- IDA Pro
- [Hopper Disassembler](/docs/toolkit/general/reverse-toolkit/#hopper disassembler)
Static code analysis
Host platforms: 🌈
Target platforms: 🌈
Host platforms: 🌈
Target platforms: 🌈
```bash
brew install npm   # install node.js - https://nodejs.org/en/download/
# reopen the terminal
npm install -g passionfruit
passionfruit       # launch
```
Keywords: multitool, logs
Possible issues: if `npm install -g passionfruit` throws an error like `image not found`, update npm, make sure node.js is installed, close the terminal (Command + Q) and open it again.
This article is a walkthrough of setting up the lab for pentesting iOS applications and forensic analysis of iDevices and Android devices (the main purpose of a tool, installation steps and possible issues along the way). I don’t explain here how to use the tools, for FUC see BTFM and RTFM for iOS and BTFM and RTFM for Android. I’ve combined tools for both forensics and penetration testing since they intersect too much.
Environment: MacBook Pro 13-inch running macOS Catalina 10.15.6 and upgraded (RAM 10 GB, HDD 500 GB, SSD 500 GB), iPad Air 2 (A1567) running iOS 13.4.1. Some of the tools I’ve also tried on Windows or WSL (Windows Subsystem for Linux), which I’ll indicate with a tag. For Windows the environment is: Windows 10, WSL (Kali and Ubuntu 16), choco as a package manager.
| Link To Repo | Tools |
|---|---|
| https://apt.bingner.com/ | apt, mterminal, wget, less, rar, sqlite3, class-dump, cycript, Darwin CC Tools, Darwin Tools, gzip, grep |
| link to repo with Metasploit | Metasploit |
This tool consists of two parts: Analyzer and Tracer. Tracer is launched on the iDevice or Android device and hooks all APIs and functions that are dangerous from a security perspective. As the app runs, it records the calls into a database, which can then be analyzed by Analyzer on the PC.
Prerequisites on iDevice: dpkg (to install the deb), AppList (so Introspy can enumerate all installed applications), PreferenceLoader (so it appears in the Settings menu) and Cydia Substrate.
```bash
scp [introspy_deb] root@[device_ip]:~
ssh root@[device_ip]
dpkg -i [introspy_deb]
killall -HUP SpringBoard
```
🚫 Error encountered. At first, I didn’t see it in the Settings menu, even after rerunning `killall` several times. I thought it’s just not meant to be. But later, after rebooting, rejailbreaking and installing SSL Kill Switch 2, I reran the command `killall -HUP SpringBoard` and it worked. I don’t know how or why it wasn’t working at first yet. Maybe rejailbreaking and restarting worked.
If everything works fine, you should see Introspy - Apps and Introspy - Settings in the Settings menu of the iDevice in question.
```bash
# install
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git
```
Prerequisites on PC: python 2.6-2.7, pip
It’s the second part of the tool, which is run on PC. Installation:
```bash
# option 1. To launch from anywhere
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git
python -m introspy <args>
# option 2. Launch from a specific dir
git clone https://github.com/iSECPartners/Introspy-Analyzer.git
python Introspy-Analyzer.introspy <args>
```
This tool also consists of two parts: a server and a client. The server is copied to the mobile device, the client is installed on the PC.
```bash
pyenv activate python3   # optional
pip install frida frida-tools
pip install objection
```
Download and install the server build for the device, where XX.XX must equal the version installed on the PC with the pip command, and the arch is taken from adb: `adb shell cat /proc/cpuinfo` or `adb shell getprop ro.product.cpu.abi`.
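An added helper (not from the original article) that turns the two facts above, the host's frida version and the device ABI from `adb shell getprop ro.product.cpu.abi`, into the matching frida-server release asset name; it assumes the `frida-server-<version>-android-<arch>.xz` naming used on the frida GitHub releases page.

```bash
#!/bin/sh
# Added example: pick the frida-server build that matches the PC's frida
# version and the device's CPU ABI, so the client and server versions agree.

# Map an Android ABI string (from `adb shell getprop ro.product.cpu.abi`)
# to the architecture tag used in frida-server release file names.
abi_to_frida_arch() {
    case "$1" in
        arm64-v8a)            echo arm64 ;;
        armeabi-v7a|armeabi)  echo arm ;;
        x86)                  echo x86 ;;
        x86_64)               echo x86_64 ;;
        *) echo "unsupported abi: $1" >&2; return 1 ;;
    esac
}

# Compose the release asset name; $1 is the host version (`frida --version`),
# $2 is the device ABI. Fails (exit 1) on an ABI we cannot map.
frida_server_asset() {
    ver="$1"; abi="$2"
    arch=$(abi_to_frida_arch "$abi") || return 1
    echo "frida-server-${ver}-android-${arch}.xz"
}

# Full download URL on the frida releases page for that asset.
frida_server_url() {
    asset=$(frida_server_asset "$1" "$2") || return 1
    echo "https://github.com/frida/frida/releases/download/$1/${asset}"
}

# Exact-match check between host and device versions (e.g. `frida --version`
# on the PC vs `frida-server --version` on the device).
versions_match() {
    [ "$1" = "$2" ]
}

# Live usage (needs the PC tools and an attached device):
#   VER=$(frida --version)
#   ABI=$(adb shell getprop ro.product.cpu.abi | tr -d '\r')   # strip CR from adb
#   frida_server_url "$VER" "$ABI"
```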
Follow the instructions here. I tried building it myself both ways, but neither works on iOS 13.4.1 on the iPad Air 2. The previous version (2.0.3) works; however, it throws some errors. Trying to run `inject /usr/bin/Clutch` resulted in a broken jailbreak, and I had to boot with the volume up key pressed to flush and then rejailbreak.
```bash
# prerequisites
xcode-select --install
# disable the SDK code signing requirement (a copy of SDKSettings.plist is kept in ~ as a backup)
killall Xcode
cp /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist ~/
sudo /usr/libexec/PlistBuddy -c "Set :DefaultProperties:CODE_SIGNING_REQUIRED NO" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist
sudo /usr/libexec/PlistBuddy -c "Set :DefaultProperties:AD_HOC_CODE_SIGNING_ALLOWED YES" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist
# build. Option 1
xcodebuild clean build
# build. Option 2
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_TOOLCHAIN_FILE=../cmake/iphoneos.toolchain.cmake ..
make -j$(sysctl -n hw.logicalcpu)
cd ..   # back to the repo root so the ./build path below resolves
# install on iDevice
scp ./build/Clutch root@[iDevice.ip]:/usr/bin/Clutch
```
Segmentation error 11
🤔 Why? Somewhere there is a memory access violation, for example a buffer overflow.
✅ Fix 1: try `ulimit -n 512` on the iDevice before launching.
✅ Fix 2: Launch
✅ Fix 3: Try an older version.
Command line tool for traffic sniffing. It captures at every layer of the TCP/IP stack, not only the application layer.
Installation steps on Android:
```bash
# on the PC: push the tcpdump binary to the device
adb push tcpdump [device_path]
adb shell
# on the device (inside adb shell)
chmod +x [device_path]/tcpdump
tcpdump -v -s 0 -w eccouncil.pc
tcpdump -v -s 0 -w insecurebank.v2
```
GUI tool with lots of useful plugins. It acts as a proxy server and lets you sniff and also modify traffic. It operates on the application layer of TCP/IP, hence you’ll only see HTTP(S).
radare2 and the guys
```bash
git clone https://github.com/radare/radare2.git
cd radare2
./sys/install.sh
```
A useful VM for mobile pentesting and forensics with all the needed tools preinstalled is Android Tamer. To get it working after importing the VM, one needs to install several packages:
- install metasploit, zipalign and apache2
`pip install drozer`. Better use pyenv-virtualenv, since drozer is using Python 2.7. Then fix this file: `/Users/veronicazvereva/.pyenv/versions/2.7.18/envs/python2/lib/python2.7/site-packages/pydiesel/reflection/utils/class_loader.py`, as discussed here.
Alternatively (didn’t work for me as expected): download the whl version from here - https://github.com/FSecureLABS/drozer/releases/tag/2.4.3 - and then do `pip install drozer-2.4.3-py2-none-any.whl`. Then fix the file mentioned above.
I work on macOS and therefore I installed pyenv. For Windows it’s virtualenv. These help avoid confusion when using multiple versions of Python 🐍.
M2Crypto (if needed), follow these recommendations.
Visual Studio Code
It’s the easiest-to-use tool I’ve seen, at least for Python scripting. In order to pass command line arguments, you need a launch.json file. But there is no link unless you open the files as a folder.
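As an added example (not from the original article), a `.vscode/launch.json` that passes command line arguments the way the paragraph describes, with one entry that runs the Analyzer as the page does (`python -m introspy <args>`); the argument values are placeholders, and `"type": "python"` assumes the Microsoft Python extension is installed.

```json
{
  "version": "0.2.0",
  "configurations": [
    {
      // Debug the installed package as a module, equivalent to `python -m introspy <args>`
      "name": "Introspy-Analyzer (module)",
      "type": "python",
      "request": "launch",
      "module": "introspy",
      "args": ["[introspy args]"],   // placeholder: replace with the real arguments
      "console": "integratedTerminal",
      "cwd": "${workspaceFolder}"
    },
    {
      // Debug whichever script is open in the editor, passing its arguments
      "name": "Current file with args",
      "type": "python",
      "request": "launch",
      "program": "${file}",
      "args": ["[arg1]", "[arg2]"],  // placeholders
      "console": "integratedTerminal"
    }
  ]
}
```

The file is only picked up when the directory containing `.vscode/` is opened as a folder (File > Open Folder), which is the limitation the paragraph mentions.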