Alex_burg

Alex_burg

Local
Статус
Offline
Joined
9/13/21
Messages
33
Reaction score
1
This article is for informational and educational purposes only.

Hi all! I haven’t written an article for a long time, I decided to write something simple to warm up. The topic is not new, but I could not find information about it on the forum. I decided to share, in case I can help someone. I've been using this method for a year now and I'm happy with it.

Let's clarify that applications like VKontakte cannot be sniffed, but something simple can and will work out (well, it’s as simple as that, I made software using requests from two banks and everything worked out).

Attention! The free plan from this site has a limited amount of survivability of the running emulator. Therefore, it is recommended to perform all requests that you need to export the received data from the traffic analyzer (you will understand later) and parse them when importing them back into the browser.

1. Go to the website appetize.io and register (I use temporary emails, too lazy to register on the basis)

UTwyw3Q.png
UTwyw3Q.png

2. After successful registration, click Open Dashboard to open the list of our downloaded applications

39wMXGy.png
39wMXGy.png

3. If this is your first time here, then you will not have any applications and you will need to click on the Upload button and download the necessary apk (or what is used for ios)

cA2pRSD.png
cA2pRSD.png

4. In the Upload section, click Select File and select our apk (I already have applications, I skipped this step). Sometimes you need to wait after the loading bar ends, but if loading takes a while, try again.

eUA82tU.png
eUA82tU.png

5. After successfully downloading our application, return to the list of applications and click on the desired View.

FOdUEIW.png
FOdUEIW.png

6. Now the most important thing, before pressing the button in the center of the mobile phone, turn on this Network Intercept parameter.

Jzx3kj5.png
Jzx3kj5.png

7. And after that, click on Tap to play.

oHEB1vd.png
oHEB1vd.png

8. Wait for our application to finish loading and click View in Chrome DevTools. The Network window will open in the browser (the same window as during normal site analysis)

1dQ5v9k.png
1dQ5v9k.png

9. Now let me show you with an example what will happen if you perform some action in our application. As an example, I took the Tinkoff Bank application and authorization in it.

2cTagv4.png
2cTagv4.png

10. After entering the mobile phone, a request was sent asking for an SMS code. Let's check what has appeared in our Network.

Yg3UBkx.png
Yg3UBkx.png

11. As we can see, here is our request, with our phone number. Decide for yourself what to do with this information.

Questions from the topic:

1. How to export to chrome debugger (this must be done before the end of the emulation time)


hGRO3gN.png
hGRO3gN.png

2. How to protect against certificate substitution
Answer: As I wrote in the article, VKontakte and other protected applications do not allow you to sniff anything, this is a limitation of the site. Suitable for simple applications, but as you can see, banks also pass, although they detect substitution.


This article was created for those who don’t want to worry, but want to do it beautifully. Some query apps are easier than their websites, so this is a great alternative to sniffing something to make your own program. But know that sometimes there are so many requests that you have to think for yourself which ones are important and which ones can be discarded.

From my experience, I can say that this is a great tool if you know what actions you need to perform in the application. But no one is stopping you from re-entering it again to sniff out what you didn’t have time to do (or buy a bonus). I made many different simple software with this site, but I also made software using requests from 2 banks. So this is a very useful tool.
 
Top