🧰 Mobile Toolkit


Created: 23.09.2020

Debuggers

gdb

radare2

Other

  • IDA Pro
  • [Hopper Disassembler](/docs/toolkit/general/reverse-toolkit/#hopper disassembler)

Static code analysis

IDA Pro

Hopper Disassembler

radare2

Utilities

Activity Analysis

Jailbreaking/Rooting

Something

Desciption

Host platforms: 🌈

Target platforms: 🌈

Install:

Common commands:

Keywords:

Analogues:

Possible issues:

Multitools

Passionfruit

Host platforms: 🌈

Target platforms: 🌈

Install:

brew install npm
# install node js - https://nodejs.org/en/download/
# reopen terminal
npm install -g passionfruit    
passionfruit

Common commands:

passionfruit to launch

Keywords: multitool, logs

Analogues:

Possible issues: If npm install -g passionfruit thrown an error, like image not found, update npm, make sure node.js is installed, clsoe the terminal (Command + Q) and open again.

This article is a walkthrough of setting up the lab for pentesting iOS applications and forensic analysis of iDevices and Android devices (the main purpose of a tool, installation steps and possible issues along the way). I don’t explain here how to use the tools, for FUC see BTFM and RTFM for iOS and BTFM and RTFM for Android. I’ve combined tools for both forensics and penetration testing since they intersect too much.

Environment: Macbook Pro 13-Inch running macOS Catalina 10.15.6 and upgraded (RAM 10Gb, HDD 500Gb, SSD 500Gb), iPad Air 2 (A1567) running iOS 13.4.1. Some of the tools I’ve also tried on Windows or WSL (Linux Subsystem on Windows) which I’ll indicate with a tag. For Windows the environment is: Windows 10, WSL (Kali and Ubuntu 16), choco as a package manager.

Cydia Repositories

Link To Repo Tools
https://cydia.akemi.ai/ AppSync
https://build.frida.re Frida
https://repo.chariz.io
https://apt.bingner.com/ apt, mterminal, wget, less, rar, sqlite3, class-dump, cycript, Darwin CC Tools, Darwin Tools, gzip, grep
http://apt.thebigboss.org/repofiles/cydia/
link to repo with Metasploit

Runtime analysis

Introspy

This tool consists of two parts: Analyzer and Tracer. Tracer is launched on iDevice or Android to hook all APIs and functions that are dangerous from security prospection. Upon analysis it creates a db that is further can be analyzed by Analyzer on PC.

Introspy iOS

Prerequisites on iDevice: dpkg (to install deb), Applist (for Introspy to get all installed applications), PreferenceLoader (to appear in Settings menu) and CydiaSubstrate.

Download link.

scp [introspy_deb] root@[device_ip]:~
ssh root@[device_ip]
dpkg -i [introspy_deb]
killall -HUP SpringBoard

ðŸšŦ Error encountered. At first, I didn’t see it in the Settings menu, even after rerunning killall several times. I thought it’s just not meant to be. But later after rebooting, rejailbreaking and installing SSL Kill Switch 2, I reran the command killall -HUP SpringBoard and it worked. I don’t know how or why it wasn’t working at first yet. May be rejailbreaking and restarting worked.

If everything works fine, you should see Introspy - Apps and Introspy - Settings in the Settings menu of the iDevice in question.

Inropsy Android

# install
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git

Introspy Analyzer

Prerequisites on PC: python 2.6-2.7, pip

It’s the second part of the tool, which is run on PC. Installation:

# option 1. To launch from anywhere
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git
python -m introspy <args>

# option 2. Lauch from specific dir
git clone https://github.com/iSECPartners/Introspy-Analyzer.git
python Introspy-Analyzer.introspy <args>

Frida

This tool also consists of two parts: a server and a client. The server is copied on mobile device.

Installation:

pyenv activate python3 # optional
pip install frida
pip install frida-tools

Objection

Installation:

pip install frida frida-tools
pip install objection

Download and install frida-server-XX.XX.YY-[platform]-[arch].[extention] where XX.XX is equal to the one installed on PC with pip command and platform is android (get arch from adb adb shell cat /proc/cpuinfo or adb shell getprop ro.product.cpu.abi.

Cycript

Mobile Substrate

Decrypting applications

Frida-ios-dump

Installation:

Clutch

Follow the instructions here. I tried building it myself both ways but neither works on iOS 13.4.1 iPad Air 2. The previous version (2.0.3) works, however, it throws some errors. Trying to run inject /usr/bin/Clutch resulted in broken jb and I had to boot with the volume up key pressed to flush and then - rejailbreak.

Installation:

# prerequisites
xcode-select --install

# disable SDK code signing requirement
killall Xcode
cp /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist ~/
sudo /usr/libexec/PlistBuddy -c "Set :DefaultProperties:CODE_SIGNING_REQUIRED NO" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist
sudo /usr/libexec/PlistBuddy -c "Set :DefaultProperties:AD_HOC_CODE_SIGNING_ALLOWED YES" /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/SDKSettings.plist

# build. Option 1
xcodebuild clean build

# build. Option 2
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_TOOLCHAIN_FILE=../cmake/iphoneos.toolchain.cmake ..
make -j$(sysctl -n hw.logicalcpu)

# install on iDevice
scp ./build/Clutch root@[iDevice.ip]:/usr/bin/Clutch

❌ Error: Segmentation error 11

ðŸĪ” Why? Somewhere there is a memory access violation like a buffer is to be overflow.

✅ Fix 1: try ulimit -n 512 on iDevice before launching clutch

✅ Fix 2: Launch clutch with root

✅ Fix 3. Try older version

Network

Tcpdump

Command line tool. For traffic sniffing. Analyzes the full stack of TCP/IP protocol.

Installation steps on Android: tcpdump

adb push
chmod tcpdump -v -s 0 -w eccouncil.pc tcpdump -v -s 0 -w insecurebank.v2

Burp

GUI tool with lots of useful plugins. Acts as a proxy server and allows to sniff and also modify traffic. Operates on Applicaiton Layer of TCP/IP, hence you’ll only see HTTP(S).

Reverse Engineering

radare2 and the guys

git clone https://github.com/radare/radare2.git
cd radare2
./sys/install.sh

Exploits

Android Tamer

Useful VM for mobile pentesting and forensics with all tools needed preinstalled is Android Tamer. To get it work, after VM import, one needs to install several packages:

install metasploit, zipalign and apache2

General Analysis

drozer

For MacOS: pip install drozer. Better use pyenv and pyenv-virtualenv since drozer is usung python 2.7. Then fix this file /Users/veronicazvereva/.pyenv/versions/2.7.18/envs/python2/lib/python2.7/site-packages/pydiesel/reflection/utils/class_loader.py as discussed here.

Alternatively (didn’t work for me as expected) - download from here - https://github.com/FSecureLABS/drozer/releases/tag/2.4.3 whl version and then do pip install drozer-2.4.3-py2-none-any.whl. Then fix the file mentioned above.

Utils

python

I work on MacOS and therefore I installed pyenv. For Windows it’s virtualenv. These help avoid confusion when using multiple versions of python 🐍.

To install M2Crypto (if needed), follow these recommendations.

Visual Studio Code

It’s the most easy-to-use tool I’ve seen. At least, for python scripting. In order to pass command line arguments, you need a launch.json file. But there is no link unless you open the files as a folder.