How to intercept traffic from Java applications

Intercept Java traffic with Javasnoop

During a security assessment you may need to monitor the traffic of a Java application and also to modify it. What can you do? What if the application uses SSL/TLS and even SSL pinning? We found a very useful tool which helped us in this type of situation.

JavaSnoop

JavaSnoop is a tool developed by Aspect Security with the purpose of helping people intercept Java function calls (e.g. toString) inside Java applications. It allows you to attach to a running process and intercept any Java function call, view and modify the parameter values, print the stack trace or save all function calls to a file.

JavaSnoop allows you to browse all Java classes and all functions used by the target application. You then choose the right function from the right class to hook, in order to intercept the function call and its parameters. For example, you may consider functions that send, receive, hash or encrypt data, because hooking them lets you intercept and modify sensitive data before it is transformed.

Installation

Download JavaSnoop: https://javasnoop.googlecode.com/files/JavaSnoop-1.1-RC2.zip

Download and install JDK 1.6: http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html#jdk-6u45-oth-JPR (you may have problems if you run JavaSnoop with newer Java versions)

It is possible to use this tool on Windows, Linux and Mac, but in this article we will present only the Windows installation.

The official “startup.bat” file that comes with JavaSnoop has some problems that prevent the application from starting successfully (it uses the “JAVA_HOME” environment variable and some Registry information incorrectly). That is why we modified the “startup.bat” file to fix these problems. You can download our modified file from this link: startup.zip

To start JavaSnoop, follow the next steps:

  1. start “cmd” as Administrator, in order to be able to inject into any process
  2. go to the JavaSnoop directory (e.g. “cd C:\Users\Ionut\Downloads\JavaSnoop-1.1-RC2\JavaSnoop”)
  3. run the “startup.bat” script

If you have problems starting the application, you may want to read the “README.txt” file which contains more useful details.

Intercept traffic from an SSH client written in Java

In order to demonstrate the functionality of JavaSnoop and how it can help you to pentest an application written in Java, we chose “MindTerm SSH Client 3.1.2”, an SSH client.

After you have started JavaSnoop, start the “victim” application, MindTerm. From the JavaSnoop GUI press “An existing process”, select the “MindTerm” process and press “Attach”:

Attach Javasnoop to a Java process

This will start the JavaSnoop interface:

JavaSnoop main interface

Press “Add new hook” and “Browse” in order to choose a class:

Browse for classes

Select a class in order to view class functions:

Add function hook

And press “Add New Hook” to place the hook.

Now click the function and select “Print parameters” and “… to console” in order to view the function parameters in the console.

In the MindTerm application, we can hook the “sendTypeChar(int)” function from the “SSH2TerminalAdapterImpl” class. This will allow us to intercept and modify all characters sent via the SSH terminal:

Print ls - intercepted Java function

As you can see, our character parameter is sent as an integer (“l” = 108 and “s” = 115, the ASCII codes), but we can read the data in plain text, and this is what we were looking for. In the same way you can intercept data that will later be sent over SSL/TLS, whatever the application protocol (HTTP, serialized objects or a custom protocol), because the hook runs before the data is encrypted.

If you want to modify the data, just select “Tamper with parameters” checkbox:

Tamper ls la Java method
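To make the three options used above (print parameters to the console, save calls to a file, tamper with parameters) concrete, here is an added example that is not JavaSnoop's code nor MindTerm's. JavaSnoop attaches to a running JVM and rewrites the bytecode of the hooked method; this example instead uses java.lang.reflect.Proxy, which only works for calls made through an interface, so the TerminalAdapter interface, the RecordingAdapter "victim" and the HookDemo class are hypothetical stand-ins that borrow just the sendTypeChar(int) signature from the article.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;

public class HookDemo {

    // Hypothetical interface standing in for the MindTerm adapter class
    // hooked in the article; only the method name and signature are borrowed.
    interface TerminalAdapter {
        void sendTypeChar(int c);
    }

    // Constructed "victim": instead of writing to an SSH channel it only
    // records the characters it was asked to send, so the effect of the
    // hook can be observed.
    static class RecordingAdapter implements TerminalAdapter {
        final StringBuilder sent = new StringBuilder();

        @Override
        public void sendTypeChar(int c) {
            sent.append((char) c);
        }
    }

    // The hook itself, mirroring the JavaSnoop options "Print parameters
    // ... to console", "save calls to a file" and "Tamper with parameters".
    static class ParameterHook implements InvocationHandler {
        private final Object target;
        private final PrintWriter fileLog;   // null means console only
        private final boolean tamper;
        private final boolean printStackTrace;

        ParameterHook(Object target, PrintWriter fileLog, boolean tamper, boolean printStackTrace) {
            this.target = target;
            this.fileLog = fileLog;
            this.tamper = tamper;
            this.printStackTrace = printStackTrace;
        }

        @Override
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            Object[] params = args == null ? new Object[0] : args.clone();

            // 1. Print parameters: the int shows up exactly as in the article (l=108, s=115).
            String line = method.getName() + Arrays.toString(params);
            System.out.println("[hook] " + line);
            if (fileLog != null) {
                fileLog.println(line);
            }

            // 2. Optional stack trace, to learn which code path reached the hooked method.
            if (printStackTrace) {
                new Throwable("call site of " + method.getName()).printStackTrace(System.out);
            }

            // 3. Optional tampering: rewrite the parameter before the real method sees it.
            if (tamper && "sendTypeChar".equals(method.getName())) {
                params[0] = Character.toUpperCase((int) params[0]);
            }

            return method.invoke(target, params);
        }
    }

    // Wraps any interface-typed object in a hooking proxy.
    static <T> T hook(Class<T> iface, T target, PrintWriter fileLog,
                      boolean tamper, boolean printStackTrace) {
        Object proxy = Proxy.newProxyInstance(
                iface.getClassLoader(),
                new Class<?>[] { iface },
                new ParameterHook(target, fileLog, tamper, printStackTrace));
        return iface.cast(proxy);
    }

    public static void main(String[] args) throws IOException {
        RecordingAdapter victim = new RecordingAdapter();

        try (PrintWriter fileLog = new PrintWriter(new FileWriter("hooked-calls.log"))) {
            TerminalAdapter hooked = hook(TerminalAdapter.class, victim, fileLog, true, false);
            // Constructed input: the "ls" typed in the article, one character per call.
            for (char ch : "ls".toCharArray()) {
                hooked.sendTypeChar(ch);
            }
        }

        // The console shows sendTypeChar[108] and sendTypeChar[115]; because
        // tampering is on, the victim actually received "LS".
        System.out.println("victim received: " + victim.sent);
    }
}
```

Compile and run with `javac HookDemo.java && java HookDemo`. The proxy approach is enough to show what a hook sees and can change, but a real target rarely exposes the interesting method through an interface you control, which is exactly why JavaSnoop works at the bytecode level of the already-loaded class instead.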

Conclusion

Using this tool you will be able not only to view or modify encrypted traffic, but also to intercept any Java function you want, for example the function that verifies the SSL certificate or the function that serializes all data.
