-1

I'm trying to find out a specific request from an android application to its API server. Using Burp Suite, I get a handshake failure alert. Using fiddler it asks me to provide a custom certificate.

[screenshot: Fiddler pop-up asking for a client certificate]

Now I have used apktool to de-compile the application, and I have found these files:

  • arsalan-ha.quizofkings.com.pem
  • certificate.crt
  • private_key.pfx
  • root-ca.crt
  • x1.pfx

But they don't look like certificates. They are secrets used to generate certificates most likely, if I'm correct.

I've uploaded the files here

Could I use these secrets (if they are), to generate certificates and try one by one?

7
  • 2
    Why do you think those certificate files are not certificates? Commented Mar 2, 2020 at 17:12
  • @schroeder passing them to Burp gives error of invalid length, also their contents are not what I have seen as an ssl certificate. Commented Mar 2, 2020 at 17:14
  • They are encoded ... Commented Mar 2, 2020 at 17:20
  • @schroeder are there any tools to help me find out the encryption algorithm? Commented Mar 2, 2020 at 17:37
  • I said "encoded" not "encrypted" Commented Mar 2, 2020 at 17:39

2 Answers

4

Sounds like a good excuse for you to read up on certificate file formats, and spend some time with openssl or another cert viewer (personally I like KeyStore Explorer) until you figure out what format those files are in, and what format Burp is expecting.

For a client cert, usually Burp wants the certificate + matching private key bundled together into a single .p12 file. I'm not going to download your files because security, but my guess is that you will need to combine certificate.crt + private_key.pfx into a single .p12 file using openssl / KeyStore Explorer. If private_key.pfx is a password-protected file, then you may need to do some more reverse-engineering of the application binary to find that password.

3
  • Thanks for the details, file contents are much alike as of format. This is what "certificate.crt" has for example: i.ibb.co/7SyVm54/cer.png What tools would help me reverse-engineer more? Sorry for the trouble. Commented Mar 2, 2020 at 17:45
  • These are binary files, not text files, so Notepad won't know how to render it. As I said above, my favourite tool for working with certificate files is KeyStore Explorer. The openssl command-line util is also a good choice Commented Mar 2, 2020 at 18:54
  • I asked a question here to explain the difference between certificates and private keys: security.stackexchange.com/q/226747/61443 Commented Mar 3, 2020 at 18:36
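The steps this answer sketches (work out what encoding each file uses, then combine the certificate with its private key into one .p12 for Burp) can be carried out with the openssl CLI alone. The script below is an added example and is not code from the answer, its author, or the application in the question; it assumes only that `openssl` is on PATH, and every file it touches is a throwaway self-signed certificate and key it generates itself, standing in for files like certificate.crt and private_key.pfx.

```shell
#!/bin/sh
# Added example, not code from the original answer or its author.
# Assumes only that the openssl CLI is on PATH; every file here is
# constructed on the fly, so nothing from the app in the question is used.
set -e

# identify_cert_file FILE
# Probes the encodings an app might ship: PEM or DER X.509 certificate,
# a PEM/DER private key, or a PKCS#12 bundle (with or without a password).
identify_cert_file() {
  f="$1"
  if openssl x509 -in "$f" -inform PEM -noout >/dev/null 2>&1; then
    echo pem-cert
  elif openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
    echo der-cert
  elif openssl pkey -in "$f" -inform PEM -noout >/dev/null 2>&1; then
    echo pem-key
  elif openssl pkey -in "$f" -inform DER -noout >/dev/null 2>&1; then
    echo der-key
  elif openssl pkcs12 -in "$f" -info -noout -passin pass: >/dev/null 2>&1; then
    echo pkcs12
  else
    # A PKCS#12 file with a real password fails the MAC check with an
    # empty password; that failure is itself the sign that the file is
    # PKCS#12 and that the password has to be recovered before import.
    err="$(openssl pkcs12 -in "$f" -info -noout -passin pass: 2>&1 || true)"
    case "$err" in
      *"Mac verify error"*|*"mac verify failure"*) echo pkcs12-password-protected ;;
      *) echo unknown ;;
    esac
  fi
}

# bundle_p12 CERT KEY OUT PASSWORD
# Combines a certificate and its matching private key into the single .p12
# that Burp's client-certificate dialog accepts, then reads the certificate
# back out of the bundle and prints its subject so the caller can confirm it.
bundle_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -name client -passout "pass:$4"
  openssl pkcs12 -in "$3" -passin "pass:$4" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# make_test_material DIR
# Constructed sample data: a throwaway self-signed certificate and key,
# stored once as PEM and once as DER (DER is what a .crt opened in Notepad
# shows as "binary garbage").
make_test_material() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-client" \
    -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
  openssl x509 -in "$d/cert.pem" -outform DER -out "$d/cert.der"
  openssl pkey -in "$d/key.pem" -outform DER -out "$d/key.der"
}

# Stand-alone demo: classify each constructed file, then build the .p12.
WORK="$(mktemp -d)"
make_test_material "$WORK"
for f in "$WORK"/*; do
  printf '%s: %s\n' "$(basename "$f")" "$(identify_cert_file "$f")"
done
bundle_p12 "$WORK/cert.pem" "$WORK/key.pem" "$WORK/client.p12" changeit
printf 'client.p12: %s\n' "$(identify_cert_file "$WORK/client.p12")"
```

Run it as `sh identify.sh`; point `identify_cert_file` at the real files instead of the generated ones to learn which of them are DER certificates, which are keys, and which are PKCS#12 containers that still need their password. Trying one wrong `-inform` after another is exactly what produces the "invalid length" style errors Burp reported, which is why the probe tries each parser in turn rather than guessing from the file extension.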
1

I was able to extract the certificate and password with the help of running Frida server on a rooted Android >= 4.2 device and then running a script after attaching to the application.

Here's the link to the related script tutorial: http://ceres-c.it/frida-android-keystore/

Note:

There was no need to use keytool to re-generate the certificate, as mentioned at the end of the article, because it was already a PKCS12 certificate, which is enough to import into Burp's Client SSL Certificates.

After that the application's server accepted the requests.

Hope it helps others.

1
  • Thanks for the script, managed to get a client cert from an app I was debugging! The link doesn't seem to work anymore, the full URL now is ceres-c.it/2018/12/16/frida-android-keystore Commented Sep 12, 2022 at 16:35
