From 6bad08a70bf85bb32e5ae29417cd98990af4fe99 Mon Sep 17 00:00:00 2001
From: mawalu
Date: Sat, 21 Aug 2021 20:24:24 +0200
Subject: [PATCH] Initial commit
---
README.md | 41 +++++++++++++++++++++++++++++++++++++++++
exec.sh | 13 +++++++++++++
lib/entrypoint.sh | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 92 insertions(+)
create mode 100644 README.md
create mode 100755 exec.sh
create mode 100755 lib/entrypoint.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0d08ff7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,41 @@
+# QEMU, Android and mitmproxy template
+
+A simple script that runs an Android-x86 QEMU VM within a network namespace and configures mitmproxy to inspect http(s) traffic. Usernamespaces are used, no root required.
+
+## Requirements
+
+ * QEMU
+ * mitmproxy
+ * slirp4netns
+
+## Usage
+
+Create a new Android-x86 image and complete the installer:
+
+```bash
+$ qemu-img create -f qcow2 "android.img" 4G
+$ qemu-system-x86_64 -enable-kvm -vga std \
+ -m 2048 -smp 2 -cpu host \
+ -net nic,model=e1000 -net user \
+ -cdrom "android-x68.iso" \
+ -hda "android.img" \ # image name is currently hardcoded
+ -boot d \
+ -monitor stdio
+```
+
+Start the VM and the network namespace:
+
+```bash
+$ ./exec.sh
+$ nsenter --preserve-credentials -U -m -n -t $(cat ns-pid) # enter the network ns
+$ adb connect 192.168.1.128 # ip also currently hardcoded
+```
+
+In the Android WIFI settings configure a static config. IP should be `192.168.1.128` and gateway `192.168.1.1`.
+
+The mitmproxy webinterface can be reached at `http://localhost:8081` on the host.
+
+## Intercepting https
+
+In many cases Frida can be used to bypass cert verification in apps. I wrote a bit about this [here](https://snippets.martinwagner.co/2021-08-21/mitmproxy-qemu)
+but searching for "Frida TLS bypass" should also yield good results.
diff --git a/exec.sh b/exec.sh
new file mode 100755
index 0000000..b2cabc2
--- /dev/null
+++ b/exec.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+echo "Staring container"
+unshare --fork --user --map-root-user --net --mount ./lib/entrypoint.sh &
+sleep 1
+
+echo "Starting slirp4netns"
+slirp4netns --configure --disable-host-loopback --mtu=65520 $(cat ns-pid) --api-socket "slirp4netns.sock" tap-slirp &
+
+sleep 5
+
+echo "Configure port forwarding"
+json='{"execute": "add_hostfwd", "arguments": {"proto": "tcp", "host_addr": "127.0.0.1", "host_port": 8081, "guest_port": 8081}}'
+echo -n $json | nc -U slirp4netns.sock
diff --git a/lib/entrypoint.sh b/lib/entrypoint.sh
new file mode 100755
index 0000000..c9b087b
--- /dev/null
+++ b/lib/entrypoint.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+HOST_TAP_IP="192.168.1.1"
+VM_IP="192.168.1.128"
+VM_DISK="android.img"
+
+sysctl -w net.ipv4.ip_forward=1
+echo $$ > ns-pid
+mount -t tmpfs tmpfs /run
+
+echo "Creating VM tap device"
+ip tuntap add dev tap-vm mode tap
+ip addr add dev tap-vm "$HOST_TAP_IP/24"
+ip addr add dev lo "127.0.0.1/8"
+ip link set dev tap-vm up
+
+echo "Configuring NAT"
+sleep 2
+
+iptables -t nat -A POSTROUTING -o tap-slirp -j MASQUERADE
+iptables -t nat -A PREROUTING -s "$VM_IP" -p tcp --dport 80 -j DNAT --to-destination "$HOST_TAP_IP:8080"
+iptables -t nat -A PREROUTING -s "$VM_IP" -p tcp --dport 443 -j DNAT --to-destination "$HOST_TAP_IP:8080"
+
+iptables -t nat -L
+ip addr
+ip route
+
+echo "Staring proxy"
+mitmweb --mode transparent --showhost --web-host 0.0.0.0 --no-web-open-browser &
+
+echo "Starting VM"
+# https://github.com/rexim/qemu-android-x86-runner
+qemu-system-x86_64 -enable-kvm -vga std \
+ -m 2048 -smp 2 -cpu host \
+ -net nic,macaddr="DE:AD:BE:EF:A0:BA",model=virtio \
+ -nic tap,ifname=tap-vm,script=no,downscript=no \
+ -hda "$VM_DISK" \
+ -monitor stdio
+
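Review bot: The `slirp4netns ... $(cat ns-pid)` line consumes a file that entrypoint.sh writes asynchronously, with only `sleep 1` in between and no check that `unshare` is still alive; if the namespace comes up slowly or unshare fails (user namespaces disabled, say), slirp4netns is handed an empty PID, or a PID left in `ns-pid` by an earlier run that may since have been reused by an unrelated process of the same user. Remove the stale `ns-pid` and API socket up front, wait for the file with a bounded loop that also notices unshare dying, and abort rather than continue — `set -euo pipefail` then also surfaces a failed `nc` write to the API socket instead of hiding it. Quote the expansion on the last line as well (`printf '%s' "$json" | nc -U slirp4netns.sock`). Note that the script exits while both background jobs keep running, so a cleanup `trap` only makes sense if a final `wait "$unshare_pid"` is added; otherwise the detached processes should at least be documented.
```shell
#!/bin/bash
set -euo pipefail
rm -f ns-pid slirp4netns.sock        # never reuse a PID or socket left behind by an earlier run
echo "Staring container"
unshare --fork --user --map-root-user --net --mount ./lib/entrypoint.sh &
unshare_pid=$!
for _ in {1..50}; do                  # bounded wait for entrypoint.sh to publish its PID
  [[ -s ns-pid ]] && break
  kill -0 "$unshare_pid" 2>/dev/null || { echo "unshare exited before the namespace was ready" >&2; exit 1; }
  sleep 0.1
done
[[ -s ns-pid ]] || { echo "timed out waiting for ns-pid" >&2; exit 1; }
ns_pid=$(cat ns-pid)
# … unchanged: slirp4netns and add_hostfwd, with $(cat ns-pid) replaced by "$ns_pid" and "$json" quoted …
```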
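Review bot: Nothing in entrypoint.sh aborts on failure, so if `ip tuntap add` or one of the DNAT rules fails inside the user namespace the VM is still started and its HTTP(S) traffic leaves through the MASQUERADE rule uninspected — the opposite of what an analyst running this expects; add `set -euo pipefail` after the shebang and quote `"$$"`. Two further gaps are worth closing in the same place: mitmweb is started with `--web-host 0.0.0.0`, so the guest — whose app is the untrusted party here — can reach the web UI at 192.168.1.1:8081, and nothing stops UDP/443 (QUIC), which several Android HTTP stacks prefer and which bypasses the TCP-only DNAT entirely. Rejecting both on `tap-vm` keeps the analysis honest, and matching the DNAT rules on `-i tap-vm` rather than `-s "$VM_IP"` also survives the guest changing its address. How much the guest can do with the mitmweb endpoint depends on the installed mitmproxy version (newer releases gate the UI behind a token), so treat that rule as defence in depth.
```shell
#!/bin/bash
set -euo pipefail      # a failed tuntap/iptables step must not leave the VM running uninspected
# … unchanged: variables, sysctl, ns-pid (quote "$$"), tmpfs, tap-vm setup …
iptables -t nat -A POSTROUTING -o tap-slirp -j MASQUERADE
iptables -t nat -A PREROUTING -i tap-vm -p tcp --dport 80 -j DNAT --to-destination "$HOST_TAP_IP:8080"
iptables -t nat -A PREROUTING -i tap-vm -p tcp --dport 443 -j DNAT --to-destination "$HOST_TAP_IP:8080"
# QUIC/HTTP3 would bypass the TCP-only redirect above; rejecting it makes most clients fall back to TCP 443.
iptables -A FORWARD -i tap-vm -p udp --dport 443 -j REJECT
# The mitmweb UI is bound to 0.0.0.0 below; keep it unreachable from the (untrusted) guest.
iptables -A INPUT -i tap-vm -p tcp --dport 8081 -j REJECT
# … unchanged: diagnostics, mitmweb, qemu …
```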