hacktricks/mobile-pentesting/ios-pentesting/basic-ios-testing-operations.md
Carlos Polop a2ca955cb9 a
2024-02-09 01:36:13 +01:00

219 lines
12 KiB
Markdown

# iOS Basic Testing Operations
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
## **Summary of iOS Device Identification and Access**
### **Identifying the UDID of an iOS Device**
To identify an iOS device uniquely, a 40-digit sequence known as the UDID is used. On macOS Catalina or newer, this can be found in the **Finder app**, as iTunes is no longer present. The device, once connected via USB and selected in Finder, reveals its UDID among other information when the details under its name are clicked through.
For versions of macOS prior to Catalina, iTunes facilitates the discovery of the UDID. Detailed instructions can be found [here](http://www.iclarified.com/52179/how-to-find-your-iphones-udid).
Command-line tools offer alternative methods for retrieving the UDID:
* **Using I/O Registry Explorer tool `ioreg`:**
```bash
$ ioreg -p IOUSB -l | grep "USB Serial"
```
* **Using `ideviceinstaller` for macOS (and Linux):**
```bash
$ brew install ideviceinstaller
$ idevice_id -l
```
* **Utilizing `system_profiler`:**
```bash
$ system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:"
```
* **Employing `instruments` to list devices:**
```bash
$ instruments -s devices
```
### **Accessing the Device Shell**
**SSH access** is enabled by installing the **OpenSSH package** post-jailbreak, allowing connections via `ssh root@<device_ip_address>`. It's crucial to change the default passwords (`alpine`) for users `root` and `mobile` to secure the device.
**SSH over USB** becomes necessary in the absence of Wi-Fi, using `iproxy` to map device ports for SSH connections. This setup enables SSH access through USB by running:
```bash
$ iproxy 2222 22
$ ssh -p 2222 root@localhost
```
**On-device shell applications**, like NewTerm 2, facilitate direct device interaction, especially useful for troubleshooting. **Reverse SSH shells** can also be established for remote access from the host computer.
### **Resetting Forgotten Passwords**
To reset a forgotten password back to the default (`alpine`), editing the `/private/etc/master.passwd` file is necessary. This involves replacing the existing hash with the hash for `alpine` next to the `root` and `mobile` user entries.
## **Data Transfer Techniques**
### **Transferring App Data Files**
**Archiving and Retrieval via SSH and SCP:** It's straightforward to archive the application's Data directory using `tar` and then transfer it using `scp`. The command below archives the Data directory into a .tgz file, which is then pulled from the device:
```bash
tar czvf /tmp/data.tgz /private/var/mobile/Containers/Data/Application/8C8E7EB0-BC9B-435B-8EF8-8F5560EB0693
exit
scp -P 2222 root@localhost:/tmp/data.tgz .
```
### **Graphical User Interface Tools**
**Using iFunbox and iExplorer:** These GUI tools are useful for managing files on iOS devices. However, starting with iOS 8.4, Apple restricted these tools' access to the application sandbox unless the device is jailbroken.
### **Using Objection for File Management**
**Interactive Shell with Objection:** Launching objection provides access to the Bundle directory of an app. From here, you can navigate to the app's Documents directory and manage files, including downloading and uploading them to and from the iOS device.
```bash
objection --gadget com.apple.mobilesafari explorer
cd /var/mobile/Containers/Data/Application/72C7AAFB-1D75-4FBA-9D83-D8B4A2D44133/Documents
file download <filename>
```
## **Obtaining and Extracting Apps**
### **Acquiring the IPA File**
**Over-The-Air (OTA) Distribution Link:** Apps distributed for testing via OTA can be downloaded using the ITMS services asset downloader tool, which is installed via npm and used to save the IPA file locally.
```bash
npm install -g itms-services
itms-services -u "itms-services://?action=download-manifest&url=https://s3-ap-southeast-1.amazonaws.com/test-uat/manifest.plist" -o - > out.ipa
```
### **Extracting the App Binary**
1. **From an IPA:** Unzip the IPA to access the decrypted app binary.
2. **From a Jailbroken Device:** Install the app and extract the decrypted binary from memory.
### **Decryption Process**
**Manual Decryption Overview:** iOS app binaries are encrypted by Apple using FairPlay. To reverse-engineer, one must dump the decrypted binary from memory. The decryption process involves checking for the PIE flag, adjusting memory flags, identifying the encrypted section, and then dumping and replacing this section with its decrypted form.
**Checking and Modifying PIE Flag:**
```bash
otool -Vh Original_App
python change_macho_flags.py --no-pie Original_App
otool -Vh Hello_World
```
**Identifying Encrypted Section and Dumping Memory:**
Determine the encrypted section's start and end addresses using `otool` and dump the memory from the jailbroken device using gdb.
```bash
otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO
dump memory dump.bin 0x8000 0x10a4000
```
**Overwriting the Encrypted Section:**
Replace the encrypted section in the original app binary with the decrypted dump.
```bash
dd bs=1 seek=<starting_address> conv=notrunc if=dump.bin of=Original_App
```
**Finalizing Decryption:** Modify the binary's metadata to indicate the absence of encryption using tools like **MachOView**, setting the `cryptid` to 0.
### **Decryption (Automatically)**
#### **frida-ios-dump**
The [**frida-ios-dump**](https://github.com/AloneMonkey/frida-ios-dump) tool is employed for **automatically decrypting and extracting apps** from iOS devices. Initially, one must configure `dump.py` to connect to the iOS device, which can be done through localhost on port 2222 via **iproxy** or directly via the device's IP address and port.
Applications installed on the device can be listed with the command:
```bash
$ python dump.py -l
```
To dump a specific app, such as Telegram, the following command is used:
```bash
$ python3 dump.py -u "root" -p "<PASSWORD>" ph.telegra.Telegraph
```
This command initiates the app dump, resulting in the creation of a `Telegram.ipa` file in the current directory. This process is suitable for jailbroken devices, as unsigned or fake-signed apps can be reinstalled using tools like [**ios-deploy**](https://github.com/ios-control/ios-deploy).
#### **flexdecrypt**
The [**flexdecrypt**](https://github.com/JohnCoates/flexdecrypt) tool, along with its wrapper [**flexdump**](https://gist.github.com/defparam/71d67ee738341559c35c684d659d40ac), allows for the extraction of IPA files from installed applications. Installation commands for **flexdecrypt** on the device include downloading and installing the `.deb` package. **flexdump** can be used to list and dump apps, as shown in the commands below:
```bash
apt install zip unzip
wget https://gist.githubusercontent.com/defparam/71d67ee738341559c35c684d659d40ac/raw/30c7612262f1faf7871ba8e32fbe29c0f3ef9e27/flexdump -P /usr/local/bin; chmod +x /usr/local/bin/flexdump
flexdump list
flexdump dump Twitter.app
```
#### **bagbak**
[**bagbak**](https://github.com/ChiChou/bagbak), another Frida-based tool, requires a jailbroken device for app decryption:
```bash
bagbak --raw Chrome
```
#### **r2flutch**
**r2flutch**, utilizing both radare and frida, serves for app decryption and dumping. More information can be found on its [**GitHub page**](https://github.com/as0ler/r2flutch).
### **Installing Apps**
**Sideloading** refers to installing applications outside the official App Store. This process is handled by the **installd daemon** and requires apps to be signed with an Apple-issued certificate. Jailbroken devices can bypass this through **AppSync**, enabling the installation of fake-signed IPA packages.
#### **Sideloading Tools**
- **Cydia Impactor**: A tool for signing and installing IPA files on iOS and APK files on Android. Guides and troubleshooting can be found on [yalujailbreak.net](https://yalujailbreak.net/how-to-use-cydia-impactor/).
- **libimobiledevice**: A library for Linux and macOS to communicate with iOS devices. Installation commands and usage examples for ideviceinstaller are provided for installing apps over USB.
- **ipainstaller**: This command-line tool allows direct app installation on iOS devices.
- **ios-deploy**: For macOS users, ios-deploy installs iOS apps from the command line. Unzipping the IPA and using the `-m` flag for direct app launch are part of the process.
- **Xcode**: Utilize Xcode to install apps by navigating to **Window/Devices and Simulators** and adding the app to **Installed Apps**.
#### **Allow Application Installation on Non-iPad Devices**
To install iPad-specific applications on iPhone or iPod touch devices, the **UIDeviceFamily** value in the **Info.plist** file needs to be changed to **1**. This modification, however, requires re-signing the IPA file due to signature validation checks.
**Note**: This method might fail if the application demands capabilities exclusive to newer iPad models while using an older iPhone or iPod touch.
## References
* [https://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/](ttps://mas.owasp.org/MASTG/iOS/0x06b-iOS-Security-Testing/)
* [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0052/)
* [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0053/)
* [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/)
* [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0056/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0056/)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>