Debuggers
gdb
radare2
Other
- IDA Pro
- [Hopper Disassembler](/docs/toolkit/general/reverse-toolkit/#hopper disassembler)
Static code analysis
IDA Pro
Hopper Disassembler
radare2
Utilities
Activity Analysis
Jailbreaking/Rooting
Something
Desciption
Host platforms: 🌈
Target platforms: 🌈
Install:
Common commands:
Keywords:
Analogues:
Possible issues:
Multitools
Passionfruit
Host platforms: 🌈
Target platforms: 🌈
Install:
brew install npm
# install node js - https://nodejs.org/en/download/
# reopen terminal
npm install -g passionfruit
passionfruit
Common commands:
passionfruit
to launch
Keywords: multitool, logs
Analogues:
Possible issues: If npm install -g passionfruit
thrown an error, like image not found
, update npm, make sure node.js is installed, clsoe the terminal (Command + Q
) and open again.
This article is a walkthrough of setting up the lab for pentesting iOS applications and forensic analysis of iDevices and Android devices (the main purpose of a tool, installation steps and possible issues along the way). I don’t explain here how to use the tools, for FUC see BTFM and RTFM for iOS and BTFM and RTFM for Android. I’ve combined tools for both forensics and penetration testing since they intersect too much.
Environment: Macbook Pro 13-Inch running macOS Catalina 10.15.6 and upgraded (RAM 10Gb, HDD 500Gb, SSD 500Gb), iPad Air 2 (A1567) running iOS 13.4.1. Some of the tools I’ve also tried on Windows or WSL (Linux Subsystem on Windows) which I’ll indicate with a tag. For Windows the environment is: Windows 10, WSL (Kali and Ubuntu 16), choco as a package manager.
Cydia Repositories
Link To Repo | Tools |
---|---|
https://cydia.akemi.ai/ | AppSync |
https://build.frida.re | Frida |
https://repo.chariz.io | |
https://apt.bingner.com/ | apt, mterminal, wget, less, rar, sqlite3, class-dump, cycript, Darwin CC Tools, Darwin Tools, gzip, grep |
http://apt.thebigboss.org/repofiles/cydia/ | |
link to repo with Metasploit |
Runtime analysis
Introspy
This tool consists of two parts: Analyzer and Tracer. Tracer is launched on iDevice or Android to hook all APIs and functions that are dangerous from security prospection. Upon analysis it creates a db that is further can be analyzed by Analyzer on PC.
Introspy iOS
Prerequisites on iDevice: dpkg (to install deb), Applist (for Introspy to get all installed applications), PreferenceLoader (to appear in Settings menu) and CydiaSubstrate.
Download link.
scp [introspy_deb] root@[device_ip]:~
ssh root@[device_ip]
dpkg -i [introspy_deb]
killall -HUP SpringBoard
🚫 Error encountered. At first, I didn’t see it in the Settings menu, even after rerunning
killall
several times. I thought it’s just not meant to be. But later after rebooting, rejailbreaking and installing SSL Kill Switch 2, I reran the commandkillall -HUP SpringBoard
and it worked. I don’t know how or why it wasn’t working at first yet. May be rejailbreaking and restarting worked.
If everything works fine, you should see Introspy - Apps and Introspy - Settings in the Settings menu of the iDevice in question.
Inropsy Android
# install
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git
Introspy Analyzer
Prerequisites on PC: python 2.6-2.7, pip
It’s the second part of the tool, which is run on PC. Installation:
# option 1. To launch from anywhere
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git
python -m introspy <args>
# option 2. Lauch from specific dir
git clone https://github.com/iSECPartners/Introspy-Analyzer.git
python Introspy-Analyzer.introspy <args>
Frida
This tool also consists of two parts: a server and a client. The server is copied on mobile device.
Installation:
pyenv activate python3 # optional
pip install frida
pip install frida-tools
Objection
Installation:
pip install frida frida-tools
pip install objection
Download and install frida-server-XX.XX.YY-[platform]-[arch].[extention]
where XX.XX
is equal to the one installed on PC with pip command and platform
is android
(get arch
from adb adb shell cat /proc/cpuinfo
or adb shell getprop ro.product.cpu.abi
.
Cycript
Mobile Substrate
Decrypting applications
Frida-ios-dump
Installation:
Clutch
Follow the instructions here. I tried building it myself both ways but neither works on iOS 13.4.1 iPad Air 2. The previous version (2.0.3) works, however, it throws some errors. Trying to run inject /usr/bin/Clutch
resulted in broken jb and I had to boot with the volume up key pressed to flush and then - rejailbreak.
Installation:
# prerequisites
xcode-select --install
# disable SDK code signing requirement
killall Xcode
cp /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist ~/
sudo /usr/libexec/PlistBuddy -c "Set :DefaultProperties:CODE_SIGNING_REQUIRED NO" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist
sudo /usr/libexec/PlistBuddy -c "Set :DefaultProperties:AD_HOC_CODE_SIGNING_ALLOWED YES" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist
# build. Option 1
xcodebuild clean build
# build. Option 2
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_TOOLCHAIN_FILE=../cmake/iphoneos.toolchain.cmake ..
make -j$(sysctl -n hw.logicalcpu)
# install on iDevice
scp ./build/Clutch root@[iDevice.ip]:/usr/bin/Clutch
❌ Error:
Segmentation error 11
🤔 Why? Somewhere there is a memory access violation like a buffer is to be overflow.
✅ Fix 1: try
ulimit -n 512
on iDevice before launchingclutch
✅ Fix 2: Launch
clutch
withroot
✅ Fix 3. Try older version
Network
Tcpdump
Command line tool. For traffic sniffing. Analyzes the full stack of TCP/IP protocol.
Installation steps on Android: tcpdump
adb push
chmod tcpdump -v -s 0 -w eccouncil.pc tcpdump -v -s 0 -w insecurebank.v2
Burp
GUI tool with lots of useful plugins. Acts as a proxy server and allows to sniff and also modify traffic. Operates on Applicaiton Layer of TCP/IP, hence you’ll only see HTTP(S).
Reverse Engineering
radare2 and the guys
git clone https://github.com/radare/radare2.git
cd radare2
./sys/install.sh
Exploits
Android Tamer
Useful VM for mobile pentesting and forensics with all tools needed preinstalled is Android Tamer. To get it work, after VM import, one needs to install several packages:
install metasploit, zipalign and apache2
General Analysis
drozer
For MacOS: pip install drozer
. Better use pyenv
and pyenv-virtualenv
since drozer is usung python 2.7. Then fix this file /Users/veronicazvereva/.pyenv/versions/2.7.18/envs/python2/lib/python2.7/site-packages/pydiesel/reflection/utils/class_loader.py
as discussed here.
Alternatively (didn’t work for me as expected) - download from here - https://github.com/FSecureLABS/drozer/releases/tag/2.4.3 whl version and then do pip install drozer-2.4.3-py2-none-any.whl
. Then fix the file mentioned above.
Utils
python
I work on MacOS and therefore I installed pyenv. For Windows it’s virtualenv. These help avoid confusion when using multiple versions of python 🐍.
To install M2Crypto
(if needed), follow these recommendations.
Visual Studio Code
It’s the most easy-to-use tool I’ve seen. At least, for python scripting. In order to pass command line arguments, you need a launch.json file. But there is no link unless you open the files as a folder.