📘 📕 BTFM and RTFM iOS


Created: 18.09.2020

This is a combination of BTFM and RTFM (Blue Team Field Manual and Red Team Field Manual) for iOS devices and applications. I used to keep two separate field manuals at first, but since there are just too many intersections, I’ve decided to combine them to make it easier to use. For Android RTFM and BTFM see here

Cheatsheet

This cheatsheet is meant to ease the flow of either a penetration testing analysis or a forensics investigation. Fill in the form below to speed up command-line tool usage.

Information                   | ANSWER
iDevice UDID                  |
Package name                  |
App’s folder with bin (UUID)  |
App’s folder with data (UUID) |

Get iDevice UDID

# option 1
ioreg -p IOUSB -l | grep "USB Serial" 

# option 2
idevice_id -l # get UDID with idevice_id (ships with libimobiledevice)

# option 3
system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:"

# option 4
instruments -s devices

Get package name

# option 1
frida-ps -U | grep [partial_name]
ipainstaller -l | grep [partial_name]

Get folder with bin and with data (UUID)

# option 1
ipainstaller -i [package_name]

# option 2
objection -g [package_name] explore
> env

Device Info

Get UDID in different ways (using macOS):

# option 1
ioreg -p IOUSB -l | grep "USB Serial" 

# option 2
idevice_id -l # get UDID with idevice_id (ships with libimobiledevice)

# option 3
system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:"

# option 4
instruments -s devices

# option 5
ideviceinfo | grep Unique

Get BootROM version (old or new). iPod touch: if the second character of the Model is B, it is the old BootROM with the 0x24000 Segment Overflow; if C, it is the new BootROM. iPhone 3GS: the third character of the serial number is the year, the 4th and 5th are the week. Weeks 40 to 45 of 2009 can be either the old or the new one; later weeks are new.

Get General iDevice Info:

brew install libimobiledevice # install the tool
ideviceinfo

GUI - Xcode.

Useful tool that supports python scripts - https://libimobiledevice.org/#examples.

#todo: learn to use this feature.

DFU mode

DFU mode device descriptors with BootROM version:

  • Enter DFU mode

  • Windows:

    • Device Manager –> USB Controller –> Apple Mobile Device USB Driver –> Properties –> Details tab –> Device Instance Path –> the end of the drop-down menu.
  • Mac:

    • System Profiler –> Hardware Category –> USB –> Apple Mobile Device –> the end of the serial string
  • Linux:

    • Install usbutils on Linux

      sudo lsusb -v
      
    • Find iSerial and at the end is the version

Connecting

ssh root@<#phone_ip>, password: alpine

Works only for jailbroken devices.

Connecting to ssh via USB:

brew install libimobiledevice
iproxy 2222 22
ssh -p 2222 root@localhost

For a reverse shell (in case the jailbreak doesn’t allow incoming connections):

brew install libimobiledevice
iproxy 2222 22
ssh -p 2222 root@localhost # first get a shell on the iDevice over USB
# on the iDevice: forward <remote_port> on the host computer back to the device's sshd
ssh -R <remote_port>:localhost:22 <username>@<host_computer_ip>
# then on the host computer: ssh -p <remote_port> root@localhost

File Transfer

scp <file_to_transfer> root@<device_ip>:~ # to iDevice via WiFi
scp root@<device_ip>:/path/to/file . # from iDevice via WiFi

iproxy 2222 22 # on the host; the iDevice is then reachable as localhost:2222
scp -P 2222 <file_to_transfer> root@localhost:[/path/to/file/on/iDevice] # to iDevice via USB
scp -P 2222 root@localhost:[/path/to/file/on/iDevice] . # from iDevice via USB

# connect with objection over USB
objection -g [app_name] explore
# connect with objection over network
objection -g [app_name] -N -h [192.168.1.XX] explore

# then in objection prompt:
file download [/path/to/file/on/iDevice]
file upload [/path/to/file/on/PC]

Keychain dump

# Dump keychain with Objection
objection --gadget="[Application name]" explore
# or over the network
objection --gadget="[Application name]" -N -h 192.168.1.XX explore

# then in objection prompt
ios keychain dump
ios keychain dump --json <myfile.json> # including access modifiers. The result will be written to the host in myfile.json

# Dump keychain with Keychain Dumper
./updateEntitlements.sh # add entitlements explicitly so the dumper works on later devices
chmod +x ./keychain_dumper
ls -l /private/var/Keychains/keychain-2.db # keychain-2.db must be world-readable
chmod +r /private/var/Keychains/keychain-2.db # if it isn't, make it so
./keychain_dumper

About Keychain Dumper.

Note: iOS 11 devices using Electra (or other jailbreaks) may still require a trick to bypass the native sandbox. Compile the binary with the included entitlements.xml, sign it with the developer account certificate/priv_key and copy the binary to /bin or /sbin (which already allows execution). See here for more detailed instructions.

Another important note:

Some keychain entries are available regardless of whether the iOS is locked or not, while other entries will only be accessible if the iOS device is unlocked (i.e. a user has entered their pin)…. By default keychain_dumper only dumps “Generic” and “Internet” passwords…

Download here.

Logs

socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock # check syslog
cd /var/mobile/Applications # check here for app-specific logs
sdsiosloginfo.exe -d -u [UDID] > .\console.txt # drop device logs on Windows

GUI - Xcode.

Artifacts

Taken from here.

Application Info

frida-ps -Uia | grep -i Telegram # get application name

ipainstaller -l 
ipainstaller -i [app_name]

Decrypting Application

With frida-ios-dump (⚠️ frida-server must be installed and running on iDevice):

# option 1
# brew install libimobiledevice
iproxy 2222 22
pyenv activate python39
./dump.py -l # list all apps with names and Bundle ids
./dump.py [Display_name] # or: ./dump.py [Bundle_identifier]

# option 2
./clutch -i
./clutch -d [Bundle_identifier] # decrypt everything and create IPA
./clutch -b [Bundle_identifier] # decrypt binary only

For frida-ios-dump, change the Password variable in dump.py to the one set on the iDevice:

...
DUMP_JS = os.path.join(script_dir, 'dump.js')

User = 'root'
Password = 'YourPassFromiDevice'
Host = 'localhost'
Port = 2222
KeyFileName = None
...

Alternatively, use the GUI tool CrackerXI. Results are stored in:

cd /var/mobile/Documents/CrackerXI/

Debugging

# prerequisite: unzip the IPA to get the .app bundle
unzip [app_name].ipa
ios-deploy --bundle 'Payload/[app_name].app' -W -d -v
ios-deploy --bundle 'Payload/[app_name].app' -W -d -v -m # -m: skip the install, just attach the debugger

# with libimobiledevice
idevicedebug run [Bundle_Name]

# install cycript and gawk on iDevice first; grep -v grep keeps the grep process itself out of the match
cycript -p $(ps aux | grep -i [partial_app_name] | grep -v grep | awk '{print $2}' | head -n 1)

GUI - Xcode

IPA

Get IPA

# via OTA (not installed on iDevice)
npm install -g itms-services # install the tool
itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa

# get ipa from device
ipainstaller -l # get package name
ipainstaller -i [app_name] # get paths to bin and data
# or
objection -g [app_name] explore
env # in the objection prompt

# download Application folder
scp root@[device_ip]:/path/to/file .

# create ipa from app
mkdir Payload
# move .app to Payload folder
mv [package_name].app Payload
# archive the folder using some archive application
# change the file extension from .zip to .ipa

See the File Transfer section for other ways to download files from the device.

Install IPA

# with ideviceinstaller
brew install libimobiledevice # install the tool
ideviceinstaller -i [ipa_file]

# with ipainstaller
ipainstaller App_name.ipa

# with ios-deploy
brew install ios-deploy # install the tool
unzip [app_name].ipa
ios-deploy --bundle 'Payload/[app_name].app' -W -d -v
ios-deploy --bundle 'Payload/Name.app' -W -d -v -m # debug the application 

# itms-services: open the manifest link on the iDevice to install OTA
itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist

# or fetch the IPA referenced by the manifest from the PC
itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa

Alternatively GUI - iFunBox or Xcode.

Info.plist

plutil -convert xml1 Info.plist # if bplist

# App permissions Purpose Strings
grep -i UsageDescription Info.plist

# Custom URL schemes
grep -i CFBundleURLTypes Info.plist

# Exported/imported custom document types: 
grep -iE "UTExportedTypeDeclarations|UTImportedTypeDeclarations" Info.plist

# App Transport Security (ATS) configuration
grep -i NSAppTransportSecurity Info.plist
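
As an added example (not from the original page), the same checks as the grep commands above done with Python's plistlib, which reads XML and binary plists directly without the plutil conversion, plus an interpretation of the ATS keys; the sample Info.plist is constructed:

```python
import plistlib
from typing import Dict, List

# Constructed sample Info.plist in XML form (as from `plutil -convert xml1`); not from any real app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSCameraUsageDescription</key><string>Scan QR codes</string>
  <key>CFBundleURLTypes</key>
  <array><dict><key>CFBundleURLSchemes</key><array><string>demoapp</string></array></dict></array>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict><key>legacy.example.com</key><dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict></dict>
  </dict>
</dict></plist>"""

def audit_info_plist(data: bytes) -> Dict[str, List[str]]:
    """Collect what the grep commands above look for, and explain the ATS keys."""
    plist = plistlib.loads(data)  # detects XML vs. binary plist itself
    report: Dict[str, List[str]] = {"usage_descriptions": [], "url_schemes": [], "document_types": [], "ats_findings": []}
    for key, value in plist.items():
        if key.endswith("UsageDescription"):  # permission purpose strings
            report["usage_descriptions"].append(f"{key}: {value}")
    for url_type in plist.get("CFBundleURLTypes", []):  # custom URL schemes
        report["url_schemes"].extend(url_type.get("CFBundleURLSchemes", []))
    for key in ("UTExportedTypeDeclarations", "UTImportedTypeDeclarations"):
        for decl in plist.get(key, []):
            report["document_types"].append(f"{key}: {decl.get('UTTypeIdentifier', '?')}")
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        report["ats_findings"].append("NSAllowsArbitraryLoads=true: ATS disabled app-wide")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        report["ats_findings"].append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled in web views")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            report["ats_findings"].append(f"{domain}: plaintext HTTP allowed")
        if exc.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            report["ats_findings"].append(f"{domain}: minimum TLS {exc['NSExceptionMinimumTLSVersion']}")
        if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
            report["ats_findings"].append(f"{domain}: forward secrecy not required")
    return report

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INFO_PLIST
    for section, items in audit_info_plist(blob).items():
        print(section, *items, sep="\n  ")
```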

Network

ideviceinfo # get UDID
rvictl -s <UDID>
sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
# select rvi0 interface

GUI alternative with the application layer only (HTTP(S), to be precise): Burp Suite. With Burp Suite you can also modify the traffic. Configure the proxy and install its certificate on the iDevice.

Binary Analysis

cd /var/mobile/Containers/Bundle/Application/[application_folder_GUID]/[appname].app/[appname]
# or
cd /var/containers/Bundle/Application/[application_folder_GUID]/[appname].app/[appname]
otool -hv [appname]
./dsdump --objc --color --verbose=5 --defined /var/containers/Bundle/Application/[application_folder_GUID]/[appname].app/[appname] > /tmp/OBJC.txt

Runtime analysis

Frida

# on iDevice
./frida-server -l 192.168.1.72 # -l/--listen: bind to the iDevice's WiFi address instead of the default USB/localhost

# on PC 
frida-trace -U YourApp -m "*[NSURL* *HTTP*]" # trace all functions starting with NSURL and with HTTP in their names

Objection

Inject objection to test applications on non-jailbroken devices:

objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx
ios-deploy --bundle Payload/my-app.app -W -d

Commands when using objection:

# Show the different storage locations belonging to the app
$ env

# Disable popular ssl pinning methods
$ ios sslpinning disable

# Dump the Keychain. Alternative - Keychain Dumper
$ ios keychain dump

# Dump the Keychain, including access modifiers. The result will be written to the host in myfile.json
$ ios keychain dump --json <myfile.json>

# Show the content of a plist file
$ ios plist cat <myfile.plist>

Cycript

Introspy

Installation guide for Tracer and Analyzer. Introduction here. Couldn’t run on iOS 13.4.1.

# install
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git
python -m introspy <args>

# iOS
python -m introspy -p ios -o output -f 192.168.1.12

Useful greps

grep -rP '(https?):\/\/(www\.)?[a-z0-9.:].*?(?=\s)' . # get links
grep -r -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" . # get emails
grep -r -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" . # get visa card numbers
grep -r -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" . # get mc card numbers
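
An added Python version of these greps (not from the original page) that also applies the Luhn check to the card-number matches, so random 16-digit strings in a dumped container (build ids, cache keys) are not reported; the sample text is constructed and the Mastercard pattern is narrowed to the 51-55 BIN range:

```python
import re
from typing import Dict, List

# Same patterns as the grep commands above, compiled once.
PATTERNS = {
    "url":   re.compile(r"https?://[^\s'\"<>]+"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"),
    "visa":  re.compile(r"\b4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\b"),
    "mc":    re.compile(r"\b5[1-5][0-9]{2}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}\b"),
}

def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check over the digits of `number` (spaces and dashes ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_text(text: str) -> Dict[str, List[str]]:
    """Run every pattern over `text`; card matches are kept only if they pass Luhn."""
    hits: Dict[str, List[str]] = {}
    for name, pat in PATTERNS.items():
        found = pat.findall(text)
        if name in ("visa", "mc"):
            found = [f for f in found if luhn_ok(f)]
        hits[name] = found
    return hits

# Constructed sample of what a dumped app container might contain.
SAMPLE = """
{"api": "https://api.example.com/v1/login", "support": "help@example.com"}
last_card=4111 1111 1111 1111   # classic test PAN, Luhn-valid
cache_key=4999-9999-9999-9999   # looks like a card, fails Luhn
mc=5500 0000 0000 0004
"""

if __name__ == "__main__":
    for kind, values in scan_text(SAMPLE).items():
        print(kind, values)
```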

Binary Exploits

r2 -Ad [binary_to_check]
# check whether the protection was enabled during compilation
iI~canary,nx,pic

# alternatively with otool on iDevice
otool -hv [binary_to_check] | grep PIE          # PIE
otool -Iv [binary_to_check] | grep stack_chk    # stack canary
otool -Iv [binary_to_check] | grep objc_release # ARC
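
An added example, not from the page or any tool it lists: a Python check of the same protections read straight from the Mach-O file (PIE from the header flag, canary and ARC from the symbol names present, the same evidence the otool greps rely on), with support for universal binaries; the sample images are constructed by make_sample and wrap_fat:

```python
import struct
from typing import Dict

MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit Mach-O, native / byte-swapped
FAT_MAGIC = 0xCAFEBABE                               # universal ("fat") binary, big-endian header
MH_PIE = 0x200000                                    # bit in mach_header.flags

def _header_flags(data: bytes, offset: int = 0) -> int:
    """Return the flags field of the mach_header_64 found at `offset`."""
    magic = struct.unpack_from("<I", data, offset)[0]
    endian = "<" if magic == MH_MAGIC_64 else ">" if magic == MH_CIGAM_64 else None
    if endian is None:
        raise ValueError(f"no 64-bit Mach-O header at offset {offset}")
    # fields: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    return struct.unpack_from(endian + "IiiIIIII", data, offset)[6]

def check_protections(data: bytes) -> Dict[str, bool]:
    """PIE from the header flags (what `otool -hv` prints); canary and ARC from the
    symbol names in the file, the same evidence `otool -Iv | grep` relies on."""
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        # fat_arch entries (cputype, cpusubtype, offset, size, align) follow the 8-byte fat header
        offsets = [struct.unpack_from(">iiIII", data, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        offsets = [0]
    return {
        "pie": all(bool(_header_flags(data, off) & MH_PIE) for off in offsets),  # every slice must be PIE
        "stack_canary": b"___stack_chk_fail" in data,
        "arc": b"_objc_release" in data,
    }

# Constructed stand-in for a real binary: a bare mach_header_64 (arm64, MH_EXECUTE) optionally
# followed by the two symbol names. Real files also carry load commands and a symbol table.
def make_sample(pie: bool, canary: bool, arc: bool) -> bytes:
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 0, 0, MH_PIE if pie else 0, 0)
    return hdr + (b"\0___stack_chk_fail\0" if canary else b"") + (b"\0_objc_release\0" if arc else b"")

def wrap_fat(thin: bytes) -> bytes:
    """Wrap one thin image in a universal (fat) container; the image starts right after the 28-byte headers."""
    return struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">iiIII", 0x0100000C, 0, 28, len(thin), 0) + thin

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample(True, True, False)
    for name, present in check_protections(blob).items():
        print(f"{name:13s} {'enabled' if present else 'MISSING'}")
```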

References

https://monosource.gitbooks.io/radare2-explorations/content/tut4/tut4_-_exploit.html

https://bananamafia.dev/post/rop-arm-1/