[TOOL][HTTP/HTTPS analyzer]SandroProxy

SandroBSupp · Jun 27, 2012

Proxy, http analyzer, mitm, transparent proxy

NO NEED FOR ROOTED PHONE

Why would you use it:
- behind corporate firewall/proxy, needing to connect to squid, isa/forefront proxy with authentication
http://code.google.com/p/sandrop/wiki/HowToConnectToOtherProxy
- developer to examine http traffic, with embedded chrome devtools that can be used as ide
- security analyst examining how apps communicate with servers
- ...

Features:
- can act as pass-through proxy, traffic is not stored, ssl tunnel remains the same to server.
- capture,intercept request/response, replay, change before sending further
- can use client certificate to make connection to web server
- creates server certificates on the fly with proper host name
- transparent proxy needs superuser, su, iptables (1.4.10 or higher) to listens on port 80, 443
- request/response are stored as files so can be examined later on
- can bind only local or on all adapters
- client cache headers can be removed so content is always fetched from server (no 304 Not Modified responses)
- custom proxy plugins http://code.google.com/p/sandrop/issues/detail?id=31
- custom search criteria on show request/responses with scripting
- can connect to another proxy (Squid, ISA proxy, ForeFront TMG proxy) (basic, digest, ntlm authentication supported)
- can act as web server to filter/examine captured data
- can connect to insecure sites, switch on/off in preferences
- can use chrome devtools to examine captured data
- chorme devtools 3D panel
- websockets support

!!!!
there are ads on log tab and google analytic events on switching tabs
sorry for that
!!!!

custom proxy plugins:

manual requests:

market.android.com/details?id=org.sandroproxy

http://code.google.com/p/sandrop/

Proxy acts as SSL man-in-the-middle. It generates sites certificates on the fly.
Issuer is named UNTRUSTED.
Based on WebScarab so all credits goes there.
www.owasp.org/index.php/Category:eek:WASP_WebScarab_Project

********************
Requests/Responses are stored in getExternalCacheDir()

/mnt/sdcard/Android/data/org.sandroproxy/cache

http://developer.android.com/reference/android/content/Context.html#getExternalCacheDir()

There is no security enforced with these files. All applications can read and write files placed here.

********************

Use stock browser and change that wi-fi uses proxy on localhost:8008
code.google.com/p/sandrob/issues/detail?id=41#c27

Copy from app thread, because it can also be used as development tool.
For example to store application/server http/https comunication.

john9 · Jun 27, 2012

This is sweet, good job!

soulbkd · Jun 28, 2012

wow.. this is what I'm looking for...! thanks, downloading it.

is it tracking request from internet browser only or any request from every app and any protocol maybe? in spite of the title HTTP/HTTPS analyzer

SandroBSupp · Jun 28, 2012

Just for http/https.

It can act as
proxy -> you must specify proxy in browser settings
transparent proxy -> you must somehow change where tcp packets are going (iptables)
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

Now I am working on tab where redirection on phone can be done from gui for all processes that have network permissions.
It creates iptable rules as:
iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009

But still long way to make it work properly...

SandroBSupp · Jun 28, 2012

It can track any app that uses http/https.
Not quite sure about ports. Probably just 80/433 but I could change that can be value in preferences.

SandroBSupp · Jun 30, 2012

New feature: gui for process->trasparent proxy redirection

It activated additional iptables rules so the process is redirected to transparent proxy.

iptables -t nat -A OUTPUT -m owner --uid-owner <xxxxx> -p tcp --dport 80 -j DNAT --to 127.0.0.1:8009

SandroBSupp · Jul 4, 2012

new feature: browser cache on/off

There is setting that removes browser cache headers.

chareos12 · Jul 9, 2012

dumb question: would your app help to make gTalk work on corporate networks protected by Forefront ?

Many thanks

SandroBSupp · Jul 9, 2012

Sorry, not yet.
Probably you need NTLM authentication to proxy?
Chaining Sandroproxy to ntlm proxy is on the list of future features.

MemoryController · Jul 10, 2012

I can't find it on the Market/Play crap.
Device: GT-i9100 on 4.0.3 rooted. Country: Greece
Current Operator:Vodafone GR, tried also with GR COSMOTE. Any ideas?

Pons · Jul 10, 2012

MemoryController said:
I can't find it on the Market/Play crap.
Device: GT-i9100 on 4.0.3 rooted. Country: Greece
Current Operator:Vodafone GR, tried also with GR COSMOTE. Any ideas?

I'm assuming you clicked on he link in the OP? Have you tried searching the Play Store from a browser while logged into Google? It will tell you if your device is compatible or not.

SandroBSupp · Jul 11, 2012

It should work on all devices from 2.3 OS up.

SandroBSupp · Jul 16, 2012

New feature: user custom proxy plugins

You can make your own custom plugin to handle http request/response flow

http://code.google.com/p/sandrop/issues/detail?id=31#c3

SandroBSupp · Jul 24, 2012

New feature: user custom CA certificate, import CA to android store

User can set custom CA for generating site certificates.
Or use generated one.
Password can be set. if not, default ("password") will be used.
There is option to store SandroProxy certificate in android store.
If custom, not generated is used, be careful that it contains BasicConstraints with isCA flag set to true.
Otherwise will not be recognised as CA certificate.

SandroBSupp · Jul 26, 2012

New feature: user custom search critera on show request/responses

User can specify with scripting (BeanShell) which request/responses are show on the list

http://code.google.com/p/sandrop/issues/detail?id=23

Publiuss · Aug 6, 2012

It does nothing...

Hi

I'm on a rooted xperia SK17i, I set it as transparent proxy, but it does collect nothing, does not display any app...

Should I use an external proxy app to redirect traffic on a specific port (for ex. 8008) on which sandroproxy is listening?

SandroBSupp · Aug 6, 2012

Transparent proxy setup for app

How to redirect app on device to local sandroproxy:
1. first you check on which app would you like to redirect to transparent proxy. APPS tab
2. check in preferences that transparent proxy is enabled. Transparent proxy = ON
3. check version of iptables. It should not be 1.3.x because have problems with nat table.
----You can fix iptables with this app from market
----https://play.google.com/store/apps/details?id=com.mgranja.iptables
4. start proxy

You can check iptables rules when proxy is active with Info Menu action.
Or from adb shell:
iptables -L
iptables -t nat -L

Publiuss said:
Hi

I'm on a rooted xperia SK17i, I set it as transparent proxy, but it does collect nothing, does not display any app...

Should I use an external proxy app to redirect traffic on a specific port (for ex. 8008) on which sandroproxy is listening?

Losik · Aug 7, 2012

Tried this on ICS9, iptables -V = 1.4.x, transparent proxy
HTTP traffic is pushing through the App with no problems. But HTTPS traffic capturing seems like not working...
Saw some FIX ME! comments in the log, maybe that's the reason?...

Attaching iptables -L -t nat command

SandroBSupp · Aug 7, 2012

Capturing https is more tricky. It can be done but with some additional stuff.
When app make ssl request it states hostname.
If ssl server side certificate is not for the same hostname, by default connection is not trusted and dropped.

Sandroproxy has in settings that you can state name for generated certificate.
http://code.google.com/p/sandrop/issues/detail?id=40

Also you should put sandroproxy CA to android store.
http://code.google.com/p/sandrop/issues/detail?id=2

You can test if app will work if you make same request from browser and no popup that something is wrong with ssl appears.
If you redirect browser (native, opera, ...) to sandroproxy, and click continue on ssl popup, it will proceed.

To find out what kind of request app makes on ssl you should check in /proc/kmsg where iptables puts some info.
Or with this app.
https://play.google.com/store/apps/details?id=com.googlecode.networklog

FIX ME is from iptables command and will probably be gone in some new version.

Losik said:
Tried this on ICS9, iptables -V = 1.4.x, transparent proxy
HTTP traffic is pushing through the App with no problems. But HTTPS traffic capturing seems like not working...
Saw some FIX ME! comments in the log, maybe that's the reason?...
Attaching iptables -L -t nat command

Losik · Aug 7, 2012

Unfortunately...
I verified hostname by the NetworkLog app that you gave me... set it up in SandroProxy, checked HTTPS next to App, started service, exported and loaded sandroproxy CA... but app doesn't let me through, anyway. In Logs, app seems like trying to change SSL, maybe succeeds, maybe fails, I don't know:

Code:

Reading reqest from browser
Finished negotiating SSL - algorithm is SSL_RSA_WITH_RC4_128_MD5
Intercepting SSL connection!

However, browser works, and says certificate is valid for that hostname.
So... something's wrong with SSL. I guess I'll have to find other ways around (

Anyway, thanks for trying to help me, I ~~appreciate~~ donate it.

[TOOL][HTTP/HTTPS analyzer]SandroProxy

Senior Member

Senior Member

Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Senior Member

Member

Attachments

Senior Member

Member

Similar threads

Top Liked Posts