Sunday, June 9, 2013

Sniffing Mobile apps

Hi friends, Here is my new article how to sniff HTTP / HTTPS traffic of iOS and Android apps.
There may be different needs, for example if you wanna test your app or whatever. I'm not responsible for your actions at the end.

So what you need:
 - iOS or Android Device
 - App you want to sniff installed on device
 - PC / Mac connected to same WiFi network with mobile device.
 - Magic tool "BURP" get a free copy here


BURP is a Jar file, you can run it on PC or Mac, just don't forget to have Java installed.

So to sniff trafic you need to go to properties of WiFi connection on your mobile device and in additional settings enable HTTP proxy. The host will be local ip of your computer, and port 8080.

Than run BURP , keep all settings by default if you are not sure.The only thing you need to do is to turn off Interception. Proxy Tab -> Intercept Tab, Intercept OFF.

Than open History Tab and there you will see all HTTP requests your mobile or some app does.
If the app is trying to make HTTPS request it will fail, because now you are not porxifying HTTPS property. To get all magic you need to do the following things:

Open Proxy Options tab and check that options of Certificate is "Per Host" and Generate CA signed per host request are set.

After that open any browser, for example safari on your local computer, set proxy settings to localhost:8080 including HTTP and HTTPS proxy, On Mca is done in your network settings. If you use Firefox it's configured in local settings of Firefox.

So when you are done try to open any HTTPS url and you will get SSL error warning. I avoid using Chrome because they have additional SSL verifications, really im not sure how it works there.

So when you get SSL warning you should open warning details and set CA certificate as trusted on you local machine. After that it will perfectly and in logs of BURP you will see all SSL requests you do through your browser.

To make you mobile accept this SSL you need to:
 - Export CA ROOT certificate which now you have in your Keychain to the file (crt i guess)
 - Import it to your mobile.

In case of Android is very easy, just copy it to the root of sd card, insert it to device, go to settings of security and import Certificate from SD card. After that certificate will become trusted and you can sniff SSL traffic. Just don't forget that if you use Chrome Mobile it will also raise errors about wrong SSL, but all other apps will accept it. And all requests will appear in history of BURP.


With iOS is more tricky.
1. Download iPhone Configuration Utility form Apple website
2. Open it and create new profile , keep blank everything except profile name / id and in Certificates Tab add CRT you want to add as trusted on your device.

Than connect your iPhone / iPod etc to your Mac and install created profile to the device. Later you can go to device settings and in profiles section you'll see installed CA root certificate. That's all

Now you can easily see what your phone is sending / receiving.

Unfortunately you can't download Apps from appStore with proxy enabled, so just don't forget to disable proxy settings on wifi Tab when you finish your tests.



Friday, June 7, 2013

Mi iusacell - same problems

Yesterday iusacell updated their mi iusacell. Still same issues, doesn't properly shows Internet consume , no way to subscribe for extra services or if you subscribe it disappears later on. 

No way to activate Internet package. 


The only one feature I really liked is phone number change. They let you change number on your new line for free , than you can change it only after 180 days next time. The problem is if you had some services such Internet package or calls package purchased - it will be canceled 

Saldo transfer is hidden but available with some trick. You need to switch to old interface and than you can make a transfer of balance 

Their update brought few security breaches also

Iusacell / unefon users are affected.

Wednesday, June 5, 2013

3G For free in Mexico .- 3G internet Gratis Mexico

Didn't publish this for a long time. Thought to use myself, but right now is no way to hide it. Many guys know about it, but i'll make it public

Free 3G in Mexico - is it possible?

Actually yes and is really easy. You can spent some time and some $ to make it working on you. I used to get free access to Iusacell 3G with high-speed 3.5G router.

Let's see how it works. When you connect your modem to a computer you need to setup APN, check it on the web. There's no tricks about APN at all and i don't think that you can cheat. APN "hostname" is just kind of alias, is not a real domain name from the web. For example Iusacell has APN : web.iusacellgsm.mx  and domain iusacellgsm.mx expired time ago :)

So when you make a connection you enter to their NAT, you get internal IP 10.X.X.X and their buggy DNS. I really dislike their DNS servers. So you may change them to Google DNS 8.8.8.8 and 8.8.4.4.

After that all your traffic goes to the Gateway. Using trace tool you can get its' IP and the gateway is where the billing happens.  if you have postpaid tarification - do not play, they WILL charge you.

As how as network configuration is a complicated thing and their IT gurus want to make things fast - they always have problems with DNS. DNS is open on 53 port. When you have no money on your account they want you to recharge more and more that's why they redirect you to their NAG portal where they ask cash :)

That portal must have URL such http://10.x.x.x but they want a nice URL, wo it looks web.iusa... that's why they have to keep DNS port open. Also they need SSL there (no idea why)

So 53 port is always open in:
 - Iusacell / Unefon
 - Movistar
 - Maybe telcel
 - Infinitum Movil WiFi
 - IUSACELL4U wifi
 - some other public wi-fi networks

What to do: to make a tonel! 
a) SQUID http Proxy (easy to install, but not all apps will work through)
b) VPN (You will have to setup VPN server somewhere ant to make it listen on port 53)

Other VPN solutions will nto work, there's no way to set custom port in PPTP. So if you want to connect on iPhone - jailbreak is the only one solution to have OpenVpn working.

When you have a tonel traffic goes through open port 53 directly to your server bypassing everything except billing. They do bill DNS traffic (even they bill access to their intranet pages) so if you have money - they will disappear. If not - you can enjoy surfing.

Don't forget that they cut inactive lines. I advice you to pay at least 50 peso per 2 month to have line active. 

Any thoughts?



Vulnerable Mexican cellphone carriers

Time ago i wrote an article in spanish how to login to BAM Portal of Iusacell (Mexican Carrier) identifying yourself as anybody and activating service for any number. Also it allows you to get invoice and some personal information of the user

Accident: Three weeks ago someone reported my line as stolen. How it could be? is so strange and than i understood. Each carrier over here has a toll free phone line. If you dial it from any landline the system will ask your phone number, so you can press buttons and you'll get full access to automated menu. There's no authentication at all. You can check plan, balance, report stolen line, activate services on behalf of other person. That sound terrible for me. There's no privacy at all.

Research: After personal research i saw that toll free lines are nothing to see with other vulnerables they have. First of all they do not care at all about customer privacy. Each carrier has at least 2 or 3 web services where you can easily get line owner information (including his billing address), his balance, calls history, payments history and even his location in real time.

Conclusion: Almost no way to control your expenses, anyone can get your sensitive information and no care about that.

Affected carriers: All GSM / CDMA Mexico.

Tuesday, June 4, 2013

Activar paquetes BAM en Iusacell a cualquier numero

Hola Mundo. Como sabes Iusacell cuenta con paquetes BAM para cualquier linea. Puedes pagar 1 peso por un Mega o comprar un paquete de navegacion a su o alinea de otra persona!

1. Debes conectar atravez de la red de Iusacell (portal BAM no esta disponible de otras redes)
2. Verifica que usas DNS de iusacell
3. Checa que tu APN es : modem.iusacellgsm.mx usuario: iusacellgsm contraseƱa : iusacellgsm, tipo de auth: pap.

4. Genera Link para abrir portal BAM :

Donde XXX es base64 del numero. abre la pagina http://base64-encoder-online.waraxe.us/ escriba en el campo numero de telefono iusacell o unefon de 10 digitos y haz clic a Encode Data. Cambia XXX a valor que aparece en la pagina y abre enlace en navegador.

https://web.iusacell.com.mx/BAM/jsp/registroPagos/inicioPrepago.jsp?mdn=XXX&c=202&dst=www.google.com

==============================
En portal puedes activar el paquete. Iusacell tiene paquetes de 6 y 12 meses libres (10 GB). 6 meses cuesta 3600 pesos. Mas interesante que en la pantalla Mis Facturas puedes generar una factura electronica para paquete pagado. Puedes pagar el paquete con Saldo Comprado o con tarjeta de credito.