mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
{% hint style="success" %}
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
For this section the tool Objection is going to be used.

Start by obtaining an objection session running something like:

```bash
objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore
```

You can also run `frida-ps -Uia` to check the processes running on the phone.
## Basic app enumeration

### Local app paths

**`env`**: Find the paths where the application is stored inside the device

```bash
env

Nome               Percorso
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library
```
### List bundles, frameworks and libraries

**`ios bundles list_bundles`**: List the bundles of the application

```bash
ios bundles list_bundles

Eseguibile    Bundle                Versione   Percorso
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle
```

**`ios bundles list_frameworks`**: List the external frameworks used by the application

```bash
ios bundles list_frameworks

Eseguibile                      Bundle                                        Versione    Percorso
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
                                                                                          ...vateFrameworks/CoreDuetContext.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
                                                                                          ...ystem/Library/Frameworks/IOKit.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]
```
**`memory list modules`**: List the modules loaded in memory

```bash
memory list modules

Nome                                 Base         Dimensione           Percorso
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]
```
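The module listing is also useful from the defensive side: it shows exactly which code is mapped into the process and where it came from. As an added example (not code from the page or from objection), the parser below reads a `memory list modules` table and flags any module loaded from outside the app bundle and the stock system locations; the sample rows are constructed from the output above.

```python
"""Added example, not from the page or from objection: parse the table that
`memory list modules` prints and classify each module by its load path.
The sample rows are constructed from the output shown above."""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Name                      Base         Size                 Path
------------------------  -----------  -------------------  ----------------------------
iGoat-Swift               0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib  0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration       0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib            0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
"""

# One data row: name, 0xbase, size in bytes, "(human size)", path.
# Header, separator and "[...]" lines do not match and are skipped.
ROW_RE = re.compile(r"^(\S+)\s+(0x[0-9a-fA-F]+)\s+(\d+) \(([^)]*)\)\s+(\S+)$")
APP_BUNDLE_PREFIXES = ("/private/var/containers/Bundle/Application/",
                       "/var/containers/Bundle/Application/")


@dataclass
class Module:
    name: str
    base: int
    size: int
    path: str

    @property
    def origin(self) -> str:
        # Anything outside the app bundle and the stock system locations is
        # "unexpected"; in the page's own listing that is SubstrateBootstrap.dylib
        # under /usr/lib/substrate/, i.e. code the app did not ship with.
        if self.path.startswith(APP_BUNDLE_PREFIXES):
            return "app-bundle"
        if self.path.startswith("/System/Library/"):
            return "system-framework"
        if re.fullmatch(r"/usr/lib/[^/]+", self.path):
            return "system-lib"
        return "unexpected"


def parse_modules(text: str) -> list:
    """Return one Module per data row of a `memory list modules` table."""
    rows = (ROW_RE.match(line.strip()) for line in text.splitlines())
    return [Module(m[1], int(m[2], 16), int(m[3]), m[5]) for m in rows if m]


def unexpected_modules(text: str) -> list:
    return [m.name for m in parse_modules(text) if m.origin == "unexpected"]
```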
**`memory list exports <module_name>`**: Exports of a loaded module

```bash
memory list exports iGoat-Swift

Tipo       Nome                                                                                                                                     Indirizzo
---------  ---------------------------------------------------------------------------------------------------------------------------------------  -----------
variabile  _mh_execute_header                                                                                                                       0x104ffc000
funzione   _mdictof                                                                                                                                 0x10516cb88
funzione   _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                     0x10516486c
funzione   _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                     0x1051648f4
funzione   _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                     0x1051648f8
funzione   _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                                0x10516490c
funzione   _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                         0x105164a20
funzione   _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                             0x105164ad8
funzione   _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                               0x105164de4
funzione   _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                  0x105164fa8
funzione   _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                    0x1051651d8
funzione   _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                  0x105165280
variabile  _ZTSN9couchbase6differ10BaseDifferE                                                                                                      0x1051d94f0
variabile  _ZTVN9couchbase6differ10BaseDifferE                                                                                                      0x10523c0a0
variabile  _ZTIN9couchbase6differ10BaseDifferE                                                                                                      0x10523c0f8
[..]
```
### List the classes of an app

**`ios hooking list classes`**: List the classes of the app

```bash
ios hooking list classes

AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]
```
**`ios hooking search classes <search_term>`**: Search for a class that contains a string. You can search for a unique term that is related to the main package name of the app to find the app's main classes, as in the example:

```bash
ios hooking search classes iGoat

iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]
```
### List the methods of a class

**`ios hooking list class_methods`**: List the methods of a specific class

```bash
ios hooking list class_methods iGoat_Swift.RCreditInfo

- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:
```
**`ios hooking search methods <search_term>`**: Search for a method that contains a string

```bash
ios hooking search methods cvv

[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]
```
## Basic hooking

Now that you have enumerated the classes and modules used by the application, you may have found some interesting class and method names.

### Hook all the methods of a class

**`ios hooking watch class <class_name>`**: Hook all the methods of a class, dumping all the initial parameters and the return values

```bash
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController
```

### Hook a single method

**`ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace`**: Hook a specific method of a class, dumping the parameters, the backtrace and the return value of the method every time it is called

```bash
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return
```

### Change the boolean return value

**`ios hooking set return_value "-[<class_name> <method_name>]" false`**: This will make the selected method return the indicated boolean

```bash
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
```
### Generate a hooking template

**`ios hooking generate simple <class_name>`**: Generate a simple Frida script that attaches to the methods of the given class

```bash
ios hooking generate simple iGoat_Swift.RCreditInfo
```

```javascript
var target = ObjC.classes.iGoat_Swift.RCreditInfo;

Interceptor.attach(target['+ sharedSchema'].implementation, {
  onEnter: function (args) {
    console.log('Entering + sharedSchema!');
  },
  onLeave: function (retval) {
    console.log('Leaving + sharedSchema');
  },
});

Interceptor.attach(target['+ className'].implementation, {
  onEnter: function (args) {
    console.log('Entering + className!');
  },
  onLeave: function (retval) {
    console.log('Leaving + className');
  },
});

Interceptor.attach(target['- cvv'].implementation, {
  onEnter: function (args) {
    console.log('Entering - cvv!');
  },
  onLeave: function (retval) {
    console.log('Leaving - cvv');
  },
});

Interceptor.attach(target['- setCvv:'].implementation, {
  onEnter: function (args) {
    console.log('Entering - setCvv:!');
  },
  onLeave: function (retval) {
    console.log('Leaving - setCvv:');
  },
});
```