Capturing HTTPs traffic

If you’ve already captured plain HTTP traffic, you may be interested in capturing HTTPs as well. Make sure the interceptor host is configured to act as a router and that you’ve added the appropriate firewall rules for both port 80 and port 443.

In order to capture HTTPs traffic, Hyperfox needs to decrypt the legitimate SSL communications with the original host and then encrypt them again before serving them to the target. For each host, Hyperfox will generate a certificate and key signed with the provided root CA certificate (-c) and key (-k).

Intercepting SSL

Chances are you don’t have access to a universally trusted root CA certificate and key, so most targets will get suspicious and will interrupt the connection. To keep the target from rejecting the connection, a bogus root CA must be manually installed on it and marked as trusted.

Hyperfox provides a ready-to-use root CA certificate that you can feed to your devices. Consult the instructions for installing certificates on the target OS, and be sure to remove the certificate after your capture session is finished.

In order to start capturing SSL traffic, provide a root CA certificate and key to Hyperfox so that it enables both HTTP and HTTPs modes (if you’re on Windows, remember to use the -s 443 switch).

mkdir -p ssl
wget https://raw.githubusercontent.com/malfunkt/hyperfox/master/ssl/rootCA.crt -O ssl/rootCA.crt
wget https://raw.githubusercontent.com/malfunkt/hyperfox/master/ssl/rootCA.key -O ssl/rootCA.key

hyperfox -c ssl/rootCA.crt -k ssl/rootCA.key
# ...
# 2014/12/31 11:58:10 Listening for incoming HTTP client requests on 0.0.0.0:1080.
# 2014/12/31 11:58:10 Listening for incoming HTTPs client requests on 0.0.0.0:10443.

To make the target send packets intended for the router to us instead, we use arpfox, a tool that you can download from https://github.com/malfunkt/arpfox.

sudo arpfox -i $HYPERFOX_IFACE -t $HYPERFOX_TARGET \
$HYPERFOX_GW

Once the target starts sending traffic to the host machine, the host will in turn redirect traffic on ports 80 and 443 to Hyperfox and we’ll be able to capture everything.

Installing Hyperfox’s root CA certificate on iOS devices

Load the hyperfox.org website with your device and browse to this page.

Viewing hyperfox.org on an iPad

Touch the rootCA.crt link on your device; an installation dialog will be shown.

Installing rootCA 1

Click the install button at the top right corner of the dialog:

Installing rootCA 2

You’ll need owner privileges, of course:

Entering password

Be sure to remove the certificate when the capture is done:

Removing certificate

Once Hyperfox’s root CA certificate is installed, most apps (like Safari) will trust any HTTPs site served by Hyperfox, but please note that some high-profile apps (such as the Twitter app) don’t actually rely on the system’s trusted certificates and carry an embedded copy of the legitimate certificates instead. You won’t be able to sniff traffic for such apps without cracking the app on a rooted device.

Installing Hyperfox’s root CA certificate on Android devices

Download the rootCA.crt and send it to your Android device as an attachment via e-mail.

Sending cert via e-mail

Once the e-mail arrives on the device, open the attachment; an installation dialog will be shown.

Installing cert

Give it a name and touch OK to mark the certificate as trusted. You can review your trusted certificates by touching Trusted Credentials in the Settings app.

Installing cert

Be sure to remove the certificate when the capture is done.

Removing cert

Once Hyperfox’s root CA certificate is installed, most apps (like Chrome) will trust any HTTPs site served by Hyperfox, but please note that some high-profile apps (such as the Twitter app) don’t actually rely on the system’s trusted certificates and carry an embedded copy of the legitimate certificates instead. You won’t be able to sniff traffic for such apps without cracking the app on a rooted device.
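The iOS and Android notes above both point out why an embedded (pinned) certificate defeats this kind of interception even after the bogus root is installed. The following Go program is an added illustration, not part of Hyperfox or the Hyperfox docs: it mints a constructed root CA and an example.com leaf the way a proxy does, adds that root to a trust pool as if the user had installed it, and shows that the trust store accepts the leaf while an SPKI pin on the genuine key does not. All names and keys are generated in-process; the `issue`, `spkiPin`, `pinAccepts` and `Scenario` helpers are this example’s own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue mints a certificate for cn: self-signed when parent is nil (a root CA), otherwise
// signed by parent, the way an interception proxy creates per-host leaves on the fly.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	signer, skey := tmpl, key
	if parent != nil {
		signer, skey = parent, pkey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, skey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning app embeds at build time.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// pinAccepts is the core of a tls.Config.VerifyPeerCertificate callback: the leaf passes only if its key matches the pin.
func pinAccepts(leaf *x509.Certificate, pin [32]byte) bool { return spkiPin(leaf) == pin }
// Scenario returns (trustStoreAccepts, pinAccepts) for an example.com leaf minted by an
// interception root the user has installed as trusted. All names here are constructed.
func Scenario() (bool, bool) {
	legitCA, legitKey := issue("legit-root.invalid", true, nil, nil)
	legitLeaf, _ := issue("example.com", false, legitCA, legitKey)
	bogusCA, bogusKey := issue("interception-root.invalid", true, nil, nil)
	bogusLeaf, _ := issue("example.com", false, bogusCA, bogusKey)
	pool := x509.NewCertPool()
	pool.AddCert(bogusCA) // the manually installed, "trusted" interception CA
	_, err := bogusLeaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "example.com"})
	return err == nil, pinAccepts(bogusLeaf, spkiPin(legitLeaf))
}
func main() { fmt.Println(Scenario()) } // prints "true false"
```

The same contrast is why removing the bogus root after a capture matters: any leaf it ever signed stays acceptable to the trust store for as long as the root remains installed.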