Does scapception still work?!? #13

Open
jacob-mvnro opened this issue Apr 15, 2019 · 13 comments

Comments

@jacob-mvnro

Does it still work?

@an0ndev

an0ndev commented Jul 10, 2019

I'd assume so, since this just uses mitmproxy and a separate CA installed on the client, so as long as Snapchat still uses the device's CA stores, it should still work. I'm testing now.

@ColeShelly

> I'd assume so, since this just uses mitmproxy and a separate CA installed on the client, so as long as Snapchat still uses the device's CA stores, it should still work. I'm testing now.

Did you get it to work?

@an0ndev

an0ndev commented Jul 18, 2019

> > I'd assume so, since this just uses mitmproxy and a separate CA installed on the client, so as long as Snapchat still uses the device's CA stores, it should still work. I'm testing now.
>
> Did you get it to work?

Unfortunately, I couldn't. It looks like there's a conflict between the version of click (easy command-line interfaces) that mitmproxy needs and the version that snapception uses (older). Also, I took a look through the code, and it looks like it decrypts pictures using a single key, which is part of the old Snapchat security system, so the main idea probably wouldn't work anyway.

If you're still trying to view Snapchat traffic, I recommend installing and using mitmproxy by itself (it comes with a web interface). You'll need to install the mitmproxy certificate on your device once you've connected to the proxy, and then probably bypass Snapchat's certificate pinning (probably easiest on Android since they have an easy debugger) as well. Good luck!

@dw5

dw5 commented Jun 1, 2020

Well, I found an alternate way to get the Key and IV; however, neither openssl (gets "error reading input file") nor, if you were to follow https://gibsonsec.org/snapchat/fulldisclosure/#encrypting-stories, python (thanks to the lack of mcrypt) works; there isn't much documentation or many ways to decrypt it. There suddenly isn't a way to decrypt it. And this project doesn't decrypt story snaps (sometimes stories are encrypted, sometimes they aren't; they often are for public ones, like celebrities or a friend who didn't add you). Then again, Snapchat is often used to leak nudes or whatever else; there are some legit use cases, and some which aren't. But I'd prefer limited availability rather than letting everyone abuse it.

But as of the time of writing, snaps from user A to user B, both videos and images, are unencrypted, and chat content (like pictures, voice clips, etc.) is not encrypted either.
Also, fun fact: if you add stickers or some text (non-transparent), it will be a separate overlay, as an image. Non-transparent text/stickers will cause it to be pixelated, and animated stickers etc. will just be in the video.
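Decrypting a media blob once you hold the key and IV, as dw5 describes attempting with openssl and the gibsonsec write-up, and as devinbaeten later notes the script's AES-128 key no longer does: the block below is an added example, not snapception's code and not anything posted in this thread. It assumes the scheme the linked disclosure describes, AES-128 in CBC mode with PKCS#7 padding, and uses a constructed key, IV and fake JPEG; it does not contain any Snapchat key. Two practitioner details it encodes: openssl's `-K` and `-iv` flags take hex, not the raw key bytes, and a blob that already starts with media magic bytes was never encrypted, so it must be written out as-is rather than "decrypted" (stories, per the comment above, are sometimes encrypted and sometimes not).

```python
"""Decrypt an AES-128-CBC media blob given its key and IV.

Added example; not snapception's code. Key, IV and the 'JPEG' below are
constructed for the demo and are NOT Snapchat's values. Uses the
cryptography package when present, otherwise the openssl CLI.
"""
import binascii
import shutil
import subprocess

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False

# Constructed demo values (assumption for the example only).
DEMO_KEY = b"0123456789abcdef"   # 16 bytes = AES-128 key
DEMO_IV = b"fedcba9876543210"    # 16 bytes = one CBC block
# Constructed fake JPEG: SOI + APP0 marker + filler, not a real photo.
DEMO_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"constructed demo payload, not a real photo"


def _pkcs7_pad(data: bytes) -> bytes:
    n = 16 - len(data) % 16
    return data + bytes([n]) * n


def _pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % 16:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    n = data[-1]
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key/IV, or the blob was never encrypted")
    return data[:-n]


def _raw_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-128-CBC over whole blocks; padding is handled by the callers."""
    if len(key) != 16 or len(iv) != 16:
        raise ValueError("AES-128-CBC needs a 16-byte key and a 16-byte IV")
    if HAVE_CRYPTOGRAPHY:
        cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
        op = cipher.decryptor() if decrypt else cipher.encryptor()
        return op.update(data) + op.finalize()
    if shutil.which("openssl") is None:
        raise RuntimeError("need either the cryptography package or the openssl CLI")
    # openssl wants -K/-iv as HEX strings; handing it the raw key is the usual
    # cause of "error reading input file"/"bad decrypt" style failures.
    cmd = ["openssl", "enc", "-aes-128-cbc", "-nopad",
           "-K", binascii.hexlify(key).decode(), "-iv", binascii.hexlify(iv).decode()]
    if decrypt:
        cmd.insert(2, "-d")
    return subprocess.run(cmd, input=data, capture_output=True, check=True).stdout


def encrypt_media(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return _raw_cbc(key, iv, _pkcs7_pad(plaintext), decrypt=False)


def decrypt_media(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return _pkcs7_unpad(_raw_cbc(key, iv, ciphertext, decrypt=True))


def media_type(data: bytes) -> str:
    """Sniff magic bytes; 'unknown' normally means still encrypted (or wrong key)."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def decrypt_if_needed(key: bytes, iv: bytes, blob: bytes):
    """Return (media_bytes, was_encrypted). Plain blobs pass through untouched."""
    if media_type(blob) != "unknown":
        return blob, False
    return decrypt_media(key, iv, blob), True


if __name__ == "__main__":
    ct = encrypt_media(DEMO_KEY, DEMO_IV, DEMO_JPEG)
    out, was_enc = decrypt_if_needed(DEMO_KEY, DEMO_IV, ct)
    print(media_type(ct), "->", media_type(out), "decrypted:", was_enc)
```

Run it with a real blob by reading the file into `blob` and calling `decrypt_if_needed`; a `ValueError` from the padding check is the quickest signal that the key or IV you recovered is not the one the blob was encrypted with.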

@snapchump

I couldn’t get this working either. Is there a way to intercept just text/chat messages? I played around with mitmproxy but couldn’t get it to even connect reliably, and snapception won’t install under any platform I’ve tried.

@nabil-ha

Thanks guys for the references. Can I use the SSL certificate to sniff the network for logins to Snapchat servers?

@snapmademedoit

> Well, I found an alternate way to get the Key and IV; however, neither openssl (gets "error reading input file") nor, if you were to follow https://gibsonsec.org/snapchat/fulldisclosure/#encrypting-stories, python (thanks to the lack of mcrypt) works; there isn't much documentation or many ways to decrypt it. There suddenly isn't a way to decrypt it. And this project doesn't decrypt story snaps (sometimes stories are encrypted, sometimes they aren't; they often are for public ones, like celebrities or a friend who didn't add you). Then again, Snapchat is often used to leak nudes or whatever else; there are some legit use cases, and some which aren't. But I'd prefer limited availability rather than letting everyone abuse it.
>
> But as of the time of writing, snaps from user A to user B, both videos and images, are unencrypted, and chat content (like pictures, voice clips, etc.) is not encrypted either.
> Also, fun fact: if you add stickers or some text (non-transparent), it will be a separate overlay, as an image. Non-transparent text/stickers will cause it to be pixelated, and animated stickers etc. will just be in the video.

I have spent the past few days trying to perform a MitM with Snap using Frida and a proxy. No luck; Snapchat seems to have heavy obfuscation.

I'm just trying to discover endpoints; if anyone has any information on how to do that, it would be much appreciated.

@CaptainBoggle

> > Well, I found an alternate way to get the Key and IV; however, neither openssl (gets "error reading input file") nor, if you were to follow https://gibsonsec.org/snapchat/fulldisclosure/#encrypting-stories, python (thanks to the lack of mcrypt) works; there isn't much documentation or many ways to decrypt it. There suddenly isn't a way to decrypt it. And this project doesn't decrypt story snaps (sometimes stories are encrypted, sometimes they aren't; they often are for public ones, like celebrities or a friend who didn't add you). Then again, Snapchat is often used to leak nudes or whatever else; there are some legit use cases, and some which aren't. But I'd prefer limited availability rather than letting everyone abuse it.
> > But as of the time of writing, snaps from user A to user B, both videos and images, are unencrypted, and chat content (like pictures, voice clips, etc.) is not encrypted either.
> > Also, fun fact: if you add stickers or some text (non-transparent), it will be a separate overlay, as an image. Non-transparent text/stickers will cause it to be pixelated, and animated stickers etc. will just be in the video.
>
> I have spent the past few days trying to perform a MitM with Snap using Frida and a proxy. No luck; Snapchat seems to have heavy obfuscation.
>
> I'm just trying to discover endpoints; if anyone has any information on how to do that, it would be much appreciated.

Any luck?

@devinbaeten

> > > Well, I found an alternate way to get the Key and IV; however, neither openssl (gets "error reading input file") nor, if you were to follow https://gibsonsec.org/snapchat/fulldisclosure/#encrypting-stories, python (thanks to the lack of mcrypt) works; there isn't much documentation or many ways to decrypt it. There suddenly isn't a way to decrypt it. And this project doesn't decrypt story snaps (sometimes stories are encrypted, sometimes they aren't; they often are for public ones, like celebrities or a friend who didn't add you). Then again, Snapchat is often used to leak nudes or whatever else; there are some legit use cases, and some which aren't. But I'd prefer limited availability rather than letting everyone abuse it.
> > > But as of the time of writing, snaps from user A to user B, both videos and images, are unencrypted, and chat content (like pictures, voice clips, etc.) is not encrypted either.
> > > Also, fun fact: if you add stickers or some text (non-transparent), it will be a separate overlay, as an image. Non-transparent text/stickers will cause it to be pixelated, and animated stickers etc. will just be in the video.
> >
> > I have spent the past few days trying to perform a MitM with Snap using Frida and a proxy. No luck; Snapchat seems to have heavy obfuscation.
> > I'm just trying to discover endpoints; if anyone has any information on how to do that, it would be much appreciated.
>
> Any luck?

I found all of the endpoints using Charles Proxy and SSL Killswitch on my iPhone. The AES-128 encryption key must've changed though. Can't decrypt snaps using the script.
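Endpoint discovery, which snapmademedoit asks about above and devinbaeten reports doing by hand with Charles Proxy and SSL Kill Switch, can be automated as an inventory. The addon below is an added example, not snapception's code and not posted by anyone in this thread. It assumes the phone already proxies through mitmproxy with the mitmproxy CA installed and pinning bypassed (the setup an0ndev and devinbaeten describe); the host suffix `example-app.com` is a constructed placeholder you would replace with the hosts you actually see. The useful part is the path normalization: per-request identifiers (numeric IDs, hex hashes, long tokens) are collapsed to `{id}` so that a thousand media fetches show up as one endpoint, and each endpoint records the status codes and content types seen, which is usually enough to tell a media download from an API call.

```python
"""mitmproxy addon: build an endpoint inventory for one app's traffic.

Added example (not snapception's code, not from this thread). Run with:
    mitmdump -s endpoints.py
It writes endpoints.json on shutdown. TARGET_HOST_SUFFIXES is a constructed
placeholder; replace it with the hosts you observe.
"""
import json
import logging
import re
from collections import defaultdict

log = logging.getLogger(__name__)

# Constructed placeholder (assumption): only inventory these hosts.
TARGET_HOST_SUFFIXES = ("example-app.com",)

# Path segments that look like per-request identifiers: integers, hex blobs
# of 8+ chars, or long base64/url-safe tokens.
_ID_SEGMENT = re.compile(r"^(?:\d+|[0-9a-f]{8,}|[A-Za-z0-9_-]{20,})$")


def normalize_path(path: str) -> str:
    """Collapse identifiers so /snap/12345 and /snap/67890 share one key."""
    path = path.split("?", 1)[0]                      # drop the query string
    parts = [("{id}" if _ID_SEGMENT.match(p) else p) for p in path.split("/")]
    return "/".join(parts)


class EndpointInventory:
    def __init__(self, host_suffixes=TARGET_HOST_SUFFIXES):
        self.host_suffixes = tuple(host_suffixes)
        self.seen = defaultdict(lambda: {"count": 0, "status": set(), "content_types": set()})

    def wants(self, host: str) -> bool:
        return host.endswith(self.host_suffixes)

    def record(self, method, host, path, status, content_type):
        """Record one request/response pair; returns the endpoint key or None."""
        if not self.wants(host):
            return None
        key = f"{method} {host}{normalize_path(path)}"
        entry = self.seen[key]
        entry["count"] += 1
        entry["status"].add(int(status))
        if content_type:
            entry["content_types"].add(content_type.split(";")[0].strip().lower())
        return key

    def as_json(self) -> str:
        return json.dumps(
            {k: {"count": v["count"],
                 "status": sorted(v["status"]),
                 "content_types": sorted(v["content_types"])}
             for k, v in sorted(self.seen.items())},
            indent=2,
        )

    # ---- mitmproxy hooks (duck-typed; mitmproxy passes an http.HTTPFlow) ----
    def response(self, flow):
        key = self.record(
            flow.request.method, flow.request.host, flow.request.path,
            flow.response.status_code,
            flow.response.headers.get("content-type", ""),
        )
        if key:
            log.info("endpoint: %s", key)

    def done(self):
        with open("endpoints.json", "w", encoding="utf-8") as fh:
            fh.write(self.as_json())


# mitmproxy picks up addons from this module-level list.
addons = [EndpointInventory()]
```

Because `record` is separate from the mitmproxy hook, the same class can be fed from a Charles or HAR export offline; only `response` depends on the flow object mitmproxy hands you.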

@CaptainBoggle

We probably need to dump the executable and dig through it with IDA, although they might have obfuscated it a bit better than that

@devinbaeten

> We probably need to dump the executable and dig through it with IDA, although they might have obfuscated it a bit better than that

I'm currently using some runtime exploits to hopefully find something.

@CaptainBoggle

That sounds super interesting, would you be able to elaborate?

@devinbaeten

> That sounds super interesting, would you be able to elaborate?

Sure thing!

Here’s my setup for analyzing and performing MITM actions to the Snapchat App:

  • On my iPhone, I have the device jailbroken and use these tweaks to help me out: “SSL Kill Switch 2” (disables traditional SSL certificate pinning in iOS app network requests), “Frida” (allows me to inject scripts into an active app’s runtime), and OpenSSH (lets me connect to the iOS file system via SFTP on my Mac).

  • On my Mac, I use Charles Proxy to monitor all network traffic from my iPhone with Snapchat installed. I also use the computer side of the application, Frida. Again, Frida lets me inject code into the iOS app runtime and do things like look for class names, dump keychain values, user defaults, etc. I also use a command-line tool called “Objection”, which lets me do everything Frida can, with simpler, often pre-configured commands. Finally, I use Cyberduck as the SFTP client, as well as Sublime Text for viewing/editing files in the Snapchat directory.

Here are some links to some apps and resources I used:

What I’m hoping to do next is find out how to override the certificate pinning and jailbreak detection on the latest versions and then repackage this into an IPA that can be installed on a Jailed device, without getting it banned.


9 participants