From 54f315d57a6e4891ca13353e079f9f2beb6a1aea Mon Sep 17 00:00:00 2001 From: stulle123 Date: Wed, 6 Sep 2023 21:19:24 +0200 Subject: [PATCH] Add E2E MITM PoC instructions --- RECON.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/RECON.md b/RECON.md index 4f78b00..a9584ca 100644 --- a/RECON.md +++ b/RECON.md @@ -459,4 +459,23 @@ Version: 3 E2E is opt-in only. Most people probably don’t use Secret Chat since `In a secret chatrooom, features including free calling, polls, events and chatroom album are currently not available`. -Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class. \ No newline at end of file +Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class. + +MITM PoC: + +- Sender's RSA public key pair in `TalkKeyStore.preferences.xml` +- Receiver's public keys in `KakaoTalk.db` +- PoC how-to: + - Delete all public keys from `KakaoTalk.db` database + - Start mitmproxy and Frida script + - Create new Secret Chat room + - `GETLPK` packet gets intercepted -> Maybe we don't need that? + - `SCREATE` packet gets intercepted (shouldn't include a shared secret, otherwise we remove it) + - Bad signature check of MITM public key doesn't seem to have any implications + - Sender sends a `SETSK` packet (mitmproxy grabs shared secret) + - Dump `SWRITE` packets + +Questions: +- How to attack an already existing E2E chat room? +- How to fix maldformed `SCREATE` packets? +- Check public key fingerprints if they have changed \ No newline at end of file
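Review bot: the PoC how-to never states where the attacker's public key is injected, even though `Bad signature check of MITM public key doesn't seem to have any implications` presupposes that it already has been; add a step saying which intercepted packet (the `GETLPK` response or `SCREATE`) has the receiver's key replaced by the MITM key and what mitmproxy rewrites, otherwise the later claim that `mitmproxy grabs shared secret` from `SETSK` is unexplained. In the same list, `GETLPK packet gets intercepted -> Maybe we don't need that?` is an open question rather than a step and belongs under `Questions:`, and `Delete all public keys from KakaoTalk.db database` should say on which device this is done and why (presumably to force the client to re-fetch the keys so they pass through the proxy). Minor wording: `Sender's RSA public key pair` is contradictory, a key pair includes the private key, so either `RSA key pair` or `RSA public key` depending on what `TalkKeyStore.preferences.xml` actually holds; `maldformed` -> `malformed`; the trailing space inside `` `LocoCipherHelper ` `` is carried over from the removed line and could be dropped while touching it; and the file still ends without a trailing newline.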