carnal0wnage [Shared Reader]

Saturday, December 28, 2013

Creating a iOS7 Application Pentesting Environment




Now that you have your shiny new Evasion7 jailbreak running it's time to set up the environment for application testing!

Getting in

(cross-posted with permission from CG from my work blog)


Since mobile substrate is not working yet we will focus on getting our idevice up and running as a functioning *nix environment and install some tools that don't require substrate.


First we need to get into our iDevices shell prompt. We will browse Cydia (that gets installed by default with the jailbreak) and then will install the openSSH package





Once we get openSSH installed you can SSH into your device by finding its IP address in the Settings > Wireless Networks > Advanced ">" menu. 



Now SSH into port 22  on that IP using the username "root" and the password "alpine".

Once we have shell we can use APT to install most of the other packages we need. Also change the default root password to something else so people can't mess with your phone!

Arming your iDevice with *nix tools


To have a functioning *nix environment we need to install a ton of utilities that aren't usually installed as part of the default jailbreak or Bash shell. This includes utilities like strings, grep, awk, find, etc...

Some of the utility packages do not verbatim tell what's inside of them; things like big boss tools and Erika utilities.

These two in specific install strings and other binutils type tools. Several of them patched or modded to work on the iOS architecture (arm).

Packages (some of these will be pre-installed with the JB):


adv-cmds
apr
apr-lib
apr-util
apt
apt7
apt7-key
apt7-lib
apt7-ssl
base
bash
basic-cmds
berkeleydb
bigbosshackertools
bootstrap-cmds
bzip2
class-dump
com.ericasadun.utilities
com.evad3rs.evasi0n7
com.innoying.sbutils
coreutils
coreutils-bin
curl
cy+cpu.arm
cy+kernel.darwin
cy+lib.corefoundation
cy+model.ipad
cy+os.ios
cydia
cydia-lproj
darwintools
debianutils
developer-cmds
diffutils
diskdev-cmds
dpkg
expat
file
file-cmds
findutils
firmware
firmware-sbin
gawk
gdb
gettext
git
gnupg
grep
gzip
inetutils
iokittools
ldid
less
libffi
libxml2
libxml2-lib
lsof
lzma
make
nano
ncurses
neon
network-cmds
odcctools
openssh
openssl
org.thebigboss.repo.icons
p7zip
pam
pam-modules
patch
pcre
profile.d
python
readline
rsync
sed
shell-cmds
sqlite3
sqlite3-lib
subversion
system-cmds
tar

tcpdump
top
uikittools
unrar
unzip
uuid
vim
wget
whois
xar
xml2
zip



Take this list and dump it to a file (packages.txt) and run:

apt-get  install $(<packages.txt)



Extras


In addition to utilities that help make our iDevice a functioning *nix environment there are several tools that aid in connecting, controlling, reverse engineering, and monitoring iOS applications. Below is a list of those tools, a description, and their locations (some cut from my OWASP page):


Tool
Link
Description
USBMuxd
http://cgit.sukimashita.com/usbmuxd.git/
Tunnel ports over USB (enable SSH without network using localhost:2222)
libimobiledevice
http://www.libimobiledevice.org/
Library. Custom implementation of iTunes type connections, file-system access, system access.
Filemon
Monitor realtime iOS file system
FileDP
Audits data protection of files
BinaryCookieReader
Read cookies.binarycookies files
lsof ARM Binary
list of all open files and the processes that opened them
lsock ARM Binary
monitor socket connections
removePIE
Disables ASLR of an application
Clutch
https://github.com/KJCracks/Clutch-dl/releases
Application Cracker compiled (remove encryption)
Rasticrac
https://twitter.com/iRastignac
Application Cracker (BASH GDB Wrapper)

Next steps


This is just the basics.

Once you get all of these utilities and tools installed you're pretty much waiting on substrate to be working for iOS 7. After that's done you can install your favorite all encompassing or homegrown tool that uses substrate to do hooking such as Cycript, Inlyzer, SSLKillSwitch, Snoopit, IntroSpy, iAuditor, etc.

Then you just have to MitM the web traffic. There are plenty of guides on that around the net. 

If you have other tools you use in your app assessment setup we'd love to hear about it. Feel free to leave suggestions in the comments. 


Thursday, December 26, 2013

Where has CG been?

I've been here....work has kept me super busy...pretty sure there is a post in 2012 that says about the same. :-/

I attempted to recruit some smart people to make some posts and they did so thanks to all the guest bloggers this year.

so what's been up?

well I've taken on two hobbies that don't directly tie into this blog. One, Christmas lights, like the obnoxious programmables RGB color ones. Facebook friends have been kept abreast of the situation.  Two, stock trading...which i found out a fair number of hackers are into...which is cool. The stock stuff came about from reading the Rich Dad Poor Dad book and trying to figure out a way not to have to work until i die. See that post for a tiny bit more explanation.

I've been told by a few people that readers would probably find the xmas light stuff interesting as it does involve cat-5 cables and packets over Ethernet frames. So I'll start knowledge dumping in Jan on that topic.

anyway. Tech stuff....whats up?

Shitty passwords are whats up this year (totally new issue right??!!!). I didn't go back and count but a large majority of the tests I performed or assisted with this year where there was some sort of single factor login portal (SSLVPN, Citrix, OWA, etc) fell over to one of the following:


Its 2013 almost 2014 as I write this, its sad that we are still dealing with this like this a new or unsolvable problem.  Just reaffirms to me that we are failing as an industry if today we can break into some organization that spends any dollars on security with Password1. Its really no mystery why bad guys are beating the piss out of people.

Earlier this year a guy that does work on things in China gave a talk and said that the Chinese culture thing about security like this: (to paraphrase):

"if an organization doesnt protect against stealing it, they must not care about it"  

Protecting your important **stuff** with Password1, or a web application where any web vulnerability scanner finds SQL... yeah its no surprise when someone steals your *whatever*.

Grumpiness aside, we did do some neat shit this year.  A pseudo highlight reel can be found in the string of talks that Chris Nickerson, Eric Smith,  and Mubix and I gave at Derbycon this year.




Lares continues to break into hard to break into places using Red Teaming.


I also gave a talk at a credit union conference a few months ago where i tried to sum up how organizations are getting owned. TLDR; its all stuff we know about, but it takes work to fix, so not that many organizations do it.



I've been kind of a deadbeat on talking in 2013 but i have a few ideas on some talks for 2014, ideally blog posts either here or the Lares blog will help me work those ideas into posts and eventually into a slide deck(s).


Monday, December 23, 2013

Best non-technical book I read this year

So first of a few end of year posts...

Best non-technical book i read this year was Rich Dad Poor Dad


I'd like to thank Joe McCray for recommending it to me. I wish i had read the book in my teens and/or my twenties. There are TONS of reviews on the book i'd encourage everyone remotely interested to read a mix of the 5 star and 1 star ones to get a feel.  I'll even drop the most important thing i got from the book here:

Assets make you money, liabilities cost you money. To build wealth you need to accumulate assets.

Pretty simple right?!  Unfortunately most of us (myself included) have been brought up to look at things like houses, cars, expensive things as assets because we can sell them if we need to for $$. However after being a former BMW owner and a current house owner i can attest that the mentioned items did not *make* me any money. In fact the house is a constant source of cash outflow. This is exactly what the book talks about.

Now to be fair, and if you read the reviews this will come across, there is A LOT of magic hand waving on how one starts buying assets instead of liabilities and growing wealth. The author uses real estate and mentions you can start a business or build wealth via stocks/trading as other ways to build wealth (assets). None of those in my opinion are quick, easy, or cheap to get started in and none of those come without a hefty education requirement in order not to lose your starting capital. Nevertheless, the value in the book comes from identifying the problem of how poor people view and interact with money and how rich people view and interact with money as well as giving a general road map on a new way to think about building wealth.

thoughts?

CG