Remote host closed connection during handshake : Burp Certificate in Android


Abhijit Maity

Nov 12, 2014, 2:19:26 AM
to null-...@googlegroups.com
Hi,

I have been trying day and night to intercept Android traffic through Burp. I can successfully intercept all HTTP traffic through Burp, but HTTPS is not getting intercepted.

The following are the version details:

1. BurpSuite 1.6
2. Java 1.6
3. Android 4.4.2
4. ProxyDroid 2.7.0

The following steps were followed by me:

1. Android phone is rooted.
2. Connected Wifi in same network as my laptop and while connecting to wifi I went to advanced options to use proxy ip as my laptop's IP and port as 8080.
3. Installed ProxyDroid in Android device and enabled global proxy of all HTTP to my laptop's IP and port as 8080.
4. On my laptop, I downloaded the Burp certificate from http://burp, converted it to .crt format and installed it on my phone through the install certificate from SD card option in Settings > Security. The certificate has been successfully installed and shows the "Network may be monitored" alert continuously. It is present in the trusted certificate list under the User tab.
5. Now when I open any HTTP site through the phone's browser, it opens successfully and gets intercepted by Burp on my laptop.
6. But when I open any HTTPS site from the phone's browser, it is not intercepted and no error is shown in the BurpSuite alert tab.
7. When I try to browse native android app which uses HTTPS protocol, it is also not intercepted but shows "The client failed to negotiate an SSL connection to DOMAIN:443: Remote host closed connection during handshake". [ DOMAIN is the actual domain name ]

I am not able to get out of this problem no matter what I try. Please help me.

Rajesh A.

Nov 12, 2014, 2:26:07 AM
to null-...@googlegroups.com
If no solution, please reply back.

--
_______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Thank You.
Regards.
Rajesh A.

Akash

Nov 12, 2014, 2:38:59 AM
to null-...@googlegroups.com
There are a bunch of things you can try.

First, what is the Proxy Type set in ProxyDroid?

Secondly, do you have tcpdump/Wireshark on your laptop to confirm that traffic left your Android device and reached the laptop?


--
Warm regards,
Akash Mahajan

That Web Application Security Guy | +91 99 805 271 82
akashm.com | @makash on twitter | linkd.in/webappsecguy
OWASP Bangalore Chapter Lead | null Community Manager

Gowtham

Nov 12, 2014, 2:58:53 AM
to null-...@googlegroups.com
Hi,

Try using a proxy called "Fiddler": install its cert on the phone and route the Fiddler traffic through Burp. Hope this works.

--Gowtham

Abhijit Maity

Nov 12, 2014, 3:25:55 AM
to null-...@googlegroups.com
@Akash
1. Proxy type is set to HTTP in ProxyDroid. I have also tried setting it to HTTPS, but with no effect.
2. I have seen in Wireshark that traffic is going through my laptop. My phone and laptop try to exchange certificates, but after this step (Encrypted Handshake Message, Encrypted Alert, from my laptop to the device), my device again sends a CLIENT HELLO message to my laptop, and this continues again and again. The error I mentioned in my original post was found in Burp in the case of SSL connections.

@Gowtham

Will try and let you know

@R@J

I had similar problems with the Java version, as I had Java 1.8 previously. But I have Java 1.6 now, as mentioned in my original post. Also, with Charles I am able to see the traffic, but it's all encrypted and hence of no use. I am always fond of BurpSuite and I am trying to find the reason why it is not working with Burp. Please suggest.
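How to read the record sequence described in the message above, as an added example that is not part of the original thread: it labels TLS records the way a Wireshark summary does (TLS 1.2-style record framing assumed) and flags a stream where an alert ends the handshake before any application data flows. The byte strings are constructed samples, not a capture from this setup.

```python
import struct

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

def label_records(stream: bytes) -> list:
    """Label each TLS record in one direction of a TCP stream, in capture order."""
    labels, offset, after_ccs = [], 0, False
    while offset + 5 <= len(stream):
        # Record header: content type (1), protocol version (2), length (2).
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) < length:
            break  # capture was cut off mid-record
        name = CONTENT.get(ctype, "Unknown(%d)" % ctype)
        if ctype == 20:
            after_ccs = True  # everything this side sends from now on is encrypted
        elif after_ccs and ctype in (21, 22):
            name = "Encrypted " + name  # type is visible, contents are not
        elif ctype == 22 and body:
            # Only the first handshake message in the record is labelled.
            name = HANDSHAKE.get(body[0], "Handshake(%d)" % body[0])
        labels.append(name)
        offset += 5 + length
    return labels

def handshake_aborted(labels: list) -> bool:
    """True when an alert was sent and no application data ever flowed."""
    return any("Alert" in l for l in labels) and "ApplicationData" not in labels

def _rec(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def _hs(msg_type: int, payload: bytes = b"") -> bytes:
    return _rec(22, bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload)

# Constructed sample: proxy-to-device records ending in an encrypted alert.
PROXY_TO_DEVICE = (_hs(2, b"\x03\x03") + _hs(11, b"\x00" * 8) + _hs(14)
                   + _rec(20, b"\x01") + _rec(22, b"\xaa" * 40) + _rec(21, b"\xbb" * 26))
# Constructed sample: the device's retry, a lone ClientHello on a new connection.
DEVICE_RETRY = _hs(1, b"\x03\x03" + b"\x00" * 32)

if __name__ == "__main__":
    for stream in (PROXY_TO_DEVICE, DEVICE_RETRY):
        labels = label_records(stream)
        print(labels, "aborted" if handshake_aborted(labels) else "no alert seen")
```

An encrypted alert hides its level and description, so the capture alone shows that the handshake was torn down, not why.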

Anant Shrivastava

Nov 12, 2014, 3:28:26 AM
to null-...@googlegroups.com
OK, so let's analyze the situation and plan a course of action.

What is the situation:
1) Proxy configured in the Wi-Fi settings.
2) Proxy configured again in the ProxyDroid application.
3) HTTP working fine.
4) HTTPS gives an error.

What we can try:
1) Prefer keeping only one of the Wi-Fi or ProxyDroid settings; no point doing it twice.
2) As suggested by Akash, if possible use tcpdump or download Shark for Android and run it. You will see a dump file created which can be opened in Wireshark on the laptop. This will help you identify whether the traffic is actually HTTP/HTTPS, because Burp will not understand non-HTTP/HTTPS traffic.
3) If HTTPS traffic is not connecting at all, even in the browser, do check it with some known connectable site. If it's Chrome, Google might not be the one to check, as its HSTS policy is hardcoded in it. So try, say, https://ironwasp.org to check the connectivity.
4) If you still have a problem, it's better to check the certificate, and hope that you have the correct certificate imported. (Personally, I would redo the steps.)
5) Instead of downloading the cert on the system and then transferring it, I apply a quick hack: configure the proxy, then open up ip:8080 (the Burp port) and download the CA cert from there directly on the Android device. Rename the cert extension from der to pem and then use it to import in the Cert section. There, make sure you import it for Wi-Fi and not VPN/app.
6) Your reference check would be whether the browser starts working over HTTPS.

If not, you might want to repeat the above checks.

Hope this helps.
Anant Shrivastava
Web : http://anantshri.info
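On the certificate handling discussed in the original post (converting to .crt) and in the message above (renaming der to pem), an added example that is not part of the thread: renaming changes only the file name, so this checks the actual encoding by content, converts it properly, and computes a fingerprint that can be compared with the one the device shows for the installed certificate, where it displays one. `SAMPLE_DER` is a constructed placeholder, not Burp's CA certificate.

```python
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def detect_encoding(data: bytes) -> str:
    """Classify certificate bytes by content; the file extension is ignored."""
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    if data[:1] == b"\x30":  # DER starts with an ASN.1 SEQUENCE tag
        return "DER"
    return "unknown"

def to_der(data: bytes) -> bytes:
    """Return the raw DER bytes whichever encoding the file really holds."""
    kind = detect_encoding(data)
    if kind == "PEM":
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    if kind == "DER":
        return data
    raise ValueError("not a PEM or DER certificate")

def to_pem(data: bytes) -> bytes:
    """Produce real PEM text (base64 body plus BEGIN/END lines)."""
    return ssl.DER_cert_to_PEM_cert(to_der(data)).encode("ascii")

def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated digest of the DER bytes, identical for both encodings."""
    digest = hashlib.new(algo, to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-in for a downloaded cacert.der: a tiny ASN.1 SEQUENCE,
# not a real certificate, so the example runs without any files.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])

if __name__ == "__main__":
    renamed = SAMPLE_DER            # "cacert.pem" after a rename: same bytes
    converted = to_pem(SAMPLE_DER)  # after an actual conversion
    print(detect_encoding(renamed), detect_encoding(converted))
    print(fingerprint(renamed) == fingerprint(converted))
```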

Akash

Nov 12, 2014, 4:13:45 AM
to null-...@googlegroups.com
The confusing part is that nothing is visible in the alerts tab.

If the traffic is reaching your laptop then ideally it should reach Burp as well.

Things to check

1. Burp Listener is created to listen on external interface
2. If yes for #1 then check in Options | Connections | Out of Scope that you are not dropping out of scope requests
3. If yes for #2 check in Proxy | Options | SSL Passthrough that the domain that you are trying to connect to isn't listed there.



Abhijit Maity

Nov 12, 2014, 4:52:13 AM
to null-...@googlegroups.com
@Anant

Let me tell you the steps I have done:

1. Connected my phone with WIFI providing IP and port of laptop in advanced settings.
Disabled settings from ProxyDroid.

2. I have seen in Wireshark that traffic is going through my laptop. My phone and laptop try to exchange certificates, but after this step (Encrypted Handshake Message, Encrypted Alert, from my laptop to the device), my device again sends a CLIENT HELLO message to my laptop, and this continues again and again. The error I mentioned in my original post was found in Burp in the case of SSL connections.
3. https://ironwasp.com opens successfully from the phone browser. This traffic was visible in Wireshark but not in BURP, not even an alert from BURP about handshake failure.
4. I have imported the certificate again, and this time I changed the extension from .der to .pem. The certificate is shown on the phone under Trusted certificates > User.

So HTTPS sites are opening successfully in the browser but with no interception in BURP. Also, native apps which use HTTPS are still not opening and show a network failure or unknown error on the phone when I open the app.

@Akash

I have rechecked the BURP settings. It's all fine. Wireshark is showing SSL handshake packets, but BURP neither intercepts them nor shows any alert.

Abhijit Maity

Nov 12, 2014, 5:39:57 AM
to null-...@googlegroups.com
@Gowtham
Thanks a lot Gowtham, your solution has worked. I think that is the only way we can use BurpSuite to intercept mobile traffic. Thanks a lot.

@everyone else
Thanks for sharing your solutions. It's highly appreciated.



Gowtham

Nov 12, 2014, 6:56:05 AM
to null-...@googlegroups.com
Great !!! Cheers Abhijit.  :)

--Gowtham
