iOS Hacking

This document provides an overview of iOS hacking techniques including advanced penetration testing and forensic analysis. It discusses iOS security architecture, application sandboxing, file system encryption, application reverse engineering, and iOS application penetration testing. The authors are Ömer Coşkun and Mark de Groot who have industry experience in ethical hacking and security.


iOS Hacking: Advanced Pentest & Forensic Techniques
Author(s): Ömer Coşkun & Mark de Groot

The supreme art of war is to subdue the enemy without fighting. Sun Tzu
$ whoami

Ömer Coşkun
• BEng. Computer Science; Research Assistant in Quantum Cryptography & Advanced Topics in AI
• Industry Experience: KPN – CISO, Ethical Hacking; Verizon – Threat & Vulnerability Management; IBM ISS – Threat Intelligence
• Interests: Algorithm Design, Programming, Cryptography, Reverse Engineering, Malware Analysis, OS Internals, Rootkits

Mark de Groot
• Industry Experience: KPN – CISO, Ethical Hacking
• Interests: Programming, Cryptography, Reverse Engineering, Software Exploitation, CTF, RFID, SDR
Outline
• Overview
• Motivation
• iOS Security Architecture
  • Application Sandbox and Sandbox Profiles
  • File System Encryption
• iOS Application Reverse Engineering
  • iOS 64-bit App Static/Dynamic Analysis
  • Hunting for RSA Keys
• iOS Application Penetration Testing
  • Application Communication Interception
  • Atomizing Pentesting
• Q/A
  • Questions?
Motivations
• Analyze the existing security mechanisms on the iOS platform and the techniques used to circumvent them
• Automate and speed up mobile penetration tests
• Surveillance implants have shifted their focus to mobile devices
• Mobile applications are evolving and are tied to money: iOS mobile payments, PayPal SDK, etc.
• iOS rootkits are not only a theory anymore
• Reverse engineering on the ARM environment is fun!

iOS Security Architecture
• Every app on iOS requires signing information
  • Signature information within LC_CODE_SIGNATURE
  • SHA1 signature verification (memory pages)
• iOS System Security
  • Secure Boot Chain: components signed by Apple
  • System software authorization: firmware downgrade protection
  • Secure Enclave: Apple A7 processors, memory encryption
  • TouchID: passcode replacement
  • KeyBags: used for system, backup and iCloud backups

iOS Security Architecture (cont’d)

Source: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-818.pdf
How does iOS SandBox Work?

Source: http://dl.packetstormsecurity.net/papers/general/apple-sandbox.pdf
How does iOS SandBox Work? (cont’d)
1. The process makes a syscall that carries a MAC callout
2. The MAC layer checks whether any policy applies to this process
3. If a policy is applicable, the list of policy modules is invoked
4. If sandbox.kext is registered, its callback is invoked
5. sandbox.kext evaluates the request against its matching rules
6. sandbox.kext either approves the request or denies it
How does iOS SandBox Work? (cont’d)

iOS Sandbox Profiles (Documented)
• kSBXProfileNoInternet
• kSBXProfileNoNetwork
• kSBXProfileNoWrite
• kSBXProfileNoWriteExceptTemporary
• kSBXProfilePureComputation

iOS Sandbox Profiles (Undocumented)
• sandbox-compilerd
• mDNSResponder
• apsd
• AppleDiags
• PasteBoard
• Container
• MobileSafari
• MobileMail

Sample SandBox Usage: MobileMaps


iOS : File System Encryption

File Encryption Mechanism
• Every file is encrypted with a unique key
• The Data Protection engine creates a 256-bit AES key (CBC mode) and a SHA-1 hash per file
• The file key is stored within the file metadata
• The metadata of all files in the file system is encrypted with a random key (generated at the first iOS installation)
• The per-file key is unwrapped with the Class Key, then supplied to the AES engine
iOS : File System Encryption (cont’d)

File API Classes (NSFileProtection)
• NSFileProtectionNone
• NSFileProtectionComplete
• NSFileProtectionCompleteUnlessOpen
• NSFileProtectionCompleteUntilFirstUserAuthentication

Security Attributes (kSecAttrAccessible)
• kSecAttrAccessibleWhenUnlocked
• kSecAttrAccessibleAfterFirstUnlock
• kSecAttrAccessibleAlways
• kSecAttrAccessibleWhenUnlockedThisDeviceOnly
• kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
• kSecAttrAccessibleAlwaysThisDeviceOnly

File Protector with NSData:

File Protector with NSFileManager:


iOS : File System Encryption (cont’d)

Escrow KeyBag location: /private/var/db/lockdown/

iTunes backup location: ~/Library/Application\ Support/MobileSync/Backup/

• Passcode can be brute-forced
• Open source and commercial backup decryptors
iOS : Mach-O File Structure

struct segment_command_64 {
    uint32_t  cmd;
    uint32_t  cmdsize;
    char      segname[16];
    uint64_t  vmaddr;
    uint64_t  vmsize;
    uint64_t  fileoff;
    uint64_t  filesize;
    vm_prot_t maxprot;
    vm_prot_t initprot;
    uint32_t  nsects;
    uint32_t  flags;
};

Source: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html
Decrypting Binaries (32-bit)

pentestBox:/private/var/mobile/Applications/2587B469-0147-4793-86CE-B41A1C4468DC/banking.app root# otool -l BankingApp | grep crypt
    cryptoff 16384
    cryptsize 835584
    cryptid 1

cryptoff  16384  -> 0x4000
cryptsize 835584 -> 0xCC000

0x4000 (vm address) + 0x4000 (crypt off) = 0x8000
0x4000 (vm address) + 0x4000 (crypt off) + 0xCC000 (crypt size) = 0xD4000

(gdb) dump memory dump.bin 0x8000 0xD4000    <-- Encrypted binary section
Decrypting Binaries (64-bit)

pentestBox:/private/var/mobile/Applications/2587B469-0147-4793-86CE-B41A1C4468DC/banking.app root# otool -l BankingApp | grep crypt
    cryptoff 16384
    cryptsize 835584
    cryptid 1

cryptoff  16384  -> 0x4000
cryptsize 835584 -> 0xCC000

0x4000 (vm address) + 0x4000 (crypt off) = 0x8000
0x4000 (vm address) + 0x4000 (crypt off) + 0xCC000 (crypt size) = 0xD4000

(lldb) memory read --outfile /tmp/dump.bin --binary 0x8000 0xD4000    <-- Encrypted binary section
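The otool output and the address arithmetic above, as an added Python example that is not part of the slides: it walks the load commands of a Mach-O header (the segment_command_64 layout shown earlier), locates the __TEXT segment and the LC_ENCRYPTION_INFO command, and returns the address range that the debugger dump covers. The constants are the values from <mach-o/loader.h>; the sample header is constructed here with the slide's cryptoff/cryptsize numbers and is not the banking app's real header.

```python
import struct

# Magic numbers and load-command types from <mach-o/loader.h>
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def load_commands(data):
    """Yield (cmd, raw bytes) for each load command of a little-endian Mach-O image."""
    magic, ncmds = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 16)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O header")
    off = 32 if magic == MH_MAGIC_64 else 28          # sizeof(mach_header_64) / sizeof(mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def encrypted_range(data):
    """Return (cryptid, start, end): where the FairPlay-encrypted region sits once the image
    is mapped, i.e. __TEXT.vmaddr + cryptoff up to + cryptsize (the slide's arithmetic)."""
    text_vmaddr = enc = None
    for cmd, raw in load_commands(data):
        if cmd == LC_SEGMENT_64:                       # segment_command_64: segname at +8, vmaddr at +24
            segname, vmaddr = struct.unpack_from("<16sQ", raw, 8)
        elif cmd == LC_SEGMENT:                        # segment_command: same layout, 32-bit vmaddr
            segname, vmaddr = struct.unpack_from("<16sI", raw, 8)
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            enc = struct.unpack_from("<3I", raw, 8)    # cryptoff, cryptsize, cryptid
            continue
        else:
            continue
        if segname.rstrip(b"\0") == b"__TEXT":
            text_vmaddr = vmaddr
    if text_vmaddr is None or enc is None:
        return None                                    # unencrypted image or no __TEXT segment
    cryptoff, cryptsize, cryptid = enc
    return cryptid, text_vmaddr + cryptoff, text_vmaddr + cryptoff + cryptsize

def sample_image():
    """Constructed 64-bit header carrying the values from the otool output on the slide."""
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0x4000, 0xD0000, 0, 0xD0000, 5, 5, 0, 0)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 16384, 835584, 1, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(seg) + len(enc), 0, 0)  # arm64, MH_EXECUTE
    return hdr + seg + enc

if __name__ == "__main__":
    cryptid, start, end = encrypted_range(sample_image())
    print(f"cryptid={cryptid} dump 0x{start:X}-0x{end:X}")   # cryptid=1 dump 0x8000-0xD4000
```

A cryptid of 0 (or no encryption command at all) means the image on disk is already plain, which is the quickest way to tell a store-encrypted binary from a developer build.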
Remote debugging: running debugserver on iOS, running LLDB on the Mac

Getting the Debugger running
All you need is stored under the Xcode IDE directories. Obtain the debugserver binary:

$ hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/7.1/DeveloperDiskImage.dmg

Getting the Debugger running (cont’d)
Create an entitlements file for signing the debugserver binary, with the following content:

Sign your debugserver binary and upload it to the jailbroken iOS pentest device.

Getting the Debugger running (cont’d)
Attach to the target binary for remote debugging. Make sure the correct SDK path is selected and connect to the device.
Debugging x64 iOS App

The stopped thread list is available if the debugger connection is made correctly.
Reversing iOS Apps
Reversing iOS should be easy in an ideal world: malware reversers would know what I mean :)
Reversing iOS Apps: Sainte Ida de Louvain
IDA Pro correctly resolves the function names as well as the cross references.

Source: https://www.hex-rays.com/products/ida/
Reversing iOS Apps: Dealing with Crypto
Check for interesting function calls, as all the imports are correctly resolved.
Reversing iOS Apps: Dealing with Crypto
It seems the application evaluates the certificate here.

Check the function prototypes and the definition on Apple Dev:
https://developer.apple.com/library/mac/documentation/Security/Reference/certifkeytrustservices/index.html
Reversing iOS Apps: Dealing with Crypto
Data content is being encrypted using the public key before sending it to the server.

Calling Convention: C++                  Calling Convention: Objective-C
ObjectPointer->Function(parameters)      [ObjectPointer Function:parameters]
Reversing iOS Apps: Hunting for Public Key
The following function evaluates the certificate.

Check the function prototypes and the definition on Apple Dev:
https://developer.apple.com/library/mac/documentation/Security/Reference/certifkeytrustservices/index.html
Reversing iOS Apps: Hunting for Public Key
Cross-references definitely help.

So do the constants and the debug strings. :)
Reversing iOS Apps: Hunting for Public Key
Preparation for file encryption is literally being done here.
Reversing iOS Apps: Hunting for Public Key

Short cheat sheet on LLDB for GDB junkies.

GDB Command                                   LLDB Command
(gdb) dump memory /tmp/mem.bin 0x1000 0x2000  (lldb) memory read --outfile /tmp/mem.bin --binary 0x1000 0x2000
(gdb) disassemble                             (lldb) disassemble --frame
                                              (lldb) di -f
(gdb) x/20i 0x1eb8                            (lldb) disassemble --start-address 0x1eb8 --count 20
(gdb) info shared                             (lldb) image list
Reversing iOS Apps: Hunting for Public Key
I hope it’s clear to everyone what’s happening here and the purpose of the function. :)
How to Reverse on the iOS Environment?
1. Observe the application by running it on the jailbroken device
2. Remove the encryption and obtain the flat binary
3. Determine what needs to be taken out (e.g. intellectual property, keys, etc.)
4. Perform static analysis in your favorite tool (IDA, Hopper)
5. Combine the static and dynamic analysis results
6. Hack the binary in the debugger with help from the analysis results
Reversing iOS Apps: Hunting for Public Key
Set a breakpoint on the target function and then run until the private keys are pushed into memory.

Dump the memory to a writable location with the LLDB debugger.

The memory dump should contain the data we were looking for.
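To confirm that a dump taken this way really holds the key material, here is an added Python example (not from the slides) that scans a raw memory dump for the PKCS#1 RSAPublicKey encoding: a DER SEQUENCE of two INTEGERs whose exponent and modulus size look like a real key. The sample dump, its decoy header and its 1024-bit modulus are constructed for the example and are not a real key.

```python
def der_length(buf, pos):
    """Decode the DER length field at buf[pos]; return (length, header_bytes) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1                              # short form
    n = first & 0x7F                                 # long form: n more length bytes follow
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def rsa_public_key_at(buf, pos):
    """Return (modulus_bits, exponent, encoded_len) if a PKCS#1 RSAPublicKey,
    SEQUENCE { INTEGER n, INTEGER e }, starts at buf[pos]; otherwise None."""
    if buf[pos] != 0x30 or (hdr := der_length(buf, pos + 1)) is None:
        return None
    p, end = pos + 1 + hdr[1], pos + 1 + hdr[1] + hdr[0]
    if end > len(buf):
        return None
    ints = []
    for _ in range(2):                               # exactly two INTEGERs must fill the SEQUENCE
        if p >= end or buf[p] != 0x02 or (il := der_length(buf, p + 1)) is None:
            return None
        p += 1 + il[1]
        if p + il[0] > end:
            return None
        ints.append(int.from_bytes(buf[p:p + il[0]], "big"))
        p += il[0]
    n, e = ints
    if p != end or e not in (3, 65537) or n.bit_length() < 512:
        return None                                  # plausibility filter: stray 0x30 bytes fail here
    return n.bit_length(), e, end - pos

def find_rsa_public_keys(dump):
    """Try every offset of a raw memory dump; return [(offset, modulus_bits, exponent)]."""
    return [(pos, r[0], r[1]) for pos in range(len(dump))
            if (r := rsa_public_key_at(dump, pos))]

# Constructed sample dump: a decoy SEQUENCE header, a 1024-bit test modulus (not a real key), junk.
def der_len(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
def der_int(v):                                      # DER INTEGER; a leading 0x00 keeps it positive
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(b)) + b

SAMPLE_N = (1 << 1023) | 0x1F3B5D7F
_body = der_int(SAMPLE_N) + der_int(65537)
SAMPLE_KEY = b"\x30" + der_len(len(_body)) + _body
SAMPLE_DUMP = b"\x00" * 37 + b"\x30\x82\xff\xff" + SAMPLE_KEY + b"junk" * 5
```

A PKCS#1 RSAPrivateKey is the same kind of SEQUENCE with a version INTEGER first and nine INTEGERs in total, so the same walk confirms whether the private structure is also recoverable from the dump, which is the exposure an app's key handling should be tested for.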


iOS Apps Penetration Testing

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_10_Mobile_Risks

iOS Apps Penetration Testing (cont’d)

https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
iOS Apps Penetration Testing: Network Traffic Analysis

https://www.wireshark.org/
iOS Apps Penetration Testing: Network Traffic Analysis (cont’d)

Cocoa Packet Analyzer appeals to Mac fans; unlike Wireshark, it doesn’t require additional libraries such as XQuartz to be installed.

Cocoa Packet Analyzer: www.tastycocoabytes.com/cpa/
SSL Interception: Function Hooks

Standard SSLRead function provided by the iOS SDK.

iOS Dev Center: https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/

SSL Interception: Function Hooks (cont’d)

Standard SSLWrite function provided by the iOS SDK.

iOS Dev Center: https://developer.apple.com/library/mac/documentation/Security/Reference/secureTransportRef/
SSL Interception: Function Hooks (cont’d)

What does a simple implementation of a function hook on the iOS environment look like?

MSHookFunction((void *)SSLWrite, (void *)_hook_SSLWrite, (void **)&call_to_REAL_SSLWrite);
MSHookFunction((void *)SSLRead,  (void *)_hook_SSLRead,  (void **)&call_to_REAL_SSLRead);

SSL Interception: Function Hooks (cont’d)

Create a hook that will intercept the SSL communication by hooking the application-level read/write operation functions.
Hardware/Software Interception: Captain Hook Style Hacking

Captain Hook style hacking: intercept every function, keep a copy of the content for herself, and then let the function continue as it was supposed to …

SSL Interception: Function Hooks (cont’d)

What if some people implement hook functions not only to see SSL traffic, but rather to reach hardware resources?
This is beyond the conspiracy theories: for real!

iPhone Rootkit CookBook

The following code detects the audio stream.

Source code: Tripwire: http://www.tripwire.com/state-of-security/vulnerability-management/creating-iphone-rootkits-and-like-the-nsas-dropout-jeep/

iPhone Rootkit CookBook (cont’d)

A sample hook for enabling the iPhone microphone.

Source code: Tripwire: http://www.tripwire.com/state-of-security/vulnerability-management/creating-iphone-rootkits-and-like-the-nsas-dropout-jeep/
Burp Suite: Atomize Everything
More than standard application communication interception.

Burp Suite: http://portswigger.net/burp/

Burp Extensions: Installation
• Suggested and most preferred way: Burp Suite > Extensions > BAppStore
• Some extensions require the Pro version (not because they discriminate against the poor, but due to API/functional limitations :) )
• Some extensions have 3rd-party dependencies or are wrappers of a 3rd-party application (e.g. PhantomJS, Radamsa, etc.)
How Extensions Work (cont’d)

Class Name                  Purpose
IBurpExtender               To write our own extension
IBurpExtenderCallbacks      To pass to extensions a set of callbacks (register actions, mark)
ICookie                     To retrieve the domain for which the cookie is in scope
IHttpRequestResponse        To retrieve and update details about HTTP messages
IScanIssue                  To retrieve details of Scanner issues
IScanQueueItem              To retrieve details of items in the active scan queue
IScannerInsertionPoint      To define an insertion point for use by active Scanner checks
IIntruderPayloadProcessor   To obtain the name of the payload processor
Burp Extensions in a NutShell

Extension Name          Purpose
.NET Beautifier         Makes ViewState info human readable
ActiveScan++            Extends passive scanning: path injection, shellshock, etc.
Blazer                  Generate and fuzz custom AMF messages
Bradamsa                Generate Intruder payloads wisely :)
CO2                     Set of useful tools: sqlmapper, user generator, prettier JS, ASCII payload processor, etc.
Logger++                An extension of the history feature in Burp; more detailed and comprehensive
Session Auth            Helps to identify privilege escalation vulns
WebInspect Connector    Newly built; shares results between Burp and WebInspect
Burp Extensions : Additional Scanner Checks
• Additional passive Scanner checks: Strict-Transport-Security, X-Content-Type, X-XSS-Protection. In other words, it checks the modern browser security headers.

Burp Extensions : Session Auth
• To identify authentication privilege escalation vulnerabilities.

Burp Extensions : CO2
• Set of useful tools: sqlmapper, user generator, prettier JS, ASCII payload processor, etc.

Fully Automated XSS Verification
• The xssValidator extension of Burp Suite can be leveraged to fully automate the XSS verification process.
Fully Automated XSS Verification (cont’d)
• Before starting the XSS verification process, we need to install at least one wrapper to support the extension.
• Enable the payload extension after running the wrapper.

Fully Automated XSS Verification (cont’d)
• Enable the payload processing unit for xssValidator.
• Finally, create a grep-and-match rule for Intruder.

Fully Automated XSS Verification (cont’d)
• Content of xss.js

Fully Automated XSS Verification (cont’d)
• Let the fun begin :)

Questions ?