14 February 2024

Intercepting HTTPS Traffic in Desktop Apps & Games: Cyrex Engineers at Work

We’re back checking in with our engineering team, discussing some of the work they do in their spare time to hone their skills and help make the digital world a safer place. Visiting us again is Hazem Elsayad, Lead Offensive Security Engineer for the Cyrex team. He’s got some more fantastic case studies and write-ups of his work including his steps in unveiling the arcane art of intercepting HTTPS traffic in Desktop Apps & Games.  

Let’s dive into his breakdown!  

Introduction

Just a quick note, this journey is fraught with challenges like SSL pinning - a hurdle I'll tackle in the future. For now, let's master the basics. For a quick recap: 

In my last thread, we explored bugs in game hacking. Some of you inquired further - how do I intercept traffic beyond just finding bugs? Here’s the detailed workflow, addressing your curiosity!  

1. Laying the Foundation with Proxies:

Start by choosing a proxy - Burp Suite, Charles Proxy, or an MITM proxy. Each has its merits. For HTTPS, here’s how to trust your proxy’s root certificate on your device:

  • In Burp Suite, go to 'Proxy' > 'Options' tab. Click 'Import / export CA certificate', then export it in the format suitable for your OS.
  • Install this certificate. On Windows, it goes into the 'Trusted Root Certification Authorities' store via the Microsoft Management Console (mmc). On macOS, add it to the System keychain in the 'Keychain Access' app and set it to 'Always Trust'.
  • This allows your device to trust the encrypted traffic passing through the proxy, avoiding security alerts.

2. Monitoring with Wireshark:

  • Fire up Wireshark and begin capturing packets on the network interface the app uses. The flood of data can be overwhelming, though.
  • Filter on DNS. A display filter such as dns, or dns.qry.name to show only the queried names, narrows the capture to the domains your game or app is resolving, which is exactly the list you need for the next steps.

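What the dns.qry.name filter surfaces is the QNAME of each DNS question. As an added example (not part of the original write-up), the Python below extracts that field from raw DNS messages built in-script, follows RFC 1035 compression pointers, skips responses and deduplicates, so the result is the same domain list you would read off Wireshark. The domain names in the sample are constructed; nothing is captured or sent.

```python
"""Added example (not from the original post): pull the queried domain names out of
raw DNS query messages, which is what Wireshark's dns.qry.name field shows.
All packets below are constructed in-script; nothing is captured or sent."""
import struct


def encode_qname(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels (used only to build samples)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_message(txid: int, name: str, flags: int = 0x0100, qtype: int = 1) -> bytes:
    """Build a minimal DNS message: 12-byte header plus one question (constructed input).
    flags=0x0100 is a standard recursive query; 0x8180 marks a response."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def decode_qname(msg: bytes, offset: int):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (dotted_name, offset_after_the_name_field)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def query_names(packets) -> list:
    """Unique QNAMEs from DNS *query* messages, in first-seen order (responses skipped)."""
    seen = []
    for pkt in packets:
        if len(pkt) < 12:
            continue
        flags, qdcount = struct.unpack("!HH", pkt[2:6])
        if flags & 0x8000:  # QR bit set: this is a response, not a query
            continue
        offset = 12
        for _ in range(qdcount):
            name, offset = decode_qname(pkt, offset)
            offset += 4  # skip QTYPE and QCLASS
            if name not in seen:
                seen.append(name)
    return seen


# Constructed sample capture: three distinct queries (one repeated) and one response.
SAMPLE_PACKETS = [
    build_dns_message(0x1001, "api.example-game.test"),
    build_dns_message(0x1002, "cdn.example-game.test"),
    build_dns_message(0x1001, "api.example-game.test", flags=0x8180),  # response, skipped
    build_dns_message(0x1003, "telemetry.example-game.test", qtype=28),  # AAAA query
    build_dns_message(0x1004, "api.example-game.test"),  # repeat, deduplicated
]

if __name__ == "__main__":
    for name in query_names(SAMPLE_PACKETS):
        print(name)
```

Feeding it the DNS payloads from a real capture (for instance exported from Wireshark) gives the candidate list for the hosts-file step; the response check matters because a capture contains both directions and you only want what the app asked for.
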
3. Rerouting via Hosts File:

This step is about rerouting app traffic through your proxy. The hosts file is like your PC’s address book for the internet.

  • You’ll find this file at “C:\Windows\System32\drivers\etc\hosts” on Windows or “/etc/hosts” on Linux and macOS.
  • Add lines mapping the domain names your app contacts to localhost (your local machine). A hosts entry is the address first, then the name: 127.0.0.1 example.com

Now the traffic is set to go through your proxy.

4. Configuring Proxy Listeners:

In Burp Suite, add a new listener on localhost and the port you choose. Ensure it matches the redirected traffic from your hosts file: the hosts entry changes only the address, not the port, so the listener must be on the port the app connects to (443 for HTTPS).

  • Any traffic to the mapped domains in your hosts file now hits your proxy listener.
  • Enable invisible proxying from the Request Handling tab. The app does not know it is talking to a proxy, so its requests arrive as plain HTTPS rather than proxy-style requests, and invisible proxying is what lets Burp handle them.

5. Burp's Hostname Resolution:

  • Here, we translate human-friendly domain names to IP addresses. Under 'Project options' > 'Hostname Resolution', input the domains and their IPs based on what you discovered in Wireshark or through ‘dig’ or ‘nslookup’ commands, as in: dig example.com +short
  • If there is no A record, you need the IP address of the record the domain points to instead, as in: dig example.com.cdn.cloudflare.net +short
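
Steps 3 and 5 depend on each other: once a hosts entry points a domain at 127.0.0.1, Burp, running on the same machine, would resolve that domain to itself and loop, so it needs its own hostname-resolution entry for the real address. The added example below (not from the original post) takes the domain list from the capture plus dig +short style answers and produces both the hosts lines and the resolution pairs, following hostname answers until an address turns up and flagging any domain that never resolves rather than mapping it. The answers and domain names are constructed; in practice they come from dig or nslookup. The JSON key names in burp_hostname_resolution are assumed from Burp's project-configuration export and should be checked against an export from your own version.

```python
"""Added example (not from the original post): turn captured domains into hosts-file
lines (step 3) and Burp Hostname Resolution pairs (step 5) from dig-style answers.
DIG_ANSWERS is a constructed stand-in for `dig <name> +short` output."""
import ipaddress
import json

# Constructed: each value is the list of lines `dig <name> +short` would print.
# A CNAME chain shows up as hostname lines before the final address lines.
DIG_ANSWERS = {
    "api.example-game.test": ["198.51.100.10"],
    "cdn.example-game.test": ["cdn.example-game.test.cdn.example-cdn.test.", "203.0.113.7"],
    "telemetry.example-game.test": ["telemetry-edge.example-cdn.test."],
    "telemetry-edge.example-cdn.test": ["203.0.113.9", "203.0.113.10"],
    "dead.example-game.test": [],  # nothing resolves
}


def is_ip(token: str) -> bool:
    """True if a dig output line is an IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(token.rstrip("."))
        return True
    except ValueError:
        return False


def resolve_addresses(name: str, answers: dict, max_hops: int = 8) -> list:
    """Follow hostname answers (CNAME targets) until address lines appear.
    Returns [] when the chain ends without an address or exceeds max_hops."""
    current = name.rstrip(".")
    for _ in range(max_hops):
        lines = answers.get(current, [])
        ips = [t for t in lines if is_ip(t)]
        if ips:
            return ips
        targets = [t.rstrip(".") for t in lines if not is_ip(t)]
        if not targets:
            return []
        current = targets[-1]  # dig +short prints the chain in order; the last name is the target
    return []


def build_interception_plan(domains, answers, proxy_ip: str = "127.0.0.1"):
    """Return (hosts_lines, resolution_pairs, unresolved) for the given domains.
    A domain with no address is left out of the hosts file on purpose: mapping it to the
    proxy without a resolution entry would make Burp connect back to itself."""
    hosts, resolution, unresolved = [], [], []
    for domain in domains:
        ips = resolve_addresses(domain, answers)
        if not ips:
            unresolved.append(domain)
            continue
        hosts.append(f"{proxy_ip} {domain}")
        resolution.append((domain, ips[0]))
    return hosts, resolution, unresolved


def burp_hostname_resolution(pairs) -> str:
    """Render the pairs in the shape of Burp's project-options JSON export.
    ASSUMPTION: the key names (project_options.connections.hostname_resolution with
    enabled/hostname/ip_address) are recalled from Burp's export, not confirmed here."""
    entries = [{"enabled": True, "hostname": host, "ip_address": ip} for host, ip in pairs]
    return json.dumps({"project_options": {"connections": {"hostname_resolution": entries}}}, indent=2)


if __name__ == "__main__":
    captured = ["api.example-game.test", "cdn.example-game.test",
                "telemetry.example-game.test", "dead.example-game.test"]
    hosts, pairs, unresolved = build_interception_plan(captured, DIG_ANSWERS)
    print("# hosts file additions")
    print("\n".join(hosts))
    print(burp_hostname_resolution(pairs))
    print("# not mapped (no address found):", unresolved)
```

Paste the hosts lines into the hosts file from step 3 and enter each pair under Hostname Resolution; the unresolved list tells you which domains from the capture still need manual investigation before you redirect them.
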

And now you're good to go! Stay tuned for SSL pinning complexities and how to navigate them. Until then, sharpen these skills and hack ethically!

HTTPS Interception Expertise Made Manifest

We’re always amazed and proud of the expertise delivered by our security engineers and we’d expect nothing less of the incredible talent we have in our team! If you’d like to see more of Hazem’s work, check out his blog, Hacktus, or follow him on LinkedIn where he often shares his security insights.

If you’d like to get involved with Cyrex and utilize an entire team with the talent, expertise, and skill shown by Hazem, get in touch with us today for the industry leading results in penetration testing and load testing!