# CA.sh

## Generate CA + wildcard cert for any hostname

`CA.sh` takes a domain name as input and outputs a directory named "CA", containing:

- a certificate authority (private key + cert + serial number file + a copy of the cert appropriately named for inclusion in the Android trust store);
- a CA-signed cert for the provided hostname;
- if the hostname is a domain, then a wildcard cert is generated, matching `domain.tld` and `*.domain.tld`;
- the hostname can also be an IP address.

Both the CA and the cert are valid for 30 days.

## Usage

```
./CA.sh example.org
```
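The outputs listed above (CA key and cert, serial number file, Android-named copy, wildcard or IP cert), sketched with plain `openssl` as an added example; this is not the `CA.sh` source. The function name `make_ca_and_cert`, the file names and the CA subject are assumptions, and the Android copy is named with `openssl x509 -subject_hash_old`, the scheme Android's system CA directory uses.

```shell
#!/bin/sh
# Added example, not the CA.sh source. Function and file names are assumptions.
make_ca_and_cert() {
    host=$1; out=${2:-CA-demo}; days=30    # 30 days, as the README states
    mkdir -p "$out/android" || return 1

    # IPv4 literal -> IP SAN; anything else -> apex + wildcard DNS SANs.
    case $host in
        *[!0-9.]*) san="DNS:$host, DNS:*.$host" ;;
        *)         san="IP:$host" ;;
    esac

    # Explicit config, so the result does not depend on the system openssl.cnf.
    cat > "$out/ca.cnf" <<'EOF' || return 1
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Interception CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

    # 1. Self-signed CA: private key + certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$out/ca.cnf" -keyout "$out/ca.key" -out "$out/ca.crt" || return 1

    # 2. Host key + CSR; -subj overrides the CN taken from the config.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -config "$out/ca.cnf" -keyout "$out/host.key" -out "$out/host.csr" || return 1

    # 3. Sign the CSR. The SANs come from an extension file, and
    #    -CAcreateserial writes the serial number file next to the CA cert.
    printf 'subjectAltName = %s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
        "$san" > "$out/host.ext" || return 1
    openssl x509 -req -in "$out/host.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -sha256 -days "$days" -extfile "$out/host.ext" \
        -out "$out/host.crt" || return 1

    # 4. Android system CA files are named <subject_hash_old>.0 (PEM content).
    subj_hash=$(openssl x509 -in "$out/ca.crt" -noout -subject_hash_old) || return 1
    cp "$out/ca.crt" "$out/android/$subj_hash.0"
}

# Usage: sh example.sh example.org [outdir]
if [ "$#" -ge 1 ]; then make_ca_and_cert "$1" "${2:-CA-demo}"; fi
```

The private keys are written unencrypted, so keep the output directory private; the IP branch recognises IPv4 literals only.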

## Optional dependencies

- `ipcalc-ng`, for detecting if the supplied hostname is an IP address.
- `idn`, for converting [IDNs](https://en.wikipedia.org/wiki/Internationalized_domain_name) to punycode.

## Adding the CA to the Android trust store

The reason I wrote this script was to intercept an Android app's TLS-encrypted traffic. In order to do this, the CA cert must be added to the Android trust store. Here's how:

In Android versions prior to 4, see http://wiki.cacert.org/FAQ/ImportRootCertAndroidPreICS

In Android versions 4, 5 and 6, you can simply copy the file to your phone and add it from the Android UI.

In Android 7+, in order for the CA to be trusted by all apps, you need to have a rooted phone. Allow USB debugging, grant root access for ADB, connect the phone to a computer and run the following commands:

```
# restart ADB as root
adb root
# remount the /system partition as read+write
adb remount
# copy the CA file to the root store
adb push CA/android/*.0 /system/etc/security/cacerts/
```

Then you can spoof a domain's IP address by adding it to the Android system's hosts file:

```
adb shell 'echo "192.168.0.2 example.org" >> /system/etc/hosts'
```

To allow TLS interception on a non-rooted phone, you need to slightly modify the app you are snooping on, as described in:

- https://medium.com/androgoat/intercept-https-traffic-from-android-app-androgoat-part-2-60f7777b237d
- https://stackoverflow.com/a/22040887

If the app uses certificate pinning, you may need a program like [Apktool](https://ibotpeaches.github.io/Apktool/), [Frida](https://frida.re/docs/android/) or [baksmali](https://github.com/JesusFreke/smali).

Thanks to Soarez for his [OpenSSL CA guide](https://gist.github.com/Soarez/9688998)!