Now that you have your shiny new Evasion7 jailbreak running it’s time to set up the environment for application testing!
Getting in
Since mobile substrate is not working yet we will focus on getting our idevice up and running as a functioning *nix environment and install some tools that don’t require substrate.
First we need to get into our iDevices shell prompt. We will browse Cydia(that gets installed by default with the jailbreak) and then will install the openSSH package.
Once we get openSSH installed you can SSH into your device by finding its IP address in the Settings > Wireless Networks > Advanced “>” menu.
Now SSH into port 22 on that IP using the username “root” and the password “alpine“.
Once we have shell we can use APT to install most of the other packages we need. Also change the default root password to something else so people can’t mess with your phone! Arming your iDevice with *nix tools To have a functioning *nix environment we need to install a ton of utilities that aren’t usually installed as part of the default jailbreak or Bash shell. This includes utilities like strings, grep, awk, find, etc…
Some of the utility packages do not verbatim tell what’s inside of them; things like big boss tools and Erika utilities.
These two in specific install strings and other binutils type tools. Several of them patched or modded to work on the iOS architecture (arm).
Packages (some of these will be pre-installed with the JB):
adv-cmds
apr
apr-lib
apr-util
apt
apt7
apt7-key
apt7-lib
apt7-ssl
base
bash
basic-cmds
berkeleydb
bigbosshackertools
bootstrap-cmds
bzip2
class-dump
com.ericasadun.utilities
com.evad3rs.evasi0n7
com.innoying.sbutils
coreutils
coreutils-bin
curl
cy+cpu.arm
cy+kernel.darwin
cy+lib.corefoundation
cy+model.ipad
cy+os.ios
cydia
cydia-lproj
darwintools
debianutils
developer-cmds
diffutils
diskdev-cmds
dpkg
expat
file
file-cmds
findutils
firmware
firmware-sbin
gawk
gdb
gettext
git
gnupg
grep
gzip
inetutils
iokittools
ldid
less
libffi
libxml2
libxml2-lib
lsof
lzma
make
nano
ncurses
neon
network-cmds
odcctools
openssh
openssl
org.thebigboss.repo.icons
p7zip
pam
pam-modules
patch
pcre
profile.d
python
readline
rsync
sed
shell-cmds
sqlite3
sqlite3-lib
subversion
system-cmds
tar
tcpdump
top
uikittools
unrar
unzip
uuid
vim
wget
whois
xar
xml2
zip
apr
apr-lib
apr-util
apt
apt7
apt7-key
apt7-lib
apt7-ssl
base
bash
basic-cmds
berkeleydb
bigbosshackertools
bootstrap-cmds
bzip2
class-dump
com.ericasadun.utilities
com.evad3rs.evasi0n7
com.innoying.sbutils
coreutils
coreutils-bin
curl
cy+cpu.arm
cy+kernel.darwin
cy+lib.corefoundation
cy+model.ipad
cy+os.ios
cydia
cydia-lproj
darwintools
debianutils
developer-cmds
diffutils
diskdev-cmds
dpkg
expat
file
file-cmds
findutils
firmware
firmware-sbin
gawk
gdb
gettext
git
gnupg
grep
gzip
inetutils
iokittools
ldid
less
libffi
libxml2
libxml2-lib
lsof
lzma
make
nano
ncurses
neon
network-cmds
odcctools
openssh
openssl
org.thebigboss.repo.icons
p7zip
pam
pam-modules
patch
pcre
profile.d
python
readline
rsync
sed
shell-cmds
sqlite3
sqlite3-lib
subversion
system-cmds
tar
tcpdump
top
uikittools
unrar
unzip
uuid
vim
wget
whois
xar
xml2
zip
Take this list and dump it to a file (packages.txt) and run:
apt-get install $(<packages.txt)
Extras
In addition to utilities that help make our iDevice a functioning *nix environment there are several tools that aid in connecting, controlling, reverse engineering, and monitoring iOS applications. Below is a list of those tools, a description, and their locations (some cut from my OWASP page):
Tool
|
Link
|
Description
|
USBMuxd
|
http://cgit.sukimashita.com/usbmuxd.git/
|
Tunnel ports over USB (enable SSH without network using localhost:2222)
|
libimobiledevice
|
http://www.libimobiledevice.org/
|
Library. Custom implementation of iTunes type connections, file-system access, system access.
|
Filemon
|
Monitor realtime iOS file system
| |
FileDP
|
Audits data protection of files
| |
BinaryCookieReader
|
Read cookies.binarycookies files
| |
lsof ARM Binary
|
list of all open files and the processes that opened them
| |
lsock ARM Binary
|
monitor socket connections
| |
removePIE
|
Disables ASLR of an application
| |
Clutch
|
https://github.com/KJCracks/Clutch-dl/releases
|
Application Cracker compiled (remove encryption)
|
Rasticrac
|
https://twitter.com/iRastignac
|
Application Cracker (BASH GDB Wrapper)
|
Next Steps
This is just the basics.
Once you get all of these utilities and tools installed you’re pretty much waiting on substrate to be working for iOS 7. After that’s done you can install your favorite all encompassing or homegrown tool that uses substrate to do hooking such as Cycript, Inlyzer, SSLKillSwitch, Snoopit, IntroSpy, iAuditor, etc.
Then you just have to MitM the web traffic. There are plenty of guides on that around the net.
If you have other tools you use in your app assessment setup I’d love to hear about them. Feel free to leave suggestions in the comments.
0 Comments:
Post a Comment