coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [master] 3 pages modified

Browse Source
This commit is contained in:
CPol 2021-05-19 16:11:33 +00:00 committed by gitbook-bot
parent 89c55b14cd
commit 7b6767a4f8
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 282 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

282
ios-pentesting/README.md
View File

@ -12,6 +12,21 @@ In this page you can find information about the **iOS simulator**, **emulators**
## Initial Analysis
### Basic iOS Testing Operations
During the testing **several operations are going to be suggested** \(connect to the device, read/write/upload/download files, use some tools...\). Therefore, if you don't know how to perform any of these actions please, **start reading the page**:
{% page-ref page="basic-ios-testing-operations.md" %}
{% hint style="info" %}
For the following steps **the app should be installed** in the device and should have already obtained the **IPA file** of the application.
Read the [Basic iOS Testing Operations](basic-ios-testing-operations.md) page to learn how to do this.
{% endhint %}
### Basic Static Analysis
It's recommended to use the tool [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) to perform an automatic Static Analysis to the IPA file.
### Listing Installed Apps
When targeting apps that are installed on the device, you'll first have to figure out the correct bundle identifier of the application you want to analyze. You can use `frida-ps -Uai` to get all apps \(`-a`\) currently installed \(`-i`\) on the connected USB device \(`-U`\):
@ -29,6 +44,241 @@ $ frida-ps -Uai
- iGoat-Swift OWASP.iGoat-Swift
```
### Basic Enumeration of the app
For this section the tool [**Objection**](https://github.com/sensepost/objection) is going to be used.
Start by getting an objection's session executing something like `objection -d --gadget "iGoat-Swift" explore` or `objection -d --gadget "OWASP.iGoat-Swift" explore`
* `env`: Find the paths where the application is stored inside the device
```bash
env
Name Path
----------------- -----------------------------------------------------------------------------------------------
BundlePath /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
```
* `ios bundled list_bundles`: List bundles of the application
```bash
ios bundles list_bundles
Executable Bundle Version Path
------------ -------------------- --------- -------------------------------------------
iGoat-Swift OWASP.iGoat-Swift 1.0 ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9 com.apple.AGXMetalA9 172.18.4 ...tem/Library/Extensions/AGXMetalA9.bundle
```
* `ios bundle list_frameworks`: List external frameworks used by the application
```bash
ios bundles list_frameworks
Executable Bundle Version Path
------------------------------ -------------------------------------------- ---------- -------------------------------------------
ReactCommon org.cocoapods.ReactCommon 0.61.5 ...tle.app/Frameworks/ReactCommon.framework
...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec org.cocoapods.FBReactNativeSpec 0.61.5 ...p/Frameworks/FBReactNativeSpec.framework
...ystem/Library/Frameworks/IOKit.framework
RCTAnimation org.cocoapods.RCTAnimation 0.61.5 ...le.app/Frameworks/RCTAnimation.framework
jsinspector org.cocoapods.jsinspector 0.61.5 ...tle.app/Frameworks/jsinspector.framework
DoubleConversion org.cocoapods.DoubleConversion 1.1.6 ...pp/Frameworks/DoubleConversion.framework
react_native_config org.cocoapods.react-native-config 0.12.0 ...Frameworks/react_native_config.framework
react_native_netinfo org.cocoapods.react-native-netinfo 4.4.0 ...rameworks/react_native_netinfo.framework
PureLayout org.cocoapods.PureLayout 3.1.5 ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities org.cocoapods.GoogleUtilities 6.6.0 ...app/Frameworks/GoogleUtilities.framework
RCTNetwork org.cocoapods.RCTNetwork 0.61.5 ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet org.cocoapods.RCTActionSheet 0.61.5 ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor org.cocoapods.react-native-image-editor 2.1.0 ...orks/react_native_image_editor.framework
CoreModules org.cocoapods.CoreModules 0.61.5 ...tle.app/Frameworks/CoreModules.framework
RCTVibration org.cocoapods.RCTVibration 0.61.5 ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler org.cocoapods.RNGestureHandler 1.6.1 ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard org.cocoapods.RNCClipboard 1.5.1 ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker org.cocoapods.react-native-image-picker 2.3.4 ...orks/react_native_image_picker.framework
[..]
```
* `memory list modules`: List loaded modules in memory
```bash
memory list modules
Name Base Size Path
----------------------------------- ----------- ------------------- ------------------------------------------------------------------------------
iGoat-Swift 0x104ffc000 2326528 (2.2 MiB) /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib 0x105354000 16384 (16.0 KiB) /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration 0x1aa842000 495616 (484.0 KiB) /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib 0x1bdcfd000 368640 (360.0 KiB) /usr/lib/libc++.1.dylib
libz.1.dylib 0x1efd3c000 73728 (72.0 KiB) /usr/lib/libz.1.dylib
libsqlite3.dylib 0x1c267f000 1585152 (1.5 MiB) /usr/lib/libsqlite3.dylib
Foundation 0x1ab550000 2732032 (2.6 MiB) /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib 0x1bdc64000 233472 (228.0 KiB) /usr/lib/libobjc.A.dylib
[...]
```
* `memory list exports <module_name>`: Exports of a loaded module
```bash
memory list exports iGoat-Swift
Type Name Address
-------- -------------------------------------------------------------------------------------------------------------------------------------- -----------
variable _mh_execute_header 0x104ffc000
function _mdictof 0x10516cb88
function _ZN9couchbase6differ10BaseDifferD2Ev 0x10516486c
function _ZN9couchbase6differ10BaseDifferD1Ev 0x1051648f4
function _ZN9couchbase6differ10BaseDifferD0Ev 0x1051648f8
function _ZN9couchbase6differ10BaseDiffer5setupEmm 0x10516490c
function _ZN9couchbase6differ10BaseDiffer11allocStripeEmm 0x105164a20
function _ZN9couchbase6differ10BaseDiffer7computeEmmj 0x105164ad8
function _ZN9couchbase6differ10BaseDiffer7changesEv 0x105164de4
function _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE 0x105164fa8
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE 0x1051651d8
function _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE 0x105165280
variable _ZTSN9couchbase6differ10BaseDifferE 0x1051d94f0
variable _ZTVN9couchbase6differ10BaseDifferE 0x10523c0a0
variable _ZTIN9couchbase6differ10BaseDifferE 0x10523c0f8
[..]
```
* `ios hooking list classes`: List classes of the app
```bash
ios hooking list classes
AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]
```
* `ios hooking list class_methods`: List methods of a specific class
```bash
ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:
```
* `ios hooking search classes <search_term>`: Search a class that contains a string
```bash
ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]
```
* `ios hooking search methods <search_term>`: Search a method that contains a string
```bash
ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
```
### Basic Hooking
Now that you have **enumerated the classes and modules** used by the application you may have found some **interesting class and method names**.
* `ios hooking watch class <class_name>`: Hook all the methods of a class, dump all the initial parameters and returns
```bash
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
```
* `ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`: Hook an specific method of a class dumping the parameters, backtraces and returns of the method each time it's called
```bash
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
```
* `ios hooking set return_value "-[<class_name> <method_name>]" false`: This will make the selected method return the indicated boolean
```bash
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
```
* `ios hooking generate simple <class_name>`:
```bash
ios hooking generate simple iGoat_Swift.RCreditInfo
var target = ObjC.classes.iGoat_Swift.RCreditInfo;
Interceptor.attach(target['+ sharedSchema'].implementation, {
onEnter: function (args) {
console.log('Entering + sharedSchema!');
},
onLeave: function (retval) {
console.log('Leaving + sharedSchema');
},
});
Interceptor.attach(target['+ className'].implementation, {
onEnter: function (args) {
console.log('Entering + className!');
},
onLeave: function (retval) {
console.log('Leaving + className');
},
});
Interceptor.attach(target['- cvv'].implementation, {
onEnter: function (args) {
console.log('Entering - cvv!');
},
onLeave: function (retval) {
console.log('Leaving - cvv');
},
});
Interceptor.attach(target['- setCvv:'].implementation, {
onEnter: function (args) {
console.log('Entering - setCvv:!');
},
onLeave: function (retval) {
console.log('Leaving - setCvv:');
},
});
```
### IPA Structure
`.ipa` files are **zipped** **packages**, so you can change the extension to `.zip` and **decompress** them. A **complete** **packaged** app ready to be installed is commonly referred to as a **Bundle**.
@ -152,8 +402,6 @@ Regular 420 None ... Sentinel.txt
Regular 420 None ... README.txt
```
###
### Binary Reversing
Inside the `<application-name>.app` folder you will find a binary file called `<application-name>`. This is the file that will be **executed**. You can perform a basic inspection of the binary with the tool **`otool`**:
@ -265,6 +513,8 @@ The [`NSUserDefaults`](https://developer.apple.com/documentation/foundation/nsus
This data cannot be longer accessed directly via a trusted computer, but can be accessed performing a **backup**.
You can **dump** the information saved using **`NSUserDefaults`** using objection's `ios nsuserdefaults get`
To find all the plist of used by the application you can access to `/private/var/mobile/Containers/Data/Application/{APPID}` and run:
```bash
@ -286,6 +536,12 @@ The file might be formatted in **XML or binary \(bplist\)**. You can **convert i
$ plistutil -i Info.plist -o Info_xml.plist
```
* On an objection's session:
```bash
ios plist cat /private/var/mobile/Containers/Data/Application/AF1F534B-1B8F-0825-ACB21-C0301AB7E56D/Library/Preferences/com.some.package.app.plist
```
### Core Data
[`Core Data`](https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/CoreData/nsfetchedresultscontroller.html#//apple_ref/doc/uid/TP40001075-CH8-SW1) is a framework for managing the model layer of objects in your application. [Core Data can use SQLite as its persistent store](https://cocoacasts.com/what-is-the-difference-between-core-data-and-sqlite/), but the framework itself is not a database.
@ -381,7 +637,7 @@ Check for possible couchbase databases in `/private/var/mobile/Containers/Data/A
iOS store the cookies of the apps in the **`Library/Cookies/cookies.binarycookies`** inside each apps folder. However, developers sometimes decide to save them in the **keychain** as the mentioned **cookie file can be accessed in backups**.
To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser).
To inspect the cookies file you can use [**this python script**](https://github.com/mdegrazia/Safari-Binary-Cookie-Parser) ****or use **objection's** `ios cookies get`.
You can also use objection to **convert these files to a JSON** format and inspect the data.
```bash
@ -469,7 +725,21 @@ This sets the background image to `overlayImage.png` whenever the application is
### Keychain
Tools like [**Keychain-Dumper**](https://github.com/ptoomey3/Keychain-Dumper) can be used to dump the keychain \(the dive must be jailbroken\).
You can also use `ios keychain dump` from [**Objection**](https://github.com/sensepost/objection)\*\*\*\*
You can also use `ios keychain dump` from [**Objection**](https://github.com/sensepost/objection)**.**
#### **NSURLCredential**
**NSURLCredential** is the perfect class to **store username and password in the keychain**. No need to bother with NSUserDefaults nor any keychain wrapper.
****Once the user is logged in, you can **store** his username and password to the keychain:
```swift
NSURLCredential *credential;
credential = [NSURLCredential credentialWithUser:username password:password persistence:NSURLCredentialPersistencePermanent];
[[NSURLCredentialStorage sharedCredentialStorage] setCredential:credential forProtectionSpace:self.loginProtectionSpace];
```
You can use **Objection's** `ios nsurlcredentialstorage dump` to dump these secrets.
## Custom Keyboards/Keyboard Cache
@ -578,6 +848,8 @@ It's also important to check that an **application isn't using the global pasteb
An **application can also prevent its users to copy sensitive data to the clipboard** \(which is recommended\).
You can **monitor** the **pasteboard** **while you navigate** through the application with **objection's** `ios pasteboard monitor`
## Backups
iOS includes auto-backup features that create copies of the data stored on the device. You can **make iOS backups** from your host computer by using iTunes \(till macOS Catalina\) or Finder \(from macOS Catalina onwards\), or via the iCloud backup feature. In both cases, the backup includes nearly all data stored on the iOS device except highly sensitive data such as Apple Pay information and Touch ID settings.
@ -1140,6 +1412,8 @@ In order to check this issue using Burp, after trusting Burp CA in the iPhone, y
If an application is correctly using SSL Pinning, then the application will only works if the certificate is the once expected to be. When testing an application **this might be a problem as Burp will serve it's own certificate.**
In order to bypass this protection inside a jailbroken device, you can install the application [**SSL Kill Switch**](https://github.com/nabla-c0d3/ssl-kill-switch2) ****or install [**Burp Mobile Assistant**](https://portswigger.net/burp/documentation/desktop/tools/mobile-assistant/installing)\*\*\*\*
You can also use **objection's** `ios sslpinning disable`
## Misc
* In **`/System/Library`** you can find the frameworks installed in the phone used by system applications

6
ios-pentesting/basic-ios-testing-operations.md
View File

@ -208,15 +208,13 @@ Save the IPA file locally with the following command:
If you don't have the original IPA, then you need a jailbroken device where you will **install the app** \(e.g. via App Store\). Once installed, you need to **extract the app binary from memory and rebuild the IPA file**. Because of DRM, the app binary file is encrypted when it is stored on the iOS device, so simply pulling it from the Bundle \(either through SSH or Objection\) will not be sufficient to reverse engineer it \(read next section\).
### Decryption
### Decryption \(Manual\)
Unlike an Android Application, the binary of an iOS app **can only be disassembled** and not decompiled.
When an application is submitted to the app store, Apple first verifies the app conduct and before releasing it to the app-store, **Apple encrypts the binary using** [**FairPlay**](https://developer.apple.com/streaming/fps/). So the binary download from the app store is encrypted complicating ting the reverse-engineering tasks.
However, note that there are other **third party software that can be used to obfuscate** the resulting binaries.
#### Removing App Store Encryption \(Manually\)
In order to run the encrypted binary, the device needs to decrypt it in memory. Then, it's possible to **dump the decrypted binary from the memory**.
First, check if the binary is compiled with the PIE \(Position Independent Code\) flag:
@ -281,7 +279,7 @@ However, you can use tools like [**MachOView**](https://sourceforge.net/projects
![](../.gitbook/assets/image%20%28458%29.png)
#### Removing App Store Encryption \(Automatically\)
### Decryption \(Automatically\)
You can use tools like [**frida-ios-dump**](https://github.com/AloneMonkey/frida-ios-dump) to **automatically remove the encryption and an app**.

2
ios-pentesting/ios-testing-environment.md
View File

@ -133,3 +133,5 @@ A jailbroken device allows users to **install unapproved apps** and leverage **m
**More information about how to detect jailbreaking** [**here**](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/)**.**
You can try to avoid this detections using **objection's** `ios jailbreak disable`