[SAFE-ID: JIWO-2024-1500]   Author: ecawen   Published: [2018-05-01]


Brida is a Burp Suite plugin that connects Burp with Frida, so that you can modify the traffic between a mobile app and its server according to your needs. This article is a detailed tutorial on installing and using Brida.

Hi! Today we will take a step-by-step tour of how to use Brida. We will see how to install and configure Brida and then how to use it during a real penetration test. For this purpose, we will use an iOS app developed by my colleague Mattia for our conference at Hack In The Box 2018 Amsterdam, but we will also see how to configure the plugin in an Android environment.

 

Brida links

  1. GitHub repository
  2. Brida releases
  3. Video of the talk at Hack In The Box 2018 Amsterdam
  4. Slides of the talk at Hack In The Box 2018 Amsterdam

 

Knowledge requirements

In order to be able to use Brida, you need:

  • basic knowledge of Burp Suite and web penetration testing
  • basic knowledge of Frida and instrumentation/hooking/dynamic analysis

 

Setting up your computer

Brida supports all operating systems. In order to use it you have to install:

1. Burp Suite

Download Burp Suite from PortSwigger’s official site. Brida can be used on both Burp Suite Professional and Burp Suite Community Edition.

2. Frida

First download and install the Python 2.7 binary and PIP for your operating system.  Then you can easily install Frida with PIP:

3. Brida

  1. Install Pyro4:
  2. Download the latest version of the Brida plugin from the Brida repository
  3. Load the plugin from Burp: Open Burp -> Extender -> Extensions -> Add -> Choose BridaXX.jar file

And that’s all! Now it’s time to execute the Frida server on the mobile device!

 

Setting up your mobile phone

In order to be able to use Brida (and also Frida) you have to run frida-server on your mobile device with root privileges. Alternatively, if you have the IPA of your iOS application or the APK of your Android application, you can patch it by adding the Frida library, in order to be able to use Frida also on non-jailbroken/non-rooted devices.

1. Setting up the mobile environment on a Jailbroken iOS device

  1. Download the right version of frida server from the official repository (for example frida-server-XX.X.X-ios-arm64.xz if you have a 64-bit iOS device or frida-server-XX.X.X-ios-arm.xz otherwise)
  2. Copy the frida-server binary on the device using SCP
  3. Execute the frida-server binary on the device using SSH

The Frida client on your computer must be able to reach the Frida server on the mobile device. This task can be accomplished in two different ways:

  • Via USB, simply connecting your iOS device to your computer (not all OSes are supported)
  • Remotely. In this case you have to connect to your device using SSH, forwarding the local TCP port 27042. On Linux this task can be accomplished with the following command: "ssh -L 27042:127.0.0.1:27042 #IP_OF_IOS_DEVICE". On Windows you can use PuTTY and configure the connection as follows:

Putty

Brida supports both local and remote connections to Frida, as we will see in the next sections. The Frida server can also be installed from a Cydia repository, but we prefer to manually download the binary and upload it to the device to have more control over the process.

2. Setting up the mobile environment on a rooted Android device

  1. Download the right version of Frida server from the official repository (frida-server-XX.X.X-android-arm64.xz if you have a 64-bit ARM Android device, frida-server-XX.X.X-android-arm.xz if you have a 32-bit ARM Android device, frida-server-XX.X.X-android-x86_64.xz if you have a 64-bit x86 Android device and frida-server-XX.X.X-android-x86.xz if you have a 32-bit x86 Android device)
  2. Copy the frida-server binary on the device using ADB
    1. $ adb root
    2. $ adb push frida-server /data/local/tmp/
    3. $ adb shell "chmod 755 /data/local/tmp/frida-server"
  3. Execute the frida-server binary on the device using ADB
    1. $ adb shell "/data/local/tmp/frida-server &"

In Android the best option is usually to use Frida in local mode, connecting the device to the computer with a USB cable.
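The Android steps above, automated in a small POSIX shell script (an added example, not part of the original post or of the Brida project). It assumes adb, xz and the Frida client are installed on the host, the device is rooted, and the release archive has been downloaded to $HOME/frida; the version string is a placeholder you supply.

```shell
#!/bin/sh
# Added example: select the frida-server build matching the device ABI,
# then push and start it over ADB. Not code from the original post.

# Map an Android ABI (as reported by `getprop ro.product.cpu.abi`) to the
# frida-server release file name for the given version. Fails on unknown ABIs.
frida_server_asset() {
    abi=$1
    version=$2
    case "$abi" in
        arm64-v8a)            arch=arm64 ;;
        armeabi-v7a|armeabi)  arch=arm ;;
        x86_64)               arch=x86_64 ;;
        x86)                  arch=x86 ;;
        *) echo "unsupported ABI: $abi" >&2; return 1 ;;
    esac
    echo "frida-server-${version}-android-${arch}.xz"
}

# Decompress the matching archive, push the binary to /data/local/tmp,
# make it executable and start it detached so the adb shell returns.
# $1 = frida version (placeholder), $2 = directory holding the .xz files.
deploy_frida_server() {
    version=$1
    dir=${2:-$HOME/frida}
    abi=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')
    asset=$(frida_server_asset "$abi" "$version") || return 1
    xz -dkf "$dir/$asset"                 # keep the .xz, write the raw binary
    bin=${asset%.xz}
    adb root >/dev/null
    adb push "$dir/$bin" /data/local/tmp/frida-server
    adb shell "chmod 755 /data/local/tmp/frida-server"
    adb shell "nohup /data/local/tmp/frida-server >/dev/null 2>&1 &"
    # Sanity check: the Frida client on the host should now list device processes.
    frida-ps -U >/dev/null 2>&1 && echo "frida-server reachable over USB"
}
```

Run `deploy_frida_server 12.0.1` (with the archive in $HOME/frida) and then select "Frida Local" in Brida's configuration tab.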

3. Setting up the mobile environment on a non-Jailbroken iOS device (with Frida Gadget)

Additional requirements: the IPA of the application and a Mac computer (unfortunately to handle this situation you have to use a Mac!)

If you want to use Brida and Frida on a non-Jailbroken device you must have the IPA of the application. You need to patch the application with the Frida library (“Frida Gadget”) and then install the patched application on your device. The most comfortable way to accomplish this task is to use the great Objection tool, released by Leon Jacobs. You can find a detailed guide on how to patch the application here.

After patching the application, you can install and execute it following this guide.

4. Setting up the mobile environment on a non-rooted Android device

At the moment, this mode is not recommended. You can use Objection to patch an Android binary but at the moment we haven’t tested Brida on a non-rooted Android device. We will update this guide when we have more information on this mode of operation.

 

Setting up Brida!

Now that you have configured your testing environment, it’s time to configure Brida itself. Let’s go to the “Configurations” tab of Brida.

Brida Configurations

Here, you have to input the following configuration parameters:

  1. “Python binary path” is the path of the python binary. In most cases the default value is the correct one.
  2. “Pyro host” and “Pyro port” are the host and port on which the Pyro server (used by Brida to bridge Burp Suite and Frida) will be started. In most cases you can leave the default values and the Pyro server will be started on localhost:9999.
  3. “Frida JS file path” is the path of the Frida instrumentation JavaScript file, containing all Frida and Brida hooks and exports. To properly use Brida you have to insert the path of the JS file supplied with the Brida release (named “scriptBrida.js”) because this file contains Frida functions used by Brida itself. You can add your own Frida hooks and exports directly in this file.
  4. Application ID: this is the ID of the application that we are going to test on our mobile device. We will explain in a moment how to obtain this information from the device.
  5. “Frida Remote”/“Frida Local”: if you are using the Frida USB mode of operation you have to select “Frida Local”; if you are using the SSH port forwarding mode you have to choose “Frida Remote”.

Obtaining the Application ID of the target iOS application

  • Jailbroken device: on a Jailbroken device you can use the “ipainstaller” tool to get the application ID of all applications NOT installed from iTunes (command “ipainstaller -l”). You can use the Clutch tool to obtain the application IDs of all applications installed from iTunes (command “Clutch -i”). Alternatively, you can extract that information from the IPA of the application itself (file: Payload/XXX.app/Info.plist)
  • Non-jailbroken device: if you are using the Frida Gadget mode of operation (application patched with the Frida library) the application ID is always the same: “re.frida.Gadget”

Obtaining the Application ID of the target Android application

  • Rooted device: you can obtain the application ID of all installed applications using ADB with the following command: “adb shell pm list packages”. Alternatively, you can obtain the information from the Manifest file included in the application’s APK.

 

Let’s start the analysis

To execute our application with Brida we simply need to click first on “Start Server”, which starts the Pyro4 server, and then on “Spawn application”, and our application will be spawned directly on our device!

Brida Configurations

If you are using Frida Gadget on a non-Jailbroken device the procedure is slightly different, as described in the Objection Wiki. First you have to run your application in debug mode with ios-deploy (on the first run you have to run the command without the -m, in order not to skip the installation of the app on the device):

Once launched, the application is executed with LLVM but is stuck on start, waiting for a debugger. Then we can click on “Start server” and “Spawn application” on Brida and the application will be resumed and will be ready to be tested with Brida!

Just one note: if you are testing the application with Frida Gadget you can’t use the “Kill application” button of Brida to kill the application. You have to quit the application directly from the shell in which the ios-deploy command has been executed by typing the “quit” command. Then, if you want to run the application again, you have to repeat the described procedure.

 

Brida’s main menu

Brida’s main menu is on the right side, visible from all the tabs of Brida. The first entries of the menu are fixed, while the last part depends on the current tab.

Let’s see in detail how to use the fixed items of the menu. We will see the variable buttons when we will cover the different tabs of Brida:

Brida Menu

  • “Start server”: starts the Pyro4 server. After Brida configuration, you have to start Pyro4 server in order to be able to use Brida.
  • “Kill server”: kills the Pyro4 server python process. You should click this button after you finish your analysis.
  • “Spawn application”: after starting Pyro4 server you can use this option to execute the target application on the mobile phone. The hooks defined in the JS file will be loaded and executed in the binary using Frida. From now on you can use all Frida and Brida functionalities.
  • “Kill application”: kills the application on the device. Note: if you kill and restart the application you have to add again all the hooks dynamically added from the Brida GUI.
  • “Reload JS”: you can use this option to reload the Frida JS file (for example after having edited it) without having to kill and re-spawn the application.
  • “Clear console”: clears Brida console.

 

 

Brida’s console

All output from Brida and from all Frida and Brida hooks is printed in a unified console, visible from all the tabs of Brida. We implemented this console in order to simplify mobile application analysis: with this console the tester can avoid switching tab repeatedly in order to see the output from the different Frida and Brida hooks and tools!

Brida Console

 

JS Editor

The JS Editor tab allows you to comfortably edit the Frida JS instrumentation file (containing Brida’s default hooks/exports and the hooks/exports you add during your penetration test) directly from Burp Suite, without having to use a separate JS editor. The editor employs the great RSyntaxTextArea library by bobbylight, which also provides JS syntax highlighting. In order to load your Frida JS file, you have to click on the “Load JS file” button (you already set the path of this file in the “Configurations” tab):

Brida JS Editor

Then, when you want to save your job, you have only to click on the “Save JS file” button:

Brida JS Editor

If you want to reload your Frida file (for example after having added a new Frida hook) without having to kill and re-spawn your application you can click on the “Reload JS” button in the menu on the right!