Simple utility for sniffing decrypted HTTP/HTTPS traffic on an iOS device (either jailbroken or not)
Project description
- Description
- Installation
- Profile method for macOS host
- Profile method for non-jailbroken devices
- Secret preference method for jailbroken devices
- Enable HTTP instrumentation method
Description
Simple pure-Python utility for sniffing decrypted HTTP/HTTPS traffic recorded by one of Apple's not-so-well-documented APIs.
Installation
python3 -m pip install -U harlogger
Profile method for macOS host
This method uses Apple's CFNetwork diagnostics profile, which is meant for debugging processes that use the CFNetwork framework. This method doesn't include the request/response body.
Howto
- Download Apple's CFNetwork profile, which can be found here: https://developer.apple.com/services-account/download?path=/iOS/iOS_Logs/NetworkDiagnostic.mobileconfig
- Install it by double-clicking it.
- That's it! :) You can now start sniffing out everything using:
  python3 -m harlogger profile
Profile method for non-jailbroken devices
This method uses Apple's CFNetwork diagnostics profile, which is meant for debugging processes that use the CFNetwork framework. This method doesn't include the request/response body.
Howto
- Download Apple's CFNetwork profile, which can be found here: https://developer.apple.com/services-account/download?path=/iOS/iOS_Logs/CFNetworkDiagnostics.mobileconfig
- Install it any way you prefer. I'm using pymobiledevice3:
  # if you don't already have it
  python3 -m pip install -U pymobiledevice3
  # install the profile
  pymobiledevice3 profile install CFNetworkDiagnostics.mobileconfig
- That's it! :) You can now start sniffing out everything using:
  python3 -m harlogger mobile profile
Output should look like:
➜ harlogger git:(master) ✗ python3 -m harlogger profile
➡️️ POST https://www.bing.com/fd/ls/lsp.aspx HTTP/1.1
Accept: */*
Content-Type: text/xml
Origin: https://www.bing.com
Accept-Encoding: gzip, deflate, br
Cookie: SRCHHPGUSR=CW=414&CH=622&SW=414&SH=736&DPR=3&UTC=180&DM=1&SRCHLANG=en&HV=1634801804; _HPVN=CS=eyJQbiI6eyJDbiI6MiwiU3QiOjAsIlFzIjowLCJQcm9kIjoiUCJ9LCJTYyI6eyJDbiI6MiwiU3QiOjAsIlFzIjowLCJQcm9kIjoiSCJ9LCJReiI6eyJDbiI6MiwiU3QiOjAsIlFzIjowLCJQcm9kIjoiVCJ9LCJBcCI6dHJ1ZSwiTXV0ZSI6dHJ1ZSwiTGFkIjoiMjAyMS0xMC0yMVQwMDowMDowMFoiLCJJb3RkIjowLCJEZnQiOm51bGwsIk12cyI6MCwiRmx0IjowLCJJbXAiOjEwfQ==; SUID=M; _EDGE_S=SID=1BF42681120765EF1EA73656137A640E; _SS=SID=1BF42681120765EF1EA73656137A640E; MUID=1B0D347B85756FDD055524B284086E36; SRCHD=AF=NOFORM; SRCHUID=V=2&GUID=5B989717430E450D9314C927C97602C9&dmnchg=1; SRCHUSR=DOB=20211007; _EDGE_V=1; MUIDB=1B0D347B85756FDD055524B284086E36
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1
Referer: https://www.bing.com/
Content-Length: 458
Accept-Language: en-us
⬅️ HTTP/2.0 204 (request POST https://www.bing.com/fd/ls/lsp.aspx HTTP/1.1)
x-msedge-ref: Ref A: E5B5AE34FBA148E6BDFFBF421B940462 Ref B: VIEEDGE1816 Ref C: 2021-10-21T07:36:44Z
Date: Thu, 21 Oct 2021 07:36:44 GMT
x-cache: CONFIG_NOCACHE
Access-Control-Allow-Origin: *
Secret preference method for jailbroken devices
iOS 14.x devices contain a hidden feature for sniffing decrypted HTTP/HTTPS traffic from all processes that use the CFNetwork framework into HAR format. To trigger this feature on a jailbroken device, simply place the correct configuration for the com.apple.CFNetwork preference domain and post the com.apple.CFNetwork.har-capture-update notification.
This method includes the request/response body as well.
iOS 13.x and below don't have this feature.
Howto
- Put com.apple.CFNetwork.plist inside /var/mobile/Library/Preferences/
- Restart the device
- That's it! :) You can now start sniffing out everything using:
  python3 -m harlogger preference
Output should look like:
➜ harlogger git:(master) ✗ python3 -m harlogger mobile preference
➡️ CFNetwork(1140) POST https://www.bing.com/fd/ls/lsp.aspx
POST /fd/ls/lsp.aspx HTTP/2.0
Accept: */*
Content-Type: text/plain
Origin: https://www.bing.com
Cache-Control: max-age=0
Content-Length: 472
Accept-Language: en-us
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1
Accept-Encoding: gzip, deflate, br
Referer: https://www.bing.com/
⬅️ CFNetwork(1140) 0
➡️ CFNetwork(1140) POST https://www.bing.com/fd/ls/lsp.aspx
POST /fd/ls/lsp.aspx HTTP/2.0
Accept: */*
Content-Type: text/xml
Origin: https://www.bing.com
Content-Length: 378
Accept-Language: en-us
Host: www.bing.com
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 14_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Mobile/15E148 Safari/604.1
Referer: https://www.bing.com/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
<ClientInstRequest><Events><E><T>Event.ClientInst</T><IG>EB94C422BC394F90A876D39A790BECBC</IG><TS>1634801882467</TS><D><![CDATA[[{"T":"CI.BoxModel","FID":"CI","Name":"v2.8","SV":"4","P":{"C":1,"N":5,"I":"5iv","S":"V","M":"V+L+M+MT+E+N+C+K+BD","T":1669960,"F":0},"V":"zrpx/////////visible/+zryw/////////hidden/@p"}]]]></D></E></Events><STS>1634801882467</STS></ClientInstRequest>
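The HAR entries this capture produces can be triaged offline for credential-bearing headers and cleartext endpoints. The script below is an added example, not part of harlogger; it parses a constructed HAR 1.2 document modelled on the bing.com request shown above (the sample data, the audit_har helper and the SENSITIVE_HEADERS set are assumptions, not anything the tool emits).

```python
"""Triage a HAR capture for headers that carry credentials and for cleartext
endpoints.  Example code, not part of harlogger; the HAR below is constructed."""
import json
from urllib.parse import urlparse

# Header names whose presence in a capture is worth reviewing (assumed list).
SENSITIVE_HEADERS = {"cookie", "authorization", "set-cookie", "x-api-key"}

# Constructed HAR 1.2 document modelled on the bing.com POST shown on this page.
SAMPLE_HAR = json.dumps({
    "log": {"version": "1.2", "entries": [
        {"request": {"method": "POST", "url": "https://www.bing.com/fd/ls/lsp.aspx",
                     "headers": [{"name": "Cookie", "value": "SUID=M; MUID=example"},
                                 {"name": "Content-Type", "value": "text/xml"}],
                     "postData": {"mimeType": "text/xml", "text": "<ClientInstRequest/>"}},
         "response": {"status": 204, "headers": []}},
        {"request": {"method": "GET", "url": "http://example.invalid/api/v1/token",
                     "headers": [{"name": "Authorization", "value": "Bearer placeholder"}]},
         "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=1"}]}},
    ]}})


def audit_har(har_text: str) -> list[dict]:
    """Return one finding per HAR entry: which credential-bearing headers were
    sent or received, whether the transport was cleartext, and body size."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        sent = sorted({h["name"] for h in req.get("headers", [])
                       if h["name"].lower() in SENSITIVE_HEADERS})
        received = sorted({h["name"] for h in resp.get("headers", [])
                           if h["name"].lower() in SENSITIVE_HEADERS})
        findings.append({
            "method": req["method"],
            "url": req["url"],
            "status": resp.get("status"),
            "cleartext": urlparse(req["url"]).scheme == "http",
            "sensitive_sent": sent,
            "sensitive_received": received,
            "body_bytes": len(req.get("postData", {}).get("text", "")),
        })
    return findings


if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR):
        flags = ["CLEARTEXT"] if f["cleartext"] else []
        flags += [f"sends {h}" for h in f["sensitive_sent"]]
        flags += [f"receives {h}" for h in f["sensitive_received"]]
        print(f'{f["method"]} {f["url"]} -> {f["status"]}  {", ".join(flags) or "ok"}')
```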
Enable HTTP instrumentation method
Starting at iOS 15.0, the device requires the target process to meet any of the following requirements:
- com.apple.private.cfnetwork.har-capture-delegation entitlement
- get-task-allow entitlement
- com.apple.security.get-task-allow entitlement
- OS build to be in debug mode
In order to make the device enable HAR logging you may use pymobiledevice3 as follows:
python3 -m pymobiledevice3 developer dvt har
Now you can start sniffing using the preference method:
python3 -m harlogger preference
File details: harlogger-4.0.3.tar.gz
- Size: 62.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.0.0 CPython/3.12.2
File details: harlogger-4.0.3-py3-none-any.whl
- Size: 48.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.0.0 CPython/3.12.2