Hackish Way to Capture Traffic of ‘XMPP’ (i.e. non-HTTP protocols) of Mobile Applications.


Sharan Panegav

This is my way of capturing the “non-HTTP protocol” traffic of a mobile application in Burp Suite. In this blog we will see how to capture XMPP protocol traffic.

XMPP is short for Extensible Messaging and Presence Protocol. It is a protocol for streaming XML elements over a network in order to exchange messages and presence information in close to real time. This protocol is mostly used by instant messaging applications like WhatsApp.

We will divide the blog into four parts, assuming the mobile application uses the XMPP protocol on host “xmppexampleserver.com” on port “5222”.

XMPP server :- xmppexampleserver.com
XMPP port:- 5222

Traffic flow

1. Bypass the SSL pinning of the mobile application using Frida tools.
2. Route all DNS traffic of the mobile application to a DNS listener.
3. Run DNSChef to fake all DNS requests for the domain to the local machine.
4. Run mitm_relay.py to relay the XMPP requests and route them to Burp Suite.

Most mobile applications implement SSL pinning, so we first need to bypass the SSL pinning of the mobile application before we can capture the decrypted (plaintext) XMPP traffic.

Note:- You can use any method to bypass the SSL pinning.

I personally prefer Universal Android SSL Pinning Bypass with Frida:

$ frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f YOUR_BINARY

Assuming the application's SSL pinning is now bypassed, let's route the mobile application's DNS traffic to our DNS listener.

1. Go to Settings, click on Network & Internet, then WiFi, then WiFi Advanced Options, and select the Static IP setting.

Static IP

2. Set the static IP and configure a custom DNS server with the Kali machine's IP address (192.168.31.178).

DNS routing

Mobile IP:- 192.168.31.173
Kali IP:- 192.168.31.178 (which is set as the DNS server)

Now, to fake the DNS answers for the domain “xmppexampleserver.com” so that they point at our local server, we use DNSChef with the command below.

Here every request for the domain xmppexampleserver.com is answered with the Kali machine's IP “192.168.31.178”:

sudo dnschef -i 192.168.31.178 --fakedomains xmppexampleserver.com --fakeip 192.168.31.178

“dnschef” command

Now that all DNS requests for “xmppexampleserver.com” are redirected to our Kali machine, we need to relay the XMPP messages arriving on port 5222 through Burp Suite. For that we use mitm_relay, which lets you intercept non-HTTP protocols through Burp or similar proxy tools.

Run the command below:

sudo python mitm_relay.py -l 0.0.0.0 -r 5222:xmppexampleserver.com:5222 -p 192.168.31.101:9090

“mitm_relay” command

Where:

-l 0.0.0.0 is the address mitm_relay listens on (the phone connects here because DNSChef resolved the domain to the Kali machine),
-r 5222:xmppexampleserver.com:5222 relays local port 5222 to the real server xmppexampleserver.com on port 5222 (the Kali machine itself must still resolve the real address, since only the phone's DNS is faked),
-p 192.168.31.101:9090 is the Burp Suite proxy listener that every relayed request and response is passed through.
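To make the relay step concrete, here is a minimal bidirectional TCP relay of the kind mitm_relay implements, written as an added illustration (it is not code from this post or from the mitm_relay project). The inspect hook stands in for the hand-off to Burp; the hostname and port are the post's placeholders.

```python
import select
import socket
import threading


def relay_pair(client, server, inspect, bufsize=4096):
    """Pump bytes in both directions until either side closes.

    inspect(direction, data) is called with "c2s" or "s2c" and the raw chunk;
    whatever it returns is forwarded. This is the hook where mitm_relay hands
    each chunk to Burp so it can be viewed or edited before forwarding."""
    peers = {client: (server, "c2s"), server: (client, "s2c")}
    try:
        while True:
            readable, _, _ = select.select(list(peers), [], [])
            for src in readable:
                dst, direction = peers[src]
                data = src.recv(bufsize)
                if not data:  # EOF on one side ends the whole session
                    return
                dst.sendall(inspect(direction, data))
    finally:
        client.close()
        server.close()


def make_logger():
    """Return an inspect hook that records every chunk unmodified, plus its log."""
    log = []

    def inspect(direction, data):
        log.append((direction, data))
        return data

    return inspect, log


def serve(listen_port, remote_host, remote_port, inspect):
    """Accept app connections on listen_port (where DNSChef's fake answer sends
    the phone) and relay each one to the real server. The relay host must
    resolve remote_host to its real address; only the phone's DNS is faked."""
    lsock = socket.create_server(("0.0.0.0", listen_port))
    while True:
        client, _ = lsock.accept()
        server = socket.create_connection((remote_host, remote_port))
        threading.Thread(target=relay_pair, args=(client, server, inspect),
                         daemon=True).start()


if __name__ == "__main__":
    hook, _ = make_logger()  # placeholder host/port taken from the post
    serve(5222, "xmppexampleserver.com", 5222, hook)
```

Unlike mitm_relay, this version does not speak to Burp; replace the logging hook with one that forwards each chunk to a proxy if you want the same workflow.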

Now generate some traffic in the mobile application and you will see the XMPP requests in Burp Suite, similar to the screenshot below.

XMPP Traffic

The steps above are not limited to capturing XMPP traffic; the same approach can be used to capture the traffic of any non-HTTP protocol a mobile application uses.

Tags: frida, DNSChef, mitm_relay, xmpp-protocol

InfoSec Enthusiast, Bug Hunter, Dota 2 Addict.

Research and learning never ends we keep moving forward, opening new doors, and doing new things, because we’re curious and curiosity keeps leading us down new paths.
