ByPass SSL Pinning with IP Forwarding | iptables

After struggling with common tools to bypass SSL pinning, because the app that I’m testing won’t show some HTTPS traffic that I try to trap.

I'm using Frida as usual, it works well for another app except that I’m tested.

So, my team, “the purple team” was decided to configure a transparent proxy by using an IP Forwarding feature in our kali. I was amazed by the result it works smoothly because it does not inject any script into the app.

If you wanna try, this is what we doing to bypass SSL Pinning in the mobile application.

1. Creating Android emulator in genymotion, I used Google Pixel (8.0 API 26) as my Android virtual device
2. Open virtual box, there is android Google Pixel listed in the machine list. and choose the Settings tab to configure adapter1 and adapter2 to Host-Only Adapter. please make sure the names are different (vboxnet0 for adapter 1 and vboxnet1 for Adapter2)

Google Pixel in Oracle VirtualBox Manager

Adapter 1 Configuration (default)

Adapter 2 Configuration (change from NAT to Host Only)

If you cannot find Adapter 2 in your android virtual box machine, just go in virtual box File -> Host Network Manager. and on network windows, choose to Create to make a new adapter, and don't forget to enable DHCP.

Network adapter configuration in android virtual box

3. Start your android emulator in Genymotion

4. Export burp certificate and install it in the android system as a Trusted certificate. (there are so many tutorials for this on the Internet).

5. The next step is to configure what port we will use for intercepting connections from the android device to our burp proxy. I usually use the 8081 port for a mobile connection. so, in burp proxy open Proxy tab -> Options -> Proxy Listeners -> add

Port Binding to 8081 and All Interfaces

Check the Support Invisible proxying checkbox

6. now, move to your kali, and see the IP addresses of all interfaces with ifconfig -a command, make sure there are 2 adapter names with vboxnet.

The wlan0 is an adapter for connecting to Internet, vboxnet0 and vboxnet1 are adapters from android emulator devices.

7. Let's configure our android network

Change the Wifi configuration to a static IP address I used 192.168.57.2 the default gateway and the DNS are automatically being set. (See the IP Address in vboxnet1)

choose the SAVE button, and as usual reboot your android virtual machine before going to the next step.

8. now the interesting part. we will configure the IP forwarding rule in the Kali Linux machine.

open your terminal in kali Linux and set the IP Forwarding to 1 (true) with this command (need root privileges):

echo 1 > /proc/sys/net/ipv4/ip_forward

set the IP Forwarding to True

9. exit from the root user, and set up IP tables for 80 and 443 port connection by executing this command

sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

sudo iptables -t nat -A PREROUTING -p tcp -i vboxnet1 — dport 80 -j REDIRECT — to-port 8081

sudo iptables -t nat -A PREROUTING -p tcp -i vboxnet1 — dport 443 -j REDIRECT — to-port 8081

You can change wlan0 to eth0 (device that used for Internet connection)

Now you can check your HTTPS traffic from your android is intercepted to your burp proxy.

all http/https are intercepted

Ok, hope this trick can be an alternative way to bypass the SSL Pinning problem.

Update: now, it is more easier to use Reflutter to bypass sslpinning for flutter based mobile application.