  • Language: Python
  • License: GNU General Publi...

Repository Details

Simple utility for sniffing decrypted HTTP/HTTPS traffic on a macOS/iOS device (either jailbroken or not)

Description

Simple pure-Python utility for sniffing decrypted HTTP/HTTPS traffic recorded by one of Apple's not-so-well-documented APIs.

Installation

python3 -m pip install -U harlogger

Profile method for macOS host

This method applies to Apple's CFNetwork profile. This profile is meant for debugging processes using the CFNetwork framework. This method doesn't include the request/response body.

Howto

Profile method for non-jailbroken devices

This method applies to Apple's CFNetwork profile. This profile is meant for debugging processes using the CFNetwork framework. This method doesn't include the request/response body.

Howto

Output should look like:

➜  harlogger git:(master) ✗ python3 -m harlogger profile
➡️️   POST https://www.bing.com/fd/ls/lsp.aspx HTTP/1.1
Accept: */*
Content-Type: text/xml
Origin: https://www.bing.com
Accept-Encoding: gzip, deflate, br
Cookie: SRCHHPGUSR=CW=414&CH=622&SW=414&SH=736&DPR=3&UTC=180&DM=1&SRCHLANG=en&HV=1634801804; _HPVN=CS=eyJQbiI6eyJDbiI6MiwiU3QiOjAsIlFzIjowLCJQcm9kIjoiUCJ9LCJTYyI6eyJDbiI6MiwiU3QiOjAsIlFzIjowLCJQcm9kIjoiSCJ9LCJReiI6eyJDbiI6MiwiU3QiOjAsIlFzIjowLCJQcm9kIjoiVCJ9LCJBcCI6dHJ1ZSwiTXV0ZSI6dHJ1ZSwiTGFkIjoiMjAyMS0xMC0yMVQwMDowMDowMFoiLCJJb3RkIjowLCJEZnQiOm51bGwsIk12cyI6MCwiRmx0IjowLCJJbXAiOjEwfQ==; SUID=M; _EDGE_S=SID=1BF42681120765EF1EA73656137A640E; _SS=SID=1BF42681120765EF1EA73656137A640E; MUID=1B0D347B85756FDD055524B284086E36; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=5B989717430E450D9314C927C97602C9&dmnchg=1; SRCHUSR=DOB=20211007; _EDGE_V=1; MUIDB=1B0D347B85756FDD055524B284086E36
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1
Referer: https://www.bing.com/
Content-Length: 458
Accept-Language: en-us

⬅️   HTTP/2.0 204 (request POST https://www.bing.com/fd/ls/lsp.aspx HTTP/1.1)
x-msedge-ref: Ref A: E5B5AE34FBA148E6BDFFBF421B940462 Ref B: VIEEDGE1816 Ref C: 2021-10-21T07:36:44Z
Date: Thu, 21 Oct 2021 07:36:44 GMT
x-cache: CONFIG_NOCACHE
Access-Control-Allow-Origin: *

Secret preference method for jailbroken devices

iOS 14.x devices contain a hidden feature for sniffing decrypted HTTP/HTTPS traffic from all processes using the CFNetwork framework into HAR format. To trigger this feature on a jailbroken device, simply place the correct configuration for com.apple.CFNetwork and trigger the com.apple.CFNetwork.har-capture-update notification. This method includes the request/response body as well.

iOS 13.x and earlier do not have this feature.

Howto

  • Put com.apple.CFNetwork.plist inside /var/mobile/Library/Preferences/
  • Restart the device
  • That's it! :) You can now just start sniffing out everything using:
    python3 -m harlogger preference

Output should look like:

➜  harlogger git:(master) ✗ python3 -m harlogger mobile preference
➡️   CFNetwork(1140) POST https://www.bing.com/fd/ls/lsp.aspx
POST /fd/ls/lsp.aspx HTTP/2.0
Accept: */*
Content-Type: text/plain
Origin: https://www.bing.com
Cache-Control: max-age=0
Content-Length: 472
Accept-Language: en-us
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1
Accept-Encoding: gzip, deflate, br
Referer: https://www.bing.com/

⬅️   CFNetwork(1140) 0
➡️   CFNetwork(1140) POST https://www.bing.com/fd/ls/lsp.aspx
POST /fd/ls/lsp.aspx HTTP/2.0
Accept: */*
Content-Type: text/xml
Origin: https://www.bing.com
Content-Length: 378
Accept-Language: en-us
Host: www.bing.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1
Referer: https://www.bing.com/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

<ClientInstRequest><Events><E><T>Event.ClientInst</T><IG>EB94C422BC394F90A876D39A790BECBC</IG><TS>1634801882467</TS><D><![CDATA[[{"T":"CI.BoxModel","FID":"CI","Name":"v2.8","SV":"4","P":{"C":1,"N":5,"I":"5iv","S":"V","M":"V+L+M+MT+E+N+C+K+BD","T":1669960,"F":0},"V":"zrpx/////////visible/+zryw/////////hidden/@p"}]]]></D></E></Events><STS>1634801882467</STS></ClientInstRequest>
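Both transcripts above share one layout: an arrow marker line (➡️ request, ⬅️ response), an optional HTTP start line, headers, a blank line, then the body when the preference method captured one. The parser below, an added example that is not part of harlogger itself, splits such a transcript into entries and reports which captured messages carry credential-bearing headers, so a capture can be reviewed or redacted before it is shared; the sample transcript is constructed and the token and example.invalid host are placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample in the shape harlogger prints for the preference method.
SAMPLE = """\
➡️   CFNetwork(1140) POST https://www.bing.com/fd/ls/lsp.aspx
POST /fd/ls/lsp.aspx HTTP/2.0
Content-Type: text/plain
Cookie: SRCHHPGUSR=CW=414; _EDGE_V=1

hello
⬅️   CFNetwork(1140) 0
➡️   CFNetwork(1140) GET https://example.invalid/api
GET /api HTTP/2.0
Authorization: Bearer not-a-real-token
Accept: */*
"""
SENSITIVE = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

@dataclass
class Entry:
    direction: str                   # "request" or "response"
    summary: str                     # text after the arrow marker
    start_line: str = ""             # e.g. "POST /fd/ls/lsp.aspx HTTP/2.0"
    headers: dict = field(default_factory=dict)
    body: str = ""

def parse_transcript(text: str) -> list:
    # Split harlogger's printed transcript into request/response entries.
    entries, cur, in_body = [], None, False
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped[:1] in ("➡", "⬅"):    # U+27A1 / U+2B05, any variation selector
            direction = "request" if stripped[0] == "➡" else "response"
            cur = Entry(direction, stripped.lstrip("➡⬅\ufe0f").strip())
            entries.append(cur)
            in_body = False
        elif cur is None:
            continue                        # shell prompt or text before the first entry
        elif in_body:
            cur.body = (cur.body + "\n" + line).strip()
        elif not stripped:
            in_body = True                  # blank line closes the header block
        elif ": " in line:
            name, value = line.split(": ", 1)
            cur.headers[name.lower()] = value
        else:
            cur.start_line = line           # the HTTP request line
    return entries

def find_sensitive_headers(entries: list) -> list:
    # (summary, header) pairs for every message carrying a credential-bearing header.
    return [(e.summary, h) for e in entries for h in e.headers if h in SENSITIVE]
```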

Enable HTTP instrumentation method

Starting with iOS 15.0, the device requires the target process to meet any of the following requirements:

  • com.apple.private.cfnetwork.har-capture-delegation entitlement
  • get-task-allow entitlement
  • com.apple.security.get-task-allow entitlement
  • OS build to be in debug mode

In order to make the device enable HAR logging, you may use pymobiledevice3 as follows:

python3 -m pymobiledevice3 developer dvt har

Now you can start sniffing using the preference method:

python3 -m harlogger preference
