Initial commit
This commit is contained in:
commit
6bad08a70b
|
@ -0,0 +1,41 @@
|
||||||
|
# QEMU, Android and mitmproxy template
|
||||||
|
|
||||||
|
A simple script that runs an Android-x86 QEMU VM within a network namespace and configures mitmproxy to inspect http(s) traffic. Usernamespaces are used, no root required.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
* QEMU
|
||||||
|
* mitmproxy
|
||||||
|
* slirp4netns
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Create a new Android-x86 image and complete the installer:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ qemu-img create -f qcow2 "android.img" 4G
|
||||||
|
$ qemu-system-x86_64 -enable-kvm -vga std \
|
||||||
|
-m 2048 -smp 2 -cpu host \
|
||||||
|
-net nic,model=e1000 -net user \
|
||||||
|
-cdrom "android-x68.iso" \
|
||||||
|
-hda "android.img" \ # image name is currently hardcoded
|
||||||
|
-boot d \
|
||||||
|
-monitor stdio
|
||||||
|
```
|
||||||
|
|
||||||
|
Start the VM and the network namespace:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ ./exec.sh
|
||||||
|
$ nsenter --preserve-credentials -U -m -n -t $(cat ns-pid) # enter the network ns
|
||||||
|
$ adb connect 192.168.1.128 # ip also currently hardcoded
|
||||||
|
```
|
||||||
|
|
||||||
|
In the Android WIFI settings configure a static config. IP should be `192.168.1.128` and gateway `192.168.1.1`.
|
||||||
|
|
||||||
|
The mitmproxy webinterface can be reached at `http://localhost:8081` on the host.
|
||||||
|
|
||||||
|
## Intercepting https
|
||||||
|
|
||||||
|
In many cases Frida can be used to bypass cert verification in apps. I wrote a bit about this [here](https://snippets.martinwagner.co/2021-08-21/mitmproxy-qemu)
|
||||||
|
but searching for "Frida TLS bypass" should also yield good results.
|
|
@ -0,0 +1,13 @@
|
||||||
|
#!/bin/bash
|
||||||
|
echo "Staring container"
|
||||||
|
unshare --fork --user --map-root-user --net --mount ./lib/entrypoint.sh &
|
||||||
|
sleep 1
|
||||||
|
|
||||||
|
echo "Starting slirp4netns"
|
||||||
|
slirp4netns --configure --disable-host-loopback --mtu=65520 $(cat ns-pid) --api-socket "slirp4netns.sock" tap-slirp &
|
||||||
|
|
||||||
|
sleep 5
|
||||||
|
|
||||||
|
echo "Configure port forwarding"
|
||||||
|
json='{"execute": "add_hostfwd", "arguments": {"proto": "tcp", "host_addr": "127.0.0.1", "host_port": 8081, "guest_port": 8081}}'
|
||||||
|
echo -n $json | nc -U slirp4netns.sock
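Review bot: The `$(cat ns-pid)` passed to slirp4netns after the fixed `sleep 1` is never checked, so a slow start leaves it empty and a leftover `ns-pid` from a previous run points slirp4netns (and the later `nsenter` in the README) at a dead or, after pid reuse, unrelated process. Remove the stale file before forking and poll for the entrypoint to publish its pid instead of sleeping; the script should also start with `set -euo pipefail` so the failing `cat`/`nc` do not go unnoticed. The same applies to `slirp4netns.sock`, which is created in the working directory with default permissions and accepts `add_hostfwd` from anyone who can write to it, so it should be removed on exit, e.g. `trap 'kill $(jobs -p) 2>/dev/null; rm -f ns-pid slirp4netns.sock' EXIT`. `$json` on the last line should be quoted.
```bash
set -euo pipefail
rm -f ns-pid slirp4netns.sock
unshare --fork --user --map-root-user --net --mount ./lib/entrypoint.sh &
# wait for lib/entrypoint.sh to write its pid instead of trusting a fixed sleep
for _ in $(seq 1 50); do
  [ -s ns-pid ] && break
  sleep 0.1
done
[ -s ns-pid ] || { echo "entrypoint did not start" >&2; exit 1; }
ns_pid=$(cat ns-pid)
# … unchanged: slirp4netns start and add_hostfwd, using "$ns_pid" and "$json" …
```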
|
|
@ -0,0 +1,38 @@
|
||||||
|
#!/bin/bash
|
||||||
|
HOST_TAP_IP="192.168.1.1"
|
||||||
|
VM_IP="192.168.1.128"
|
||||||
|
VM_DISK="android.img"
|
||||||
|
|
||||||
|
sysctl -w net.ipv4.ip_forward=1
|
||||||
|
echo $$ > ns-pid
|
||||||
|
mount -t tmpfs tmpfs /run
|
||||||
|
|
||||||
|
echo "Creating VM tap device"
|
||||||
|
ip tuntap add dev tap-vm mode tap
|
||||||
|
ip addr add dev tap-vm "$HOST_TAP_IP/24"
|
||||||
|
ip addr add dev lo "127.0.0.1/8"
|
||||||
|
ip link set dev tap-vm up
|
||||||
|
|
||||||
|
echo "Configuring NAT"
|
||||||
|
sleep 2
|
||||||
|
|
||||||
|
iptables -t nat -A POSTROUTING -o tap-slirp -j MASQUERADE
|
||||||
|
iptables -t nat -A PREROUTING -s "$VM_IP" -p tcp --dport 80 -j DNAT --to-destination "$HOST_TAP_IP:8080"
|
||||||
|
iptables -t nat -A PREROUTING -s "$VM_IP" -p tcp --dport 443 -j DNAT --to-destination "$HOST_TAP_IP:8080"
|
||||||
|
|
||||||
|
iptables -t nat -L
|
||||||
|
ip addr
|
||||||
|
ip route
|
||||||
|
|
||||||
|
echo "Staring proxy"
|
||||||
|
mitmweb --mode transparent --showhost --web-host 0.0.0.0 --no-web-open-browser &
|
||||||
|
|
||||||
|
echo "Starting VM"
|
||||||
|
# https://github.com/rexim/qemu-android-x86-runner
|
||||||
|
qemu-system-x86_64 -enable-kvm -vga std \
|
||||||
|
-m 2048 -smp 2 -cpu host \
|
||||||
|
-net nic,macaddr="DE:AD:BE:EF:A0:BA",model=virtio \
|
||||||
|
-nic tap,ifname=tap-vm,script=no,downscript=no \
|
||||||
|
-hda "$VM_DISK" \
|
||||||
|
-monitor stdio
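Review bot: `mitmweb --web-host 0.0.0.0` binds the web interface on every address in the namespace, including `tap-vm`, so the Android guest — which is where the untrusted app under test runs — can reach the mitmproxy UI at `192.168.1.1:8081` and read or replay captured flows; the `--disable-host-loopback` in exec.sh only protects the host's loopback, not this interface. Since the slirp4netns hostfwd needs the UI reachable from the slirp side, the simplest fix is to block it on the guest side before the VM starts: `iptables -A INPUT -i tap-vm -p tcp --dport 8081 -j DROP`. It is also worth noting in a comment that only ports 80 and 443 are DNATed to mitmproxy (`-p tcp --dport 80/443`), so any other guest traffic leaves uninspected via MASQUERADE, and that `sysctl -w` and the `iptables` calls run unchecked — a `set -e` at the top would stop the VM from starting with half-applied NAT rules.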
|
||||||
|
|