This is a combination of BTFM and RTFM (Blue Team Field Manual and Red Team Field Manual) for iOS devices and applications. I used to keep two separate field manuals at first, but since there are just too many intersections, I’ve decided to combine them to make it easier to use. For Android RTFM and BTFM see here
Cheatsheet
This cheasheet is to ease the flow of either penetration testing analysis or forensics investigation. Fill in the form below to speed up command line tools usage.
| Information | ANSWER |
|---|---|
| iDevice UDID | |
| Package name | |
| App’s folder with bin (UUID) | |
| App’s folder with data (UUID) |
Get iDevice UDID
# option 1
ioreg -p IOUSB -l | grep "USB Serial"
# option 2
idevice_id -l # get UDID with ideviceinstaller
# option 3
system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:" #
# option 4
instruments -s devices
Get package name
# option 1
frida-ps -U | grep [partial_name]
ipainstaller -l | grep [partial_name]
Get folder with bin and with data (UUID)
# option 1
ipainstaller -i [package_name]
# option 2
objetion -g [package_name] explore
> env
Device Info
Get UDID in different ways (using MacOS):
# option 1
ioreg -p IOUSB -l | grep "USB Serial"
# option 2
idevice_id -l # get UDID with ideviceinstaller
# option 3
system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:" #
# option 4
instruments -s devices
# option 5
ideviceinfo | grep Unique
Get BootROM version (old or new). iPod touch: if the second character of the Model is B - old BootROM with 0x24000 Segment Overflow, if C - new BootROM. iPhone 3GS: The third digit if serial number is the year, the 4th and 5th - week. 40-45 week of 2009 - can be either old or new one. After - new.
Get General iDevice Info:
brew install libimobiledevice # install the tool
ideviceinfo
GUI - Xcode.
Useful tool that supports python scripts - https://libimobiledevice.org/#examples.
#todo: learn to use this feature.
DFU mode
DFU mode device descriptors with BootROM version:
-
Enter DFU mode
-
Windows:
- Device Manager –> USB Controller –> Apple Mobile Device USB Driver –> Properties –> Details tab –> Device Instance Path –> the end of the drop-down menu.
-
Mac:
- System Profiler –> Hardware Category –> USB –> Apple Mobile Device –> the end of the serial string
-
Linux:
-
Install usbutils on Linux
sudo lsusb -v -
Find
iSerialand at the end is the version
-
Connecting
ssh root@<#phone_ip>, password: alpine
Works only for jailbroken devices.
Connectiong to ssh via USB:
brew install libimobiledevice
iproxy 2222 22
ssh -p 2222 root@localhost
For reverse shell (in case jb doesn’t allow incoming connections):
brew install libimobiledevice
iproxy 2222 22
ssh -R <remote_port>:localhost:22 <username>@<host_computer_ip>
File Transfer
scp <file_to_transfer> root@<device_ip>:~ # on iDevice
scp root@[device_ip] /path/to/file # from iDevice via WiFi
iproxy 2222 22
scp -P 2222 <file_to_transfer> root@[device_ip]:[/path/to/file/on/iDevice] # to iDevide via USB
scp -P 2222 root@[device_ip]:[/path/to/file/on/iDevice] . # from iDevice via USB
# connect with objection over USB
objection -g [app_name] explore
# connect with objection over network
objection -g [app_name] -N -h [192.168.1.XX] explore
# then in objection promt:
file download [/path/to/file/on/iDevice]
file upload [/path/to/file/on/PC]
Keychain dump
# Dump keychain with Objection
objection --gadget="[Application name]" explore
# or over the network
objection --gadget="[Application name]" -N -h 192.168.1.XX explore
# then in objection promt
ios keychain dump
ios keychain dump --json <myfile.json> # including access modifiers. The result will be written to the host in myfile.json
# Dump keychain with Keychain Dumper
./updateEntitlements.sh # to add entitlements explicitly to work on later devices
chmod +x ./keychain_dumper
./keychain_dumper
chmod +r /private/var/Keychains/keychain-2.db # to validate that keychain-2.db is world-readable
About Keychain Dumper.
Note: iOS 11 devices using Electra (or other jailbreaks) may still require a trick to bypass the native sandbox. Compile the binary with the included entitlements.xml, sign it with the developer account certificate/priv_key and copy the binary to /bin or /sbin (which already allows execution). See here for more detailed instructions.
Another important note:
Some keychain entries are available regardless of whether the iOS is locked or not, while other entries will only be accessible if the iOS device is unlocked (i.e. a user has entered their pin)…. By default keychain_dumper only dumps “Generic” and “Internet” passwords…
Download here.
Logs
socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock # check syslog
cd /var/mobile/Applications # check here for appspecific logs
sdsiosloginfo.exe -d -u [UDID] > .\console.txt # drop device logs on Windows
GUI - Xcode.
Artifacts
Taken from here.
Application Info
frida-ps -Uia | grep -i Telegram # get application name
ipainstaller -l
ipainstaller -i [app_name]
Decrypting Application
With frida-ios-dump (β οΈ frida-server must be installed and running on iDevice):
# option 1
# brew install libimobiledevice
iproxy 2222 22
pyenv activate python39
./dump.py -l # list all apps with names and Bundle ids
./dump.py [Display_name] or [Bundle_identifier]
# option 2
./clutch -i
./clutch -d [Bundle_identifier] # decrypt everything and create IPA
./clutch -b [Bundle_identifier] # decrypt binary only
For frida-ios-dump change Password variable in dump.py to the one set on iDevice:
...
DUMP_JS = os.path.join(script_dir, 'dump.js')
User = 'root'
Password = 'YourPassFromiDevice'
Host = 'localhost'
Port = 2222
KeyFileName = None
...
Alternatively, use GUI tool CrackerXI. Results stored:
cd /var/mobile/Documents/CrackerXI/
Debugging
# prerequisite
unzip [app_name].ipa
ios-deploy --bundle 'Payload/[app_name].app' -W -d -v
ios-deploy --bundle 'Payload/Name.app' -W -d -v -m
# prerequisite
idevicedebug run [Bundle_Name]
# install cycript and gawk on iDevice first
cycript -p $(ps aux | grep -i [partial_app_name] | awk -F " " '{print $2}' | head -n 1)
GUI - Xcode
IPA
Get IPA
# via OTA (not installed on iDevice)
npm install -g itms-services # install the tool
itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa
# get ipa from device
ipainstaller -l # get package name
ipainstaller -i [app_name] # get paths to bin and data
# or
objection
env
# download Application folder
scp root@[device_ip]:/path/to/file .
# create ipa from app
mkdir Payload
# move .app to Payload folder
mv [package_name].app Payload
# archive the folder using some archive application
# change the file extension from .zip to .ipa
See other ways to download file from device in File Transfer section.
Install IPA
# with ideviceinstaller
brew install libimobiledevice # install the tool
ideviceinstaller - [ipa_file]
# with ipainstaller
ipainstaller App_name.ipa
# with ios-deploy
brew install ios-deploy # install the tool
unzip [app_name].ipa
ios-deploy --bundle 'Payload/[app_name].ipa' -W -d -v
ios-deploy --bundle 'Payload/Name.app' -W -d -v -m # debug the application
# itms-services
itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist
itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa
Alternatively GUI - iFunBox or Xcode.
Info.plist
plutil -convert xml1 Info.plist # if bplist
# App permissions Purpose Strings
grep -i UsageDescription Info.plist
# Custom URL schemes
grep -i CFBundleURLTypes Info.plist
# Exported/imported custom document types:
grep -i UTExportedTypeDeclarations | UTImportedTypeDeclarations Info.plist
# App Transport Security (ATS) configuration
grep -i NSAppTransportSecurity Info.plist
Network
ideviceinfo # get UDID
rvictl -s <UDID>
sudo /Applications/Wireshark.app/Contents/MacOS/Wireshark
# select rvi0 interface
GUI Alternative with Application Layer (HTTP(S) to be precise) only - Burp Suite. Also, with Burp Suit you can also modify the traffic. Configure and install cert.
Binary Analysis
cd /var/mobile/Containers/Bundle/Application/[application_folder_GUID]/[appname].app/[appname]
# or
cd /var/containers/Bundle/Application/[application_folder_GUID]/[appname].app/[appname]
otool -hv [appname]
./dsdump --objc --color --verbose=5 --definedΒ /var/containers/Bundle/Application/[application_folder_GUID]/[appname].app/[appname] > /tmp/OBJC.txt
Runtime analysis
Frida
# on iDevice
./frida-server -L 192.168.1.72
# on PC
frida-trace -U YourApp -m "*[NSURL* *HTTP*]" # trace all functions starting with NSURL and with HTTP in their names
Objection
Inject objection to test applications on non-jailbroken devices:
objection patchipa --source my-app.ipa --codesign-signature 0C2E8200Dxxxx
ios-deploy --bundle Payload/my-app.app -W -d
Commands when using objection:
# Show the different storage locations belonging to the app
$ env
# Disable popular ssl pinning methods
$ ios sslpinning disable
# Dump the Keychain. Alternative - Keychain Dumper
$ ios keychain dump
# Dump the Keychain, including access modifiers. The result will be written to the host in myfile.json
$ ios keychain dump --json <myfile.json>
# Show the content of a plist file
$ ios plist cat <myfile.plist>
Cycript
Introspy
Installation guide for Tracer and Analyzer. Introduction here. Couldn’t run on iOS 13.4.1.
# install
pip install git+https://github.com/iSECPartners/Introspy-Analyzer.git
python -m introspy <args>
# iOS
python -m introspy -p ios -o output -f 192.168.1.12
Useful greps
grep -rPΒ '(https?):\/\/(www\.)?[a-z0-9.:].*?(?=\s)' . # get links
grep -r -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" . # get emails
grep -r -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" .Β Β # get visa card numbers
grep -r -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" . # get mc card numbers
Binary Exploits
r2 -Ad [binary_to_check]
# check whether the protection was enabled during compilation
iI~canary,nx,pic
# alternatively with otools on iDevice
otool
References
https://monosource.gitbooks.io/radare2-explorations/content/tut4/tut4_-_exploit.html