Skip to content

Instantly share code, notes, and snippets.

@prinsharma1999

prinsharma1999/pentesting_ios_apps_on_electra.txt

Created July 25, 2022 11:54
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save prinsharma1999/1f8696deb5fbad115c03f448e624772c to your computer and use it in GitHub Desktop.
Save prinsharma1999/1f8696deb5fbad115c03f448e624772c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
pentesting_ios_apps_on_electra.txt
#Burp SSL Certificate on IOS 11
On iOS 11 you can't just install your MITM root cert, you also need to explicitly trust it.
You can do this by:
Settings -> General -> About -> Certificate Trust Settings -> Flip the switch on your cert
----------------------------------------------------------------------------------------------------------------
#GDB on IOS 11
Source: https://shmoo419.github.io/
gdb
ps -ax | grep -i appName
attach [processNo]
----------------------------------------------------------------------------------------------------------------
#Decrypting IOS Applications
Option 1
$ wget https://github.com/BishopFox/bfinject/raw/master/bfinject.tar
$ scp bfinject.tar root@x.x.x.x:/pentest
$ tar xvf bfinject.tar
$ ps -ax
$ bash bfinject -P XXX.app -l /pentest/bfdecrypt.dylib
$ nc 192.168.100.120 31336 > /tmp/XXX-decrypted.ipa
Option 2
$ frida-ps -U -a
PID Name Identifier
--- ------------- --------------------------------------
513 Electra org.coolstar.electra
533 iFAST HK com.xxx.xxxx
$ git clone https://github.com/AloneMonkey/frida-ios-dump
$ iproxy 2222 22 &
#modify dump.py #line 33: "password = alpine"
$ python dump.py com.xxx.xxxx
Start the target app com.xxx.xxxx
Dumping XXXX to /var/folders/cz/k032xxcx2y1f_vwf1tyfc3fr0000gn/T
----------------------------------------------------------------------------------------------------------------
#SSL Pinning
$ wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.12/com.nablac0d3.sslkillswitch2_0.12.deb
$ dpkg -i com.nablac0d3.sslkillswitch2_0.12.deb
$ killall -HUP SpringBoard
or use one of the below 2 Frida codeshare
$ frida --codeshare lichao890427/ios-ssl-bypass -f YOUR_BINARY
$ frida --codeshare dki/ios10-ssl-bypass -f YOUR_BINARY
----------------------------------------------------------------------------------------------------------------
#Fixing Needle on Electra
#Install Darwin CC Tools via Cydia on iOS device
$ wget http://newosxbook.com/tools/jtool.tar
#Upload jtool.tar to iPhone /pentest folder
$ tar xvf jtool.tar
$ cd /Applications/NeedleAgent.app
$ /pentest/jtool.liberios -arch arm64 --ent ./NeedleAgent > ./NeedleAgent.ent
$ /pentest/jtool.liberios -e arch -arch arm64 NeedleAgent
$ /pentest/jtool.liberios --sign --ent NeedleAgent.ent --inplace ./NeedleAgent.arch_arm64
$ mv /Applications/NeedleAgent.app/NeedleAgent /Applications/NeedleAgent.app/NeedleAgent.backup
$ rm -R /Applications/NeedleAgent.app/NeedleAgent
$ cp /Applications/NeedleAgent.app/NeedleAgent.arch_arm64 /Applications/NeedleAgent.app/NeedleAgent
$ reboot
----------------------------------------------------------------------------------------------------------------
#Memory Dumping broken in Needle on Electra
$ git clone https://github.com/Nightbringer21/fridump
$ python fridump.py -U [appname]
$ cd dump
$ cat * | grep -i [keyword]
----------------------------------------------------------------------------------------------------------------
#React Native
#If you see main.jsbundle in the application folder, this means that is it using React Native. The source code is in Javascript
$ ps -ax | grep -i [appname]
3012 ?? 0:19.62 /var/containers/Bundle/Application/2E4444A3-C408-4BFE-92F7-193AB76D91F9/[appname].app/[appname]
$ ls /var/containers/Bundle/Application/2E4444A3-C408-4BFE-92F7-193AB76D91F9/[appname].app/
main.jsbundle
-- Taken from https://agostini.tech/2018/05/06/ios-application-security-part-6-reverse-engineering-and-tampering-re-sign-patching/ ---
#Use JStillery to beautify and deobfuscate the content of the temporary file.
#Identify where the code should be patched in the temporary file and implement the changes.
#Put the patched code on a single line and copy it in the original Payload/[APP].app/main.jsbundle file.
#Close and restart the application
----------------------------------------------------------------------------------------------------------------
#Issues using Cycript on MacOS High Sierra
##On OSX
$ wget https://cache.saurik.com/cycript/mac/cycript_0.9.594.zip
$ unzip cycript_0.9.594.zip
$ sudo install_name_tool -change /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib /System/Library/Frameworks/Ruby.framework/Versions/2.3/usr/lib/libruby.2.3.0.dylib Cycript.lib/cycript-apl
$ sudo install_name_tool -change /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib /System/Library/Frameworks/Ruby.framework/Versions/2.3/usr/lib/libruby.2.3.0.dylib Cycript.lib/libcycript.dylib
##On iOS
$ bash bfinject -P [APPname] -L cycript
##On OSX
$ ./cycript -r [x.x.x.x]:1337
cy# alert = [[UIAlertView alloc] initWithTitle:@"Cycript" message:@"UIAlertView injected into application" delegate:nil cancelButtonTitle:@"OK" otherButtonTitles:nil];
cy# [alert show];
cy# [alertView release]
----------------------------------------------------------------------------------------------------------------
#Data Protection Class on Files Containing Sensitive Data
$ frida --codeshare ay-kay/ios-dataprotection -f com.xxx.xxxx -U
$ -> getDataProtectionKeysForAllPaths()
{
"fileProtectionKey": "NSFileProtectionCompleteUntilFirstUserAuthentication",
"path": "/private/var/mobile/Containers/Data/Application/XXXXXX-2E55-459F-98AC-XXXXXXX/Documents/Token.plist"
},
----------------------------------------------------------------------------------------------------------------
#Fuzzing URL Schemes - WIP (Doesn't seem to work)
$ frida-ps -U -a
#Open Info.plist, look under CFBundleURLTypes -> CFBundleURLSchemes, replace somescheme with the actual url scheme below.
$ frida -U --codeshare dki/ios-url-scheme-fuzzing -f com.xxx.xxxx
%resume
dumpSchemes();
openURL("somescheme://test");
fuzzStrings.push("somefancyfuzzstring");
fuzz("somescheme://test/{0}");
----------------------------------------------------------------------------------------------------------------
#Listing all methods in iOS application
$ wget https://raw.githubusercontent.com/0xdea/frida-scripts/master/raptor_frida_ios_enum.js
$ frida -U -f com.xxx.xxxx -l raptor_frida_ios_enum.js --no-pause
[iPad 4::com.xxx.xxxx]-> enumAllMethods()
----------------------------------------------------------------------------------------------------------------
#Checking App Transport Security
$ unzip XXXX\ HK.ipa
Archive: XXXX.ipa
creating: Payload/
$ cd Payload/XXXX.app/
$ plutil -convert xml1 Info.plist
$ cat Info.plist
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>XXX.com</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
----------------------------------------------------------------------------------------------------------------
#Dumping iOS Keychain
$ objection -g "XXXX" explore
$ ios keychain dump
Class Account Service Generic Data
------------ --------- --------- --------- ------
kSecClassKey
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment