Hackish Way to Capture Traffic of XMPP (i.e. non-HTTP protocols) of Mobile Applications
Overview
My way to capture the non-HTTP protocol traffic of a mobile application in Burp Suite. In this blog we will see how to capture XMPP protocol traffic.
XMPP is short for Extensible Messaging and Presence Protocol. It is a protocol for streaming XML elements over a network in order to exchange messages and presence information in close to real time. This protocol is mostly used by instant messaging applications such as WhatsApp.
We will divide the blog into four parts, assuming the mobile application uses the XMPP protocol on host “xmppexampleserver.com” on port “5222”.
XMPP server :- xmppexampleserver.com
XMPP port:- 5222
- Bypass the SSL pinning of the mobile application using Frida tools.
- Route all DNS traffic of the mobile application to our DNS listener.
- Run DNSChef to fake all DNS requests for the domain to the local machine.
- Run mitm_relay.py to relay the XMPP requests and route them into Burp Suite.
Step 1. Bypass the SSL pinning of the mobile application
Most mobile applications implement SSL pinning, so we first need to bypass the SSL pinning of the mobile application in order to capture the XMPP traffic in the clear.
Note:- You can use any method to bypass the SSL pinning.
I personally prefer Universal Android SSL Pinning Bypass with Frida:
$ frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY
Assuming that the application's SSL pinning is now bypassed, let's route the DNS traffic of the mobile application to our DNS listener.
Step 2. Route Mobile DNS Traffic
1. Go to Settings, tap Network & Internet, then WiFi, then WiFi Advanced Options, and select the Static IP setting.
2. Set the static IP and configure a custom DNS server with the Kali machine's IP address (192.168.31.178).
Mobile IP:- 192.168.31.173
Kali IP:- 192.168.31.178 (which is set as the DNS server)
Step 3. Running DNSChef on the Kali Machine
Now, to fake the DNS answers for the domain “xmppexampleserver.com” so that they point to our local server, we use DNSChef with the command below.
Every request for the domain xmppexampleserver.com will be answered with the Kali machine's IP “192.168.31.178”:
sudo dnschef -i 192.168.31.178 --fakedomains xmppexampleserver.com --fakeip 192.168.31.178
Step 4. Relay the XMPP traffic into Burp Suite
Now that all DNS requests for “xmppexampleserver.com” resolve to our Kali machine, we need to relay the XMPP messages arriving on port 5222 to Burp Suite. For that we use mitm_relay, which lets you intercept non-HTTP protocols through Burp or a similar proxy tool.
Run the command below:
sudo python mitm_relay.py -l 0.0.0.0 -r 5222:xmppexampleserver.com:5222 -p 192.168.31.101:9090
Where `-l 0.0.0.0` is the local address mitm_relay listens on, `-r 5222:xmppexampleserver.com:5222` relays local port 5222 to port 5222 of the real XMPP server, and `-p 192.168.31.101:9090` is the proxy listener (Burp Suite) through which each relayed message is passed so it can be viewed and modified.
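To make clear what the relay step actually does on the wire, here is a stripped-down TCP relay written as an added example for this post; it is not mitm_relay's code and is not part of the original article. It listens on a local port, opens a connection to the upstream host, copies bytes in both directions, and records every chunk with its direction in a list. mitm_relay does the same copying but hands each chunk to the configured proxy so it shows up in Burp; this example only keeps the chunks in memory. The fake XMPP server, the stream header and the reply are constructed sample data, and `demo()` runs the whole exchange on 127.0.0.1 with ephemeral ports so it works offline.

```python
import socket
import threading

# Constructed sample data: an XMPP stream opener as a client would send it,
# and the reply a server would give (the id value is made up for the demo).
FAKE_STREAM_OPEN = (
    b"<?xml version='1.0'?><stream:stream to='xmppexampleserver.com' "
    b"xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' "
    b"version='1.0'>"
)
FAKE_STREAM_REPLY = (
    b"<?xml version='1.0'?><stream:stream from='xmppexampleserver.com' "
    b"id='demo-1' xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
)


def pump(src, dst, direction, log):
    """Copy bytes from src to dst until EOF, logging each chunk with its direction."""
    while True:
        data = src.recv(4096)
        if not data:
            break
        log.append((direction, data))   # this is where mitm_relay would hand the chunk to Burp
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)    # propagate the EOF to the other side
    except OSError:
        pass


def handle_client(client, remote_host, remote_port, log):
    """Connect to the real server and relay both directions until both sides close."""
    upstream = socket.create_connection((remote_host, remote_port))
    to_server = threading.Thread(target=pump, args=(client, upstream, "c2s", log))
    to_client = threading.Thread(target=pump, args=(upstream, client, "s2c", log))
    to_server.start()
    to_client.start()
    to_server.join()
    to_client.join()
    client.close()
    upstream.close()


def start_relay(listen_host, listen_port, remote_host, remote_port, log):
    """Start the relay listener in a background thread; returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed, stop accepting
                return
            threading.Thread(target=handle_client,
                             args=(conn, remote_host, remote_port, log),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_fake_xmpp_server():
    """Constructed stand-in for xmppexampleserver.com: answers one stream opener and closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(FAKE_STREAM_REPLY)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run client -> relay -> fake server and return (bytes the client got, relay log)."""
    log = []
    upstream_port = start_fake_xmpp_server()
    relay = start_relay("127.0.0.1", 0, "127.0.0.1", upstream_port, log)
    relay_port = relay.getsockname()[1]
    received = b""
    with socket.create_connection(("127.0.0.1", relay_port)) as client:
        client.sendall(FAKE_STREAM_OPEN)
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    relay.close()
    return received, log


if __name__ == "__main__":
    reply, chunks = demo()
    for direction, data in chunks:
        print(direction, len(data), "bytes:", data[:60])
```

In the real setup the "client" is the phone, whose DNS answer from DNSChef points it at the Kali box, `remote_host` is the genuine xmppexampleserver.com, and the log entries are what Burp displays. If the application opens TLS on top of the stream (STARTTLS), a relay like this only sees ciphertext, which is why the pinning bypass in Step 1 matters.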
Step 5. Generate traffic
Now go to the mobile application and create some traffic; you will see the XMPP requests in Burp Suite, similar to the capture below.
Conclusion
The steps above are not limited to capturing XMPP traffic; the same approach can be used to capture any non-HTTP protocol traffic of a mobile application.