How to intercept traffic from Java applications

Intercept Java traffic with Javasnoop During a security assessment you may need to monitor the traffic from a Java application and also to modify it. What can you do? What if the application uses SSL/TLS and even SSL pinning? We found a very useful tool which helped us in this type of situations.

JavaSnoop

JavaSnoop is a tool developed by Aspect Security with the purpose of helping people to intercept Java function calls (e.g. toString) from Java applications. It allows you to attach to a process and intercept any Java function call, view and modify the parameter values, print the stacktrace or save all function calls to a file.

JavaSnoop allows browsing all Java classes and all functions used by the target application. What you have to do is to choose the right function from the right class to hook in order to intercept the function call and parameters. For example, you may consider functions that send, receive, hash or encrypt data in order to intercept and modify sensitive data.

Installation

Download JavaSnoop: https://javasnoop.googlecode.com/files/JavaSnoop-1.1-RC2.zip

Download and install JDK 1.6: http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html#jdk-6u45-oth-JPR (you may have problems if you run JavaSnoop with newer Java versions)

It is possible to use this tool on Windows, Linux and Mac but in this article we will present only the Windows installation.

The official “startup.bat” file that comes with JavaSnoop has some problems that prevent the application from starting successfully (it tries to use the “JAVA_HOME” environment variable and some Registry information incorrectly). That is why we modified the “startup.bat” file in order to fix these problems. You can download our modified file from this link: startup.zip

To start JavaSnoop, follow the next steps:

  1. start “cmd” as Administrator, in order to be able to inject in any process
  2. go to JavaSnoop directory (e.g. “cd C:\Users\Ionut\Downloads\JavaSnoop-1.1-RC2\JavaSnoop”)
  3.  run “startup.bat” script

If you have problems starting the application, you may want to read the “README.txt” file which contains more useful details.

 Intercept traffic from a SSH client written in Java

In order to demonstrate the functionality of JavaSnoop and how it can help you to pentest an application written in Java, we chose “MindTerm SSH Client 3.1.2“, a SSH client.

After you started JavaSnoop, start the “victim” application – MindTerm. From JavaSnoop GUI press “An existing process”, select “MindTerm” process and press “Attach”:

Attach Javasnoop to a Java process

This will start the JavaSnoop interface:

JavaSnoop main interface

Press “Add new hook” and “Browse” in order to choose a class:

Browse for classes

Select a class in order to view class functions:

Add function hook

And press “Add New Hook” to place the hook.

Now click the function and select “Print parameters” and “… to console” in order to view function parameters in the console.

In MindTerm application, we can hook “sendTypeChar(int)” function from “SSH2TerminalAdapterImpl” class. This will allow us to intercept and modify all characters send via the SSH terminal:

Print ls - incercepted Java function

As you can see, our character parameter is send as an integer (“l” = 108 and “s” = 115 – ASCII), but we can see the data in plain text and this is what we were looking for. This way you can intercept SSL/TLS data, even if the application protocol is HTTP, serialized data or a custom protocol.

If you want to modify the data, just select “Tamper with parameters” checkbox:

Tamper ls la Java method

Conclusion

Using this tool you will be able to view or modify not only encrypted traffic, but also to intercept any Java function you want, for example the function that verifies the SSL certificate or the function that serializes all data.

3 thoughts on “How to intercept traffic from Java applications

  1. Donald August 8, 2015 / 12:51 am

    The link to the startup.zip file gives a 406 error.

    Like

    • Naveen February 9, 2017 / 11:13 am

      you need to update startup.bat and startup.ps1 files and work with startup.ps1
      it works fine

      Like

  2. Naveen February 9, 2017 / 11:15 am

    Article author can you please elaborate the Custom script part how to exploit

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s