How to reverse-engineer (or replay) programs' network comms?

Coldblackice

In general, how would you go about reverse-engineering (mimic/clone/replay) an app's network comms to essentially "port" its use outside its main program? (at a very base, rudimentary level, and assuming there's no API available).

What tools/methods/processes would you use?

What hurdles might likely crop up and interfere? (e.g., I'd guess SSL packets would be an impassable roadblock)


For example, say you wanted to replicate the Android Twitter app's abilities on a PC, at a very simplistic level, and without resorting to a full-time emulator. How would you go about such?
 
Twitter has an API. You shouldn't need to reverse engineer Twitter app network communications if you want to roll your own twitter desktop app.

If you were speaking generally, you could use Wireshark to sniff packets and examine them. SSL/TLS will likely be a problem, unless the cipher suite chosen uses RSA for key exchange and you have the private key.
 
There are a lot of variables here. If the app is just sending plain text web requests, it would be pretty easy to snoop and replicate them. If the app is sending encrypted data, you are probably SOL. Instead of trying to crack the app directly, I would try googling to see if someone else has already done it for you. If the app is something as common as Twitter, there's a pretty good chance someone else has already done your legwork for you. If the data is snoopable, there's at least a chance that someone on the interwebz has already created an API for it. I would start with googling "twitter API" and "custom twitter app" and see if anything comes up.
 
I'm going to assume that the Twitter app was an example and not what you're actually trying to do.

You'll have to start with sniffing the traffic - from there you can determine what the sessions look like. If it's SSL you could MITM the session. Would likely need to import the trusted certificate for your MITM node (http://mitmproxy.org/doc/certinstall/android.html), then assuming that the app doesn't complain (which it might) the full decrypted session would be available.
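For the plain-text case the replies above describe (a request visible in a Wireshark capture that you want to replicate), here is an added example that is not from any poster in this thread: it parses one raw HTTP/1.x request as "Follow TCP Stream" would show it into method, target, headers and body, re-serialises it, and flags the headers that carry session state, since those are what a replay depends on and what the server side should be expiring. The sample request and hostname are constructed.

```python
from dataclasses import dataclass, field

# Header names that usually carry credentials or session state. A captured
# request only replays while these stay valid, so they are the first thing to
# look for in a capture (and the first thing a server should rotate/expire).
SESSION_HEADERS = {"authorization", "cookie", "x-csrf-token"}

@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # names lower-cased
    body: bytes = b""

    def session_headers(self):
        """Names of captured headers that carry session/credential state."""
        return sorted(h for h in self.headers if h in SESSION_HEADERS)

    def to_bytes(self):
        """Re-serialise as wire bytes (header names are case-insensitive)."""
        lines = [f"{self.method} {self.target} {self.version}"]
        lines += [f"{k}: {v}" for k, v in self.headers.items()]
        return ("\r\n".join(lines) + "\r\n\r\n").encode() + self.body

def parse_http_request(raw: bytes) -> HttpRequest:
    """Parse one raw HTTP/1.x request: request line, headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so later bytes in the stream are not taken as body.
    length = int(headers.get("content-length", len(body)))
    return HttpRequest(method, target, version, headers, body[:length])

# Constructed sample, shaped like a JSON POST seen in a TCP stream.
SAMPLE = (
    b"POST /api/v1/status HTTP/1.1\r\n"
    b"Host: api.example.invalid\r\n"
    b"Authorization: Bearer EXAMPLE-TOKEN\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 19\r\n\r\n"
    b'{"status": "hello"}'
)
```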
 
If you were speaking generally, you could use Wireshark to sniff packets and examine them. SSL/TLS will likely be a problem, unless the cipher suite chosen uses RSA for key exchange and you have the private key.

Would the private key be "capturable" from the client's side (like via sniffing or rev-eng'ing)?

There are a lot of variables here. If the app is just sending plain text web requests, it would be pretty easy to snoop and replicate them. If the app is sending encrypted data, you are probably SOL. Instead of trying to crack the app directly, I would try googling to see if someone else has already done it for you. If the app is something as common as Twitter, there's a pretty good chance someone else has already done your legwork for you. If the data is snoopable, there's at least a chance that someone on the interwebz has already created an API for it. I would start with googling "twitter API" and "custom twitter app" and see if anything comes up.

Thanks, great idea. On the tool-side of things, in general, what tools would you employ to accomplish this (i.e., the sniffing route)? Anything other than Wireshark?

I'm going to assume that the Twitter app was an example and not what you're actually trying to do.

You'll have to start with sniffing the traffic - from there you can determine what the sessions look like. If it's SSL you could MITM the session. Would likely need to import the trusted certificate for your MITM node (http://mitmproxy.org/doc/certinstall/android.html), then assuming that the app doesn't complain (which it might) the full decrypted session would be available.

Thanks, very helpful link. In general, what other tools might you use to go about this (besides Wireshark + mitmproxy)? I realize no tool is going to "automate" this, I'm just wondering if I'm working with a full toolbox with just Wireshark.

You might want to try using Burp Suite; it works well for this type of thing.

http://www.ports.net/burp/

Wow, that looks great! Thanks much for the suggestion.
 