如何在没有用户证书或修改应用程序的情况下将 Burp 与 Android 模拟器一起使用？

Question

In order to perform some Android Penetration Testing, I'd like to setup Burp to intercept traffic from the Android Emulator. Unfortunately, with later versions of Android, this requires modifying the manifest in order to include interception by a proxy with a user supplied certificate. Surely, there is a better / easier way?

Answer 1

Yes, there is a better way. You can create a certificate authority for Burp to utilize, and then add this certificate authority to the system partition so that its like any other CA and will automatically be trusted.

NOTE: I have found you can't just use the default CA from Burp and have this work. You need to follow these full instructions to create a new CA.

Step #1: Setup a CA for Burp & Import It:

1. Download the latest version of OpenSSL and extract the zip file .

2. Either add the location of the extracted files to the path, and open up a command window or open up a command window in the same directory where you see "openssl.exe".

3. Execute the following commands to create a certificate authority, and sign a root certificate, following all the prompts:

   openssl genrsa -des3 -out burpCA.key 4096

   openssl req -x509 -new -nodes -key burpCA.key -sha256 -days 2048 -out burpCA.crt

   openssl pkcs12 -export -in burpCA.crt -inkey burpCA.key -name burp -out burpCA.p12

4. Open a project in Burp you're going to utilize and import burpCA.p12 and navigate to the "Proxy tab", and the "Options" section.

5. Click the button "Import / export CA certificate" and choose "Certificate and private key from PKCS#12 keystore" from under the "Import" section, and then click "Next".

6. Navigate to the burpCA.p12 file you created before and enter the password.

Step 2: Add the Certificate to the Android Emulator

This can either be done globally for ALL Android Virtual Devices (AVD) going forward, or can be done on a single AVD. I prefer to do it for everything going forward, but I will cover both.

Option 1: Adding the Certificate Globally NOTE: This method does NOT require root access to the emulator, and therefore can be used with Google API versions.

1. Download Arsenal Image Mounter and extract it. We're going to utilize this to edit the base system drive image.

2. Run Arsenal Image Mounter and open the system.img file for the SDK version(s) you want to edit. When Aresenal prompts you, choose the option "Write original disk device". The system.img files are found under the following directory:

   %userprofile%\AppData\Local\Android\Sdk\system-images

eg For Nougat it would be found at the following location:

%userprofile%\AppData\Local\Android\Sdk\system-images\android-25\default\x86_64\system.img

1. Arsenal will mount the given system.img file and will assign it a drive letter. Navigate to that drive and navigate to the following file path:

   /etc/security/cacerts/

2. Pick any Certificate Authority within that folder that you don't mind losing / becoming invalid and open it in notepad. This is done rather than adding a new file because in later versions of Android there are special SELinux tags on the existing files that are needed for the file to be able to be read that can't easily be created on Windows. If we edit a file, they are preserved / saved. If we add a new file, we have to add these tags when Android is running, which is a pain with the system image being mounted read-only by default.

If available, I'd choose 1676090a.0, which is associated with China Internet Network Information center.

1. Open burpCA.crt from wherever you created it in the CA steps, copy its contents, and paste it into the file you opened in the prior step and save it.
2. Unmount the system.img file from within Arsenal and create a new AVD utilizing the version of Android you just modified the system.img file for.

Option 2: Adding the Certificate to a Single Android Virtual Device NOTE: This can be done INSTEAD of the global option. You don't need to do this if you do the global option.

1. Create an Android Virtual Device within Android Studio and give it a simple name such as PT1.

2. Open up a command window and navigate to the following directory:

   %userprofile%/AppData/Local/Android/Sdk/emulator/

3. Run the following command, substituting your AVD name for PT1:

   emulator -avd PT1 -writable-system

4. When its booted up, in another command window run the following commands to run adb as root, and remount the drives:

   adb root adb remount

5. Copy your Burp certificate onto the system drive utilizing the following command. You will need to either do this from where you created your certificates, or have the file path properly reference that file:

   adb push burpCA.crt /etc/security/cacerts/000000.0

Step 3: Configure the AVD to Proxy

1. Configure Burp to listen on all interfaces by clicking on the Listener and choosing "Edit" under the "Options" page of the "Proxy" tab and choosing "Bind to Address: All interfaces"

2. Get your IP address by opening a command window and running the command:

   ipconfig

3. Start your in Android Studio's Device Manager (Under "More Actions" from Android Studio).

4. Hit the "..." from the bar that is to the right of the running emulator and choose "Settings" -> "Proxy" and enter your IP address and the port you have Burp listening on (Default is 8080).

NOTE: localhost does NOT work here. You need an actual interface IP address.

You're now all set to proxy. You should be able to go to SSL sites without an issue.