# Install Burp Certificate

{{#include ../../banners/hacktricks-training.md}}

## On a Virtual Machine

First of all you need to download the Der certificate from Burp. You can do this in _**Proxy**_ --> _**Options**_ --> _**Import / Export CA certificate**_

![](<../../images/image (367).png>)

**Export the certificate in Der format** and let's **transform** it into a form that **Android** is going to be able to **understand.** Note that **in order to configure the burp certificate on the Android machine in AVD** you need to **run** this machine **with** the **`-writable-system`** option.\
For example you can run it like:

```bash
C:\Users\\AppData\Local\Android\Sdk\tools\emulator.exe -avd "AVD9" -http-proxy 192.168.1.12:8080 -writable-system
```

Then, to **configure burp's certificate do**:

```bash
openssl x509 -inform DER -in burp_cacert.der -out burp_cacert.pem
CERTHASHNAME="`openssl x509 -inform PEM -subject_hash_old -in burp_cacert.pem | head -1`.0"
mv burp_cacert.pem $CERTHASHNAME #Correct name
adb root && sleep 2 && adb remount #Allow to write on /system
adb push $CERTHASHNAME /sdcard/ #Upload certificate
adb shell mv /sdcard/$CERTHASHNAME /system/etc/security/cacerts/ #Move to correct location
adb shell chmod 644 /system/etc/security/cacerts/$CERTHASHNAME #Assign privileges
adb reboot #Now, reboot the machine
```

Once the **machine finishes rebooting** the burp certificate will be in use!

## Using Magisk

If you **rooted your device with Magisk** (maybe an emulator), and you **can't follow** the previous **steps** to install the Burp cert because the **filesystem is read-only** and you cannot remount it writable, there is another way.

Explained in [**this video**](https://www.youtube.com/watch?v=qQicUW0svB8) you need to:

1. **Install a CA certificate**: Just **drag&drop** the DER Burp certificate **changing the extension** to `.crt` in the mobile so it's stored in the Downloads folder and go to `Install a certificate` -> `CA certificate`
- Check that the certificate was correctly stored by going to `Trusted credentials` -> `USER`
2. **Make it System trusted**: Download the Magisk module [MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) (a .zip file), **drag&drop it** in the phone, go to the **Magisk app** in the phone to the **`Modules`** section, click on **`Install from storage`**, select the `.zip` module and once installed **reboot** the phone:
- After reboot, go to `Trusted credentials` -> `SYSTEM` and check that the PortSwigger certificate is there
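The `CERTHASHNAME` computed with `openssl x509 -subject_hash_old` in the emulator section above is the file name the Android system store keys on. The following added example (not part of the original page) reproduces that hash in pure Python so you can confirm the expected name before pushing, or check which file on a device belongs to a given CA; the DER certificate it feeds itself is constructed inline and is not a real Burp certificate.

```python
import hashlib

def der_tlv(buf: bytes, pos: int):
    """Decode the DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_der(cert_der: bytes) -> bytes:
    """Return the raw DER bytes of the certificate's subject Name."""
    _, pos, _ = der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _ in range(4):                     # serialNumber, signature, issuer, validity
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, end = der_tlv(cert_der, pos)   # subject
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE; not a DER certificate?")
    return cert_der[pos:end]

def android_cert_filename(cert_der: bytes) -> str:
    """OpenSSL's subject_hash_old (first 4 MD5 bytes of the subject DER, read
    little-endian) as 8 hex digits plus '.0': the name Android's system store expects."""
    md = hashlib.md5(subject_der(cert_der)).digest()
    return f"{int.from_bytes(md[:4], 'little'):08x}.0"

# --- constructed sample input (not a real Burp certificate) -----------------
def tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128             # short-form length is enough for the sample
    return bytes([tag, len(value)]) + value

def name_cn(cn: str) -> bytes:
    """X.501 Name holding a single CN (OID 2.5.4.3) PrintableString."""
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

# tbsCertificate up to the subject; SPKI, extensions and the outer signature are
# omitted because only the subject feeds the hash.
SAMPLE_TBS = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")        # v3, serial 1
              + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
              + name_cn("Example CA")                                      # issuer
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
              + name_cn("Example CA"))                                     # subject
SAMPLE_CERT_DER = tlv(0x30, tlv(0x30, SAMPLE_TBS))
```

On a real export, `android_cert_filename(open("burp_cacert.der", "rb").read())` must match `openssl x509 -inform DER -noout -subject_hash_old -in burp_cacert.der` with `.0` appended.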
## After Android 14

In the latest Android 14 release, a significant shift has been observed in the handling of system-trusted Certificate Authority (CA) certificates. Previously, these certificates were housed in **`/system/etc/security/cacerts/`**, accessible and modifiable by users with root privileges, which allowed for immediate application across the system. However, with Android 14, the storage location has been moved to **`/apex/com.android.conscrypt/cacerts`**, a directory within the **`/apex`** path, which is immutable by nature.

Attempts to remount the **APEX cacerts path** as writable are met with failure, as the system does not allow such operations. Even attempts to unmount or overlay the directory with a temporary file system (tmpfs) do not circumvent the immutability; applications continue to access the original certificate data regardless of changes at the filesystem level. This resilience is due to the **`/apex`** mount being configured with PRIVATE propagation, ensuring that any modifications within the **`/apex`** directory do not affect other processes.

The initialization of Android involves the `init` process, which, upon starting the operating system, also initiates the Zygote process. This process is responsible for launching application processes with a new mount namespace that includes a private **`/apex`** mount, thereby isolating changes to this directory from other processes.

Nevertheless, a workaround exists for those needing to modify the system-trusted CA certificates within the **`/apex`** directory. This involves manually remounting **`/apex`** to remove the PRIVATE propagation, thereby making it writable. The process includes copying the contents of **`/apex/com.android.conscrypt`** to another location, unmounting the **`/apex/com.android.conscrypt`** directory to eliminate the read-only constraint, and then restoring the contents to their original location within **`/apex`**. This approach requires swift action to avoid system crashes.
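The workaround described above leaves a recognisable footprint: a `tmpfs` mounted on `/system/etc/security/cacerts` and a bind mount on `/apex/com.android.conscrypt/cacerts` inside each app's mount namespace. As an added example that is not part of the original page, the following Python reads a process's `/proc/<pid>/mountinfo` and flags exactly that; the mountinfo lines are constructed for illustration, and the check assumes that on an unmodified device neither directory is a mount point of its own.

```python
# Mount points the Android 14 technique touches: tmpfs goes over the legacy
# system store, and the APEX store gets a bind mount of it in each namespace.
WATCHED = ("/system/etc/security/cacerts", "/apex/com.android.conscrypt/cacerts")

def parse_mountinfo(text: str):
    """Parse /proc/<pid>/mountinfo lines into dicts.
    Line layout: id parent maj:min root mountpoint opts [optional ...] - fstype source superopts"""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")   # the lone '-' separates the two halves
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        entries.append({"root": lf[3], "mount_point": lf[4], "fstype": rf[0], "source": rf[1]})
    return entries

def ca_store_findings(text: str):
    """Return (mount_point, reason) for every watched CA directory that has a
    mount sitting directly on it, i.e. whose contents no longer come from the image."""
    findings = []
    for e in parse_mountinfo(text):
        if e["mount_point"] not in WATCHED:
            continue
        if e["fstype"] == "tmpfs":
            findings.append((e["mount_point"], "tmpfs overlay hides the on-disk store"))
        elif e["root"] != "/":   # bind mount of a subtree of another filesystem
            findings.append((e["mount_point"], f"bind mount of {e['root']} ({e['fstype']})"))
        else:
            findings.append((e["mount_point"], f"unexpected {e['fstype']} mount"))
    return findings

# Constructed sample: an app namespace after the tmpfs + bind-mount script ran.
# The first two lines are what an untouched device shows for these paths.
SAMPLE_MOUNTINFO = """\
25 1 259:3 / / ro,relatime - ext4 /dev/block/dm-0 ro
40 25 0:30 / /apex/com.android.conscrypt ro,nodev - ext4 /dev/block/loop4 ro
77 25 0:45 / /system/etc/security/cacerts rw,relatime - tmpfs tmpfs rw
78 40 0:45 / /apex/com.android.conscrypt/cacerts rw,relatime - tmpfs tmpfs rw
"""
```

To audit a live device, feed it `/proc/<pid>/mountinfo` for a Zygote and for a few app PIDs, since the injection is per namespace and a single process proves nothing about the others.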
To ensure the system-wide application of these changes, restarting `system_server` is recommended, which effectively restarts all applications and brings the system to a consistent state.

```bash
# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy

# Copy out the existing certificates
cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/

# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts

# Copy the existing certs back into the tmpfs, so we keep trusting them
mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/

# Copy our new cert in, so we trust that too
mv $CERTIFICATE_PATH /system/etc/security/cacerts/

# Update the perms & selinux context labels
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*

# Deal with the APEX overrides, which need injecting into each namespace:

# First we get the Zygote process(es), which launch each app
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
# N.b. some devices appear to have both!

# Apps inherit the Zygote's mounts at startup, so we inject here to ensure
# all newly started apps will see these certs straight away:
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
    if [ -n "$Z_PID" ]; then
        nsenter --mount=/proc/$Z_PID/ns/mnt -- \
            /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
    fi
done

# Then we inject the mount into all already running apps, so they
# too see these CA certs immediately:

# Get the PID of every process whose parent is one of the Zygotes:
APP_PIDS=$(
    echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
    xargs -n1 ps -o 'PID' -P | \
    grep -v PID
)

# Inject into the mount namespace of each of those apps:
for PID in $APP_PIDS; do
    nsenter --mount=/proc/$PID/ns/mnt -- \
        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
done
wait # Launched in parallel - wait for completion here

echo "System certificate injected"
```

### Bind-mounting through NSEnter

1. **Setting Up a Writable Directory**: Initially, a writable directory is established by mounting a `tmpfs` over the existing non-APEX system certificate directory. This is achieved with the following command:

```bash
mount -t tmpfs tmpfs /system/etc/security/cacerts
```

2. **Preparing CA Certificates**: Following the setup of the writable directory, the CA certificates one intends to use should be copied into this directory. This might involve copying the default certificates from `/apex/com.android.conscrypt/cacerts/`. It is essential to adjust the permissions and SELinux labels of these certificates accordingly.

3. **Bind Mounting for Zygote**: Using `nsenter`, one enters the Zygote's mount namespace. Zygote, being the process responsible for launching Android applications, requires this step to ensure that all applications started from now on use the newly configured CA certificates.
The command used is:

```bash
nsenter --mount=/proc/$ZYGOTE_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
```

This ensures that every new app launched will adhere to the updated CA certificate setup.

4. **Applying Changes to Running Apps**: To apply the changes to already running applications, `nsenter` is used again to enter each app's namespace individually and perform the same bind mount. The necessary command is:

```bash
nsenter --mount=/proc/$APP_PID/ns/mnt -- /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
```

5. **Alternative Approach - Soft Reboot**: An alternative method involves performing the bind mount on the `init` process (PID 1) followed by a soft reboot of the operating system with the `stop && start` commands. This approach propagates the changes across all namespaces, avoiding the need to address each running app individually. However, this method is generally less preferred due to the inconvenience of rebooting.

## References

- [https://httptoolkit.com/blog/android-14-install-system-ca-certificate/](https://httptoolkit.com/blog/android-14-install-system-ca-certificate/)

{{#include ../../banners/hacktricks-training.md}}