gnh1201/kakaotalk_analysis
1
0
Fork 0
mirror of https://github.com/stulle123/kakaotalk_analysis.git synced 2025-02-06 15:05:47 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add E2E MITM PoC instructions

Browse Source
This commit is contained in:
stulle123 2023-09-06 21:19:24 +02:00
parent db14c11d0b
commit 54f315d57a
1 changed files with 20 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
RECON.md
View File

@ -460,3 +460,22 @@ Version: 3
E2E is opt-in only. Most people probably dont use Secret Chat since `In a secret chatrooom, features including free calling, polls, events and chatroom album are currently not available`.
Main implementation in package `com.kakao.talk.secret` and the `LocoCipherHelper ` class.
MITM PoC:
- Sender's RSA public key pair in `TalkKeyStore.preferences.xml`
- Receiver's public keys in `KakaoTalk.db`
- PoC how-to:
- Delete all public keys from `KakaoTalk.db` database
- Start mitmproxy and Frida script
- Create new Secret Chat room
- `GETLPK` packet gets intercepted -> Maybe we don't need that?
- `SCREATE` packet gets intercepted (shouldn't include a shared secret, otherwise we remove it)
- Bad signature check of MITM public key doesn't seem to have any implications
- Sender sends a `SETSK` packet (mitmproxy grabs shared secret)
- Dump `SWRITE` packets
Questions:
- How to attack an already existing E2E chat room?
- How to fix maldformed `SCREATE` packets?
- Check public key fingerprints if they have changed