set your Android client to connect to 10.0.11.197 8443 instead of 10.0.11.197 443 and it should work.


bryan nafegar

Jan 21, 2015, 5:03:41 PM
to nogot...@googlegroups.com
Ok so here is what I have now:

I run: $python -m nogotofail.mitm --port 443 

In the Android Client that comes WITH nogotofail I put: 10.0.11.197 port 8443

In the client I get Connection closed by peer, with nothing happening in the log. 

In MY app what do I connect to, my original server at 10.0.11.197 port 8443?

This is what I think is supposed to happen, let me know If I'm confused:

MY CLIENT(connect to server via 8443)-->  <--(8443)--MITM--(443)--> <--(443)Server 


Chad Brubaker

Jan 21, 2015, 5:13:33 PM
to bryan nafegar, nogot...@googlegroups.com
On Wed, Jan 21, 2015 at 2:03 PM, bryan nafegar <bcna...@gmail.com> wrote:
> Ok so here is what I have now:
>
> I run: $python -m nogotofail.mitm --port 443
>
> In the Android Client that comes WITH nogotofail I put: 10.0.11.197 port 8443
>
> In the client I get Connection closed by peer, with nothing happening in the log.

The Android client connects over SSL, you'll need to run nogotofail.mitm with the `--serverssl server.crt` argument to have the mitm listen for ssl connections instead of cleartext, see https://github.com/google/nogotofail/blob/dev/docs/getting_started.md for how to generate server.crt.

> In MY app what do I connect to, my original server at 10.0.11.197 port 8443?
>
> This is what I think is supposed to happen, let me know If I'm confused:
>
> MY CLIENT(connect to server via 8443)-->  <--(8443)--MITM--(443)--> <--(443)Server

This isn't quite right. There are basically two connections

CLIENT APP <--> MITM:8443. No device traffic goes over this connection, this is only for diagnostics and configuration on the client

CLIENT DEVICE <---> MITM:443 <----> INTERNET. This is where the actual MITM is. The port you use here for the MITM doesn't matter as the MiTM will set up routing rules such that all traffic passing through is routed to it. All your TCP traffic from the client device goes through this except for traffic destined for the MITM itself (ie: the client<->MITM connection).

When you connect to, for example, 111.222.333.444:5678 from your client device you will see a connection like:
CLIENT DEVICE <--> MITM:443 <---> 111.222.333.444:5678




bryan nafegar

Jan 21, 2015, 5:38:37 PM
to nogot...@googlegroups.com
OK, so I generated the server.crt and I run the command just like in the Walkthrough except for the port, still not sure which port I should put there.
In the Android Client that comes with nogotofail I put the address 10.0.11.197 and port 8443 and I get nothing in the log and it still says connection closed by peer. Now because my server is on my local machine I'm not sure if that will affect anything.


Chad Brubaker

Jan 21, 2015, 5:45:37 PM
to bryan nafegar, nogot...@googlegroups.com
The android client should show a notification asking you to trust the MiTM server the first time you connect to it, do you see one?

You don't normally need to set --port, it is only if you have some other service using 8080 and need to resolve a conflict.


bryan nafegar

Jan 21, 2015, 5:56:58 PM
to nogot...@googlegroups.com
Finally!!! LOL Thank you I got the message. So any advice on what to do from here? I connect to my server and don't really get anything in the log. Thank you again 


Chad Brubaker

Jan 21, 2015, 6:04:30 PM
to bryan nafegar, nogot...@googlegroups.com
Yay! :).

The standard way I've done testing is to just exercise the app you want to test; if Nogotofail detects any issues it'll log them, and if you're using the client you'll get a nice little notification when one is detected. Nogotofail is designed so that you can use the app normally and it will test with some low probability that'll get test coverage over time but will keep the app usable.

Nogotofail will log basic information about all the connections, this is mainly so you can see what the device is doing even if we don't detect any vulnerabilities.

There is some trickiness in determining if an attack failed so for the most part we don't try and say when an attack failed, however if you see something like:

2015-01-15 04:38:49,451 [INFO] [... invalidhostname](...) SSL connection established

Followed by

2015-01-15 04:38:49,504 [INFO] [... invalidhostname](...) Connection closed

The invalid hostname SSL attack probably failed, or it closed before any data was sent. You can try running the mitm with the -d flag, at which point you'll see any SSL exceptions the client may have sent (though some SSL stacks might just close the connection instead of sending an SSL exception).



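[Added example, not part of the thread and not nogotofail's own code.] The two log patterns discussed above can be checked mechanically: connections whose destination is the MiTM socket itself (the loop in the log posted earlier), and an attack handler whose "SSL connection established" is followed directly by "Connection closed". The function names, the documentation-range addresses and the treatment of the "logging" handler as passive are assumptions made for this sketch.

```python
import re

# Layout of the mitm log lines quoted in this thread:
# <date> <time> [LEVEL] [<src>:<port><=><dst>:<port> <handler>](<app>) <message>
LINE_RE = re.compile(
    r"^\S+ \S+ \[\w+\] "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+)<=>(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<handler>[^\]\s]+)\]\((?P<app>[^)]*)\) (?P<msg>.*)$"
)

# The first four lines and the "Blame:" line are copied from posts in this thread.
# The remaining lines are constructed (documentation-range addresses) to show the
# established-then-closed pattern described above.
SAMPLE = """\
2015-01-21 13:33:15,610 [INFO] [10.0.11.197:43697<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,611 [INFO] [10.0.11.197:43698<=>10.0.11.197:443 logging](Unknown) Selected for connection
2015-01-21 13:33:15,611 [INFO] [10.0.11.197:43697<=>10.0.11.197:443 logging](Unknown) Connection established
2015-01-21 13:33:15,612 [INFO] [10.0.11.197:43697<=>10.0.11.197:443 logging](Unknown) Connection closed
[INFO] Blame: New client from 10.0.11.243
2015-01-15 04:38:49,451 [INFO] [192.0.2.10:50001<=>198.51.100.7:443 invalidhostname](Unknown) SSL connection established
2015-01-15 04:38:49,504 [INFO] [192.0.2.10:50001<=>198.51.100.7:443 invalidhostname](Unknown) Connection closed
2015-01-15 04:38:50,100 [INFO] [192.0.2.10:50002<=>198.51.100.7:80 logging](Unknown) Connection established
2015-01-15 04:38:50,300 [INFO] [192.0.2.10:50002<=>198.51.100.7:80 logging](Unknown) Connection closed
"""


def parse(lines):
    """Group messages per connection, keeping the order they were logged in."""
    conns = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:  # e.g. "Blame:" lines, which carry no connection tuple
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        conn = conns.setdefault(key, {"handler": m["handler"], "msgs": []})
        conn["msgs"].append(m["msg"])
    return conns


def find_loops(conns, mitm_ip, mitm_port):
    """Connections whose destination is the MiTM socket itself."""
    return sorted(k for k in conns if (k[2], k[3]) == (mitm_ip, mitm_port))


def probably_failed(conns, passive=("logging",)):
    """Attack handlers where the SSL handshake completed and the very next
    message is the close. Assumption: "logging" only observes, so it is skipped."""
    failed = []
    for key, conn in conns.items():
        if conn["handler"] in passive:
            continue
        msgs = conn["msgs"]
        for first, second in zip(msgs, msgs[1:]):
            if first == "SSL connection established" and second == "Connection closed":
                failed.append((key, conn["handler"]))
                break
    return failed


if __name__ == "__main__":
    conns = parse(SAMPLE.splitlines())
    # 10.0.11.197:443 is where the mitm was started with --port 443 in this thread.
    for key in find_loops(conns, "10.0.11.197", 443):
        print("loop: %s:%d -> %s:%d" % key)
    for key, handler in probably_failed(conns):
        print("%s probably failed on %s:%d -> %s:%d" % ((handler,) + key))
```

Any hit from find_loops means something is connecting straight to the --port socket, which is the misconfiguration diagnosed earlier in the thread.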

bryan nafegar

Jan 22, 2015, 11:54:16 AM
to nogot...@googlegroups.com
Ok, so picking up from yesterday, I put this as a command:

sudo python -m nogotofail.mitm --serverssl server.crt -d --mode socks -t traffic.log -e event.log 

In the Android Client app that comes with nogotofail:

10.0.11.197 8443 

I see:
Blame: Connection from XX.X.XX.XXX:42870
Blame: New Client from XX.X.XX.XXX

and that's it, I don't see anything in the traffic.log file or event.log. I'm not sure what's going on now...


bryan nafegar

Jan 27, 2015, 4:54:29 PM
to nogot...@googlegroups.com, bcna...@gmail.com
I'm still not getting anything in the log. I have tried to have two network interfaces in Linux, I have tried USB tethering from my tablet, nothing... any help would be appreciated.

Chad Brubaker

Jan 27, 2015, 5:02:18 PM
to bryan nafegar, nogot...@googlegroups.com
Is your client routing through the machine running nogotofail? Nothing showing up in the logs probably means traffic is getting routed to the tool.

bryan nafegar

Jan 27, 2015, 5:10:35 PM
to nogot...@googlegroups.com, bcna...@gmail.com
I'm not sure about the routing. When I connect I get: [INFO] Blame: New client from 10.0.11.243. This is the IP address of my tablet. I can connect to the internet still but with no logging or anything. I can even test my Android app that connects to 10.0.11.197:443 with SSL. How would I route the traffic through my machine running MITM (10.0.11.197)?

yzni...@gmail.com

Jan 27, 2015, 5:44:09 PM
to nogot...@googlegroups.com
Bryan - I had a similar issue - my android client would connect to the nogotofail.mitm proxy and I could access the Internet from my device - but no entries were being generated in the output log.

When I started using "tproxy" mode for nogotofail.mitm it worked.
 

Chad Brubaker

Jan 27, 2015, 5:47:00 PM
to yzni...@gmail.com, nogot...@googlegroups.com
Yeah, make sure you're using either tproxy or redirect mode and that your device is connected to the Internet through the machine running nogotofail (you can do this with a WiFi card for a laptop, on a custom router like a pineapple, or ethernet if your device supports it).


bryan nafegar

Jan 27, 2015, 5:49:10 PM
to nogot...@googlegroups.com, yzni...@gmail.com
OK, I do run it with tproxy. Can you give me step by step what you did?

I created the server.crt described in the walkthrough.

Did you do anything with proxychains? Do you have two network interfaces and routing traffic through one? Do you use the Android client that comes with Nogotofail?

I'm at my wits' end over this. Been trying everything I can think of for over a week.

yzni...@gmail.com

Jan 27, 2015, 6:17:18 PM
to nogot...@googlegroups.com
Bryan - I am using a physical machine as my nogotofail.mitm proxy (Raspberry Pi model B+). It has 2 network interfaces, wifi (wlan0) and ethernet (eth0). The wifi interface is acting as an access point, and eth0 connects to the Internet.

- I used the following iptable rules to route traffic from eth0 to wlan0:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

(I'm not an iptables ninja - I experimented with different rules and these seemed to work for me)

- I start the nogotofail.mitm service on my Raspberry Pi using the following command:
sudo python -m nogotofail.mitm --serverssl server.crt -d --mode tproxy -l output.log -e event.log -c ngtf.conf

(My ngtf.conf is just a copy of the example.conf file on github)
(I don't use proxychains - your Android apps will generate their own traffic. In the examples proxychains was used to generate test traffic to verify the Linux nogotofail client)

- I compiled the nogotofail android client (I used Android studio, but I believe it's an Eclipse project).

- I then side-loaded the compiled nogotofail android client (apk) on my tablet. In the nogotofail android client I specify the IP address for wlan0 and port 8443 for the proxy. After clicking "Reconnect" on the android client, you should see "<wlan0 ip-address>:8443 connected" if it finds it.

- I then ran my android apps I want to test, and (fingers-crossed) you should see some traffic generated in the output and event logs.

bryan nafegar

Jan 28, 2015, 10:17:13 AM
to nogot...@googlegroups.com, yzni...@gmail.com
Thanks for all of your help. Do you know of any possible way to do this without Raspberry Pi? I have a laptop, running Windows and Linux via VirtualBox. I also have a desktop that runs Windows.

Chad Brubaker

Jan 28, 2015, 6:13:32 PM
to bryan nafegar, nogot...@googlegroups.com, Manny J
When I'm just testing things I prefer to use a laptop with a USB wireless access point (my laptop's WiFi doesn't support AP mode) and an ethernet connection to the Internet and then have my devices connect to the AP.


yzni...@gmail.com

Jan 29, 2015, 2:51:01 AM
to nogot...@googlegroups.com, bcna...@gmail.com
Bryan - I believe it is possible to set up a Linux virtual machine to act as a nogotofail transparent proxy. Although I have heard that VMs don't always work reliably when interfacing with wi-fi adapters.

The mitmproxy project has a good guide on how to set up a Linux (Ubuntu 12.04) transparent proxy using VirtualBox. This should be an almost identical setup to what you need:
http://mitmproxy.org/doc/tutorials/transparent-dhcp.html

If your laptop wireless adapter doesn't support access point (AP) mode, you'll need to purchase a separate USB wi-fi adapter. Raspberry Pi provides a list of adapters that should work as APs.
http://elinux.org/RPi_USB_Wi-Fi_Adapters
(unfortunately I'm not sure how to check if your current adapter supports AP mode)

I used hostapd to configure my wi-fi adapter as an AP in Linux. Here is an online tutorial on how you can do this for Ubuntu.
http://blog.mirjamali.com/en/IT/Linux/hostapd