GITBOOK-4115: change request with no subject merged in GitBook

This commit is contained in:
CPol 2023-10-09 19:38:55 +00:00 committed by gitbook-bot
parent 06502cc441
commit 4e747159b1
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
8 changed files with 134 additions and 10 deletions

View file

@ -313,13 +313,13 @@
* [Webview Attacks](mobile-pentesting/android-app-pentesting/webview-attacks.md)
* [iOS Pentesting Checklist](mobile-pentesting/ios-pentesting-checklist.md)
* [iOS Pentesting](mobile-pentesting/ios-pentesting/README.md)
* [Basic iOS Testing Operations](mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md)
* [Burp Suite Configuration for iOS](mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md)
* [Extracting Entitlements From Compiled Application](mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md)
* [Frida Configuration in iOS](mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md)
* [iOS App Extensions](mobile-pentesting/ios-pentesting/ios-app-extensions.md)
* [iOS Basics](mobile-pentesting/ios-pentesting/ios-basics.md)
* [iOS Basic Testing Operations](mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md)
* [iOS Burp Suite Configuration](mobile-pentesting/ios-pentesting/burp-configuration-for-ios.md)
* [iOS Custom URI Handlers / Deeplinks / Custom Schemes](mobile-pentesting/ios-pentesting/ios-custom-uri-handlers-deeplinks-custom-schemes.md)
* [iOS Extracting Entitlements From Compiled Application](mobile-pentesting/ios-pentesting/extracting-entitlements-from-compiled-application.md)
* [iOS Frida Configuration](mobile-pentesting/ios-pentesting/frida-configuration-in-ios.md)
* [iOS Hooking With Objection](mobile-pentesting/ios-pentesting/ios-hooking-with-objection.md)
* [iOS Protocol Handlers](mobile-pentesting/ios-pentesting/ios-protocol-handlers.md)
* [iOS Serialisation and Encoding](mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md)
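Review bot: the renamed entries are not in sorted order: `* [iOS Basics](mobile-pentesting/ios-pentesting/ios-basics.md)` now sits above `* [iOS Basic Testing Operations](mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md)`, while every other entry in this block is sorted by its new title; swap those two lines. Also, of the four pages renamed here, only two get their `#` heading updated elsewhere in this commit (Basic Testing Operations and Frida Configuration); the Burp Suite Configuration and Extracting Entitlements pages keep their old titles, so the sidebar and the page headings will disagree until those files are touched too.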

View file

@ -165,6 +165,16 @@ LC 01: LC_SEGMENT_64 Mem: 0x100000000-0x100028000 __TEXT
You can find further information about the [**information stored in these section in this blog post**](https://knight.sc/reverse%20engineering/2019/07/17/swift-metadata.html).
Moreover, **Swift binaries might have symbols** (for example libraries need to store symbols so its functions can be called). The **symbols usually have the info about the function name** and attr in a ugly way, so they are very useful and there are "**demanglers"** that can get the original name:
```bash
# Ghidra plugin
https://github.com/ghidraninja/ghidra_scripts/blob/master/swift_demangler.py
# Swift cli
swift demangle
```
### Packed binaries
* Check for high entropy
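Review bot: the `bash` block contains a bare URL on its own line (`https://github.com/ghidraninja/ghidra_scripts/blob/master/swift_demangler.py`), which a reader pasting the block will try to execute; make it a comment (`# Ghidra plugin: https://...`) or move the link into the prose, and show `swift demangle` with its input, e.g. `swift demangle <mangled_symbol>` or `nm <binary> | swift demangle`, since on its own line it just waits on stdin. Wording: "these section" should be "these sections", and "attr in a ugly way" reads better as "attributes in a hard-to-read form". The new "Packed binaries" section has a single bullet with no explanation of what counts as high entropy or how to measure it; a sentence on that (or a pointer to the tool used) would make the bullet actionable.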

View file

@ -39,6 +39,10 @@ The ARM64 calling convention specifies that the **first eight parameters** to a
When reading a function in assembly, look for the **function prologue and epilogue**. The **prologue** usually involves **saving the frame pointer (`x29`)**, **setting** up a **new frame pointer**, and a**llocating stack space**. The **epilogue** usually involves **restoring the saved frame pointer** and **returning** from the function.
### Calling Convention in Swift
Swift have its own **calling convention** that can be found in [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#arm64)
### **Common Instructions**
ARM64 instructions generally have the **format `opcode dst, src1, src2`**, where **`opcode`** is the **operation** to be performed (such as `add`, `sub`, `mov`, etc.), **`dst`** is the **destination** register where the result will be stored, and **`src1`** and **`src2`** are the **source** registers. Immediate values can also be used in place of source registers.
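Review bot: "Swift have its own calling convention" should be "Swift has its own calling convention", and the sentence lacks a terminating period. Since the paragraph just above tells the reader how to recognise the standard AAPCS prologue/epilogue, it would help to say in one line what Swift adds on top of it (the dedicated `self`/context register `x20` and the error register `x21`, per the linked CallConvSummary) rather than only linking the document.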

View file

@ -38,6 +38,10 @@ The x64 calling convention varies between operating systems. For instance:
If the function has more than six inputs, the **rest will be passed on the stack**. **RSP**, the stack pointer, has to be **16 bytes aligned**, which means that the address it points to must be divisible by 16 before any call happens. This means that normally we would need to ensure that RSP is properly aligned in our shellcode before we make a function call. However, in practice, system calls work many times even if this requirement is not met.
### Calling Convention in Swift
Swift have its own **calling convention** that can be found in [**https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64**](https://github.com/apple/swift/blob/main/docs/ABI/CallConvSummary.rst#x86-64)
### **Common Instructions**
x64 instructions have a rich set, maintaining compatibility with earlier x86 instructions and introducing new ones.
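Review bot: "Swift have its own calling convention" should be "Swift has its own calling convention", and the sentence lacks a terminating period. As with the ARM64 page, one line on what differs from the System V convention described above (Swift's dedicated `self`/context register `r13` and error register `r12`, per the linked CallConvSummary) would make the section useful without leaving the page.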

View file

@ -12,7 +12,7 @@
</details>
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
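Review bot: both the replaced `<img>` and the new `<figure>` leave `alt=""` empty and the `<figcaption>` empty, so the banner conveys nothing to screen readers or when the image fails to load; give it an alt text or a caption (the same applies to the identical change further down this file).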
@ -208,7 +208,7 @@ Java.choose("com.example.a11x256.frida_test.my_activity" , {
});
```
<img src="../../../.gitbook/assets/i3.png" alt="" data-size="original">
<figure><img src="../../../.gitbook/assets/i3.png" alt=""><figcaption></figcaption></figure>
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!

View file

@ -230,6 +230,19 @@ DocumentDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8E
LibraryDirectory /var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693/Library
```
You could also search for the app name inside **`/private/var/containers`**:
```bash
find /private/var/containers -name "Progname*"
```
Or using **`ps`** and **`lsof`**:
```bash
ps -ef | grep -i <app-name>
lsof -p <pid> | grep -i "/containers" | head -n 1
```
As you can see, apps have two main locations:
* The **Bundle** **directory** (`/var/containers/Bundle/Application/3ADAF47D-A734-49FA-B274-FBCA66589E67/`).
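Review bot: `ps -ef | grep -i <app-name>` also matches the `grep` process itself, and `lsof -p <pid> | grep -i "/containers" | head -n 1` keeps only the first matching path, which may be the Bundle directory rather than the Data container, even though the next sentence says apps have two locations; use the `grep -i "[a]pp-name"` trick (or `pgrep` where the jailbreak provides it) for the PID, and either drop `head -n 1` or filter on `/Bundle/Application/` and `/Data/Application/` separately so both paths are shown. `find /private/var/containers -name "Progname*"` would be more consistent with the case-insensitive `grep` if it used `-iname`.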

View file

@ -1,4 +1,4 @@
# Basic iOS Testing Operations
# iOS Basic Testing Operations
<details>
@ -347,6 +347,14 @@ flexdump list #List apps
flexdump dump Twitter.app #Create .ipa file from app
```
#### bagbak
Yet another frida based App decryptor. Requires jailbroken iOS device and [frida.re](https://www.frida.re/)
```bash
bagbak --raw Chrome
```
#### r2flutch
[**r2flutch**](https://github.com/as0ler/r2flutch) is a tool that uses **radare** and **frida** to **decrypt** and **dump ios apps>**
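Review bot: the new bagbak entry has no link to the project, unlike the neighbouring r2flutch entry (`[**r2flutch**](https://github.com/as0ler/r2flutch)`), and `bagbak --raw Chrome` is shown without saying what `--raw` changes about the output or whether `Chrome` is a bundle name or a bundle ID; add the repository link and a one-line explanation of the flag, and write "Frida-based" rather than "frida based". Visible in the context line: "dump ios apps>" has a stray `>` and should read "dump iOS apps".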

View file

@ -1,4 +1,4 @@
# Frida Configuration in iOS
# iOS Frida Configuration
<details>
@ -14,16 +14,101 @@
## Installing Frida
Go to **Cydia** app and add Fridas repository by going to **Manage -> Sources -> Edit -> Add** and enter [**https://build.frida.re** ](https://build.frida.re). It will add a new source in the source list. Go to the **frida** **source**, now you should **install** the **Frida** package.
Go to **Cydia/Sileo** app in your Jailbroken device and add Fridas repository by going to **Manage -> Sources -> Edit -> Add** and enter [**https://build.frida.re** ](https://build.frida.re). It will add a new source in the source list. Go to the F**rida** **source**, now you should **install** the **Frida** package.
![](https://miro.medium.com/max/614/0\*qSD26kBtgt\_UIZk1.png)
After installed, you can use in your PC the command `frida-ls-devices` and check that the device appears (your PC needs to be able to access it). Execute also `frida-ps -Uia` to check the running processes of the phone.
If you are using **Corellium** you will need to download the Frida release from [https://github.com/frida/frida/releases](https://github.com/frida/frida/releases) (`frida-gadget-[yourversion]-ios-universal.dylib.gz`) and unpack and copy to the dylib location Frida asks for, e.g.: `/Users/[youruser]/.cache/frida/gadget-ios.dylib`
After installed, you can use in your PC the command **`frida-ls-devices`** and check that the device appears (your PC needs to be able to access it).\
Execute also **`frida-ps -Uia`** to check the running processes of the phone.
## Frida without Jailbroken device & without patching the app
Check this blog post about how to use Frida in non-jailbroken devices without patching the app: [https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07](https://mrbypass.medium.com/unlocking-potential-exploring-frida-objection-on-non-jailbroken-devices-without-application-ed0367a84f07)
## Frida Client Installation
Install **frida tools**:
```bash
pip install frida-tools
pip install frida
```
With the Frida server installed and the device running and connected, **check** if the client is **working**:
```bash
frida-ls-devices # List devices
frida-ps -Uia # Get running processes
```
## Frida Trace
```bash
# Trace all methods of all classes
frida-trace -U <program> -m "*[* *]"
# Trace all methods with the word "authentication" from classes that start with "NE"
frida-trace -U <program> -m "*[NE* *authentication*]"
```
### Get all classes and methods
* Get **all** available **classes** (filter by string)
{% code title="/tmp/script.js" %}
```javascript
// frida -U <program> -l /tmp/script.js
var filterClass = "filterstring";
if (ObjC.available) {
for (var className in ObjC.classes) {
if (ObjC.classes.hasOwnProperty(className)) {
if (!filterClass || className.includes(filterClass)) {
console.log(className);
}
}
}
} else {
console.log("Objective-C runtime is not available.");
}
```
{% endcode %}
* Get **all** **methods** of a **class** (filter by string)
{% code title="/tmp/script.js" %}
```javascript
// frida -U <program> -l /tmp/script.js
var specificClass = "YourClassName";
var filterMethod = "filtermethod";
if (ObjC.available) {
if (ObjC.classes.hasOwnProperty(specificClass)) {
var methods = ObjC.classes[specificClass].$ownMethods;
for (var i = 0; i < methods.length; i++) {
if (!filterMethod || methods[i].includes(filterClass)) {
console.log(specificClass + ': ' + methods[i]);
}
}
} else {
console.log("Class not found.");
}
} else {
console.log("Objective-C runtime is not available.");
}
```
{% endcode %}
## Frida Android Tutorials
{% content-ref url="../android-app-pentesting/frida-tutorial/" %}
[frida-tutorial](../android-app-pentesting/frida-tutorial/)
{% endcontent-ref %}
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
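Review bot: the second script references an undefined variable: `if (!filterMethod || methods[i].includes(filterClass))` uses `filterClass`, which is only declared in the first script, so as soon as `filterMethod` is non-empty the loop throws `ReferenceError: filterClass is not defined`; it should be `methods[i].includes(filterMethod)`. Smaller points in the same hunk: the reworded Cydia paragraph has broken emphasis (`F**rida** **source**` renders as a plain "F" followed by bold "rida"), and "Fridas repository" should be "Frida's repository"; `pip install frida` is redundant after `pip install frida-tools`, which already depends on `frida`; and `frida-trace -U <program> -m "*[* *]"` hooks every Objective-C method in the process, so a short warning that this can flood the console and slow the app noticeably would save readers a surprise.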