Brook and mitmproxy for mobile app deep packet capture

https://www.txthinking.com/talks/
Updated at: 2023-05-21

Why not capture packets by configuring the system proxy

Because many apps can choose to bypass the system proxy. For details, you can view this article.

A few years ago we made the mitmproxy helper application, sale $9.9.

Now Brook supports very powerful scripts, which can easily achieve the same functions as the above App through scripts. You save $9.9.

Brook independently captures and modifies packets

In fact, Brook can also capture and modify packets independently without relying on any other software. You can view this article.

Why you should choose a professional tool like mitmproxy for packet capture

Read here

Step 1: Install mitmproxy on your computer and run it

mitmproxy -m socks5 --rawtcp --listen-port 8080

This will create a socks5 with port 8080

Because mitmproxy only supports HTTP/1.1 and HTTP/2 packet capture; it does not support UDP and certainly does not support HTTP/3.

So we have to use scripts to block the UDP of domainaddress, and let the UDP of ipaddress directly connect or block UDP, or skip some addresses that cannot be caught. In actual combat, we need to analyze it according to the specific situation.

Step 2: Install Brook on your mobile

Config and Connect Brook

• Add the socks5 server created by mitmproxy
• Fake DNS: On
• Block: Off
• Bypass: Off
• Programmable: On

• Script:

  text := import("text")
  
  f := func(){
  if in_dnsquery {
      // block secure dns
      if in_dnsquery.domain == "dns.google" {
          return {block: true}
      }
      // block ipv6, if your server or local does not support ipv6
      if in_dnsquery.type == "AAAA" {
          return {block: true}
      }
  }
  if in_address {
      m := in_address
      if m.ipaddress {
          // block secure dns
          if m.ipaddress == "8.8.8.8:853" || m.ipaddress == "8.8.8.8:443" || m.ipaddress == "8.8.4.4:853" || m.ipaddress == "8.8.4.4:443" || m.ipaddress == "[2001:4860:4860::8888]:853" || m.ipaddress == "[2001:4860:4860::8888]:443" || m.ipaddress == "[2001:4860:4860::8844]:853" || m.ipaddress == "[2001:4860:4860::8844]:443" {
              return { "block": true }
          }
          // block or bypass udp
          if m.network == "udp" {
              return { bypass: true } // or { block : true }
          }
      }
      if m.domainaddress {
          // block secure dns
          if text.has_prefix(m.domainaddress, "dns.google:") {
              return { "block": true }
          }
          // block udp
          if m.network == "udp" {
              return { block: true }
          }
      }
  }
  }
  out := f()
  

This script blocks secure DNS, blocks IPv6 AAAA, blocks UDP of domainaddress, and allows direct connection of UDP of ipaddress. The script is here.

Step 3

Visit http://mitm.it with your mobile phone to install the CA certificate of mitmproxy

Step 4

Then open the app you want to capture packets

Video

TODO

---

Comments