During a security assessment you may need to monitor the traffic from a Java application and also to modify it. What can you do? What if the application uses SSL/TLS and even SSL pinning? We found a very useful tool which helped us in this type of situations.

JavaSnoop

JavaSnoop is a tool developed by Aspect Security with the purpose of helping people to intercept Java function calls (e.g. toString) from Java applications. It allows you to attach to a process and intercept any Java function call, view and modify the parameter values, print the stacktrace or save all function calls to a file.

JavaSnoop allows browsing all Java classes and all functions used by the target application. What you have to do is to choose the right function from the right class to hook in order to intercept the function call and parameters. For example, you may consider functions that send, receive, hash or encrypt data in order to intercept and modify sensitive data.

Installation

Download JavaSnoop: https://javasnoop.googlecode.com/files/JavaSnoop-1.1-RC2.zip

Download and install JDK 1.6: http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase6-419409.html#jdk-6u45-oth-JPR (you may have problems if you run JavaSnoop with newer Java versions)

It is possible to use this tool on Windows, Linux and Mac but in this article we will present only the Windows installation.

The official “startup.bat” file that comes with JavaSnoop has some problems that prevent the application from starting successfully (it tries to use the “JAVA_HOME” environment variable and some Registry information incorrectly). That is why we modified the “startup.bat” file in order to fix these problems. You can download our modified file from this link: startup.zip

To start JavaSnoop, follow the next steps:

start “cmd” as Administrator, in order to be able to inject in any process go to JavaSnoop directory (e.g. “cd C:\Users\Ionut\Downloads\JavaSnoop-1.1-RC2\JavaSnoop”) run “startup.bat” script

If you have problems starting the application, you may want to read the “README.txt” file which contains more useful details.

Intercept traffic from a SSH client written in Java

In order to demonstrate the functionality of JavaSnoop and how it can help you to pentest an application written in Java, we chose “MindTerm SSH Client 3.1.2“, a SSH client.

After you started JavaSnoop, start the “victim” application – MindTerm. From JavaSnoop GUI press “An existing process”, select “MindTerm” process and press “Attach”:

This will start the JavaSnoop interface:

Press “Add new hook” and “Browse” in order to choose a class:

Select a class in order to view class functions:

And press “Add New Hook” to place the hook.

Now click the function and select “Print parameters” and “… to console” in order to view function parameters in the console.

In MindTerm application, we can hook “sendTypeChar(int)” function from “SSH2TerminalAdapterImpl” class. This will allow us to intercept and modify all characters send via the SSH terminal:

As you can see, our character parameter is send as an integer (“l” = 108 and “s” = 115 – ASCII), but we can see the data in plain text and this is what we were looking for. This way you can intercept SSL/TLS data, even if the application protocol is HTTP, serialized data or a custom protocol.

If you want to modify the data, just select “Tamper with parameters” checkbox:

Conclusion

Using this tool you will be able to view or modify not only encrypted traffic, but also to intercept any Java function you want, for example the function that verifies the SSL certificate or the function that serializes all data.