LAB - Insecure Network Transmission
In this lab environment, you will have GUI access to a Debian machine. The InsecureBankv2 application is available on the Android Emulator.
Objective: Intercept the app traffic with Burp Suite to capture sensitive credentials transmitted in plaintext.
The valid credentials for InsecureBankv2 are as follows:
Username: jack
Password: Jack@123$
Note: You can start the emulator using the script located on the Desktop. Additionally, check the /root/Tools directory for available tools.
Tools
The best tools for this lab are:
Burp Suite
First, start the emulator with ./emulator, then open the app. It asks us for credentials.

This application relies on a back-end server to function properly.
To start the back-end server, run the following commands:
## Start the back-end server with Python
cd /root/Tools/AndroLabServer
python2.7 app.py

Then, in the app, go to the "Preferences" settings.

Enter the IP address of the host machine where the back-end server is running, then click Submit.
Note: use the ifconfig command to find the IP address. Use the device’s on-screen keyboard to enter your input.

Now try to log in, for example with test:test. If everything is configured correctly, we can see the username and password in plaintext.

BurpSuite Configuration
Now we can try to intercept all traffic with Burp.

Here, we need to replace the localhost IP (127.0.0.1) with our IP.

Now, we need to add a proxy on the Android device. Open Settings and click on Network & internet.

Now, turn on Intercept in Burp and navigate/log in in the app.
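
One way to check captured requests for the issue this lab demonstrates, as an added example that is not part of the original lab: it parses a raw HTTP request as the proxy shows it and lists credential-like fields sent without TLS. The sample request, its host and path, and the field names username and password are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as sensitive (assumed list; extend it for your app).
SENSITIVE = {"username", "password", "passwd", "pin", "token"}

def find_cleartext_secrets(raw_request: bytes, tls: bool) -> list:
    """Return the sensitive parameter names one captured request exposes.

    raw_request is the request as the proxy shows it; tls tells whether the
    connection it travelled on was encrypted.
    """
    if tls:
        return []  # encrypted in transit, nothing readable on the wire
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Credentials can sit in the query string as well as in a form body.
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        params += parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    found = {name.lower() for name, _ in params} & SENSITIVE
    if "authorization" in headers:
        found.add("authorization-header")
    return sorted(found)

# Constructed sample: a form login with the lab's test:test pair.
# Host, path and field names are placeholders, not values from the page.
SAMPLE = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"username=test&password=test"
)

if __name__ == "__main__":
    for name in find_cleartext_secrets(SAMPLE, tls=False):
        print("sent in cleartext:", name)
```

Any non-empty result for a request that travelled over plain HTTP is the finding to report; the fix on the app side is to send the login over TLS.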
