Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Sniffer Android Sin Root
35 views
Skip to first unread message
Eryn Diamante
Dec 30, 2023, 12:57:42 PM12/30/23
to
Before you jump to the Wireshark alternatives for Android list, you should know that most of them requires root access to capture packets. The reason being the promiscuous mode or monitor mode. You will see every packet being transmitted over the network when running a packet sniffer tool in promiscuous mode. If it is not separately encrypted, all traffic can be read and analyzed.
In general, most Windows computers require a separate WiFi adapter to enable promiscuous mode, while some macOS devices can use the built-in WiFi card in promiscuous mode. Android, on the other hand, can also use the built-in WiFi adapter for promiscuous mode. But to prevent its misuse, most manufacturers turn off this feature. And the only way to bypass this is with root access. In short, without root, you can only monitor traffic from your device. Also for obvious reasons, most of the following apps are not available on Google Play Store.
sniffer android sin root
Download https://labi-vgradmu.blogspot.com/?n=2wZ3m3
zAnti is not just a simple network sniffer, it is a complete penetration testing tool for your Android device. You can do complete network testing and a whole lot of other tests with a simple tap of a button. Some of the things you can do with zAnti include, but is not limited to, modifying HTTP requests and responses, exploiting routers, hijacking HTTP sessions, changing MAC address, and checking target device for vulnerabilities. Apart from that, zAnti can also find security gaps within your existing network and gives you detailed reports on how to fortify the defenses to protect your network from possible attacks.
Being a complete penetration testing tool that was specifically designed for professionals and businesses in mind, zAnti needs root access to work. Moreover, for most advanced features to work, it will change a few SELinux configuration settings and put your device into permissive mode. So, if you chose to go with zAnti, I would recommend that you use a dedicated device that is separate from your work or personal device.
zAnti and cSploit are full-fledged penetration testing tools with all the bell and whistles for Android but not everyone needs them. Packet Capture is a dedicated app to capture and record network packets. Using this app, you can not only capture and record packets but also decrypt SSL communication using MITM (man in the middle) attack. Since Packet Capture uses a local VPN to capture and record all your traffic, it can run without root permissions. If you are looking for a simple and straightforward packet capture app then try Packet Capture.
WiFinspect is yet another free and powerful packet capture and a network sniffer. Features of WiFinspect include but are not limited to Pcap analyzer, network sniffer, host discovery, port scanner, internal and external network vulnerability scanner, traceroute, ping, etc. Unlike Packet Capture or Debug Proxy Wireshark alternative apps for Android, you need root permissions to work with most features in WiFinspect.
These were some of the best Wireshark alternatives for Android phones. zAnti and cSploit are closest when it comes to packet capturing and man in the middle attack. However, if all you want is to boot people off your WiFi network, consider using Netcut app. It also requires root access though.
I am trying to capture HTTPS traffic from my rooted Android device (4.4.4) to analyze an undocumented protocol of an app. I've set up my Fiddler as a proxy and enabled HTTPS sniffing. I've installed the Fiddler's generated root certificate on my device. I've set up my proxy for my Wifi on my Android device.
I'm trying to find resources or library which could permit me to capture the traffic of all the network packets of a device programmatically either it be from wifi or mobile network. I believe there no need to be root to be in this promiscuous mode as shark for root would request because there is this app on the play store which can capture all network traffic (even decrypt SSL with MITM) without needing to be root. I simply cannot figure out how to do the same.
The de-facto appraoch to packet sniffing in Android without root is loop-back VPNService. Creating a VPNService app and activating it, will force all traffic in the device to go through your newly created virtual interface which is managed by a userspace application, where you will be receiving IP Packets by reading from the virtual interface.
Regarding privacy matters, I wonder if it is possible, by a party, including myself and mobile telco provider firmware (on stock distributions), to sniff all the outgoing HTTP requests of a Wi-Fi network without the need of the device to be rooted? If such is possible, can you give me an example or two of how could they do it?
If you have a compromised kernel, then it doesn't matter whether you have root or not. Packet sniffing app goes through the kernel's public interface for sniffing packets, which is why they're subject to security restrictions; a compromised kernel can simply bypass all that and read the packets directly from the kernel internal data structure or directly from the hardware. Kernel code runs under supervisor mode which gives them direct access to the hardware including being able to read any parts of memory of any program running on the system.
A web proxy doesn't require root, but the user has to set it up by hand: you can configure it automatically only if you have root. If that weren't the case it would be a bit of a security problem in Android: a normal app could eavesdrop or otherwise interfere with other apps' network communication.
Of course, even for real packet sniffing, you only need to root the device if you want to install the sniffer on the device. To see the device's network traffic, it's much easier and more convenient to install a sniffer on a desktop Linux machine acting as a (Wi-Fi) router.
In short: every TLS client has a list of root CAs that it trusts, and to successfully receive an HTTPS request, you must be able to present a certificate for the target hostname that includes a trusted root CA somewhere in its chain.
So, given the above, if we want to intercept HTTPS we need to be able to present a certificate issued by a trusted certificate authority. Since nobody reading this has a globally trusted root CA to hand, in practice that means we need to create our own CA, and ensure the TLS client (in this case, Android's HTTPS clients) already trusts that CA, before we can get started.
The OS has a 'system' certificate store, traditionally at /system/etc/security/cacerts/. This is prepopulated on the device at install time, it's impossible to add certificates to it without root access, and is used as the default list of trusted CA certificates by most apps. In practice, this store defines which CA certificate most apps on your phone will trust.
In Android 14 system CA certificates were moved to /apex/com.android.conscrypt/cacerts (though the default system path above still exists too) so that they're primarily loaded from the Conscrypt system module instead.
This is the fun case. If you have root, how do you make apps trust your CA certificate? It turns out that even with root it's not quite as easy as it could be, but it's definitely possible to inject system certificates, so that almost all apps trust your CA by default.
If you are doing this for yourself though, be careful around permissions, as the default for ADB-pushed files is very relaxed. If the CA you inject or the copied system certificates are globally writable, it'd be theoretically possible for another app on the device to change or add a CA during this process, and sneakily get visibility into all HTTPS traffic on the device for itself without you realizing or granting it root access.
That XML trusts the user CA certificates installed on the device, if saved as an XML resources like network_security_config.xml and referenced with android:networkSecurityConfig=" xml/network_security_config" in the element of your app manifest.
One last case then: what if you have a non-rooted phone, and you want to intercept HTTPS from an app that doesn't trust the user CA store, and which you can't easily edit the source code for yourself? For example, if you want to inspect HTTPS traffic from somebody else's app, or from your own existing production builds?
These sniffers can be useful when performing advanced troubleshooting of wireless connectivity or performance issues. They can also aid in security auditing, penetration testing, and ethical hacking, or so you can better visualize and understand certain network vulnerabilities. Or you might just be curious of what the real data packets look like or exactly what devices and apps are sending and receiving.
Another app that does not require a rooted device is the free Wi-Fi PCAP Capture app from Kismet. However, it does have more specific device requirements and must be used with a specific type of external Wi-Fi adapter. This likely also requires a USB on-the-go (OTG) cable to convert from Micro-USB to the full USB Type A.
If you have a rooted Android device, there are many more apps to consider. Shark for Root and SniffDroid are two free simple sniffers, both requiring the export of a PCAP file in another app for viewing the packets, like the two previously mentioned apps.
For more bells and whistles, consider the free Intercepter-NG, WiFinspect, or Dr Network sniffer apps. Intercepter-NG also provides a network scanner to detect devices on a network and a cookie scanner to hijack account logins. WiFinspect also offers a network discovery function with port scanning, access point and other network vulnerability scanners, and basic network tools like Traceroute and Ping. Dr Network also offers the usual basic network tools, such as Ping, Netcfg, Netstat, Tcpdump, Ifconfig, ARP Cache, IP Routing Table, and IP Locator.
Google API images lacks the Google Play app, but includes access to Google Play services and are not considered production builds which means root access is available. There is rarely any reason to pick a plain Android version without Google APIs.
35fe9a5643
In general, most Windows computers require a separate WiFi adapter to enable promiscuous mode, while some macOS devices can use the built-in WiFi card in promiscuous mode. Android, on the other hand, can also use the built-in WiFi adapter for promiscuous mode. But to prevent its misuse, most manufacturers turn off this feature. And the only way to bypass this is with root access. In short, without root, you can only monitor traffic from your device. Also for obvious reasons, most of the following apps are not available on Google Play Store.
sniffer android sin root
Download https://labi-vgradmu.blogspot.com/?n=2wZ3m3
zAnti is not just a simple network sniffer, it is a complete penetration testing tool for your Android device. You can do complete network testing and a whole lot of other tests with a simple tap of a button. Some of the things you can do with zAnti include, but is not limited to, modifying HTTP requests and responses, exploiting routers, hijacking HTTP sessions, changing MAC address, and checking target device for vulnerabilities. Apart from that, zAnti can also find security gaps within your existing network and gives you detailed reports on how to fortify the defenses to protect your network from possible attacks.
Being a complete penetration testing tool that was specifically designed for professionals and businesses in mind, zAnti needs root access to work. Moreover, for most advanced features to work, it will change a few SELinux configuration settings and put your device into permissive mode. So, if you chose to go with zAnti, I would recommend that you use a dedicated device that is separate from your work or personal device.
zAnti and cSploit are full-fledged penetration testing tools with all the bell and whistles for Android but not everyone needs them. Packet Capture is a dedicated app to capture and record network packets. Using this app, you can not only capture and record packets but also decrypt SSL communication using MITM (man in the middle) attack. Since Packet Capture uses a local VPN to capture and record all your traffic, it can run without root permissions. If you are looking for a simple and straightforward packet capture app then try Packet Capture.
WiFinspect is yet another free and powerful packet capture and a network sniffer. Features of WiFinspect include but are not limited to Pcap analyzer, network sniffer, host discovery, port scanner, internal and external network vulnerability scanner, traceroute, ping, etc. Unlike Packet Capture or Debug Proxy Wireshark alternative apps for Android, you need root permissions to work with most features in WiFinspect.
These were some of the best Wireshark alternatives for Android phones. zAnti and cSploit are closest when it comes to packet capturing and man in the middle attack. However, if all you want is to boot people off your WiFi network, consider using Netcut app. It also requires root access though.
I am trying to capture HTTPS traffic from my rooted Android device (4.4.4) to analyze an undocumented protocol of an app. I've set up my Fiddler as a proxy and enabled HTTPS sniffing. I've installed the Fiddler's generated root certificate on my device. I've set up my proxy for my Wifi on my Android device.
I'm trying to find resources or library which could permit me to capture the traffic of all the network packets of a device programmatically either it be from wifi or mobile network. I believe there no need to be root to be in this promiscuous mode as shark for root would request because there is this app on the play store which can capture all network traffic (even decrypt SSL with MITM) without needing to be root. I simply cannot figure out how to do the same.
The de-facto appraoch to packet sniffing in Android without root is loop-back VPNService. Creating a VPNService app and activating it, will force all traffic in the device to go through your newly created virtual interface which is managed by a userspace application, where you will be receiving IP Packets by reading from the virtual interface.
Regarding privacy matters, I wonder if it is possible, by a party, including myself and mobile telco provider firmware (on stock distributions), to sniff all the outgoing HTTP requests of a Wi-Fi network without the need of the device to be rooted? If such is possible, can you give me an example or two of how could they do it?
If you have a compromised kernel, then it doesn't matter whether you have root or not. Packet sniffing app goes through the kernel's public interface for sniffing packets, which is why they're subject to security restrictions; a compromised kernel can simply bypass all that and read the packets directly from the kernel internal data structure or directly from the hardware. Kernel code runs under supervisor mode which gives them direct access to the hardware including being able to read any parts of memory of any program running on the system.
A web proxy doesn't require root, but the user has to set it up by hand: you can configure it automatically only if you have root. If that weren't the case it would be a bit of a security problem in Android: a normal app could eavesdrop or otherwise interfere with other apps' network communication.
Of course, even for real packet sniffing, you only need to root the device if you want to install the sniffer on the device. To see the device's network traffic, it's much easier and more convenient to install a sniffer on a desktop Linux machine acting as a (Wi-Fi) router.
In short: every TLS client has a list of root CAs that it trusts, and to successfully receive an HTTPS request, you must be able to present a certificate for the target hostname that includes a trusted root CA somewhere in its chain.
So, given the above, if we want to intercept HTTPS we need to be able to present a certificate issued by a trusted certificate authority. Since nobody reading this has a globally trusted root CA to hand, in practice that means we need to create our own CA, and ensure the TLS client (in this case, Android's HTTPS clients) already trusts that CA, before we can get started.
The OS has a 'system' certificate store, traditionally at /system/etc/security/cacerts/. This is prepopulated on the device at install time, it's impossible to add certificates to it without root access, and is used as the default list of trusted CA certificates by most apps. In practice, this store defines which CA certificate most apps on your phone will trust.
In Android 14 system CA certificates were moved to /apex/com.android.conscrypt/cacerts (though the default system path above still exists too) so that they're primarily loaded from the Conscrypt system module instead.
This is the fun case. If you have root, how do you make apps trust your CA certificate? It turns out that even with root it's not quite as easy as it could be, but it's definitely possible to inject system certificates, so that almost all apps trust your CA by default.
If you are doing this for yourself though, be careful around permissions, as the default for ADB-pushed files is very relaxed. If the CA you inject or the copied system certificates are globally writable, it'd be theoretically possible for another app on the device to change or add a CA during this process, and sneakily get visibility into all HTTPS traffic on the device for itself without you realizing or granting it root access.
That XML trusts the user CA certificates installed on the device, if saved as an XML resources like network_security_config.xml and referenced with android:networkSecurityConfig=" xml/network_security_config" in the element of your app manifest.
One last case then: what if you have a non-rooted phone, and you want to intercept HTTPS from an app that doesn't trust the user CA store, and which you can't easily edit the source code for yourself? For example, if you want to inspect HTTPS traffic from somebody else's app, or from your own existing production builds?
These sniffers can be useful when performing advanced troubleshooting of wireless connectivity or performance issues. They can also aid in security auditing, penetration testing, and ethical hacking, or so you can better visualize and understand certain network vulnerabilities. Or you might just be curious of what the real data packets look like or exactly what devices and apps are sending and receiving.
Another app that does not require a rooted device is the free Wi-Fi PCAP Capture app from Kismet. However, it does have more specific device requirements and must be used with a specific type of external Wi-Fi adapter. This likely also requires a USB on-the-go (OTG) cable to convert from Micro-USB to the full USB Type A.
If you have a rooted Android device, there are many more apps to consider. Shark for Root and SniffDroid are two free simple sniffers, both requiring the export of a PCAP file in another app for viewing the packets, like the two previously mentioned apps.
For more bells and whistles, consider the free Intercepter-NG, WiFinspect, or Dr Network sniffer apps. Intercepter-NG also provides a network scanner to detect devices on a network and a cookie scanner to hijack account logins. WiFinspect also offers a network discovery function with port scanning, access point and other network vulnerability scanners, and basic network tools like Traceroute and Ping. Dr Network also offers the usual basic network tools, such as Ping, Netcfg, Netstat, Tcpdump, Ifconfig, ARP Cache, IP Routing Table, and IP Locator.
Google API images lacks the Google Play app, but includes access to Google Play services and are not considered production builds which means root access is available. There is rarely any reason to pick a plain Android version without Google APIs.
35fe9a5643
0 new messages